
Privacy Policy

Last updated: December 2, 2025

PRIVACY POLICY - SERP LAB PLATFORM

1. DATA CONTROLLER AND CONTACT INFORMATION

Data Controller

SERP Lab ApS is the data controller for the processing of personal data in connection with the use of our SEO analysis platform (app.serplab.io).

Note: This Privacy Policy applies specifically to our software platform at app.serplab.io. For information about the processing of personal data on our marketing website (serplab.io), please refer to the separate privacy policy there.

Company Information:

  • Name: SERP Lab ApS

  • Address: Vestergade 19C, 1st floor, 8000 Aarhus C, Denmark

  • CVR Number: DK45657809

  • Website: https://serplab.io

  • Platform: https://app.serplab.io

Contact for Data Protection Matters

If you have questions about our processing of your personal data or wish to exercise your rights, please contact us at:

Email: contact@serplab.io

You may also send physical mail to our address above, marked "Attn: Data Protection".

Data Protection Officer (DPO)

We have not appointed a Data Protection Officer as we are not subject to this requirement. All inquiries regarding data protection can be directed to the contact information above.

2. PRIVACY SUMMARY - KEY POINTS

This summary provides key points about our data processing, but please read the full Privacy Policy for complete details.

• Business-to-Business Only: We exclusively serve registered businesses. We do not process personal data of consumers or end-users of your websites.

• Data We Collect: Business contact information, Google Search Console data, usage analytics, and integrated platform data (Shopify, WordPress, WooCommerce).

• Permanent Data Retention: Integrated data from Google Search Console and other sources becomes part of our core algorithms. This data is retained indefinitely in anonymized form, even after account termination.

• How We Use Your Data: To provide SEO analysis, improve our algorithms, generate industry benchmarks, and develop new features. Individual customer data is never sold or shared.

• International Transfers: Your data may be processed in the USA through our service providers (Google BigQuery, AWS, Stripe) with appropriate safeguards.

• Your Rights: Access, rectification, deletion (with limitations due to our legitimate interests), data portability, and objection to processing.

3. TYPES OF PERSONAL DATA WE PROCESS

As a B2B platform, we primarily process business data. However, some of this data may contain personal information about individuals acting on behalf of businesses. We process the following categories:

3.1 Business Account Data

  • Company name and business registration numbers (CVR or equivalent)

  • VAT numbers and billing information

  • Names and email addresses of authorized users (employees/contractors)

  • Payment method details (processed by Stripe)

  • Subscription history and account preferences

  • Account usage patterns and feature adoption

3.2 Technical and Usage Data

  • IP addresses and browser information

  • Device identifiers and operating system details

  • Platform usage analytics and interaction patterns

  • Performance metrics and error logs

  • Session data and security logs

  • Login times and access patterns

3.3 Integrated Business Data

  • Google Search Console data (website URLs, search queries, performance metrics)

  • Third-party platform data from connected services:

    • Shopify (product URLs, titles, descriptions, meta tags, metafields)

    • WordPress (page content, titles, meta descriptions, SEO metadata)

    • WooCommerce (product content, categories, tags, SEO attributes)

  • DataForSEO API responses containing search engine data

  • Business content uploaded for analysis

  • SEO keywords and competitor analysis inputs

3.4 Communication Data

  • Support ticket content and correspondence

  • Feedback and survey responses

  • Marketing communication preferences

  • Training and onboarding communications

3.5 AI-Generated Content

  • Text generated using our AI tools

  • Prompts and inputs provided for content generation

  • Content optimization preferences

Important Note: We do not process personal data of your website visitors or end-users. Our platform is designed for B2B use only, and we do not collect or have access to personal data of consumers who visit your websites.

