1. Who we are
Smart SEO Audit is a Swiss-hosted SEO auditing platform operated from Switzerland. We are the data controller for all personal data processed through our website and application at smartseoaudit.com.
You can reach us at any time at [email protected] for anything related to this policy, your data, or your rights.
2. What we collect
We collect only the data we need to provide the service. Nothing we collect is optional padding to "improve the experience" — if it's listed here, it's because the service genuinely needs it.
Data you give us directly
| Type of data | When we collect it |
|---|---|
| Email address | When you create an account or subscribe to updates |
| Name (optional) | On your profile, if you choose to provide it |
| Password (hashed, never stored in plain text) | When you create an account |
| Payment details | When you subscribe to a paid plan (handled by Stripe — we never see your card number) |
| Billing information | Company name, address, VAT ID — for invoices |
| Support conversations | When you email us or use the in-app contact form |
| URLs you audit | Every URL, sitemap or HTML snippet you submit for auditing |
Data we collect automatically
| Type of data | Why |
|---|---|
| IP address | For security (abuse detection, rate limiting) and approximate country detection for currency/language |
| Browser & device info | For compatibility debugging and basic security |
| Usage logs | Which audits were run, when, and whether they succeeded — to debug issues and measure service health |
| Access times & pages visited | Captured anonymously via our privacy-first analytics (see Cookies) |
What we do NOT collect
- We do not use third-party advertising trackers, retargeting pixels, or social media trackers
- We do not collect data for ad personalisation — we don't run ads
- We do not track you across the web
- We do not fingerprint your device or browser
- We do not sell, rent or trade any of the data we collect
3. Why we collect it
Every piece of data we collect has a specific, listed purpose:
- To provide the service — running your audits, showing your history, delivering reports
- To charge you — processing subscriptions, generating invoices, handling refunds
- To keep the service running — detecting abuse, preventing fraud, debugging issues
- To communicate with you — product updates, security notices, support responses
- To comply with legal obligations — keeping records of transactions, responding to lawful requests
4. Legal basis for processing
Under GDPR Article 6, we rely on the following legal bases:
- Contract performance — for everything required to deliver the service you signed up for (your audits, your account, your reports)
- Legitimate interest — for security, abuse prevention, and improving the service based on aggregated usage patterns
- Legal obligation — for tax records, accounting, responding to lawful requests
- Consent — for anything optional, such as marketing emails (you can withdraw consent at any time)
5. Where your data is stored
All application data — your account, your audits, your audit history, your reports — is stored on servers physically located in Switzerland. The servers are operated by Hostpoint, one of Switzerland's largest and most established hosting providers, with data centres in Rapperswil-Jona (SG) and Zurich. All data remains within Swiss jurisdiction and is not transferred to third countries.
We do not replicate your data to US, EU or any other non-Swiss regions — not for backups, not for performance, not for analytics.
Exceptions: where data leaves Switzerland
There are a small number of specific, necessary cases where certain data is processed outside Switzerland. We list each one explicitly:
Payment processing (Stripe)
When you subscribe to a paid plan, your payment details are processed by Stripe Payments Europe, Ltd. (based in Ireland). We never see or store your full card number — Stripe handles it on its own infrastructure, which is PCI-DSS Level 1 compliant. Stripe's data processing is covered by Standard Contractual Clauses under GDPR. See Stripe's privacy policy.
AI-powered audit insights (OpenAI)
If your plan includes AI-generated audit insights, the audit findings for that specific audit are sent to OpenAI (United States) to generate the plain-language recommendations. Specifically:
- What we send: the technical audit findings and the URL being audited
- What we do NOT send: your name, email, account ID, or any other identifying information
- OpenAI's terms: OpenAI does not use data sent via the API to train its models, and data is retained for a maximum of 30 days for abuse monitoring before being deleted. See OpenAI's API data privacy.
- Your choice: you can disable AI insights in your account settings. When disabled, nothing is ever sent to OpenAI.
If data sovereignty is critical for your use case (e.g. auditing sites containing sensitive information), we recommend disabling AI insights. The full audit functionality remains available without AI — only the plain-language recommendations are skipped.
