Privacy Policy

Last updated: 2026-05-11

Working draft. UnfoldSEO is operated as an independent product, with an Estonia OÜ legal entity in formation. This document reflects how the service is run today and will be finalised once the entity is registered and reviewed by counsel. If you need a signed version before that's done, contact success@unfoldseo.com.

This Privacy Policy explains what personal data UnfoldSEO collects when you use the Service, why we collect it, how it is processed and shared, and the rights you have over it under applicable law — including the EU General Data Protection Regulation (GDPR).

1. Who we are

UnfoldSEO is the data controller for personal data processed in connection with your account. We're an Estonia-headquartered software product. Contact: success@unfoldseo.com.

2. What we collect

2.1 Account data

  • Name and email address
  • Hashed password (we never store plain-text passwords)
  • Organisation / tenant name and metadata you supply
  • Role within your tenant (owner, admin, editor, viewer)

2.2 Billing data

Payment is processed by Stripe. We receive a Stripe customer identifier and subscription metadata (plan, status, period). We do not receive or store full card numbers.

2.3 Service usage data

  • Content you upload or generate (briefs, drafts, articles, keyword lists)
  • Site context profiles (brand voice, destinations, competitor lists)
  • Rank-tracking snapshots and audit results tied to your sites
  • Integration credentials you provide (third-party API tokens, OAuth grants, plugin shared secrets) — stored encrypted at rest

2.4 Technical data

  • IP address, browser type and locale
  • Pages visited, actions taken, timestamps (for product analytics)
  • Error logs (with personal identifiers stripped before retention)

3. Why we process it (legal bases)

  • Contract. To create and operate your account, deliver the Service, process payments, and provide support.
  • Legitimate interest. Product analytics, fraud prevention, anti-footprint mechanisms, cost attribution per tenant, and platform security.
  • Legal obligation. Tax records, invoices, and responses to lawful authority requests.
  • Consent. Cookies that are not strictly necessary, and any optional marketing communications.

4. Who we share data with

We share personal data only with processors that operate the Service on our behalf, each bound by a data-processing agreement. The categories of processors we rely on are:

  • Hosting and infrastructure: EU-based cloud and dedicated-server providers (data centres in Helsinki and Frankfurt regions).
  • Payments: Stripe Payments Europe Ltd. (Ireland) — handles all card processing. We never receive or store full card numbers.
  • Transactional email: EU-resident transactional-email providers for account, billing and product notifications.
  • AI inference: Third-party LLM providers used by our content and analysis pipelines. Content you submit to the AI pipeline is transmitted to whichever provider the routing layer selects for the task.
  • SEO data: Third-party providers of keyword, backlink and SERP data, plus our own SERP-scraping infrastructure.

A current, named list of sub-processors is available on request at success@unfoldseo.com. We do not sell personal data to third parties. Schema-per-tenant isolation prevents cross-tenant data access at the database layer.

5. International transfers

Some AI-inference processors operate primarily from the United States. Transfers outside the EEA are protected by the EU's Standard Contractual Clauses (SCCs) or equivalent safeguards. EU customer data on our own infrastructure is held in EU regions.

6. Retention

  • Active account data: retained for the lifetime of your account.
  • Cancelled accounts: a thirty (30) day grace period, then deleted (raw backups purged after a further thirty days).
  • Billing records: retained for seven years to meet Estonian tax law.
  • Error and audit logs: ninety days, with personal identifiers stripped after thirty days.

7. Your rights

Under GDPR you have the right to:

  • access the personal data we hold about you;
  • request correction or deletion of inaccurate data;
  • request a portable copy of your data;
  • object to processing based on legitimate interest;
  • withdraw consent for processing where consent is the basis;
  • lodge a complaint with your local supervisory authority (in Estonia: Andmekaitse Inspektsioon).

Send requests to success@unfoldseo.com. We will respond within thirty (30) days. We may need to verify your identity before fulfilling the request.

8. Security

We use TLS for all data in transit, Fernet symmetric encryption for sensitive at-rest fields (API tokens, WordPress shared secrets), and schema-per-tenant isolation at the database level. Access to production systems is limited to a small operations team with two-factor authentication.

If we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority within seventy-two (72) hours where required by law.

9. Children

The Service is intended for businesses and is not directed to anyone under sixteen (16). We do not knowingly collect personal data from children.

10. Changes to this policy

We'll post any updates here and bump the “last updated” date. Material changes will be sent to account owners by email.

11. Contact

Questions, requests, or complaints? success@unfoldseo.com.