4. PURPOSES OF PROCESSING

We primarily process business data. When we process personal data (such as contact information of business representatives), it is for the following purposes:

4.1 Service Delivery

  • Providing access to our SEO analysis platform and tools

  • Performing SEO analysis and generating reports

  • Creating AI-generated content optimized for search engines

  • Delivering SERP tracking and keyword research

  • Integrating with third-party platforms (Google Search Console, Shopify, WordPress, WooCommerce)

  • Managing your projects and account settings

4.2 Platform Improvement and Innovation

  • Enhancing our algorithms and machine learning models

  • Developing new features and functionalities

  • Creating industry benchmarks and trend analysis

  • Improving accuracy of traffic estimations and ranking predictions

  • Optimizing platform performance and user experience

4.3 Business Operations

  • Managing subscriptions and processing payments

  • Providing customer support and responding to inquiries

  • Sending service-related communications and updates

  • Maintaining platform security and preventing fraud

  • Ensuring service availability and performance monitoring

4.4 Analytics and Research

  • Generating aggregated insights about SEO trends

  • Creating anonymized datasets for market analysis

  • Conducting internal research to improve service quality

  • Developing competitive intelligence tools

  • Complying with legal obligations and regulatory requirements

  • Protecting our legitimate business interests

  • Enforcing our Terms of Service

  • Responding to legal requests and preventing illegal activities

4.6 Marketing and Communication

  • Sending relevant product updates and feature announcements

  • Providing educational content about SEO best practices

  • Managing your communication preferences

  • Conducting customer satisfaction surveys

We process personal data based on the following legal grounds under GDPR Article 6:

5.1 Contractual Necessity (Article 6(1)(b))

We process personal data when necessary to:

  • Create and manage your business account

  • Provide access to our SEO platform and tools

  • Process payments and manage subscriptions

  • Deliver customer support and respond to inquiries

  • Send essential service communications

5.2 Legitimate Interests (Article 6(1)(f))

We rely on legitimate interests for:

  • Platform Improvement: Analyzing usage patterns to enhance our algorithms and develop new features

  • Business Intelligence: Creating anonymized datasets for industry benchmarks and SEO trend analysis

  • Security: Monitoring for fraud, unauthorized access, and platform abuse

  • Business Continuity: Retaining anonymized data indefinitely for algorithm accuracy and service quality

  • Marketing: Sending relevant product updates and educational content (with opt-out options)

Our legitimate interests are balanced against your rights and freedoms. You may object to processing based on legitimate interests (see Section 14).

5.3 Legal Obligations (Article 6(1)(c))

We process data when required by law, including:

  • Maintaining financial records for tax authorities

  • Responding to valid legal requests

  • Complying with data protection regulations

5.4 Consent (Article 6(1)(a))

We obtain consent for:

  • Marketing communications beyond service updates

  • Participation in surveys or beta programs

  • Use of optional analytics cookies

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

5.5 Special Note on Business Data

Much of the data we process (company information, website URLs, SEO metrics) is business data not subject to GDPR. We apply privacy protections to all data as a matter of best practice.

6. CONCRETE EXAMPLES OF DATA USE

To provide transparency, here are specific examples of how we use your data:

6.1 Algorithm Enhancement Example

Data Used: Your Google Search Console click-through rates, impressions, and ranking positions

How We Use It: We aggregate this data with thousands of other customers to improve our traffic estimation algorithms. For instance, if many sites in similar industries show comparable CTR patterns for positions 3-5, we refine our predictions for future analyses.

Your Benefit: More accurate traffic forecasts for your SEO planning

6.2 Industry Benchmarking Example

Data Used: Anonymized keyword rankings and search volumes across customer sites

How We Use It: We identify patterns like "B2B websites typically see higher CTR on branded searches than e-commerce sites," helping you set realistic goals based on your industry.

Privacy Protection: Individual websites are never identifiable in benchmarks

6.3 Content Analysis Example

Data Used: Page content, titles, and meta descriptions from your integrated platforms

How We Use It: We analyze which content structures and SEO elements correlate with better rankings across different industries to improve our recommendations.

Result: Better SEO suggestions tailored to your industry type

6.4 SERP Analysis Example

Data Used: Search results data and ranking positions for tracked keywords

How We Use It: We identify SERP feature patterns (like featured snippets, local packs) across industries to help predict ranking opportunities.

