Legal Document — Public

Comprehensive Privacy Policy

Effective:: April 2, 2026
Version:: 1.0
Entity:: SEO Marketing Tool Devs
Jurisdiction:: Global (GDPR, CCPA/CPRA, PIPEDA)

This Privacy Policy governs all data processed through SEOMarketingToolDevs.com, including web applications, Google Chrome extensions, APIs, and associated services. By using our services, you agree to the terms outlined below.

01 Introduction and Scope

This Comprehensive Privacy Policy (“Policy”) governs the collection, use, processing, storage, disclosure, and protection of personal data and information by SEO Marketing Tool Devs (“Company,” “we,” “us,” or “our”), operating through the website SEOMarketingToolDevs.com and all associated web applications, Google Chrome extensions, browser-based tools, application programming interfaces (APIs), mobile applications, and any other digital products or services offered by the Company (collectively, the “Services”).

This Policy applies to all individuals who access, use, or interact with our Services, including but not limited to registered users, trial users, free-tier users, enterprise clients, site visitors, beta testers, and any third parties whose data may be processed in connection with our Services (“Users,” “you,” or “your”).

By accessing or using any of our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any provision of this Policy, you must immediately discontinue use of all Services.

This Policy is designed to comply with all applicable data protection and privacy laws, including but not limited to the European Union General Data Protection Regulation (EU GDPR, Regulation 2016/679), the United Kingdom General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and all other applicable federal, state, provincial, and international privacy regulations.

02 Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed below:

Personal Data: Any information that relates to an identified or identifiable natural person, including but not limited to name, email address, IP address, device identifiers, usage data, and any other information defined as personal data, personal information, or personally identifiable information under applicable law.

Sensitive Personal Data: A subset of Personal Data that includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation data, and any other categories designated as sensitive under applicable law.

Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

Data Controller: The entity that determines the purposes and means of Processing Personal Data. With respect to data collected through our Services, the Company acts as the Data Controller.

Data Processor: An entity that processes Personal Data on behalf of the Data Controller, subject to the Controller’s instructions.

Consent: Any freely given, specific, informed, and unambiguous indication of a data subject’s wishes by which they signify agreement to the Processing of their Personal Data.

Data Subject: An identified or identifiable natural person whose Personal Data is being processed.

Third-Party Service Provider: Any external entity engaged by the Company to process data, provide infrastructure, analytics, payment processing, or other services in connection with the operation of our Services.

03 Categories of Data Collected

3.1 Data You Provide Directly

We collect information that you voluntarily provide when creating an account, configuring Services, contacting support, or otherwise interacting with our platforms:

Full legal name, display name, and username
Email address (primary and secondary)
Hashed and salted authentication credentials (passwords are never stored in plaintext)
OAuth/SSO tokens and federated identity provider metadata (e.g., Google OAuth 2.0)
Billing and invoicing details (name, address, tax identification numbers)
Communication content from support tickets, feedback forms, and surveys
User-generated content including configurations, templates, and custom settings
Professional or organizational information provided during enterprise onboarding

3.2 Data Collected Automatically

When you access or use our Services, we automatically collect the following categories of technical and usage data:

IP address (IPv4 and IPv6), geolocation data derived from IP (city/region level only)
Browser type, version, language preferences, and user agent string
Device information: operating system, screen resolution, hardware identifiers, device type
Referring URLs, landing pages, exit pages, and navigation paths within our Services
Session duration, page view counts, click patterns, scroll depth, and feature utilization metrics
Timestamps of all interactions (UTC normalized)
Error logs, crash reports, and diagnostic telemetry

3.3 Chrome Extension-Specific Data

Our Google Chrome extensions may collect additional data to provide their intended functionality:

Active tab URL and page title (only when the extension is actively invoked by the user)
Selected DOM elements or page content necessary for the extension’s specific function
Extension configuration preferences and user-defined rules
Extension performance metrics, error states, and interaction logs

We explicitly DO NOT collect the following through any extension:

Keystroke patterns, keylogging data, or typing behavior analytics
Clipboard contents or clipboard history
Screenshots, screen recordings, or visual captures of any kind
Stored passwords, API keys, authentication tokens, or other credentials
Browsing history beyond the active tab during extension invocation
Data from browser incognito/private browsing sessions

3.4 Payment Data

All payment transactions are processed exclusively through PCI DSS Level 1 compliant third-party payment processors. We do not store, process, or have access to full credit card numbers, CVV codes, or complete banking credentials. We retain only tokenized payment references, transaction identifiers, billing addresses, and invoice records necessary for accounting and dispute resolution.

