Privacy policy
Last updated: May 2026 · Effective immediately on publication.
This policy explains what personal data Seoxpert collects, why we collect it, how long we keep it, and how you can exercise the rights the GDPR gives you. It covers the website at seoxpert.io, the dashboard, and the API.
1. Who is responsible for your data
The data controller for everything described here is Cloud Ninja Consulting ApS, a Danish company registered as CVR 46044118 (VAT DK46044118). Operational details and the legal address are listed on the imprint page.
For privacy questions, data subject access requests, or to exercise any of the rights below, contact us at support@seoxpert.io. We aim to reply within five business days and to resolve substantive requests within one month of receipt, as GDPR Article 12(3) requires (the Article allows an extension of up to two further months for complex or numerous requests; if we ever need one, we will tell you why within the first month).
2. What we collect and why
2.1 Account data
When you sign up we store your email address. Authentication and password hashing are handled by Supabase on our behalf — we never see your plaintext password. We also store a marketing-communication preference flag (off by default), the date of account creation, and the workspace memberships you belong to.
Lawful basis: performance of our contract with you (GDPR Article 6(1)(b)). We can't provide a personal account without an account identifier.
2.2 Scans you run
For every scan, we store the URL you submitted, the time it ran, the crawl results (HTML metadata, response headers, Core Web Vitals, security findings), the issues we surface, and any reports you generate. We also store a counter showing how many scans you have remaining on your plan.
Scan inputs and outputs are linked to your account so the dashboard can show your history. We do not crawl your site beyond the URLs you submit, and we do not collect data from people visiting your site — we collect publicly accessible HTML the same way Googlebot does.
Lawful basis: performance of our contract (Article 6(1)(b)).
2.3 Billing data
If you purchase a plan, our payment processor Stripe handles your card details directly. We never see, store, or transmit your card number, CVC, or expiry — those go straight to Stripe. We store a Stripe customer reference, the plan you purchased, the billing cycle, the invoice status, and the timestamp of each successful charge.
Lawful basis: performance of our contract (Article 6(1)(b)) and compliance with Danish accounting law for the seven-year retention of invoice records (Article 6(1)(c)).
2.4 Cookies and analytics
We set a small number of strictly necessary cookies (session, consent state) without asking for consent; they are required for the service to function. Anything else (analytics, marketing) requires your explicit opt-in via the cookie banner. The full inventory is listed on the cookies page.
If you accept analytics, we send pseudonymous usage data to Google Analytics 4 to understand which pages people read and which features they use. If you decline, no analytics scripts are loaded at all.
Every consent action (accept, reject, or change) is logged to our consent_events table with a timestamp and a one-way hashed IP. The hash uses a salt that rotates daily, so a stored hash cannot be matched back to an address and is only comparable with hashes from the same day; we use it solely to detect duplicate consent submissions. This log is the record that lets us demonstrate that consent was given, as GDPR Article 7(1) requires.
Lawful basis: consent (Article 6(1)(a)) for non-essential cookies; legitimate interest (Article 6(1)(f)) for the consent log itself, which protects both you and us.
2.5 Customer support and communications
If you email us or open a support thread, we keep the message and our reply for as long as needed to resolve the issue, plus a year for reference in case you come back with a related question.
Transactional emails — receipts, scan-completion summaries, security notices, password resets — are sent regardless of marketing consent because they are necessary to operate the service. Marketing emails (product updates, tips, occasional offers) are sent only if you have explicitly opted in, and you can revoke consent any time from the dashboard or by clicking unsubscribe in the email.
Lawful basis: contract for transactional emails (Article 6(1)(b)); consent for marketing emails (Markedsføringsloven §10 + GDPR Article 6(1)(a)).
2.6 Audit and security data
Sensitive actions in the admin panel (changing a customer's plan, deleting an issue, refunding credits) are logged to an audit_events table that records who did what and when. This helps us investigate incidents and respond to data subject requests.
Lawful basis: legitimate interest in operating a secure service (Article 6(1)(f)).
3. Who we share data with
We use a small number of subprocessors — companies that process data on our behalf to make Seoxpert work. We have a data processing agreement (DPA) with each of them.
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Authentication, primary database | EU |
| Vercel | Application hosting (UI + API) | Global edge (EU + US) |
| Fly.io | Scan-worker hosting (long-running background scans) | EU (Amsterdam) |
| Stripe | Payments and invoicing | USA / Ireland |
| Brevo | Transactional and marketing email + email-event analytics | France (EU) |
| OpenAI | Generates issue-catalog content and scan summaries | USA |
| Sentry | Error capture and performance monitoring (server-side only; sendDefaultPii: false — no IPs, user-agents, or cookies) | USA |
| Google (OAuth) | “Sign in with Google” — only when you choose this option | USA |
| GitHub (OAuth) | “Sign in with GitHub” — only when you choose this option | USA |
| Google Analytics | Pseudonymous traffic analytics — consented only | USA |
For subprocessors based outside the EEA (Stripe, OpenAI, Sentry, Google, GitHub), transfers are protected by the European Commission's Standard Contractual Clauses (2021/914), plus supplementary measures where applicable. Stripe, Google, and GitHub are also certified under the EU–US Data Privacy Framework. Sentry is configured server-side only with sendDefaultPii: false, so no IP addresses, user agents, or cookie identifiers cross the Atlantic in error events.