Output: More accurate SERP analysis and opportunity identification

6.5 Search Pattern Detection Example

Data Used: Aggregated search queries and seasonal patterns from GSC data

How We Use It: We detect industry-wide patterns like seasonal search volume changes and use these to improve our forecasting models.

Benefit: Better understanding of search behavior in your market

6.6 Feature Development Example

Data Used: Platform usage patterns and feature adoption rates

How We Use It: If we see high usage of certain analysis tools but low adoption of others, we prioritize improvements based on actual user needs.

Result: Platform development focused on features that provide real value

7. SOURCES OF PERSONAL DATA

We collect personal data from the following sources:

7.1 Directly from You

  • Account Registration: Business information and contact details you provide when creating an account

  • Platform Use: Data you input for SEO analysis, keywords, and content generation

  • Communications: Information shared in support tickets, emails, and feedback forms

  • Payment Information: Billing details provided during subscription setup

7.2 Automatically Collected

  • Technical Data: IP addresses, browser information, and device data collected when you use our platform

  • Usage Analytics: Interaction patterns, feature usage, and session data

  • Cookies: Essential cookies for platform functionality and optional analytics cookies (with consent)

7.3 Third-Party Integrations

When you connect external services, we receive:

  • Google Search Console: Website URLs, search queries, and performance metrics (no personal data)

  • E-commerce Platforms: Author names or staff accounts may appear in content from Shopify, WordPress, or WooCommerce

  • Payment Processor: Stripe provides us with limited payment status information

7.4 Business Sources

  • DataForSEO: Search engine data without personal information

Important Note: We are a B2B platform and do not collect personal data from your website visitors or customers. Any personal data we process relates solely to business representatives using our platform.

8. RECIPIENTS OF PERSONAL DATA

We share personal data only as necessary to provide our services and operate our business:

8.1 Service Providers (Data Processors)

We use carefully selected third-party providers who process data on our behalf:

  • Stripe, Inc.: Payment processing and subscription management

  • Clerk: Authentication services and invitation management

  • Google BigQuery: Data analytics and storage infrastructure

  • Amazon Web Services (AWS): Cloud hosting and computing services

  • NEON: Database services

All data processors are bound by data processing agreements and can only process data according to our instructions.

8.2 Third-Party Services (Independent Controllers)

When you connect these services, they act as independent data controllers:

  • Google (Search Console): Subject to Google's privacy policy

  • Shopify: Subject to Shopify's privacy policy

  • WordPress/WooCommerce: Subject to their respective privacy policies

We may disclose personal data when required by law:

  • To comply with valid legal processes

  • To respond to government or regulatory requests

  • To protect our legal rights or prevent fraud

  • To ensure platform security and prevent illegal activities

8.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of such changes and any choices you may have.

8.5 What We Never Do

  • We NEVER sell personal data to third parties

  • We NEVER share individual customer data with other customers

  • We NEVER provide competitor access to your specific data

  • We NEVER use personal data for purposes unrelated to our services

8.6 Aggregated and Anonymized Data

We use aggregated and anonymized data internally for:

  • Product development and feature improvements

  • Industry insights and trend analysis

  • Platform optimization

This data cannot identify you or your business and is never shared with external parties.

9. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for all international transfers.

9.1 Transfers to the United States

We transfer personal data to the following US-based service providers:

  • Stripe, Inc. - Payment processing

  • Google (BigQuery) - Data analytics and storage

  • Amazon Web Services - Cloud infrastructure

  • Clerk - Authentication services

  • NEON - Database services

We ensure lawful transfers through:

  • Standard Contractual Clauses (SCCs): We have implemented the European Commission's standard contractual clauses with all US service providers

  • Additional Safeguards: Technical and organizational measures including encryption, access controls, and data minimization

  • Your Rights: You maintain all GDPR rights regardless of where your data is processed

9.3 Specific Provider Safeguards

  • Stripe: Maintains comprehensive GDPR compliance and uses SCCs for data transfers

  • Google Cloud: Offers data residency options and implements SCCs with additional security measures

