
Privacy Policy

Last updated: 7 May 2026

1. Who we are (Data Controller)

pSEOpage (“we”, “us”, the “Operator”) operates the website https://pseopage.com and the related Service. We act as the Data Controller for personal data we collect about you in relation to the Service. For any privacy-related question or request, contact us at hello@pseopage.com.

2. What data we collect

2.1 Data you provide directly

  • Account data: name, email address, hashed password (or Google OAuth identifier), password-reset tokens.
  • Two-factor authentication: if enabled, an encrypted TOTP secret and recovery codes.
  • Campaign data: URLs you submit for scanning or scraping, brand and audience info, keywords, generated drafts, exports.
  • Free scan submissions: the URL you submit and the resulting scan output, even if you don’t register.
  • Waitlist submissions: historical email addresses entered before public launch (may be deleted by user request).
  • Support communications: emails you send to hello@pseopage.com and content of chat or in-app messages.

2.2 Billing data (handled by Paddle)

Subscription and one-time payments are processed by Paddle.com Inc. as Merchant of Record. We do not receive or store full payment-card details. Paddle returns to us limited billing metadata: customer ID, subscription IDs, transaction IDs, price IDs, last 4 digits of the card, billing country, and invoice numbers. Paddle’s privacy policy: paddle.com/legal/privacy.

2.3 Data collected automatically

  • Server logs: IP address, user-agent, request URL, status code, timing — kept for up to 30 days for security and abuse prevention.
  • Analytics: aggregated usage events (page views, button clicks, scan starts/completions, signups, lifetime purchases).
  • Cookies and local storage: a session cookie (required for login), a CSRF token (required for security), and analytics cookies described below.
  • Email engagement: opens and link clicks for transactional and product emails, used to detect deliverability issues.

3. Why we use your data (legal basis)

We process personal data for the following purposes and on the following GDPR legal bases:

| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Provide the Service (account, generation, exports) | Contract performance (Art. 6(1)(b)) |
| Billing and invoicing (via Paddle) | Contract performance and legal obligation (Art. 6(1)(b)(c)) |
| Customer support | Contract performance and legitimate interest (Art. 6(1)(b)(f)) |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Product analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails to existing customers | Legitimate interest (Art. 6(1)(f)) with opt-out |
| Legal compliance (tax, accounting, requests by authorities) | Legal obligation (Art. 6(1)(c)) |

4. Sub-processors (third parties that process data on our behalf)

  • Paddle.com Inc. (USA / UK) — payments, invoicing, tax, refunds. Acts as Merchant of Record.
  • OpenRouter / LLM providers (USA, EU) — AI text generation. Inputs you submit (focus keywords, brand info, scrape excerpts) are sent to model providers to produce SEO drafts. We avoid sending personal data of your customers in this flow.
  • Mailgun / transactional email provider — delivery of transactional and product emails.
  • Google Analytics 4 (Google LLC) — aggregated traffic and conversion analytics on the public landing pages.
  • Microsoft Clarity (Microsoft Corporation) — heatmaps and anonymous session replays on public landing pages, used to improve UX.
  • Datafast — alternative privacy-friendly analytics for the public landing pages.
  • Hosting provider — application hosting, database, storage and queue infrastructure.
  • Cloudflare (where applicable) — DNS, CDN and DDoS protection.

We have appropriate safeguards in place with each sub-processor (DPA, Standard Contractual Clauses for international transfers). The current list may evolve; the up-to-date version is always available on this page.

5. International data transfers

Some of our sub-processors are based outside the European Economic Area (notably the USA). Where applicable we rely on the Standard Contractual Clauses approved by the European Commission and on adequacy decisions (e.g. EU-US Data Privacy Framework) to provide an adequate level of protection.

6. How long we keep your data

  • Account data: for as long as your account exists, plus up to 90 days after deletion for backups.
  • Billing records: kept by Paddle and by us for 5 years (or longer where required by tax law).
  • Generated campaigns and exports: until you delete them or close your account.
  • Free scans without an account: up to 30 days, then automatically purged.
  • Server logs: up to 30 days unless required for security investigations.
  • Marketing emails: until you unsubscribe.

7. Your rights

If you are based in the EEA, UK or Switzerland, you have the following rights under GDPR:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — correct inaccurate data.
  • Right to erasure (“right to be forgotten”) — request deletion, subject to legal retention obligations.
  • Right to restriction — limit processing in specific cases.
  • Right to data portability — export your data in a structured format.
  • Right to object — object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent at any time, where processing is based on consent.
  • Right to lodge a complaint with a data protection authority (in Poland: Urząd Ochrony Danych Osobowych, uodo.gov.pl).

If you are a California resident, you have rights under the CCPA/CPRA, including the right to know, delete, correct and opt out of “sale” or “sharing” of personal information. We do not sell personal information.

To exercise any of these rights, email hello@pseopage.com from the address associated with your account. We will respond within 30 days.

8. Cookies and tracking

We use the following categories of cookies and similar technologies:

  • Strictly necessary: session cookie, CSRF token, login state. These are required for the Service to function and cannot be disabled.
  • Analytics: Google Analytics 4, Microsoft Clarity, Datafast — used in aggregate form to understand product usage. You can block these via your browser settings or a privacy extension.
  • Functional: remembering UI preferences (e.g. dark mode, dismissed banners).

We do not use cross-site advertising cookies.

9. Security

We apply industry-standard technical and organisational measures: HTTPS everywhere, hashed passwords (bcrypt), rate limiting, encrypted secrets at rest, access controls, automated dependency scanning and least-privilege deployment. Despite our efforts, no system can be 100% secure. If a breach occurs and personal data is at risk, we will notify affected users and the relevant authorities in accordance with applicable law.

10. Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@pseopage.com and we will delete it.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or via in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the current version.

12. Contact

Privacy questions or rights requests: hello@pseopage.com.