04 Legal Bases for Processing

We process Personal Data under the following legal bases, as applicable under relevant jurisdiction:

Legal Basis	Description	Applicable Data
Consent Art. 6(1)(a) GDPR	Freely given, specific, informed, and unambiguous consent provided by the Data Subject	Marketing communications, optional analytics, non-essential cookies
Contractual Necessity Art. 6(1)(b) GDPR	Processing necessary for performance of a contract or pre-contractual steps	Account data, service configuration, billing information
Legitimate Interest Art. 6(1)(f) GDPR	Processing necessary for purposes of legitimate interests pursued by the Controller, balanced against data subject rights	Security monitoring, fraud prevention, product improvement, aggregated analytics
Legal Obligation Art. 6(1)(c) GDPR	Processing necessary for compliance with a legal obligation	Tax records, regulatory reporting, law enforcement requests

05 Purposes of Data Processing

5.1 Service Delivery and Operations

Provisioning, maintaining, and administering user accounts and subscriptions
Authenticating users and managing session security
Processing transactions, generating invoices, and managing billing cycles
Providing customer support, responding to inquiries, and resolving technical issues
Delivering product updates, patches, security fixes, and feature releases

5.2 Product Improvement and Development

Analyzing aggregated and anonymized usage patterns to identify feature adoption and friction points
Conducting A/B testing to optimize user experience and interface design
Training and improving machine learning models using de-identified, aggregated datasets
Identifying and prioritizing new feature development based on usage telemetry
Performing quality assurance testing and regression analysis

      IMPORTANT: When usage data is employed for product improvement, it is first subjected to a de-identification pipeline that strips all direct identifiers. Individual user behavior is never analyzed in isolation for product development purposes without explicit, separate consent.
    

5.3 Security and Fraud Prevention

Detecting, investigating, and preventing unauthorized access, fraud, abuse, and security incidents
Monitoring for anomalous activity patterns indicative of account compromise
Enforcing rate limits, API quotas, and acceptable use policies
Conducting security audits, penetration testing analysis, and vulnerability assessments

5.4 Legal and Regulatory Compliance

Maintaining records required by applicable tax, accounting, and financial regulations
Responding to lawful requests from governmental authorities and law enforcement
Establishing, exercising, or defending legal claims
Complying with data protection impact assessments and regulatory reporting requirements

5.5 Communications

Sending transactional notifications (account verification, password resets, billing confirmations)
Delivering service announcements, maintenance notices, and security alerts
Providing marketing communications only with prior explicit opt-in consent, with one-click unsubscribe functionality in every communication

06 Data Sharing and Third-Party Disclosures

We do not sell, rent, lease, or trade your Personal Data to third parties for their own marketing or commercial purposes. We share data only in the following circumstances:

6.1 Service Providers and Processors

We engage carefully vetted third-party service providers who process data on our behalf under strict contractual obligations:

Cloud infrastructure and hosting providers (compute, storage, CDN)
Payment processors and billing platforms (PCI DSS compliant)
Analytics and product intelligence platforms
Artificial intelligence and machine learning API providers (for AI-powered features)
Error monitoring, crash reporting, and application performance management tools
Email delivery and transactional messaging services
Customer relationship management (CRM) platforms

All Data Processors are bound by Data Processing Agreements (DPAs) that require them to process data only on our documented instructions, implement appropriate technical and organizational security measures, assist with data subject rights requests, notify us of data breaches without undue delay, and delete or return all Personal Data upon termination of the relationship.

