Privacy Policy

Effective date: 17 May 2026

1. Who we are

SeoSwift ("we", "our", "us") is an SEO metadata monitoring service operated at seoswift.io. We are established in the European Union and our primary data infrastructure is hosted in Finland, EU. This policy applies to all users of the service.

Contact: hello@seoswift.io

2. Our role — controller and processor

SeoSwift acts in two distinct roles depending on the data being processed:

Data Controller

For account data (your name, email, billing information), SeoSwift is the Controller — we determine why and how this data is processed.

Data Processor

For website metadata crawled on your behalf, you (the agency) are the Controller and SeoSwift is the Processor — we act on your instructions. This relationship is governed by our Data Processing Agreement (DPA), which is incorporated into your subscription by reference.

3. Data we collect

Account data

Name and email address collected at sign-up. Passwords are hashed using bcrypt and stored in our own database — authentication is self-hosted and no third-party authentication provider has access to your credentials.

Site and crawl data

URLs you add to your account and the metadata extracted from crawling them: page titles, meta descriptions, H1 headings, canonical tags, robots directives, Open Graph tags, structured data (JSON-LD), HTTP status codes, and internal link structure. Raw page HTML is never stored — only extracted metadata fields.

Google Search Console data (optional)

If you connect a Google Search Console property, we request the read-only scope https://www.googleapis.com/auth/webmasters.readonly. We retrieve weekly click and impression counts per URL solely to calculate traffic-weighted health scores within your account. OAuth tokens are encrypted at rest. You can disconnect GSC at any time from site settings — all tokens and synced data are deleted immediately.

Billing data

Payment details are processed and stored by Stripe. We receive only a subscription status and customer reference — no card numbers or bank details are held by SeoSwift.

Usage and audit data

We log actions taken within your account (sites added, settings changed, crawls triggered) for security and support purposes. Server access logs are retained for 90 days.

4. Legal bases for processing (GDPR Art. 6)

Processing activityLegal basis
Account creation and managementArt. 6(1)(b) — performance of contract
Website crawling and metadata storageArt. 6(1)(b) — performance of contract
Sending change alert emails and digestsArt. 6(1)(b) — performance of contract
Subscription billing via StripeArt. 6(1)(b) — performance of contract
GSC OAuth token storage and data syncArt. 6(1)(b) — performance of contract (explicit user action required)
Security logging and audit eventsArt. 6(1)(f) — legitimate interests (fraud prevention, security)
Billing record retentionArt. 6(1)(c) — legal obligation (tax and accounting law)
Support communicationArt. 6(1)(f) — legitimate interests (customer support)

5. How we use your data

  • To provide and operate the SeoSwift service
  • To send change alert emails and daily digest notifications you have enabled
  • To calculate health scores and traffic-weighted metrics
  • To process subscription billing via Stripe
  • To respond to support requests
  • To detect and prevent abuse or security incidents

We do not sell your data. We do not use your data to train machine learning models. We do not use your site crawl data for any purpose beyond delivering the service to your account.

6. Sub-processors and international transfers

Our primary infrastructure is hosted in the EU (Finland). Some sub-processors are located in the United States. Transfers to US sub-processors are made under EU Standard Contractual Clauses (SCCs) or other lawful mechanisms as indicated below.

Sub-processorCountryPurposeTransfer basis
Hetzner Online GmbHGermany / Finland (EU)VPS hosting, database, infrastructureEU — no transfer
Cloudflare Inc.USA / EUDNS, CDN, DDoS protectionSCCs + Cloudflare DPA
MailerSend (UAB MailerLite)Lithuania (EU)Transactional email deliveryEU — no transfer
Stripe Inc.USA / Ireland (EU)Subscription billingEU entity + Stripe DPA
Google LLCUSA / EUCrUX API, GSC API (when connected)EU adequacy + Google DPA
Anthropic PBCUSAAI recommendations (anonymised data only — no personal data)No personal data transferred
Better Stack s.r.o.Czech Republic (EU)Uptime monitoring (pings public health endpoint only)EU — no transfer

7. Data retention

Data typeRetention
Crawled page metadata30 days
Change history and health scoresUntil account deletion
GSC click/impression dataUntil GSC disconnected or account deleted
Audit and crawl event logs90 days
Account and billing recordsDuration of subscription + 7 years (legal requirement)

8. Your rights (GDPR)

As a data subject under GDPR, you have the following rights:

  • Access (Art. 15): Request a copy of personal data we hold about you
  • Rectification (Art. 16): Request correction of inaccurate data
  • Erasure (Art. 17): Request deletion of your account and associated data
  • Portability (Art. 20): Request your data in a machine-readable format
  • Restriction (Art. 18): Request we restrict processing while a dispute is resolved
  • Objection (Art. 21): Object to processing based on legitimate interests
  • Withdraw GSC consent: Disconnect GSC at any time from site settings — tokens and data deleted immediately

To exercise any right, email hello@seoswift.io. We will respond within 30 days. You also have the right to lodge a complaint with your local Supervisory Authority. SeoSwift's lead supervisory authority is the Data State Inspectorate of Latvia (dvi.gov.lv).

9. Security

All data is transmitted over HTTPS (TLS 1.2+). OAuth tokens are encrypted at rest using AES-128-CBC (Fernet). Passwords are hashed using bcrypt. Database access is restricted to the application server. Row-level security ensures each agency can only access their own data. Authentication is self-hosted using HS256 session tokens; no third-party authentication provider processes your credentials.

10. Cookies

We use only functional cookies required to operate the service: a session cookie set by our authentication system to keep you signed in. We do not use advertising or tracking cookies.

11. Business customers (DPA)

If you use SeoSwift to process data on behalf of your own clients, a Data Processing Agreement is in place between you (Controller) and SeoSwift (Processor), incorporated by reference into your subscription. The DPA governs all processing carried out on your behalf and includes the sub-processor list, security measures, breach notification obligations, and your rights to audit.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email at least 30 days before taking effect. The effective date at the top of this page always reflects the latest version.

13. Contact

Questions about this policy or our data practices: hello@seoswift.io