Privacy notice
ifySEO is a code-aware web audit engine. This notice describes what personal data we process when you scan a page, sign up for an account, or pay for a plan — what we collect, why, who else touches it, and what you can ask us to do about it.
Who we are
The data controller is ifySEO, based in the Netherlands. We will publish the registered KVK number here once filed; in the meantime treat the entity as a single-operator Dutch trader.
For any privacy question — access, export, deletion, or anything else listed below — write to lab@ifyseo.com. We reply within 30 days, as the GDPR requires.
What we collect and why
We only collect what we need to run the service. In practice that means:
- Account. Your email and a hashed password (or your GitHub identity, if you sign in with GitHub). Held by Supabase Auth.
- Scan targets and reports. Every URL you submit and the resulting `scan_reports` row (issues, score, raw findings). Scoped to your account by row-level security.
- Billing data. If you upgrade to a paid plan, Stripe processes the payment and we store your Stripe customer id and subscription state. We never see or store the card number.
- GitHub App scopes. If you connect a repository for the AI auto-fix engine, our GitHub App reads the narrow scopes you grant (contents, pull requests, metadata). You can revoke the install at any time from your GitHub settings.
- Request logs. Vercel records standard HTTP request metadata (IP, user agent, path, timestamps). We use these for security and debugging, not for analytics or profiling.
- Cookies. A small set of strictly necessary cookies for auth and the post-checkout signup gate. We do not run analytics, marketing, or third-party tracking cookies. See the cookies page for the full list.
Legal bases (GDPR Article 6)
- Contract (Art. 6(1)(b)) — for everything needed to give you the service you signed up for: running scans, storing reports, authenticating you, processing payment.
- Legitimate interest (Art. 6(1)(f)) — for request logging, abuse prevention (SSRF guard, rate limits), and securing our infrastructure. You can object at any time.
- Legal obligation (Art. 6(1)(c)) — for tax and accounting records of paid transactions.
- Consent (Art. 6(1)(a)) — for any non-essential cookie or feature we add later. Today there are none, so there is no consent banner.
Sub-processors
Running the service requires sharing some of the data above with infrastructure providers. Each acts under a written Data Processing Agreement (DPA) and only does what we ask them to.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Postgres database + auth | EU (Frankfurt) |
| Stripe | Billing, subscriptions, customer portal | EU + US |
| Vercel | Web app hosting + request logs | Global edge |
| Trigger.dev | Background scan and auto-fix workers | US |
| GitHub (App) | Optional repo connection for AI auto-fix | US |
| Anthropic | Claude API powering the AI auto-fix engine | US |
| Resend | Transactional email (score-drop alerts, account) | EU/US |
We do not sell your data, we do not share it with advertising networks, and your scan reports are not used to train any model — including the Claude model that powers the AI auto-fix engine. Auto-fix prompts contain only the issues you ticked, not the rest of your account.
How long we keep it
- Account data — kept while your account is active; deleted on account deletion.
- Scan reports — kept while your account is active so you can revisit historical scores; deleted on account deletion.
- Billing records — retained for 7 years after the transaction, as Dutch tax law requires.
- Request logs — Vercel's default retention, typically a small number of days. Used for security and debugging only.
International transfers
Some sub-processors are US-based (Trigger.dev, GitHub, Anthropic, Stripe). Transfers from the EEA to the US rely on the EU–US Data Privacy Framework where the provider is certified, and on Standard Contractual Clauses (SCCs) otherwise. We pick providers that publish their DPAs and either certify under the DPF or sign SCCs.
Your rights
Under the GDPR you have the right to:
- Access the data we hold about you;
- Receive a copy in a portable format;
- Correct anything inaccurate;
- Delete your account and the data attached to it;
- Object to processing under legitimate interest;
- Lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens).
Email lab@ifyseo.com and we'll handle the request within 30 days.
Security posture
The practical safeguards we apply:
- Database isolation. Every Postgres table with user data has Row-Level Security enabled with owner-scoped policies. Request-path queries run under the anon key — RLS-enforced. The service-role key, which bypasses RLS, is used only by background workers.
- SSRF guard. Before any scan runs, the target URL is checked against an explicit deny list (loopback, private CIDRs, link-local, cloud metadata). DNS is resolved so a hostname that points to a private address is caught.
- Signed cookies. Sensitive flow cookies (the post-checkout signup gate) are HMAC-signed with an environment-scoped key.
- Secrets. Credentials live in environment variables only — never in the repo, never in client bundles, never logged.
- Audit. The codebase carries an internal security-audit log; CRIT and HIGH findings are tracked and closed before deploy.
No system is perfectly secure. If you find a vulnerability, please email lab@ifyseo.com and give us reasonable time to fix it before disclosure.
Children
ifySEO is a developer tool, not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we'll delete the account.
Changes to this notice
When we update this notice we change the "Last updated" date at the top and, for material changes, give existing account holders reasonable notice by email before they take effect.
Contact
Privacy questions, data requests, security reports — lab@ifyseo.com.