6.2 AI and Machine Learning Providers

Certain features of our Services utilize third-party AI/ML APIs. When your data is transmitted to these providers for real-time processing:

Only the minimum data necessary for the specific function is transmitted
Data is transmitted over TLS 1.3 encrypted connections
We contractually prohibit these providers from using your data to train their own models
Responses are processed in-memory and not persistently stored by the third-party provider beyond the immediate API transaction
You may opt out of AI-powered features at any time through your account settings

6.3 Legal and Regulatory Disclosures

We may disclose Personal Data when we believe in good faith that disclosure is necessary to comply with applicable law, regulation, legal process, or enforceable governmental request; enforce our Terms of Service; detect, prevent, or address fraud, security, or technical issues; or protect against harm to the rights, property, or safety of the Company, our users, or the public.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction, Personal Data may be transferred as part of the transaction. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy. Any acquiring entity will be bound by this Policy with respect to previously collected data until a new privacy policy is published and consented to.

07 Data Retention Schedule

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

Data Category	Active Retention	Archive Period	Post-Deletion
Account Profile Data	Duration of active account	90 days post account deletion	Permanent cryptographic erasure
Usage Analytics & Telemetry	24 months rolling	Aggregated/anonymized after active period	Anonymized data retained indefinitely
Transaction & Billing Records	Duration of active account	7 years (tax/legal compliance)	Permanent erasure after archive
Support Communications	3 years from resolution	N/A	Permanent erasure
Security & Audit Logs	12 months	36 months (compressed, access-restricted)	Permanent erasure
Marketing Consent Records	Duration of consent + 3 years	N/A	Permanent erasure
Chrome Extension Interaction Data	12 months rolling	Aggregated/anonymized after active period	Anonymized data retained indefinitely

Upon expiration of the applicable retention period, data is either permanently deleted using cryptographic erasure methods (rendering recovery computationally infeasible) or irreversibly anonymized such that it can no longer be associated with any individual.

08 Technical and Organizational Security Measures

We implement comprehensive, defense-in-depth security measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction:

8.1 Encryption

Data in transit: TLS 1.2+ (TLS 1.3 preferred) for all external communications; mutual TLS (mTLS) for internal service-to-service communications
Data at rest: AES-256 encryption for all stored Personal Data, including database fields, file storage, and backups
Key management: Hardware Security Module (HSM)-backed key management with automatic key rotation
Credential storage: Passwords hashed using bcrypt with per-user salts and a minimum cost factor of 12

8.2 Access Controls

Role-Based Access Control (RBAC) with principle of least privilege enforcement
Multi-Factor Authentication (MFA) required for all administrative and privileged access
Automated access reviews conducted quarterly with mandatory access recertification
Privileged Access Management (PAM) with session recording for infrastructure access
IP allowlisting and VPN requirements for administrative access to production systems

8.3 Infrastructure Security

Web Application Firewall (WAF) with OWASP Top 10 ruleset enforcement
Distributed Denial of Service (DDoS) mitigation at network and application layers
Intrusion Detection and Prevention Systems (IDS/IPS) with 24/7 monitoring
Regular vulnerability scanning and annual third-party penetration testing
Secure Software Development Lifecycle (SSDLC) with mandatory security code reviews
Container isolation and network segmentation for microservices architectures

8.4 Incident Response

We maintain a documented Incident Response Plan (IRP) that includes defined severity classification tiers, automated alerting and escalation procedures, forensic investigation protocols with chain-of-custody documentation, regulatory notification procedures (within 72 hours for GDPR-reportable breaches), user notification procedures where required by applicable law, and post-incident root cause analysis with remediation tracking.

09 International Data Transfers

Our primary data processing infrastructure is located in the United States. If you are accessing our Services from outside the United States, your Personal Data will be transferred to, stored, and processed in the United States.

