Effective date: January 1, 2026 · Last updated: May 1, 2026
This Privacy Policy explains how AI Auto SEO ("we", "our", "us") handles personal and operational data when you use our website at aiautoseo.com and our application at app.aiautoseo.com (together, the "Service"). By using the Service you agree to the practices described here.
1. Data we collect
1.1 Account data
- Email address, hashed password, and (optionally) full name, company, phone, country, timezone, avatar URL, and short bio.
- Account role (member or admin), email verification status, and lockout state.
- Authentication session cookies (signed, server-side only).
1.2 Project & store data
- Store URLs, locale, brand voice profile, central topic, and any custom configuration you enter into a project.
- Shopify and WooCommerce API credentials you provide to enable store push (encrypted at rest).
- Pipeline output: competitor analyses, topical maps, keyword clusters, site architectures, content briefs, execution logs and reports.
1.3 Google OAuth data
When you connect Google Search Console using the in-app "Connect Google" button, Google issues us OAuth access and refresh tokens scoped only to the webmasters.readonly permission and your basic profile email. We use those tokens exclusively to:
- List the GSC properties you have access to so you can pick one;
- Read clicks, impressions, queries and pages for the property you select;
- Display GSC analytics inside your dashboard and trigger regeneration of underperforming pages.
We never use Google user data for advertising, never share it with third parties, and never use it to train models. You can disconnect at any time from the project's onboarding screen, which immediately deletes the stored tokens. You can also revoke us from your Google account permissions page.
1.4 Bring-your-own LLM keys
If you choose to provide your own OpenAI, Anthropic or other LLM provider API keys, those keys are stored encrypted, isolated per user, and used only on your behalf for your projects. We never reuse them across customers.
1.5 Usage and technical data
- Standard server logs: IP address, user agent, request timestamps, URL paths, response codes.
- Pipeline run metadata: stage timings, success/failure status, error traces.
- Aggregate, anonymised product analytics (page views, feature engagement) used to improve the Service.
1.6 Cookies
We use cookies for two purposes only:
- Session cookies — required to keep you signed in. These are HTTP-only, secure (in production), and signed with a server secret.
- Preference cookies — remember your theme, last selected project and similar UI choices.
We do not use third-party advertising cookies or cross-site trackers.
2. How we use data
- To operate the pipeline and produce the SEO outputs you request.
- To authenticate you and protect your account.
- To bill you, send transactional emails and support correspondence.
- To monitor performance, debug issues and improve the Service.
- To comply with legal obligations.
We do not sell your personal data. We do not use your project content, store data or Google data to train any machine learning model.
3. Third-party processors
We share data only with vendors strictly necessary to run the Service. Each is bound by contract to comparable confidentiality and security standards:
- Cloud hosting (e.g. AWS / Hetzner / Vercel) — application + database infrastructure.
- Payment processor (e.g. Stripe) — billing and subscription management.
- Transactional email service (e.g. Postmark / Resend) — verification and account emails.
- LLM providers (OpenAI, Anthropic, etc.) — generation requests for content briefs and execution. We send only the minimum context required and instruct providers not to retain data for training.
- Google APIs — only when you have explicitly connected GSC.
- Shopify / WooCommerce — only on stores you have connected, only to push content you have approved.
4. Data retention
- Active accounts: retained for the lifetime of the account.
- Cancelled accounts: data is retained for 30 days for re-activation, then deleted.
- Server logs: 30 days, then rolled off.
- Contact form submissions: 24 months.
- Backups: encrypted snapshots retained up to 30 days.
5. Security
- Passwords are hashed using a memory-hard scrypt KDF — we never see your plaintext password.
- Sensitive credentials (LLM keys, store API tokens, OAuth tokens) are encrypted at rest.
- All traffic is served over TLS in production.
- Per-user data isolation is enforced at the application boundary on every request.
- Access to production systems is limited to a small set of named engineers and audited.
6. Your rights
Depending on your jurisdiction (EU/UK GDPR, California CCPA, etc.) you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data.
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent (e.g. revoke Google OAuth) at any time.
To exercise any of these rights, email privacy@aiautoseo.com.
7. International transfers
If you access the Service from outside our hosting region, you consent to the transfer of your data to and storage in that region. We use standard contractual clauses where required.
8. Children
The Service is not intended for users under 16. We do not knowingly collect data from children.
9. Changes to this policy
We may update this Policy from time to time. Material changes will be announced by email and on the dashboard at least 14 days before they take effect.
10. Contact
Questions about privacy? Email privacy@aiautoseo.com or use the contact form.