Legal

Privacy Policy

Last updated: March 10, 2025

SEO Desk ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store and share your personal information when you use our service at seodesk.io and app.seodesk.io.

Google API Services — Limited Use Disclosure

SEO Desk's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data obtained via Google APIs is used only to provide and improve the SEO Desk analytics dashboard. We do not use this data for serving advertisements, for any purpose not disclosed in this Privacy Policy, or for developing, improving, or training generalized AI or machine learning models.

1. What data we collect

1.1 Account information

When you sign in with Google OAuth 2.0, we receive:

  • Your Google account email address
  • Your display name
  • Your profile picture URL
  • A Google OAuth refresh token (used for background data synchronization — see section 2.2)

We do not receive your Google password.

1.2 Google Search Console data

With your explicit authorization, we access data from the Google Search Console API using the https://www.googleapis.com/auth/webmasters.readonly scope. This scope grants read-only access to:

  • The list of websites (properties) you own or have access to in Google Search Console
  • Search analytics data for those properties: search queries, page URLs, clicks, impressions, click-through rate (CTR), average search position, and keyword counts

We store this data in order to display it in your SEO Desk dashboard. We do not write to, modify, or delete any data in your Google Search Console account.

1.3 Usage data

We collect anonymous, aggregated usage analytics (page views, feature interactions) to improve the product. This data does not contain personally identifiable information and is not linked to your Google account.

2. How we use your data

2.1 Core service

  • To authenticate you and maintain your account
  • To display your Google Search Console analytics in a unified dashboard
  • To enable filtering, grouping, tagging, and exporting of your search data
  • To send transactional emails (account notifications, billing receipts)
  • To improve the product via aggregated, anonymized usage analysis

2.2 Automatic background synchronization

We store your Google OAuth refresh token to perform automatic daily synchronization of your Search Console metrics without requiring you to re-authenticate each time. This allows your dashboard to stay up to date with the latest data. You can revoke this access at any time via your Google Account permissions page.

2.3 What we do NOT do

  • We do not sell your personal data or Google API data to any third party
  • We do not use your data for advertising or ad targeting
  • We do not share your Google API data with third parties except as described in section 4 (service providers operating on our behalf)
  • We do not use your data to train AI or machine learning models
  • We do not access any Google data beyond what is necessary for the features described in this policy

3. Data storage and security

Your data is stored on servers located in the European Union. We use industry-standard encryption (TLS 1.2+ in transit, AES-256 at rest). Access to production data is restricted to authorized team members under confidentiality obligations.

Google Search Console data cached in our database is retained for as long as your account is active. If your account is inactive for more than 30 days, cached GSC data may be purged. You can request full deletion at any time — see section 5.

OAuth refresh tokens are stored encrypted and are immediately invalidated upon account deletion or access revocation.

4. Third-party services

We use the following third-party service providers to operate SEO Desk. Each acts as a data processor on our behalf and is bound by appropriate data processing agreements:

  • Google OAuth & Search Console API — authentication and read-only access to Search Console data. Google Privacy Policy
  • Railway / PostgreSQL — database hosting for storing your account and analytics data
  • Stripe — payment processing. We never store or transmit card details to our own servers. Stripe Privacy Policy
  • Postmark — transactional email delivery. Postmark Privacy Policy

We share only the minimum data necessary for these services to function. We do not share your Google API data with any of the above except Google itself (as part of API requests).

5. Your rights

As a user, you have the following rights regarding your personal data:

  • Access — request a copy of all personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and all associated data, including cached Google Search Console data and your OAuth refresh token
  • Portability — export your analytics data in CSV format at any time from within the app
  • Withdraw consent — revoke SEO Desk's access to your Google account at any time via your Google Account permissions. Revoking access will disable data synchronization but will not automatically delete your account
  • Object to processing — object to processing of your personal data in certain circumstances

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

6. Data retention

We retain your personal data for as long as your account is active or as needed to provide the service. If you delete your account:

  • Your profile information is deleted immediately
  • Your Google OAuth refresh token is immediately invalidated and deleted
  • Cached Search Console metrics data is deleted within 7 days
  • Anonymized, aggregated usage statistics may be retained indefinitely as they cannot be linked back to you

7. Cookies

We use only essential cookies required for the service to function:

  • Session cookie — keeps you authenticated during your session. Deleted when you log out or the session expires.
  • CSRF token — protects against cross-site request forgery attacks.

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

8. Children's privacy

SEO Desk is intended for use by website owners, SEO professionals, and businesses. Our service is not directed at children under the age of 13 (or 16 in the EU under GDPR). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

9. International transfers

Our primary servers are located in the European Union. If you access SEO Desk from outside the EU, your data may be transferred to and processed in the EU. By using our service, you consent to this transfer. We ensure that appropriate safeguards are in place in accordance with applicable data protection law.

10. Legal basis for processing (GDPR)

For users in the European Economic Area, our legal bases for processing personal data are:

  • Contract — processing necessary to provide the service you have signed up for
  • Consent — for Google OAuth access and optional communications. You may withdraw consent at any time.
  • Legitimate interests — for security, fraud prevention, and product improvement via anonymized analytics

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact & Data Controller

SEO Desk is the data controller for personal data processed through this service.

For privacy-related questions, requests, or complaints:

If you are located in the EU and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.

Also see: Terms of Service