For transfers of Personal Data from the EEA, United Kingdom, or Switzerland to the United States, we rely on:

Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision 2021/914)
UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs for UK-originating data
Data Processing Agreements incorporating supplementary measures including encryption, pseudonymization, access controls, and transparency reporting
Transfer Impact Assessments (TIAs) conducted for each data transfer relationship

We continuously monitor regulatory developments affecting international data transfers and will update our transfer mechanisms as necessary to maintain compliance.

10 Your Rights as a Data Subject

Depending on your jurisdiction, you may exercise the following rights. We will respond to all verified requests within 30 calendar days (or such shorter period as required by applicable law):

10.1 Universal Rights (All Jurisdictions)

Right of Access: Request a copy of all Personal Data we hold about you
Right to Rectification: Request correction of inaccurate or incomplete Personal Data
Right to Deletion/Erasure: Request deletion of your Personal Data, subject to legal retention requirements
Right to Withdraw Consent: Withdraw previously granted consent at any time
Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment

10.2 GDPR-Specific Rights (EEA/UK Residents)

Right to Restriction of Processing: Request limitation of processing in specified circumstances
Right to Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
Right to Object: Object to processing based on legitimate interests, including profiling
Right to Lodge a Complaint: File a complaint with your local Data Protection Authority
Automated Decision-Making: Not be subject to decisions based solely on automated processing

10.3 CCPA/CPRA-Specific Rights (California Residents)

Right to Know: Disclosure of categories, sources, purposes, and recipients of Personal Information
Right to Delete: Deletion of Personal Information collected from you
Right to Correct: Correction of inaccurate Personal Information
Right to Opt-Out: We do not sell Personal Information; opt-out requests honored prospectively
Right to Limit Sensitive PI: Direct us to limit use of your sensitive personal information

10.4 PIPEDA-Specific Rights (Canadian Residents)

Right to Access: Access Personal Information upon written request
Right to Challenge Compliance: File a complaint with the Office of the Privacy Commissioner of Canada
Right to Withdraw Consent: Subject to legal or contractual restrictions

10.5 Exercising Your Rights

To exercise any of the rights described above, submit a verifiable request to privacy@seomarketingtooldevs.com. We verify identity using a two-step process: (1) confirmation of the account email, and (2) a security challenge based on account-specific information. For authorized agent requests, we require a notarized power of attorney or written authorization signed by the data subject.

11 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate, secure, and improve our Services. Our cookie implementation follows a consent-first model:

11.1 Cookie Categories

Strictly Necessary: Required for core functionality (authentication, security, load balancing). Cannot be disabled.
Functional: Enable enhanced features and personalization. Require explicit opt-in consent.
Analytics: Collect aggregated usage data. Require explicit opt-in. All data anonymized at collection.
Marketing: Currently not deployed. If implemented, this Policy will be updated and re-consent obtained.

11.2 Cookie Management

You may manage preferences through our cookie consent banner, your browser settings (note: disabling cookies may impair functionality), and our cookie preference center accessible from the website footer. We honor Global Privacy Control (GPC) signals and Do Not Track (DNT) browser headers as valid opt-out signals.

12 Children’s Privacy

Our Services are not directed to, designed for, or intended for use by individuals under the age of sixteen (16). We do not knowingly collect Personal Data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it within 72 hours of discovery.

If you are a parent or guardian and believe your child has provided Personal Data to us, please contact us immediately at privacy@seomarketingtooldevs.com.

13 Do Not Track and Global Privacy Control

We honor both DNT browser signals and GPC signals. When detected, we automatically disable all non-essential tracking, suppress analytics data collection for that session, treat the signal as a valid opt-out of any sale or sharing of Personal Data, and log the preference for future visits from the same browser/device.

14 Data Breach Notification

In the event of a Personal Data breach likely to result in risk to affected individuals, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Article 33)
Notify affected California residents without unreasonable delay (CCPA §1798.150)
Notify affected individuals when the breach is likely to result in high risk to their rights
Provide notification including: nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken
Document all breaches in an internal register regardless of notification thresholds

15 Automated Decision-Making and Profiling

We do not currently engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals. If implemented in the future, we will update this Policy to disclose the logic involved, provide mechanisms to request human intervention, and obtain explicit consent where required.

