The short version: Smart SEO Audit complies with GDPR (Regulation (EU) 2016/679) and the revised Swiss FADP. Your data is hosted in Switzerland on Hostpoint servers — a recognised adequate jurisdiction under EU law. We use four named sub-processors, all listed below. A pre-signed DPA with EU Standard Contractual Clauses is available on request. For the full operational detail, see our Privacy Policy.
01 Roles & responsibilities
Smart SEO Audit operates in two distinct roles depending on the data category:
As data controller
For account data (email, password, name, billing details) and operational data (usage logs, security logs, support correspondence), we act as data controller. We determine the purposes and means of processing this data.
As data processor
For audit data — the URLs, sitemaps, raw HTML and audit configurations you submit — we act as data processor on your behalf. You determine the purposes; we process the data solely to provide the Service to you, in accordance with the DPA.
02 Personal data we process
For the complete catalogue, see our Privacy Policy. The categories include:
- Identification data — email address, optional name, hashed password
- Billing data — billing address, country, VAT/tax ID, payment metadata (processed by Stripe — we never see card numbers)
- Service data — URLs, sitemaps, raw HTML, audit history, scheduled audit configurations
- Technical data — IP address, browser, device, approximate region, server logs
- Communication data — emails and support tickets exchanged with us
03 Legal bases for processing
Under Article 6 GDPR, we rely on the following legal bases:
- Art. 6(1)(b) GDPR — performance of the contract (running audits, account management, billing)
- Art. 6(1)(c) GDPR — legal obligations (Swiss accounting law, breach notification)
- Art. 6(1)(f) GDPR — legitimate interests (security, abuse prevention, product improvement)
- Art. 6(1)(a) GDPR — consent (marketing emails, optional analytics consent banner)
04 Your rights as a data subject
Under GDPR, you have the following rights — most of which can be exercised in one click from your account dashboard:
- Access (Art. 15) — request a copy of your data; export available from settings
- Rectification (Art. 16) — correct inaccurate data directly in your profile
- Erasure / "right to be forgotten" (Art. 17) — delete your account in one click
- Restriction (Art. 18) — limit how we process your data
- Portability (Art. 20) — export your data in JSON or CSV
- Objection (Art. 21) — object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)) — at any time, without affecting prior processing
- Lodge a complaint (Art. 77) — see "Lodging a complaint" below
Lodging a complaint
- In Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- In the EU: the data protection authority in your country of residence (full list at edpb.europa.eu)
05 Data Processing Agreement (DPA)
If you process personal data of EU/EEA data subjects through Smart SEO Audit, you may need a Data Processing Agreement under Art. 28 GDPR. We provide a pre-signed DPA that includes:
- The standard data-processing terms required under Art. 28 GDPR
- The current EU Standard Contractual Clauses (Module 2: Controller-to-Processor) for international transfers
- A list of named sub-processors with their purpose and location
- Annexes describing the technical and organisational measures (TOMs) we apply
06 Named sub-processors
We share data only with service providers who process it on our behalf. Each is bound by a written DPA. Unlike most SaaS vendors, we keep this list short — and we name each one.
| Processor | Purpose | Location |
|---|---|---|
| Hostpoint AG | Hosting infrastructure, databases, encrypted backups | Switzerland 🇨🇭 |
| Logiwolf | Privacy-first website analytics (aggregated, anonymous, cookieless) | Switzerland 🇨🇭 |
| Stripe Payments Europe, Ltd. | Payment processing for paid plans | Ireland 🇮🇪 (EU) |
| OpenAI | AI-generated audit insights — optional, can be disabled | United States 🇺🇸 |
We do not share data with advertisers, data brokers, social media platforms, or any third party for marketing or analytics purposes. We give reasonable advance notice before adding or replacing a sub-processor.
OpenAI specifics
If your plan includes AI insights, the audit findings for that specific audit are sent to OpenAI to generate plain-language recommendations. We do not send your name, email, account ID or any other identifying information — only the technical findings and the URL being audited. OpenAI does not use API data to train its models, and retains data for a maximum of 30 days for abuse monitoring before deletion. You can disable AI insights from your account settings; when disabled, nothing is ever sent to OpenAI.
07 International data transfers
Primary data storage is in Switzerland on Hostpoint servers. Switzerland is a recognised adequate jurisdiction under EU law — no SCCs are needed for transfers from the EEA to Switzerland.
Where a sub-processor is established outside Switzerland or the EEA (specifically OpenAI in the United States), we rely on appropriate safeguards under Art. 46 GDPR — primarily the EU Standard Contractual Clauses (2021/914) and supplementary measures: the data sent is non-identifying technical findings, and OpenAI's API terms restrict use to the requested purpose.
If data sovereignty is critical for your use case, you can disable AI insights and keep all your data within Switzerland (Hostpoint) and Ireland (Stripe, for payments only).
08 Security measures (TOMs)
We implement appropriate technical and organisational measures under Art. 32 GDPR. The full operational detail is on our Security page; in summary:
- Encryption in transit — TLS 1.3 on all connections
- Encryption at rest — databases and backups encrypted
- Password hashing — passwords are stored only as hashes, never in plain text
- Two-factor authentication — available on every account
- Swiss-hosted infrastructure — Hostpoint operates ISO 27001–certified data centres in Rapperswil-Jona and Zurich
- Access controls — only authorised personnel with logged access
- Continuous patching — vulnerabilities are addressed as disclosed
09 Breach notification
If a personal data breach occurs, we will notify the relevant supervisory authority within 72 hours as required by Art. 33 GDPR. Affected data subjects (or controllers, when we act as processor) are notified without undue delay where the breach is likely to result in a high risk to rights and freedoms (Art. 34 GDPR).
10 DPO & contact
For all GDPR matters:
- Privacy team: [email protected]
- DPA requests: [email protected] (subject: "DPA request")
- General support: [email protected]
We respond to GDPR enquiries within 30 days. Most are resolved within a few business days.
Smart SEO Audit · Switzerland 🇨🇭