  • AWS: Provides SCCs and allows data location selection within EU regions where requested

  • Clerk: GDPR compliant with implemented SCCs

  • NEON: Database encryption and SCCs for international transfers

9.4 Risks and Your Rights

While we implement all required safeguards, you should be aware that some countries may not provide the same level of data protection as the EEA. You have the right to:

  • Request details about specific safeguards

  • Lodge a complaint with supervisory authorities

  • Request cessation of transfers in specific circumstances

10. DATA RETENTION PERIODS

We retain personal data only as long as necessary for the purposes outlined in this policy and to comply with legal obligations.

10.1 Active Account Data

While your subscription is active, we retain:

  • Account Information: For the duration of your subscription

  • Usage Data: Continuously updated and maintained

  • Integrated Platform Data: As long as integrations remain connected

  • Communication History: For the duration of your subscription plus 3 years

  • Technical Logs: 12 months rolling retention for security and performance monitoring

10.2 After Account Termination

Following cancellation or termination:

  • Account Data: Deleted within 90 days

  • Personal Information: Removed within 90 days

  • Project Configurations: Deleted within 90 days

  • Support Communications: Retained for 3 years for service improvement

10.3 Data Retained Indefinitely

The following data is retained permanently in anonymized form:

  • Aggregated SEO Metrics: Used for algorithm improvement

  • Anonymized Usage Patterns: For platform development

  • Google Search Console Data: Integrated into our core algorithms (anonymized)

  • Industry Benchmarks: Created from aggregated customer data

This indefinite retention is based on our legitimate interests in maintaining service quality and algorithm accuracy. Individual businesses cannot be identified from this data.

  • Financial Records: 5 years per Danish accounting laws

  • Tax Documentation: 5 years from the relevant tax year

  • Legal Correspondence: As required by applicable limitation periods

10.5 Your Right to Earlier Deletion

You may request deletion of your personal data before these periods expire, subject to:

  • Legal obligations requiring retention

  • Our legitimate interests in anonymized data

  • Pending legal claims or disputes

10.6 Data Export Before Deletion

You are responsible for exporting any needed data before account termination. We cannot recover data after the 90-day retention period expires.

11. DATA RETENTION TIMELINE - VISUAL OVERVIEW

Active Subscription Period

WHILE ACTIVE ────────────────────────────────────────────────────►

├─ Account & Personal Data ──────────────────────────────────────►

├─ Usage Data ───────────────────────────────────────────────────►

├─ Integrated Platform Data ─────────────────────────────────────►

├─ Technical Logs ─────────────────[12 months rolling]──────────►

└─ Support Communications ───────────────────────────────────────►

After Account Termination

TERMINATION

         90 DAYS                3 YEARS              5 YEARS         INDEFINITE

├─ Account Data ────X

├─ Personal Info ───X

├─ Project Config ──X

├─ Support Comms ──────────────────X

├─ Financial Records ─────────────────────────────────────X

├─ Tax Documents ─────────────────────────────────────────X

└─ Anonymized Data ───────────────────────────────────────────────────────►


Legend:

──── = Data retained

X = Data deleted

► = Continues indefinitely

Key Retention Periods Summary

  • Immediate: Technical logs older than 12 months (rolling deletion)

  • 90 days: Account data, personal information, project configurations

  • 3 years: Support communications

  • 5 years: Financial records, tax documentation

  • Indefinite: Anonymized SEO metrics, usage patterns, aggregated benchmarks

Important: Once data is deleted, it cannot be recovered. Please export any needed data before account termination.

