Privacy Policy
Effective date: 17 May 2026
1. Who we are
SeoSwift ("we", "our", "us") is an SEO metadata monitoring service operated at seoswift.io. We are established in the European Union and our primary data infrastructure is hosted in Finland, EU. This policy applies to all users of the service.
Contact: hello@seoswift.io
2. Our role — controller and processor
SeoSwift acts in two distinct roles depending on the data being processed:
Data Controller
For account data (your name, email, billing information), SeoSwift is the Controller — we determine why and how this data is processed.
Data Processor
For website metadata crawled on your behalf, you (the agency) are the Controller and SeoSwift is the Processor — we act on your instructions. This relationship is governed by our Data Processing Agreement (DPA), which is incorporated into your subscription by reference.
3. Data we collect
Account data
Name and email address collected at sign-up. Passwords are hashed using bcrypt and stored in our own database — authentication is self-hosted and no third-party authentication provider has access to your credentials.
Site and crawl data
URLs you add to your account and the metadata extracted from crawling them: page titles, meta descriptions, H1 headings, canonical tags, robots directives, Open Graph tags, structured data (JSON-LD), HTTP status codes, and internal link structure. Raw page HTML is never stored — only extracted metadata fields.
Google Search Console data (optional)
If you connect a Google Search Console property, we request the read-only scope https://www.googleapis.com/auth/webmasters.readonly. We retrieve weekly click and impression counts per URL solely to calculate traffic-weighted health scores within your account. OAuth tokens are encrypted at rest. You can disconnect GSC at any time from site settings — all tokens and synced data are deleted immediately.
Billing data
Payment details are processed and stored by Stripe. We receive only a subscription status and customer reference — no card numbers or bank details are held by SeoSwift.
Usage and audit data
We log actions taken within your account (sites added, settings changed, crawls triggered) for security and support purposes. Server access logs are retained for 90 days.
4. Legal bases for processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Art. 6(1)(b) — performance of contract |
| Website crawling and metadata storage | Art. 6(1)(b) — performance of contract |
| Sending change alert emails and digests | Art. 6(1)(b) — performance of contract |
| Subscription billing via Stripe | Art. 6(1)(b) — performance of contract |
| GSC OAuth token storage and data sync | Art. 6(1)(b) — performance of contract (explicit user action required) |
| Security logging and audit events | Art. 6(1)(f) — legitimate interests (fraud prevention, security) |
| Billing record retention | Art. 6(1)(c) — legal obligation (tax and accounting law) |
| Support communication | Art. 6(1)(f) — legitimate interests (customer support) |
5. How we use your data
- To provide and operate the SeoSwift service
- To send change alert emails and daily digest notifications you have enabled
- To calculate health scores and traffic-weighted metrics
- To process subscription billing via Stripe
- To respond to support requests
- To detect and prevent abuse or security incidents
We do not sell your data. We do not use your data to train machine learning models. We do not use your site crawl data for any purpose beyond delivering the service to your account.
6. Sub-processors and international transfers
Our primary infrastructure is hosted in the EU (Finland). Some sub-processors are located in the United States. Transfers to US sub-processors are made under EU Standard Contractual Clauses (SCCs) or other lawful mechanisms as indicated below.
| Sub-processor | Country | Purpose | Transfer basis |
|---|---|---|---|
| Hetzner Online GmbH | Germany / Finland (EU) | VPS hosting, database, infrastructure | EU — no transfer |
| Cloudflare Inc. | USA / EU | DNS, CDN, DDoS protection | SCCs + Cloudflare DPA |
| MailerSend (UAB MailerLite) | Lithuania (EU) | Transactional email delivery | EU — no transfer |
| Stripe Inc. | USA / Ireland (EU) | Subscription billing | EU entity + Stripe DPA |
| Google LLC | USA / EU | CrUX API, GSC API (when connected) | EU adequacy + Google DPA |
| Anthropic PBC | USA | AI recommendations (anonymised data only — no personal data) | No personal data transferred |
| Better Stack s.r.o. | Czech Republic (EU) | Uptime monitoring (pings public health endpoint only) | EU — no transfer |
7. Data retention
| Data type | Retention |
|---|---|
| Crawled page metadata | 30 days |
| Change history and health scores | Until account deletion |
| GSC click/impression data | Until GSC disconnected or account deleted |
| Audit and crawl event logs | 90 days |
| Account and billing records | Duration of subscription + 7 years (legal requirement) |
8. Your rights (GDPR)
As a data subject under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of personal data we hold about you
- Rectification (Art. 16): Request correction of inaccurate data
- Erasure (Art. 17): Request deletion of your account and associated data
- Portability (Art. 20): Request your data in a machine-readable format
- Restriction (Art. 18): Request we restrict processing while a dispute is resolved
- Objection (Art. 21): Object to processing based on legitimate interests
- Withdraw GSC consent: Disconnect GSC at any time from site settings — tokens and data deleted immediately
To exercise any right, email hello@seoswift.io. We will respond within 30 days. You also have the right to lodge a complaint with your local Supervisory Authority. SeoSwift's lead supervisory authority is the Data State Inspectorate of Latvia (dvi.gov.lv).
9. Security
All data is transmitted over HTTPS (TLS 1.2+). OAuth tokens are encrypted at rest using AES-128-CBC (Fernet). Passwords are hashed using bcrypt. Database access is restricted to the application server. Row-level security ensures each agency can only access their own data. Authentication is self-hosted using HS256 session tokens; no third-party authentication provider processes your credentials.
10. Cookies
We use only functional cookies required to operate the service: a session cookie set by our authentication system to keep you signed in. We do not use advertising or tracking cookies.
11. Business customers (DPA)
If you use SeoSwift to process data on behalf of your own clients, a Data Processing Agreement is in place between you (Controller) and SeoSwift (Processor), incorporated by reference into your subscription. The DPA governs all processing carried out on your behalf and includes the sub-processor list, security measures, breach notification obligations, and your rights to audit.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email at least 30 days before taking effect. The effective date at the top of this page always reflects the latest version.
13. Contact
Questions about this policy or our data practices: hello@seoswift.io