Privacy Policy
Last updated: February 25, 2026
SEO Score API ("we", "us", "our") respects your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.
1. Data We Collect
| Data | Purpose | Retention |
| --- | --- | --- |
| Email address | Account creation, API key delivery, service communications | Until account deletion |
| API key (hashed) | Authentication — we store only a SHA-256 hash, not the raw key | Until account deletion |
| URLs audited | Usage tracking and rate limiting | 90 days |
| Request timestamps | Usage tracking and rate limiting | 90 days |
| IP address | Rate limiting and abuse prevention (via nginx logs) | 14 days |
| Payment information | Subscription billing — processed and stored exclusively by Stripe | Per Stripe's policy |
2. Data We Do NOT Collect
- We do not use cookies or tracking pixels on our website.
- We do not use analytics services (no Google Analytics, no Facebook Pixel).
- We do not collect personal data from the websites you audit.
- We do not store the content of audited pages — only the URL and the generated score.
- We do not store payment card numbers or bank details (Stripe handles all payment data).
3. How We Use Your Data
- To provide the Service: Your email identifies your account. Your API key authenticates requests. URLs are logged for usage tracking.
- To enforce limits: Usage data ensures fair access per your subscription tier.
- To communicate: We may email you about service changes, security issues, or billing. We will never send marketing emails without consent.
- To improve the Service: Aggregate, anonymized usage patterns may inform product decisions.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data under the following legal bases:
- Contract performance: Processing your email and usage data is necessary to provide the Service you signed up for (Article 6(1)(b) GDPR).
- Legitimate interest: Rate limiting, abuse prevention, and service security (Article 6(1)(f) GDPR).
- Consent: Where required by law, such as for optional marketing communications (Article 6(1)(a) GDPR).
5. Data Sharing
We do not sell, rent, or trade your personal data. We share data only with:
- Stripe: Payment processing. Stripe's privacy policy: stripe.com/privacy
- Law enforcement: Only when required by valid legal process (subpoena, court order).
We do not use sub-processors for data analytics, advertising, or marketing.
6. International Data Transfers
Our servers are located in the United States (AWS). If you are accessing the Service from the EEA, UK, or other regions with data transfer restrictions:
- Your data is transferred to the US under Standard Contractual Clauses (SCCs) as recognized by the European Commission.
- We apply equivalent safeguards regardless of where your data originates.
7. Your Rights
All Users
- Access: Request a copy of all data we hold about you.
- Deletion: Request deletion of your account and associated data.
- Correction: Request correction of inaccurate data.
EEA/UK Users (GDPR)
- Portability: Receive your data in a machine-readable format.
- Restriction: Request restriction of processing.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
- Lodge a complaint: File a complaint with your local data protection authority.
California Residents (CCPA/CPRA)
- Right to know: What personal information we collect and how we use it.
- Right to delete: Request deletion of your personal information.
- Right to opt-out: We do not sell personal information. No opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising your rights.
To exercise any of these rights, email: privacy@seoscoreapi.com. We will respond within 30 days (or sooner as required by applicable law).
8. Data Security
- API keys are stored as SHA-256 hashes — even we cannot see your raw key.
- All traffic is encrypted via TLS 1.2+ (HTTPS).
- Server access is restricted to SSH key authentication only.
- We follow the principle of minimal data collection.
9. Data Retention
- Account data (email, key hash): Retained until you request deletion.
- Usage logs (URLs, timestamps): Retained for 90 days, then automatically purged.
- Server logs (IP addresses): Retained for 14 days.
- Payment data: Managed by Stripe per their retention policy.
10. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top indicates the latest revision.
12. Contact
For privacy-related inquiries:
- Email: privacy@seoscoreapi.com
- For GDPR inquiries, our data controller is the operator of SEO Score API.