12. DATA ANONYMIZATION AND INTERNAL USE

We handle data differently depending on how it's used:

12.1 Internal Algorithm Development

For internal algorithm improvement and machine learning, we use customer data including:

  • Google Search Console data with URLs

  • Search queries and performance metrics

  • Usage patterns and interactions

This data is used in its original form (not anonymized) but is:

  • Protected by strict access controls

  • Only accessible to authorized development team members

  • Subject to confidentiality agreements

  • Never exposed to other customers or external parties

12.2 External-Facing Features and Benchmarks

When creating features or reports visible to customers, we anonymize data by:

  • Aggregating data across multiple businesses

  • Removing all identifying information (domains, company names)

  • Grouping by industry type and size

  • Ensuring no individual business can be identified

12.3 Security Over Anonymization

For internal use, we prioritize security over anonymization:

  • Access Control: Only essential personnel can access raw data

  • Encryption: All data is encrypted at rest and in transit

  • Audit Logs: All data access is logged and monitored

  • Confidentiality: All employees sign strict NDAs

12.4 Why We Retain Identifiable Data Internally

Maintaining URLs and specific data points internally allows us to:

  • Provide more accurate SEO predictions

  • Improve our algorithms based on real patterns

  • Deliver better service quality to all customers

  • Develop innovative features based on actual usage

12.5 Your Protection

While we use your data internally for improvement:

  • It's never sold or shared with third parties

  • Other customers never see your specific data

  • You maintain all rights under GDPR

  • Our legitimate interests are balanced against your rights

13. AUTOMATED DECISION-MAKING AND PROFILING

13.1 Limited Automated Processing

We use minimal automated decision-making, primarily related to your subscription plan. We do not use automated profiling that evaluates personal aspects or makes predictions about you.

13.2 Automated Subscription Features

The following are automatically determined based on your chosen subscription plan:

  • Feature Access: Number of AI-generated texts, SERP lookups, and active projects

  • API Rate Limits: Request limits according to your plan

  • Data Export Options: Available export formats and frequencies

  • Usage Limits: Monthly allocations for various features

These are contractual limitations based on the plan you purchased, not profiling decisions.

13.3 What We Do NOT Do

We do NOT use automated systems to:

  • Evaluate your personal characteristics or behavior

  • Make predictions about your business success

  • Adjust prices based on your usage patterns

  • Restrict access based on performance metrics

  • Make decisions beyond your subscription terms

13.4 Analytics vs. Decisions

Our platform provides:

  • Analytics Tools: SEO insights, traffic predictions, ranking forecasts

  • AI Suggestions: Content recommendations and optimization tips

These are informational tools to support your decisions, not automated decisions about you or your business.

13.5 Your Rights

You have the right to:

  • Understand how subscription limitations work

  • Upgrade or downgrade your plan at any time

  • Request human review of any account issues

  • Contact support for clarification on any automated process

14. YOUR RIGHTS AS A DATA SUBJECT

Under GDPR, you have specific rights regarding your personal data. We respect these rights and have procedures in place to handle your requests.

14.1 Right to Access (Article 15)

You have the right to:

  • Obtain confirmation of whether we process your personal data

  • Access your personal data and receive a copy

  • Receive information about how we process your data

How to exercise: You can access all your data through the platform while logged in. For data export requests, we provide personal data in CSV format as required by GDPR. Extended historical Google Search Console data (beyond the 16 months available in GSC) represents our value-added service and is available through platform access.

What's included in exports: Personal information, account details, and data required under GDPR. Business intelligence and historical analytics remain accessible through your platform subscription.

14.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data

  • Complete incomplete personal data

  • Update outdated information

How to exercise: You can update your account and personal data directly in the platform. For any data you cannot modify yourself, contact our support team.

14.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • Data is no longer necessary for the original purposes

  • You withdraw consent (where consent is the legal basis)

  • You object to processing based on legitimate interests

  • Data has been unlawfully processed

What we can delete:

  • Personal account information (name, email, etc.)

  • Payment information

  • Communication history

  • Account preferences

What we cannot delete:

  • Integrated Google Search Console and platform data: This data has been permanently integrated into our algorithms and cannot be extracted or deleted. This is a fundamental condition of using our service as outlined in our Terms of Service.

  • Financial records: Retained for 5 years per legal requirements

  • Anonymized data: Already processed into non-identifiable form

Our legitimate interests: Retaining integrated data is necessary for maintaining algorithm accuracy, service quality, and the integrity of our SEO intelligence platform. This retention is based on our legitimate business interests and was agreed to as part of your subscription terms.

