This policy explains what ConceptSEO ("we", "us", "our") collects from Customers and visitors at seo.concept211.com, why we collect it, how we store it, who else handles it on our behalf, and the rights you have over it. We try to write it plainly. Capitalized terms not defined here have the meaning given in our Terms of Service.
ConceptSEO is operated from Orlando, Florida, USA. We are the data controller for personal information we collect from Customers and visitors to seo.concept211.com. For data we process on a Customer's behalf about their end-users (e.g., analytics data we ingest from Google Analytics into the dashboard), the Customer is the controller and we are a processor / service provider acting on the Customer's instructions.
To perform the Service, Customers commonly provide us with Access Credentials such as: OAuth tokens for Google Analytics / Search Console / Business Profile / Ads, SFTP or SSH credentials for their web host, CMS administrator logins, DNS provider logins, IndexNow keys, Cloudflare API tokens, and similar.
Credentials are stored in our application database, encrypted at rest using AES-256-GCM with keys controlled by us and rotated on a documented schedule. The database itself sits on dedicated infrastructure at our hosting provider (GoDaddy, Orlando, FL) behind a hardened firewall.
Only the production application process and authorized ConceptSEO personnel performing the Service can decrypt Access Credentials. We do not log credential values, do not include them in error reports, and do not share them with any subprocessor not strictly necessary to perform the work the credential was given for.
Where the upstream provider supports it (Google products in particular), we use OAuth tokens rather than passwords. OAuth tokens can be revoked by you at any time without changing your password, and they are scoped to the specific permissions the Service needs.
You may revoke any credential at any time by changing the underlying password, removing our user from the property, or rotating the API key on the provider side. We recommend rotating any credential after canceling the Service — see Terms section 4.5.
We do not sell personal information. We do not share personal information with third parties for their independent marketing purposes.
When you connect a Google account, we request read-only access to Google Analytics 4, Search Console, Business Profile, and (if you opt in) Google Ads, plus the limited write scopes needed to submit URLs for indexing and (where you opt in) publish Business Profile posts.
ConceptSEO's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide and improve the SEO features the Customer subscribed to. We do not use Google user data to train, fine-tune, or evaluate any machine-learning model. We do not sell or share Google user data with advertisers, data brokers, or other third parties. You can revoke Google access at any time from your dashboard's Account Settings page or from myaccount.google.com/permissions.
The Service sends data to AI providers (currently Anthropic and OpenAI) so they can generate analyses, recommendations, and content drafts. Data sent includes the Customer's URLs, page content fetched from the Customer's own public website, analytics data the Customer authorized us to access, and the prompts we construct to instruct the model.
Both providers have committed in their enterprise terms that they do not use the data we send to train their models and retain it only for the period necessary to process the request and comply with their security/abuse policies. We do not send credit-card numbers, Access Credentials, or other secret values to AI providers.
We use the following subprocessors to deliver the Service. Each is bound by its own privacy commitments and processes data only as needed to perform the function described.
| Provider | Purpose | Where |
|---|---|---|
| GoDaddy | Production hosting + storage | USA |
| Stripe | Payment processing, tax-ID collection | USA |
| Resend | Transactional email delivery | USA |
| Cloudflare | Edge CDN, DDoS protection | Global |
| Anthropic | AI analyses, recommendations, content drafts | USA |
| OpenAI | AI fallback + specialized models | USA |
| Google APIs | Analytics, Search Console, Business Profile, Ads, PageSpeed, Places, CrUX | USA / Global |
| DataForSEO | Keyword rank, SERP, backlink data | USA |
| OpenPageRank | Domain authority data | USA |
| Bing Webmaster | Index submission | USA |
| Telegram | Internal operational alerts (no Customer secret data) | Global |
We will update this list as our subprocessors change. Material additions will be announced by email to active Customers at least thirty (30) days before they take effect, with a chance to object by terminating the subscription.
No security program is perfect. Despite our controls, no system is immune to compromise. We commit to continuous improvement and to honest, timely notification if something goes wrong.
If we confirm a security incident involving unauthorized access to your personal information or Access Credentials, we will: (a) notify affected Customers by email within seventy-two (72) hours of confirmation; (b) describe what we know, what we don't know, and what steps you should take (almost always: rotate credentials immediately); (c) cooperate with applicable regulators as legally required. We will not delay notification to investigate root cause beyond what is operationally necessary.
We use a small number of first-party cookies for: (a) session authentication on the dashboard; (b) CSRF protection; (c) the form-submission timestamp used to detect bot traffic. We do not use third-party advertising cookies. We do not run third-party analytics scripts (Google Analytics, Mixpanel, Segment, etc.) on our marketing site or dashboard.
Depending on where you reside, you may have the right to: (a) access the personal information we hold about you; (b) correct inaccuracies; (c) request deletion; (d) request export in a portable format; (e) object to or restrict certain processing; (f) opt out of "sale" or "sharing" of personal information (we do neither). To exercise any of these rights, email [email protected]. We will respond within 30 days, or sooner where law requires. We will not charge a fee or retaliate against you for exercising your rights.
If you are an EU/UK resident, our lawful bases for processing are: contract (to provide the Service you subscribed to), legitimate interests (to keep the Service secure and improve it), and consent (for optional features). You may lodge a complaint with your local supervisory authority, though we hope you'll contact us first.
Our infrastructure is in the United States. If you access the Service from outside the US, you understand that your information will be transferred to, stored, and processed in the US. Where required (e.g., for EU/UK residents), we rely on the EU Standard Contractual Clauses or equivalent transfer mechanisms with our subprocessors.
The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, please contact us and we will delete it.
We may update this policy from time to time. Material changes will be announced by email at least 30 days before they take effect. The effective date and version at the top of this page indicate the current revision.
Email [email protected] with any privacy question, data-subject request, or breach concern. We will respond promptly.
ConceptSEO · Orlando, Florida, USA