Privacy Policy

Last updated: June 1, 2026

This Privacy Policy explains how SEO Fragments(“we”, “our”, “us”) collects, uses, stores, and shares your personal data when you use our website seofragments.com, seo-fragments.vercel.app, and related Services. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

1. Information We Collect

1.1 Information you provide

• Account info: email address, name, password (hashed), Google OAuth identifier if used.
• Billing info: billing name, country, plan selected. Payment card numbers are NEVER seen by us — they are collected and stored by our payment processors (Paddle, Stripe, NowPayments).
• API keys (BYOK): if you choose to bring your own keys, they are encrypted at rest using AES-256-GCM and used only to fulfill your requests.
• Content inputs: the text, URLs, keywords, and parameters you submit to tools.
• Communications: support emails, contact form submissions.

1.2 Information collected automatically

• Usage data: which tools you use, generation timestamps, token counts (for billing & analytics).
• Device data: browser type, operating system, IP address (truncated after 24h), referring URL.
• Cookies: session cookies (essential), preference cookies (theme, sidebar state), and analytics cookies (Google Analytics 4 — anonymized).

1.3 Information we do NOT collect

• We never store full payment card numbers, CVVs, or bank account numbers.
• We do not sell your personal data to third parties.
• We do not use your inputs or outputs to train AI models without your explicit consent.

2. How We Use Your Information

• To provide, maintain, and improve the Service.
• To process payments and manage subscriptions.
• To send transactional emails (deposit receipts, plan upgrade confirmations, password resets).
• To send service updates and product announcements (you may opt out anytime).
• To detect, prevent, and respond to fraud, abuse, or security incidents.
• To comply with legal obligations.

3. Legal Bases (GDPR)

• Contract performance: to deliver the Service you purchased.
• Legitimate interests: to improve the Service, prevent fraud, and run analytics.
• Consent: for non-essential cookies and marketing emails.
• Legal obligation: for tax, accounting, and law enforcement requests.

4. Sharing Your Information

We share data only with the following categories of recipients, under strict data-processing agreements:

• Infrastructure providers: Supabase (database & auth, EU/US regions), Vercel (hosting, US/EU edge).
• Payment processors: Paddle, Stripe, NowPayments.
• AI providers: Anthropic (Claude), OpenAI (where applicable), Perplexity (where applicable). Inputs are sent to these providers to generate Outputs.
• SEO data providers: DataForSEO (for live SERP and keyword data).
• Email provider: Resend (for transactional emails).
• Analytics: Google Analytics 4 (IP anonymized, no cross-site tracking).
• Legal: if required by valid legal process or to protect our rights.

We do not sell or rent personal data to advertisers or data brokers.

5. International Transfers

Your data may be processed in the United States or other countries where our providers operate. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards for transfers out of the EEA, UK, and Switzerland.

6. Data Retention

• Active accounts: retained until you delete your account.
• Generation history: retained for 90 days (or longer if your plan offers it).
• Billing records: retained 7 years for tax and accounting compliance.
• Deleted accounts: personal data purged within 30 days; backups purged within 90 days.

7. Your Rights

Subject to applicable law, you have the right to:

• Access the data we hold about you.
• Rectify inaccurate data.
• Erase your data (right to be forgotten).
• Restrict or object to certain processing.
• Portability — export your data in a machine-readable format.
• Withdraw consent for marketing or non-essential cookies.
• Lodge a complaint with your local data-protection authority.

To exercise these rights, email privacy@seofragments.comor use the data export & delete tools in your account settings. We respond within 30 days.

8. Cookies

We use the following categories of cookies:

• Essential: session, CSRF token, auth — required to log in. Cannot be disabled.
• Functional: theme, sidebar collapse state, recent tools. Optional.
• Analytics: Google Analytics 4 (anonymized IP). You can opt out in your browser or via our cookie banner.

9. Security

• All traffic encrypted in transit via TLS 1.2+.
• Passwords hashed with bcrypt; OAuth where possible.
• BYOK API keys encrypted at rest with AES-256-GCM.
• Database row-level security (RLS) enforces per-user access.
• Regular security audits and dependency updates.
• Admin actions are logged to an immutable audit trail.

No system is 100% secure. If you suspect a security incident, email security@seofragments.com immediately.

10. Children

The Service is not directed to children under 16. We do not knowingly collect data from children.

11. Changes

We may update this policy. Material changes will be notified by email and an in-app notice. The “last updated” date at the top reflects the current version.

12. Contact

• General: hello@seofragments.com
• Privacy & DPO: privacy@seofragments.com
• Security: security@seofragments.com

See also: Terms of Service · Refund Policy · Transparency Report · Contact