14.4 Right to Restrict Processing (Article 18)

You can request we limit processing of your data while:

  • You contest the accuracy of data

  • You oppose erasure despite unlawful processing

  • We no longer need data but you need it for legal claims

  • You've objected pending verification of legitimate grounds

Technical limitations: Due to our platform architecture, we cannot selectively restrict data processing while maintaining an active account. Data processing is integral to service delivery.

Practical effect: If you need processing restricted, the option is to cancel your subscription, which stops all new data collection and processing. Historical data already integrated into our systems cannot be selectively restricted due to technical impossibility.

14.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your personal data in a structured, machine-readable format

  • Transfer this data to another service provider

  • Have data transferred directly where technically feasible

Scope: This right applies only to personal data (name, email, company information) provided by you and processed based on consent or contract. We provide this data in CSV format upon request.

Limitations: Business intelligence data, SEO analytics, and Google Search Console data are not included in portability requests as they constitute our proprietary service offering. The limited personal data available for export typically has minimal value for transfer to other platforms.

14.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or direct marketing:

Direct Marketing:

  • We do not send marketing emails unless you actively opt-in

  • Service-related communications (errors, crawl notifications, platform alerts) are not marketing and are necessary for service delivery

  • If you opt-in to marketing, you can unsubscribe at any time

Legitimate Interests:

  • You can object to our processing based on legitimate interests

  • However, integrated Google Search Console and platform data cannot be removed due to compelling legitimate grounds:

    • Technical impossibility of extraction

    • Necessity for algorithm integrity and service quality

    • Contractual agreement upon service registration

  • For objections to other processing, we will assess and respond within 30 days

14.7 Rights Related to Automated Decision-Making (Article 22)

As described in Section 13, we only use automated decisions for plan-based feature limitations. You can:

  • Contact support for questions about plan limitations

  • Upgrade or downgrade your subscription at any time

  • Request clarification on any automated process

Where processing is based on consent, you can withdraw it at any time:

Platform Analytics:

  • We use first-party analytics based on legitimate interests for service improvement and support

  • This includes tracking page views, clicks, and feature usage

  • No consent required as this is necessary for platform operation and user support

Marketing Communications (if opted-in):

  • Use unsubscribe links in emails

  • Note: Marketing is managed through our main website, not the platform

Other Consent-Based Processing:

  • We primarily rely on contract and legitimate interests

  • If we request consent for specific features, withdrawal options will be clearly provided

Effect of Withdrawal: Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

14.9 How to Exercise Your Rights

Contact us at: contact@serplab.io

Information we need:

  • Your identity verification

  • Specific right(s) you wish to exercise

  • Relevant details about your request

Response time: Within 30 days, extendable by 60 days for complex requests

Cost: Free of charge, except for manifestly unfounded or excessive requests

14.10 Limitations and Exceptions

Some rights may be limited when:

  • Other legal obligations apply

  • Rights conflict with others' rights

  • Requests are manifestly unfounded or excessive

  • Our legitimate interests override (with proper justification)

15. RIGHT TO LODGE A COMPLAINT

If you believe we have not handled your personal data correctly or responded appropriately to your rights requests, you have the right to lodge a complaint with a supervisory authority.

15.1 Danish Data Protection Agency

As we are based in Denmark, our lead supervisory authority is:

Datatilsynet

  • Address: Borgergade 28, 5., 1300 København K, Denmark

  • Phone: +45 33 19 32 00

  • Email: dt@datatilsynet.dk

  • Website: www.datatilsynet.dk

15.2 Your Local Authority

You may also lodge a complaint with the supervisory authority in your country of residence or place of work.

15.3 Our Preference

While you always have the right to go directly to a supervisory authority, we encourage you to contact us first at contact@serplab.io so we can try to resolve your concerns directly.