6. Who we share your data with
We share data only with service providers who process it on our behalf ("data processors"). Each processor is bound by a Data Processing Agreement (DPA) and contractually restricted to using the data only to provide the service we contracted them for.
| Processor | Purpose | Location |
|---|---|---|
| Hostpoint | Hosting infrastructure, databases, backups | Switzerland |
| Logiwolf | Website analytics (aggregated, anonymous) | Switzerland |
| Stripe Payments Europe | Payment processing | Ireland (EU) |
| OpenAI | AI-generated audit insights (optional, can be disabled) | United States |
We do not share data with advertisers, data brokers, social media platforms, or any third party for marketing or analytics purposes. We will only share data with law enforcement in response to a valid, legally binding request under Swiss law.
7. How long we keep your data
| Data | Retention period |
|---|---|
| Account data (email, profile, settings) | Until you delete your account |
| Audit data & reports | According to your plan limits; deleted within 90 days of account deletion |
| Payment & invoice records | 10 years (Swiss accounting law requires this) |
| Support conversations | 3 years, then anonymised |
| Server & security logs | 90 days |
| Marketing email subscription | Until you unsubscribe |
When you delete your account, we remove your personal data within 90 days, except data we are legally required to retain (such as invoices, for tax purposes). Retained financial records are anonymised where possible.
8. Your rights
Under GDPR and Swiss FADP, you have the following rights over your personal data:
- Right to access — request a copy of all personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request that we delete your data
- Right to data portability — export your data in a machine-readable format (JSON or CSV)
- Right to restrict processing — temporarily limit how we use your data
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — for any processing based on consent (e.g. marketing emails)
- Right to lodge a complaint — with your national data protection authority (see below)
Most actions — exporting your data, deleting your account, unsubscribing from emails — can be done directly from your account settings in one click. For anything else, email [email protected] and we will respond within 30 days.
Lodging a complaint
If you believe we have mishandled your data, you have the right to file a complaint with a supervisory authority:
- In Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- In the EU: the data protection authority in your country of residence (full list at edpb.europa.eu)
We would, of course, rather you contact us first so we can resolve the issue directly.
9. Cookies & tracking
We use the minimum necessary cookies. No third-party advertising cookies, no social media trackers, no cross-site tracking.
Essential cookies
These are required for the service to work. They can't be disabled.
- Session cookie — keeps you logged in. Cleared when you close your browser or log out.
- CSRF token — security measure to prevent cross-site request forgery.
- Consent preference — remembers whether you accepted or rejected the optional analytics.
Analytics (optional, privacy-first)
We use Logiwolf, a Swiss-hosted, privacy-first website analytics platform. It:
- Hosts all data on Swiss servers
- Does not use cookies for tracking
- Does not collect personal data
- Does not fingerprint your device
- Does not share data with any third party
Analytics data is aggregated and anonymous. We use it to understand which pages are useful and where users get stuck — not to track individuals.
10. Security
We take the security of your data seriously. Measures include:
- Encryption in transit — all connections use HTTPS with TLS 1.3
- Encryption at rest — databases and backups are encrypted
- Password hashing — passwords are hashed using bcrypt; we never store plain-text passwords
- Two-factor authentication — available on all plans for added account security
- Swiss-hosted infrastructure — our hosting provider Hostpoint operates ISO 27001–certified data centres in Switzerland
- Regular security updates — we patch the platform continuously as vulnerabilities are disclosed
- Access controls — only authorised personnel can access production systems, with logged access
No system is 100% secure. In the unlikely event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.
11. Children's data
Smart SEO Audit is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, please contact us and we will delete the account and any associated data.
12. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our service, legal requirements, or best practices. When we make a material change, we will:
- Update the "Effective" date at the top of this page
- Notify registered users by email at least 30 days before the change takes effect
- Post a prominent notice on the website for at least 14 days
The version history of this policy is available on request.
13. Contact us
For anything related to this privacy policy or your personal data:
- Email: [email protected]
- General support: [email protected]
We respond to privacy-related enquiries within 30 days, as required by GDPR. Most are resolved within a few business days.