Last updated: April 2026 · Effective immediately on publication.
This policy explains what personal data Seoxpert collects, why we collect it, how long we keep it, and how you can exercise the rights the GDPR gives you. It covers the website at seoxpert.io, the dashboard, and the API.
The data controller for everything described here is Cloud Ninja Consulting ApS, a Danish company registered as CVR 46044118 (VAT DK46044118). Operational details and the legal address are listed on the imprint page.
For privacy questions, data subject access requests, or to exercise any of the rights below, contact us at support@seoxpert.io. We aim to reply within five business days and resolve substantive requests within thirty days as required by GDPR Article 12(3).
When you sign up we store your email address. Authentication and password hashing are handled by Supabase on our behalf — we never see your plaintext password. We also store a marketing-communication preference flag (off by default), the date of account creation, and the workspace memberships you belong to.
Lawful basis: performance of our contract with you (GDPR Article 6(1)(b)). We can't provide a personal account without an account identifier.
For every scan, we store the URL you submitted, the time it ran, the crawl results (HTML metadata, response headers, Core Web Vitals, security findings), the issues we surface, and any reports you generate. We also store a counter showing how many scans you have remaining on your plan.
Scan inputs and outputs are linked to your account so the dashboard can show your history. We do not crawl your site beyond the URLs you submit, and we do not collect data from people visiting your site — we collect publicly accessible HTML the same way Googlebot does.
Lawful basis: performance of our contract (Article 6(1)(b)).
If you start a scan from the homepage before signing up, we briefly hold the result against an opaque token in your browser's session storage. We do not associate it with any identifying data until you sign up and claim it. To prevent abuse, we record a one-way hashed copy of your IP address (using a salt that rotates daily, so the hashes cannot be reversed). The hash is used only to enforce rate limits and is automatically deleted after 90 days. Unclaimed guest scans older than seven days are deleted.
Lawful basis: legitimate interest in preventing platform abuse (Article 6(1)(f)). The interest test favours processing because the data is hashed, short-lived, and used solely for security.
If you purchase a plan, our payment processor Stripe handles your card details directly. We never see, store, or transmit your card number, CVC, or expiry — those go straight to Stripe. We store a Stripe customer reference, the plan you purchased, the billing cycle, the invoice status, and the timestamp of each successful charge.
Lawful basis: performance of our contract (Article 6(1)(b)) and compliance with Danish accounting law for the seven-year retention of invoice records (Article 6(1)(c)).
We set a small number of strictly necessary cookies (session, consent state) without asking for consent — they are required for the service to function. Anything else (analytics, marketing) requires your explicit opt-in via the cookie banner. The full inventory is listed on the cookies page.
If you accept analytics, we send pseudonymous usage data to Google Analytics 4 to understand which pages people read and which features they use. If you decline, no analytics scripts are loaded at all.
Every consent action — accept, reject, or change — is logged to our consent_events table along with a timestamp and the same one-way hashed IP described in §2.3. This is the audit trail the GDPR requires.
Lawful basis: consent (Article 6(1)(a)) for non-essential cookies; legitimate interest (Article 6(1)(f)) for the consent log itself, which protects both you and us.
If you email us or open a support thread, we keep the message and our reply for as long as needed to resolve the issue, plus a year for reference in case you come back with a related question.
Transactional emails — receipts, scan-completion summaries, security notices, password resets — are sent regardless of marketing consent because they are necessary to operate the service. Marketing emails (product updates, tips, occasional offers) are sent only if you have explicitly opted in, and you can revoke consent at any time from the dashboard or by clicking unsubscribe in the email.
Lawful basis: contract for transactional emails (Article 6(1)(b)); consent for marketing emails (Markedsføringsloven §10 + GDPR Article 6(1)(a)).
Sensitive actions in the admin panel (changing a customer's plan, deleting an issue, refunding credits) are logged to an audit_events table that records who did what and when. This helps us investigate incidents and respond to data subject requests.
Lawful basis: legitimate interest in operating a secure service (Article 6(1)(f)).
We use a small number of subprocessors — companies that process data on our behalf to make Seoxpert work. We have a data processing agreement (DPA) with each of them.
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Authentication, primary database | EU |
| Vercel | Application hosting | Global edge (EU + US) |
| Stripe | Payments and invoicing | USA / Ireland |
| Brevo | Transactional and marketing email | France (EU) |
| OpenAI | Generates issue-catalog content and scan summaries | USA |
| Google Analytics | Pseudonymous traffic analytics — consented only | USA |
For subprocessors based outside the EEA (Stripe, OpenAI, Google), transfers are protected by the European Commission's Standard Contractual Clauses, plus supplementary measures where applicable. Stripe and Google are also certified under the EU–US Data Privacy Framework.
We do not sell your data, and we do not share it with anyone else for marketing purposes. We may disclose data when legally required (court order, subpoena), to enforce our terms, or to protect the rights and safety of our users.
If you ask us to erase your data sooner, we will — except where retention is legally required (the seven-year invoice records cannot be deleted before they expire under Danish law).
The GDPR gives you a set of rights over your personal data. Here is what each one means in plain English and how to use it with Seoxpert.
You can request a copy of every piece of personal data we hold about you. The dashboard already gives you most of it (account details, scan history, invoices). For anything not visible in the UI, email support@seoxpert.io and we will return a structured export within 30 days.
You can update your email and communication preferences from the dashboard. For anything else, contact privacy@.
You can ask us to delete your account and the personal data tied to it. We honour these within 30 days. The exception is invoice records — Danish accounting law requires seven-year retention regardless of an erasure request — but those are the only retained records and they contain no scan content.
You can export your scans as PDF or CSV from the dashboard at any time. For a full account export in JSON, email privacy@.
You can ask us to pause processing of your data while a dispute is resolved, or to stop processing based on legitimate interest. Email privacy@.
If we are processing data on the basis of consent (analytics cookies, marketing emails), you can withdraw at any time. Use the "Manage cookies" link in the footer for cookie consent, or the marketing toggle in your dashboard settings for emails.
If you believe we are mishandling your data, you have the right to complain to the Danish Data Protection Authority (Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby — datatilsynet.dk). We'd appreciate a chance to address your concern first via privacy@.
We take security seriously. Specifically:
If a breach affects your personal data, we will notify you and Datatilsynet within 72 hours of becoming aware, as required by GDPR Article 33.
Some of our subprocessors (Stripe, OpenAI, Google Analytics) operate from the United States. Transfers of personal data outside the EEA are protected by the European Commission's Standard Contractual Clauses (2021/914) and, where relevant, certification under the EU–US Data Privacy Framework. We have evaluated the safeguards each subprocessor offers and concluded they meet the equivalence standard required by Schrems II.
Seoxpert is a B2B tool intended for site owners, marketers, and developers. The service is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe we have done so, contact privacy@ and we will delete it.
We do not use automated decision-making with legal or similarly significant effects under GDPR Article 22. Some of our scan output is generated by AI models — these produce informational findings, not automated decisions about you.
We will publish material changes to this policy on this page and notify active customers by email (transactional, regardless of marketing consent) at least 14 days before they take effect. Older versions are archived on request via privacy@.
For anything privacy-related or security-related, contact support@seoxpert.io.
Cloud Ninja Consulting ApS · CVR 46044118 · VAT DK46044118 · Denmark.