16. SECURITY MEASURES

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

16.1 Technical Security Measures

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest

  • Access Controls: Role-based access with principle of least privilege

  • Authentication: Secure login via Clerk with modern authentication standards

  • Infrastructure Security: Enterprise-grade security through AWS, Google Cloud, and our service providers

  • Regular Updates: Security patches and updates applied promptly

  • Monitoring: Continuous monitoring for suspicious activities and potential breaches

16.2 Organizational Security Measures

  • Access Restrictions: Only authorized personnel can access personal data

  • Confidentiality Agreements: All employees and contractors sign NDAs

  • Training: Regular security awareness training for staff

  • Data Minimization: We only collect and process necessary data

  • Vendor Management: All data processors are vetted and bound by data processing agreements

16.3 Platform-Specific Security

  • API Security: Rate limiting and authentication for all API endpoints

  • Session Management: Secure session handling with automatic timeouts

  • Input Validation: Protection against SQL injection and other attacks

  • Audit Logs: Comprehensive logging of access and changes

16.4 Incident Response

In the unlikely event of a data breach:

  • We will notify affected users within 72 hours when required

  • We will inform relevant supervisory authorities as required by law

  • We maintain incident response procedures and conduct regular drills

16.5 Your Security Responsibilities

  • Keep your login credentials confidential

  • Use strong, unique passwords

  • Notify us immediately of any suspected unauthorized access

  • Ensure your own systems accessing our APIs are secure

16.6 No Absolute Guarantee

While we implement industry-standard security measures, no system is completely secure. We continuously work to improve our security posture and protect your data.

17. COOKIES AND TRACKING

This section describes how we use cookies and similar technologies on our platform (app.serplab.io).

17.1 Essential Cookies

We use strictly necessary cookies that are required for the platform to function:

  • Session Cookies: To maintain your logged-in state

  • Security Cookies: To prevent CSRF attacks and ensure secure browsing

  • Preference Cookies: To remember your platform settings

These cookies are essential for service delivery and do not require consent.

17.2 Analytics and Performance

We use first-party analytics to improve our service:

  • What We Track: Page views, feature usage, click patterns, and user flows

  • Legal Basis: Legitimate interests in improving our platform and providing support

  • No Third Parties: We do not use Google Analytics or other third-party tracking

  • Purpose: Solely for platform improvement and troubleshooting user issues

  • No Consent Required: As a B2B platform, we process analytics data based on legitimate interests without requiring cookie consent

17.3 What We Don't Use

  • No advertising cookies

  • No third-party tracking cookies

  • No cross-site tracking

  • No behavioral profiling for marketing

  • Essential Cookies: Cannot be disabled as they are necessary for platform operation

  • Analytics: Processed under legitimate interests, not requiring consent

  • Browser Settings: You can control cookies through your browser settings, but this may affect platform functionality

17.5 Local Storage

We may use browser local storage for:

  • Temporary data caching to improve performance

  • Saving draft content before submission

  • Storing UI preferences

17.6 Third-Party Services

When you connect services like Google Search Console, those services may set their own cookies. These are governed by their respective privacy policies.

Note: This cookie policy applies only to app.serplab.io. Our marketing website (serplab.io) has a separate cookie policy.

18. DIRECT MARKETING

18.1 Our Marketing Approach

  • No Unsolicited Marketing: We do not send marketing emails unless you explicitly opt in

  • Service Communications Only: Platform users receive only essential service-related emails (error notifications, crawl alerts, account issues)

  • Separate Marketing Program: Marketing communications are managed through our main website (serplab.io), not the platform

18.2 Service vs. Marketing Emails

Service Emails (always sent):

  • Account security alerts

  • Payment and billing notifications

  • Technical issues and error reports

  • Crawl completion notifications

  • Important platform updates affecting your service

Marketing Emails (only with opt-in):

  • Feature announcements

  • Industry insights and tips

  • Promotional offers

  • Webinars and events

18.3 Opting In and Out

  • Opt-in: Marketing preferences are managed separately from your platform account

  • Unsubscribe: All marketing emails include an unsubscribe link

  • Service Emails: Cannot be disabled as they are essential for platform operation

