How Semalytic protects your data

1. Controller

This Privacy Policy applies to Semalytic, a semantic SEO analysis service operated from Poland. For the purposes of Regulation (EU) 2016/679, known as the GDPR, Semalytic is the controller of personal data processed in connection with user accounts, billing, support, product communications, and website use.

You can contact Semalytic about privacy matters at legal@semalytic.com.

2. Data We Collect

Depending on how you use Semalytic, we may process:

• Account data, such as name, email address, password hash, and login events.
• Authentication data from third-party sign-in providers, such as Google account identifiers and OAuth tokens when you connect an integration.
• Google Search Console data that you authorize us to access, including properties, pages, queries, clicks, impressions, positions, and related performance metrics.
• Usage data, such as analysis runs, selected properties, feature activity, device information, IP address, browser type, and approximate location derived from logs.
• Communications data, including support requests, administrative emails, and product feedback.
• Billing and transaction data if paid plans are offered, including invoices, payment status, plan information, and tax details. Card details are processed by payment providers and are not stored by Semalytic unless expressly stated.

3. Why We Process Data

We process personal data for these purposes and legal bases:

• To create and manage accounts, authenticate users, and provide the service: performance of a contract.
• To connect integrations, retrieve authorized Search Console data, run SEO analyses, and generate reports: performance of a contract.
• To secure the service, prevent abuse, troubleshoot errors, and maintain logs: legitimate interests.
• To send operational messages, verification emails, password reset emails, and account notices: performance of a contract and legitimate interests.
• To comply with accounting, tax, consumer, and legal obligations under Polish and EU law: legal obligation.
• To send optional marketing or newsletter messages where required: consent, which you may withdraw at any time.

4. Cookies and Similar Technology

Semalytic may use cookies, local storage, and similar technologies to keep you signed in, remember preferences, protect sessions, measure performance, and understand how the service is used. Essential cookies are required for the service to work. Analytics or marketing cookies are used only where a lawful basis exists, including consent when required by applicable law.

5. Sharing Data

We do not sell personal data. We may share personal data with service providers that help us host, secure, operate, analyze, communicate, and improve Semalytic. These providers may include cloud hosting, database, email, analytics, authentication, storage, and payment providers.

We may also disclose data if required by law, to protect rights and safety, to enforce our terms, or in connection with a merger, acquisition, financing, restructuring, or sale of the service.

6. International Transfers

Some providers may process data outside Poland or the European Economic Area. Where this happens, Semalytic uses appropriate safeguards required by the GDPR, such as an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism.

7. Retention

We keep personal data only for as long as needed for the purposes described in this policy, including to provide the service, meet legal obligations, resolve disputes, maintain security, and enforce agreements. Account data is generally kept while your account is active. Logs, backups, analytics records, support records, tax records, and legal records may be kept for different periods as required or permitted by law.

8. Your Rights

Under the GDPR, you may have the right to access, rectify, erase, restrict, or object to processing of your personal data. You may also have the right to data portability, to withdraw consent where processing is based on consent, and to lodge a complaint with a supervisory authority.

In Poland, the supervisory authority is the President of the Personal Data Protection Office, known as UODO. You may contact UODO if you believe your data protection rights have been violated.

9. Security

We use technical and organizational measures designed to protect personal data, including access controls, encryption in transit, authentication controls, provider security features, and operational monitoring. No system is completely secure, so you are responsible for keeping your login credentials confidential and notifying us if you suspect unauthorized access.

10. Children

Semalytic is intended for business and professional users. It is not directed to children, and we do not knowingly collect personal data from children.

11. Changes

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify users through the service, by email, or by another appropriate method.