Security & Trust
Your data security is fundamental to ChatSEO. This page provides a clear overview of how we protect your data and the measures we have in place.
At a Glance
| Area | Our Practice |
|---|---|
| Hosting | Hetzner, Germany (EU) |
| Data encryption | TLS 1.3 in transit, encrypted at rest |
| GSC data storage | Never stored - real-time API access only |
| AI training on your data | Never - real-time inference only |
| Cookie consent | Strict opt-in, granular categories |
| Sub-processors | Fully documented |
| DPA available | Yes, GDPR Article 28 compliant |
| Data deletion | Within 30 days of request |
| GDPR compliance | Structured and documented |
Data Hosting & Infrastructure
- All primary infrastructure hosted on Hetzner Online GmbH in Germany (EU)
- Firecrawl (web scraping) self-hosted on EU infrastructure (Hetzner)
- Data encrypted at rest and in transit (TLS 1.3)
- Regular security assessments and vulnerability testing
- Role-based access controls with per-user authentication
Google Search Console: Zero-Storage Architecture
We designed ChatSEO with a zero-storage approach to your GSC data:
- Read-only access: We request only the webmasters.readonly OAuth scope - we cannot modify your Search Console data
- Real-time only: GSC data is fetched from Google's API, displayed to you, and immediately discarded
- No database storage: Our database schema contains no tables or columns for GSC metrics (queries, impressions, clicks, rankings)
- No caching: GSC data is not cached in Redis or any other data store
- You control access: Revoke permissions anytime from your Google security settings
What we DO store: OAuth credentials (access token, refresh token) needed to authenticate API requests on your behalf. These are deleted when you disconnect your integration.
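The read-only scope claim above is something a reviewer can verify rather than take on trust: the scopes an app asks for appear in the `scope` parameter of its Google authorization URL, and the scopes a token was actually granted appear in Google's tokeninfo response. The following is an added example, not ChatSEO's code, of such a check. The two scope URIs are Google's real Search Console API scopes; the authorization URLs, client id and tokeninfo response are constructed samples, and the allowlist (read-only scope only) is an assumption matching this page.

```python
"""
Added example (not ChatSEO's code): a defender-side check that an OAuth
integration requests, and was granted, only the read-only Search Console
scope described on this page. Inputs are constructed; the only real
identifiers are the two Google scope URIs.
"""
from urllib.parse import urlparse, parse_qs

# Real Google Search Console API scopes.
READONLY_SCOPE = "https://www.googleapis.com/auth/webmasters.readonly"
WRITE_SCOPE = "https://www.googleapis.com/auth/webmasters"

# Scopes this integration is allowed to hold (assumption: read-only only).
ALLOWED_SCOPES = frozenset({READONLY_SCOPE})


def scopes_from_auth_url(url: str) -> set[str]:
    """Extract the space-separated `scope` parameter from an OAuth authorization URL."""
    query = parse_qs(urlparse(url).query)  # parse_qs percent-decodes, so %20 becomes a space
    raw = query.get("scope", [""])[0]
    return set(raw.split())


def scopes_from_tokeninfo(tokeninfo: dict) -> set[str]:
    """Google's tokeninfo response carries granted scopes as a space-separated string."""
    return set(tokeninfo.get("scope", "").split())


def scope_violations(granted: set[str]) -> set[str]:
    """Return every granted scope that is not in the allowlist (empty set means compliant)."""
    return granted - ALLOWED_SCOPES


# Constructed sample: authorization URL as a correctly configured app would build it.
GOOD_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fwebmasters.readonly"
    "&access_type=offline"
)

# Constructed sample: a misconfigured app that also asks for the full read/write scope.
BAD_AUTH_URL = GOOD_AUTH_URL.replace(
    "webmasters.readonly",
    "webmasters.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fwebmasters",
)

# Constructed sample in the shape of Google's /tokeninfo JSON; values are made up.
SAMPLE_TOKENINFO = {
    "aud": "EXAMPLE_CLIENT_ID",
    "scope": READONLY_SCOPE,
    "expires_in": "3599",
}

if __name__ == "__main__":
    for label, url in (("good", GOOD_AUTH_URL), ("bad", BAD_AUTH_URL)):
        bad = scope_violations(scopes_from_auth_url(url))
        status = "ok" if not bad else "requests non-read-only scopes: " + ", ".join(sorted(bad))
        print(f"{label} auth URL: {status}")
    granted_bad = scope_violations(scopes_from_tokeninfo(SAMPLE_TOKENINFO))
    print("granted token:", "ok" if not granted_bad else "violation")
```

Running it flags the second URL because it asks for the read/write `webmasters` scope in addition to the read-only one; the same allowlist applied to a live tokeninfo response confirms what a user actually granted, which is the check to run if the consent screen ever changes.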
AI Usage: No Training, Ever
- Anthropic Claude (Sonnet 4, Haiku): Used for real-time SEO analysis and conversation
- Voyage AI: Used for vector embeddings in the cross-conversation memory system
- Under Anthropic's commercial API terms, data sent via their API is not used for model training
- We do not fine-tune, train, or improve any AI model using your data
- AI processing is ephemeral: your data is processed and the result returned, with no retention by the AI provider
Cookie Consent & Tracking
We implement strict GDPR-compliant cookie consent:
- Necessary only by default: Only Sentry (error monitoring) and Crisp (support chat) load without consent
- Strict opt-in: Analytics (Mixpanel, Customer.io) and marketing (Tolt, Meta Pixel) require explicit consent
- Granular control: Choose consent category by category
- Revocable anytime: Click the cookie icon or use the footer link to change your preferences
- Equal visual weight: Accept and reject buttons are presented with the same visual prominence
Compliance Documents
| Document | Description |
|---|---|
| Privacy Policy | Full privacy policy (GDPR compliant) |
| Data Processing Agreement | DPA for enterprise customers (GDPR Article 28) |
| Sub-processors | Complete list of all sub-processors with data transfer mechanisms |
| Terms of Service | Service terms |
| Terms of Sale | Commercial terms (B2B and B2C) |
| Legal Notice | Company information, cookies, and intellectual property |
Enterprise Needs
If you have specific security or compliance requirements, we are happy to discuss:
- Custom DPA provisions
- Security questionnaires
- Specific sub-processor concerns
- Data residency requirements
Contact us: [email protected]