18.4 Your Rights

You have the absolute right to:

  • Refuse marketing communications

  • Unsubscribe at any time

  • Not be subjected to marketing as a condition of using our platform

19. CHANGES TO THIS PRIVACY POLICY

19.1 Right to Update

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data processing practices

  • New features or services

  • Legal or regulatory requirements

  • Feedback from users and privacy authorities

19.2 Notification of Changes

Material Changes:

  • We will notify you via email and platform dashboard at least 30 days before implementation

  • Material changes include significant modifications to:

    • Types of data collected

    • Purposes of processing

    • Data retention periods

    • Your privacy rights

Minor Changes:

  • Updates for clarity or typos may be made without advance notice

  • The "Last Updated" date will always reflect the most recent version

19.3 Your Choices

If you disagree with changes:

  • You may terminate your account before changes take effect

  • Continued use after the effective date constitutes acceptance

19.4 Review Current Version

  • The current version is always available at app.serplab.io/privacy

  • The "Last Updated" date shows when it was most recently modified

20. FREQUENTLY ASKED QUESTIONS

Can my competitors see my data?

No. Your data is never visible to other customers. While we use aggregated data from all customers to improve our algorithms, individual business data remains completely confidential.

Why do you keep my Google Search Console data forever?

Once integrated into our algorithms, GSC data cannot be extracted. This is disclosed upfront and is fundamental to how our platform delivers accurate SEO insights. The data is protected by strict security measures and is never shared.

What happens to my data if I cancel?

  • Personal information: Deleted within 90 days

  • Integrated GSC/platform data: Retained indefinitely in our algorithms (anonymized)

  • You should export any reports or data you need before cancellation

Can I opt out of data being used for algorithm improvement?

No, this is a core part of our service model. All customers benefit from insights derived from aggregated data. If you're uncomfortable with this model, SERP Lab may not be the right platform for you.

Do you sell my data?

Never. We do not sell, rent, or share your data with third parties. Data is used only for providing our service and improving our algorithms.

How is my historical GSC data valuable to you?

Aggregated historical data helps us identify long-term SEO trends, improve prediction accuracy, and understand seasonal patterns. This benefits all users through better analysis tools.

Can I get my data deleted from your algorithms?

No, due to technical impossibility. Once integrated, data cannot be extracted from our machine learning models and algorithms. This is clearly stated in our Terms of Service.

What data can I export?

You can view and export all data displayed in the platform while your account is active. After cancellation, export functionality is not available.

Do you use my data to train AI that helps competitors?

We use aggregated, anonymized data to improve our AI models. While all users benefit from improvements, your specific strategies and data remain confidential.

Why is this a B2B-only platform?

We're designed for business use and only process data from business representatives. We don't collect or process consumer/end-user data from your websites.

21. VERSION CONTROL AND CHANGELOG

Current Version: 1.0

Last Updated: [DATE]

Effective Date: [DATE]

Version History

Version 1.0 - [DATE]

  • Initial Privacy Policy for SERP Lab platform (app.serplab.io)

  • Comprehensive GDPR compliance

  • Clear data retention and usage policies

  • Integration with Terms of Service

Future Updates

When we update this Privacy Policy, we will:

  • Increment the version number

  • Update the "Last Updated" date

  • Document major changes here

  • Notify users of material changes as described in Section 19

Document Management

  • Location: This Privacy Policy is available at app.serplab.io/privacy

  • Format: Available in web format and downloadable PDF

  • Language: English (authoritative version)

22. EFFECTIVE DATE AND ACCEPTANCE

This Privacy Policy is effective as of [DATE] and replaces any previous privacy policies for the SERP Lab platform.

By using the SERP Lab platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

If you do not agree with this Privacy Policy, please do not use our platform.




Contact Information

For any questions about this Privacy Policy or our data practices, please contact:

SERP Lab ApS
 Attn: Data Protection
 Vestergade 19C, 1st floor
 8000 Aarhus C, Denmark
 Email: contact@serplab.io




© 2024 SERP Lab ApS. All rights reserved.