We do not sell your data, and we do not share it with anyone else for marketing purposes. We may disclose data when legally required (court order, subpoena), to enforce our terms, or to protect the rights and safety of our users.
4. How long we keep your data
- Account record: while your account is active, plus six months after closure to handle billing reconciliation and tax audits.
- Scan history: twelve months from the date of the scan. After that, scans are deleted from our primary store. You can delete individual scans from the dashboard at any time.
- Invoices and payment records: seven years, as required by Danish bookkeeping law (Bogføringsloven §10).
- Hashed IPs (consent events): consent-event hashes are kept for the lifetime of the consent record because they are the audit trail.
- Audit events (admin actions): seven years to align with bookkeeping retention.
- Customer support correspondence: as long as the issue is open, plus one year.
- Marketing email subscriber data: until you unsubscribe, then up to 30 days while we propagate the change to suppression lists.
If you ask us to erase your data sooner, we will — except where retention is legally required (the seven-year invoice records cannot be deleted before they expire under Danish law).
5. Your rights under the GDPR
The GDPR gives you a set of rights over your personal data. Here is what each one means in plain English and how to use it with Seoxpert.
5.1 Access
You can request a copy of every piece of personal data we hold about you. The dashboard already gives you most of it (account details, scan history, invoices). For anything not visible in the UI, email support@seoxpert.io and we will return a structured export within 30 days.
5.2 Rectification
You can update your email and communication preferences from the dashboard. For anything else, email support@seoxpert.io with the subject line “Privacy: rectification request”.
5.3 Erasure ("right to be forgotten")
You can ask us to delete your account and the personal data tied to it. We honour these within 30 days. The exceptions are the records Section 4 says we keep regardless: invoice records, which Danish accounting law requires us to retain for seven years, and the admin audit log described in Section 2.6, which is kept for the same period. Invoice records contain no scan content.
5.4 Portability
You can export your scans as PDF or CSV from the dashboard at any time. For a full account export in JSON, email support@seoxpert.io with the subject line “Privacy: data portability request”.
5.5 Restriction and objection
You can ask us to pause processing of your data while a dispute is resolved, or to stop processing based on legitimate interest. Email support@seoxpert.io with the subject line “Privacy: restriction request” or “Privacy: objection request”.
5.6 Withdrawing consent
If we are processing data on the basis of consent (analytics cookies, marketing emails), you can withdraw at any time. Use the "Manage cookies" link in the footer for cookie consent, or the marketing toggle in your dashboard settings for emails.
5.7 Right to complain
If you believe we are mishandling your data, you have the right to complain to the Danish Data Protection Authority (Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby — datatilsynet.dk). We'd appreciate a chance to address your concern first — email support@seoxpert.io with the subject line “Privacy: complaint”.
6. How we protect your data
We take security seriously. Specifically:
- All traffic to and from Seoxpert is encrypted with TLS. HSTS is enforced.
- Passwords are hashed using bcrypt (handled by Supabase). Plaintext passwords are never logged, stored, or transmitted in our systems.
- Card data is handled exclusively by Stripe; we never see it.
- The database is encrypted at rest by Supabase using AES-256.
- Access to production data is limited to a small number of operational staff and is logged.
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are set on every response.
- Server-side input validation, rate limits, and SSRF guards block malicious requests.
- Vulnerability disclosures can be sent to support@seoxpert.io; see /.well-known/security.txt.
If a breach affects your personal data, we will notify Datatilsynet within 72 hours of becoming aware of it, as GDPR Article 33 requires, and notify you without undue delay, as Article 34 requires.
7. International transfers
Several of our subprocessors (Stripe, OpenAI, Sentry, Google, GitHub, Google Analytics) operate from the United States. Transfers of personal data outside the EEA are protected by the European Commission's Standard Contractual Clauses (2021/914) and, where relevant, certification under the EU–US Data Privacy Framework. We have evaluated the safeguards each subprocessor offers and concluded they meet the equivalence standard required by Schrems II (CJEU C-311/18).
8. Children
Seoxpert is a B2B tool intended for site owners, marketers, and developers. The service is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe we have done so, email support@seoxpert.io and we will delete it.
9. Automated decision-making
We do not use automated decision-making with legal or similarly significant effects under GDPR Article 22. Some of our scan output is generated by AI models — these produce informational findings, not automated decisions about you.
10. Updates to this policy
We will publish material changes to this policy on this page and notify active customers by email (transactional, regardless of marketing consent) at least 14 days before they take effect. Older versions are archived on request — email support@seoxpert.io with the subject line “Privacy: archived policy request”.
11. Contact
For anything privacy-related or security-related, contact support@seoxpert.io.
Cloud Ninja Consulting ApS · CVR 46044118 · VAT DK46044118 · Denmark.