Privacy Policy.

This Privacy Policy explains how SEOABLE (“SEOABLE,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use the SEOABLE websites, dashboard, API, and Model Context Protocol server (collectively, the “Services”). For personal information processed to provide the Services to you, SEOABLE acts as the data controller, except that for data within your Connected Accounts and Customer Content we act as a processor on your behalf. This Policy is incorporated into our Terms of Service.

We collect the following categories of information:

• Account data — name, email address, and authentication identifiers, managed through our authentication provider.
• Billing data — plan, transaction, and tax metadata. Card details are handled by Stripe; we never see or store full card numbers.
• Customer Content — domains, projects, brand and competitor inputs, instructions, and the reports and posts generated for you.
• Connected Account data — when you connect Google Search Console or Google Analytics, OAuth tokens and the search/analytics data we retrieve on your behalf (such as queries, URLs, clicks, impressions, and traffic metrics).
• API and MCP usage — API keys, requests, and actions taken through the API or MCP Server, including by a Connected AI Client, and associated credit and usage history.
• Device and log data — IP address, browser, and event logs collected for security and reliability.
• Site analytics and cookies — aggregated usage data via Google Analytics, plus essential and analytics cookies.

We use personal information to:

• provide, operate, and secure the Services, including generating reports and posts and running your Connected Accounts (performance of a contract);
• process payments, manage Credits, and prevent fraud (contract; legitimate interests; legal obligation);
• send transactional messages such as receipts and sign-in links, and — where you opt in — product or newsletter emails (contract; consent);
• maintain, troubleshoot, and improve reliability and security (legitimate interests);
• comply with legal, tax, and accounting obligations.

We do not sell personal information, do not “share” it for cross-context behavioral advertising, and do not use it for third-party advertising.

Generating reports and posts requires sending relevant Customer Content and Connected Account data to our AI provider, Anthropic, which processes it to return outputs and does not use it to train its models under our service terms. If you create an API key or connect the MCP Server to a Connected AI Client (for example, Claude), that client may, at your direction, access your projects, reports, posts, brand backlog, and Connected Account data and perform actions you authorize. Data accessed through that client is transmitted to, and handled by, that third party under its own terms and privacy policy. You control this access and may revoke an API key or disconnect the MCP Server at any time.

When you connect Google Search Console or Google Analytics, we access that data only with your authorization and only to provide the Services to you. SEOABLE’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it for advertising, and do not transfer it except as necessary to provide or improve the Services, for security, or to comply with law. You can revoke access at any time by disconnecting the integration or via your Google account settings.

We disclose personal information only to service providers that process it on our behalf to deliver the Services, under appropriate contractual safeguards. The providers that handle data directly relating to you are:

• Stripe — payment processing and tax.
• Clerk — account authentication and identity.
• Google — Search Console and Analytics, only when you connect them, as described in Section 5.
• Anthropic — AI generation of your reports and posts, and the Connected AI Client / MCP integration, as described in Sections 4 and 5.
• Resend — transactional email.
• Substack — newsletter delivery, if you opt in.

We also use cloud hosting and infrastructure providers to operate the Services. A current list of the specific named subprocessors is available on request at [email protected]. We may also disclose information to comply with law, enforce our terms, protect rights and safety, or in connection with a merger, acquisition, or asset sale, in which case we will notify you of any change in control of your data.

SEOABLE is operated from Australia and our subprocessors may process personal information in Australia, the United States, the European Union, and other countries. Where we disclose personal information of individuals in Australia to overseas recipients, we take reasonable steps consistent with Australian Privacy Principle 8 to ensure appropriate handling. Where personal information of individuals in the EEA, the UK, or Switzerland is transferred outside those regions, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), together with supplementary measures where required.

We retain account and billing records for the life of your account and for up to seven (7) years thereafter to meet tax and accounting obligations. Customer Content (projects, reports, posts) is retained until you delete it or close your account. Connected Account tokens are retained until you disconnect the integration or revoke access. API keys are retained until you delete them. Backups are purged on a rolling schedule.

We use technical and organizational measures appropriate to the risk, including encryption in transit, scoped access tokens, access controls, and least-privilege practices. No method of transmission or storage is completely secure; we cannot guarantee absolute security and, to the extent permitted by law, you use the Services at your own risk in that respect.

Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal information, to object to processing, to withdraw consent, and to disconnect Connected Accounts or revoke API keys at any time. Australian individuals have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, including to access and correct their personal information and to complain to us and then to the Office of the Australian Information Commissioner (OAIC). Residents of the EEA/UK may exercise GDPR/UK GDPR rights and lodge a complaint with a supervisory authority. California residents have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing (note: we do not sell or share personal information) and the right not to be discriminated against for exercising these rights. To exercise any right, email [email protected]; we respond within the period required by applicable law (and in any case within thirty (30) days). You may also use an authorized agent where the law allows.

We use essential cookies for checkout and sign-in and one analytics cookie via Google Analytics to understand aggregate, non-identifying usage. We do not use advertising cookies or third-party retargeting. You can opt out via the cookie notice or a tracker-blocking extension.

The Services are not directed to, and may not be used by, anyone under sixteen (16). We do not knowingly collect personal information from children; if we learn we have, we will delete it.

We may update this Policy from time to time. We will post the updated Policy here with a revised “Last updated” date and, where a change materially affects how we use your personal information, will make reasonable efforts to notify active customers by email.

For privacy questions or to exercise your rights, contact [email protected].