Privacy Policy
Last updated: March 22, 2026
1. Data Controller
The data controller responsible for the processing of your personal data is:
Christopher Heckel
Einzelunternehmer (sole proprietor)
Kriegkstraße 89
60326 Frankfurt am Main, Germany
Email: contact@seooutreach.io
If you have any questions about this Privacy Policy or our data practices, you may contact us at the email address above.
2. Scope and Applicability
This Privacy Policy applies to the processing of personal data in connection with your use of SEOOutreach.io (the "Service"), accessible at seooutreach.io. The Service is a B2B SaaS platform providing SEO analytics and related tools.
This policy applies to information we collect from account holders, website visitors, and users of the Service. It does not apply to third-party websites or services that may be linked from our Service.
3. Personal Data We Collect
3.1 Account Data
When you register for the Service, we collect your email address and, if provided, your name and company name. This data is stored in our authentication and database system (Supabase).
3.2 Billing Data
Payment and billing information (name, billing address, payment method, VAT ID) is collected and processed by Stripe, Inc. ("Stripe"), our payment processor. We do not store your payment card details. We receive from Stripe limited transaction data such as subscription status, plan type, and transaction identifiers.
3.3 Usage Data
We collect usage analytics via PostHog to understand how the Service is used and to improve it. PostHog is configured to identify authenticated users for product analytics purposes. We process: page views, feature usage events, and session data. This data is used solely for product improvement and is not shared with third parties for advertising purposes.
3.4 Technical Data
When you access the Service, our hosting provider (Vercel) may automatically process technical data such as IP addresses, browser type, and request metadata in server logs. This processing is necessary for the operation and security of the Service. Server logs are retained for a limited period and are not used for profiling or tracking.
3.5 Website Data You Provide
In the course of using the Service, you may provide URLs, domain names, or other website-related information for analysis. This data relates to your business websites, not to you personally, and is processed solely to deliver the Service functionality. We do not treat publicly available website data as personal data unless it contains identifiable personal information.
4. Purposes and Legal Basis for Processing
| Purpose | Data | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Email, name, password hash | Art. 6(1)(b) — performance of contract |
| Providing the Service | Account data, website data you submit | Art. 6(1)(b) — performance of contract |
| Billing and invoicing | Billing data (via Stripe) | Art. 6(1)(b) — performance of contract |
| Product analytics and improvement | Usage events, page views, user ID | Art. 6(1)(f) — legitimate interest |
| Service security and abuse prevention | IP address, server logs | Art. 6(1)(f) — legitimate interest |
| Legal compliance and tax obligations | Transaction records, invoices | Art. 6(1)(c) — legal obligation |
| Service communications (transactional emails) | Email address | Art. 6(1)(b) — performance of contract |
5. Sub-processors and Data Transfers
We use the following third-party service providers (sub-processors) to operate the Service:
| Provider | Purpose | Data Processed | Location / Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | Authentication, database | Email, name, account data | USA — EU Standard Contractual Clauses (SCCs) |
| Vercel Inc. | Hosting, CDN | IP address, request metadata | USA / Global edge — EU SCCs |
| Stripe, Inc. | Payment processing | Billing name, address, payment details, VAT ID | USA / Ireland — EU SCCs / Adequacy Decision |
| PostHog Inc. | Product analytics | User ID, email, page views, feature usage events | EU (Frankfurt) — data hosted in EU |
Where personal data is transferred to countries outside the European Economic Area (EEA) that do not benefit from an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) or other appropriate safeguards under Chapter V of the GDPR.
We maintain an up-to-date list of sub-processors. If we add a new sub-processor that processes personal data, we will update this Privacy Policy accordingly.
6. Cookies and Tracking
The Service uses strictly necessary cookies required for authentication and session management. We do not use advertising cookies or third-party marketing pixels.
PostHog, our product analytics provider, may use cookies or local storage to associate usage events with your account for product improvement purposes. This processing is based on our legitimate interest in improving the Service (Art. 6(1)(f) GDPR).
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- (a) Account data: retained for the duration of your account and deleted within 30 days of account deletion, unless longer retention is required by law.
- (b) Billing and transaction records: retained for the statutory retention period under German tax law (currently 10 years under § 147 AO) or as required by applicable law.
- (c) Server logs: retained for a maximum of 90 days for security and debugging purposes.
- (d) Website analysis data you submit: retained for the duration of your subscription and deleted within 30 days of account deletion.
- (e) Product analytics data: retained for a maximum of 24 months.
8. Your Rights Under the GDPR
Under the General Data Protection Regulation, you have the following rights with respect to your personal data:
- (a) Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you.
- (b) Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete personal data.
- (c) Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, subject to legal retention obligations.
- (d) Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data in certain circumstances.
- (e) Right to data portability (Art. 20 GDPR): You may request a machine-readable copy of the personal data you have provided to us.
- (f) Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds.
To exercise any of these rights, please contact us at contact@seooutreach.io. We will respond within one month of receiving your request, as required by the GDPR.
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates the GDPR. The competent supervisory authority for our business is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1
65189 Wiesbaden, Germany
Website: https://datenschutz.hessen.de
You may also contact the supervisory authority in your own Member State of residence or place of work.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS/HTTPS), access controls, and regular security reviews of our infrastructure and sub-processors.
Despite our efforts, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your data.
11. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or through the Service at least thirty (30) days before they take effect. The "Last updated" date at the top of this policy indicates when it was last revised.
13. Third-Party Integrations (Future)
We may offer optional integrations with third-party services (such as Google Search Console or Google Analytics) in the future. If and when such integrations become available, this Privacy Policy will be updated to reflect the additional data processing involved, including the specific data accessed, the purpose of access, and the applicable legal basis. You will be asked to grant explicit authorization (e.g., via OAuth) before any third-party integration accesses your data.
14. Contact
Christopher Heckel
Kriegkstraße 89
60326 Frankfurt am Main, Germany
Email: contact@seooutreach.io