16 Third-Party Links and Integrations

Our Services may contain links to third-party websites or integrations not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing Personal Data. Inclusion of a link or integration does not imply endorsement or affiliation.

17 Contact Information

For questions, concerns, or requests regarding this Privacy Policy:

Data Privacy Inquiries: privacy@seomarketingtooldevs.com
Postal Address: SEO Marketing Tool Devs, Attn: Privacy Team, [Business Address]
Response Commitment: Acknowledgment within 2 business days; substantive response within 30 calendar days.
DPO Inquiries (EEA/UK): Use the email above with subject line “DPO Inquiry.”

18 Modifications to This Policy

We reserve the right to update this Policy at any time. Notice of material changes will be provided through:

Prominent notice on our website and web applications for a minimum of 30 days
Direct email notification to all registered users
In-app notification within Chrome extensions at next activation
Version number increment and updated effective date

Material changes will not apply retroactively. Continued use after the effective date of an update constitutes acceptance of the revised terms.

19 Severability and Survival

If any provision of this Policy is held invalid or unenforceable, the remaining provisions remain in full force. The invalid provision shall be modified to the minimum extent necessary to make it enforceable while preserving original intent. Obligations under Sections 6, 7, 8, 9, and 10 survive termination of the user relationship.

20 Governing Law and Dispute Resolution

This Policy shall be governed by the laws of the State of Kansas, United States, without regard to conflicts of law principles. Disputes shall be subject to the exclusive jurisdiction of the state and federal courts in Johnson County, Kansas, unless otherwise required by mandatory consumer protection laws.

For EU/EEA residents, this does not override mandatory consumer protection provisions under your country of residence, including your right to bring proceedings before local courts and lodge complaints with your local DPA.

21 California-Specific Disclosures (CCPA/CPRA)

Categories Collected: Identifiers, commercial information, internet/electronic network activity, geolocation data (city-level), professional/employment-related information.

Sale of PI: We do not sell and have not sold Personal Information in the preceding 12 months. We do not sell PI of consumers under 16.

Cross-Context Behavioral Ads: We do not share Personal Information for cross-context behavioral advertising.

Sensitive PI: We do not collect Sensitive Personal Information as defined under CPRA for purposes requiring a right to limit use.

Financial Incentives: We do not offer financial incentives related to collection, sale, or deletion of Personal Information.

Retention: See Section 7 for specific retention periods by data category.

Authorized Agent: Designate an authorized agent via notarized power of attorney or signed written authorization with identity verification.

22 EU/UK GDPR-Specific Provisions

Data Controller: SEO Marketing Tool Devs, operating at SEOMarketingToolDevs.com.

Legal Bases: See Section 4 for complete legal bases for processing.

International Transfers: See Section 9 for transfer mechanisms and safeguards.

DPIAs: We conduct Data Protection Impact Assessments for high-risk processing activities, including new features, data categories, and sharing arrangements.

ROPA: We maintain comprehensive Records of Processing Activities per GDPR Article 30.

Supervisory Authority: EEA residents may lodge complaints with their national DPA. UK residents may contact the Information Commissioner’s Office (ICO).

23 Canadian PIPEDA-Specific Provisions

For Canadian residents, this Policy complies with PIPEDA and its ten fair information principles:

Accountability: We have designated a privacy officer accountable for PIPEDA compliance
Identifying Purposes: Purposes identified at or before the time of collection
Consent: Meaningful consent obtained except where exempted by law
Limiting Collection: Collection limited to what is necessary for identified purposes
Limiting Use, Disclosure, and Retention: Not used for purposes beyond those collected, except with consent or as required by law
Accuracy: Personal Information kept accurate and up-to-date as necessary
Safeguards: Security measures appropriate to the sensitivity of the information
Openness: Policies and practices made readily available
Individual Access: Access provided upon request with information about use and disclosure
Challenging Compliance: Individuals may contact us or the Office of the Privacy Commissioner of Canada