SEAES

Legal

Privacy Policy

Last updated: February 23, 2026

SEAES ("we," "us," "our") is an AI-powered SEO and GEO (Generative Engine Optimization) automation platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services at seaes.in and seaes-seo-platform.vercel.app.

Contents

  1. 1. Data We Collect
  2. 2. How We Use Your Data
  3. 3. AI Processing & Third-Party Providers
  4. 4. Automated Content Modification
  5. 5. GEO Monitoring Data
  6. 6. Data Storage & Encryption
  7. 7. Data Retention
  8. 8. Your Rights (GDPR / CCPA / DPDP Act)
  9. 9. Third-Party Services
  10. 10. International Data Transfers
  11. 11. Children's Privacy
  12. 12. Cookie Policy
  13. 13. Data Breach Notification
  14. 14. Indian Data Protection Compliance
  15. 15. Grievance Redressal
  16. 16. Data Anonymization & Benchmarks
  17. 17. Changes to This Policy
  18. 18. Contact Us

1. Data We Collect

We collect the following categories of information:

CategoryExamplesPurpose
Account InformationName, email, password (hashed), Google OAuth tokensAuthentication & account management
Client Business DataBusiness name, website URL, industry, target keywords, competitorsSEO audit & optimization
API CredentialsCMS API keys, Google Search Console/Analytics OAuth tokensAutomated SEO changes & data retrieval
Website AnalyticsKeyword rankings, traffic data, page performance scoresSEO tracking & reporting
AI Interaction DataPrompts sent to AI models, generated recommendations, audit resultsSEO/GEO analysis & optimization
GEO Monitoring DataAI platform queries, brand mention results, citation URLs, sentiment scoresGenerative Engine Optimization tracking
Usage DataIP address, browser type, pages visited, session durationAnalytics & service improvement

2. How We Use Your Data

We use your information for:

  • Performing automated SEO audits (technical, on-page, content, performance)
  • Tracking keyword rankings daily via Google Search Console API
  • Monitoring brand visibility across AI platforms (GEO)
  • Generating AI-powered optimization recommendations
  • Automatically modifying website content (meta tags, schema markup, headings) when explicitly authorized
  • Sending email alerts for ranking drops, audit score changes, and GEO visibility shifts
  • Generating monthly performance reports
  • Competitor analysis and benchmarking
  • Improving our AI models and service quality (anonymized aggregate data only)

Important: We never sell your personal data to third parties. Your website data, keywords, and business information are used solely for providing our SEO/GEO services.

3. AI Processing & Third-Party AI Providers

Our platform uses multiple AI services. Understanding how your data is handled by each provider is critical:

Groq (Llama 3.3 70B) — Primary AI Engine

  • Used for: SEO recommendations, content analysis, sentiment analysis
  • Data retention: Transient processing only — no long-term storage of inputs/outputs
  • Training: Your data is NOT used for model training

OpenRouter (Multi-Model Gateway) — GEO Monitoring

  • Used for: Querying AI platforms (Perplexity, Gemini, Claude) to detect brand mentions
  • Models accessed: Perplexity Sonar, Gemini 2.0 Flash, Claude Haiku, GPT-4o-mini
  • Data handling: Subject to each underlying model provider's data policies
  • Paid API tier used — your data is NOT used for training by any provider

Key AI Data Protection Guarantees

  • Per Anthropic Commercial Terms: "Anthropic may not train models on Customer Content from Services"
  • Per OpenAI API Terms: API data is NOT used for model training by default (since March 2023)
  • Per Google Gemini Paid Terms: Paid tier prompts/responses are NOT used for product improvement
  • All AI providers retain data for abuse monitoring for up to 30-55 days, then delete

4. Automated Content Modification

When you grant content modification permission during client onboarding:

  • Our AI system may automatically update meta tags (titles, descriptions), heading structures (H1-H6), and structured data markup (JSON-LD schema) on your website
  • All modifications are logged with before/after snapshots in your dashboard
  • You can revoke content modification permission at any time from Settings
  • We maintain a complete audit trail of every automated change
  • Your CMS API credentials are stored using AES-256-GCM encryption and are never exposed in logs or transmitted in plain text after initial submission

Per Anthropic's Acceptable Use Policy: All AI-generated content modifications are classified as a "high-risk use case." We implement mandatory human-in-the-loop review for all critical changes and maintain complete audit logs as required.

5. GEO Monitoring Data

For Generative Engine Optimization (GEO) tracking:

  • We query AI platforms (ChatGPT, Gemini, Perplexity, Claude, AI Overviews) with industry-relevant prompts to detect brand mentions and citations
  • Query data, AI responses, and analysis results are stored for trend tracking
  • AI crawler bot visits to your website are logged (GPTBot, ClaudeBot, PerplexityBot, GoogleOther, etc.)
  • This data is used solely for visibility scoring and competitive analysis

6. Data Storage & Encryption

  • All data is stored on PostgreSQL (Supabase) with encryption at rest
  • API credentials (CMS keys, OAuth tokens) are encrypted using AES-256-GCM with keys derived from a secure server-side secret
  • User passwords are hashed using bcrypt — we never store plaintext passwords
  • Application hosted on Vercel with automatic TLS/SSL, SOC 2 compliant infrastructure
  • All data in transit is encrypted via TLS 1.3
  • Database access is restricted to server-side API routes only — no direct client access

7. Data Retention

Data TypeRetention Period
Account dataDuration of account + 30 days after deletion
SEO audit resultsDuration of service agreement
Ranking historyDuration of service agreement
GEO monitoring data12 months rolling
Change logs (audit trail)Duration of service + 90 days
CMS API credentialsUntil revoked or account terminated
AI interaction logs90 days (for quality improvement)
Email communications12 months

Upon account termination, all client data (including encrypted credentials) is permanently deleted within 30 days. Data export is available during the 30-day grace period.

8. Your Rights (GDPR / CCPA / DPDP Act)

Regardless of your location, you have the following rights under GDPR (EU), CCPA (California), and the Digital Personal Data Protection Act, 2023 (India):

Right to Access

Request a summary of all personal data we hold about you and the processing activities undertaken (DPDP Act Section 11)

Right to Correction

Correct inaccurate, misleading, or incomplete data (DPDP Act Section 12)

Right to Erasure

Request permanent deletion of your data when no longer necessary for the stated purpose

Right to Data Portability

Export your data in standard formats (JSON/CSV)

Right to Withdraw Consent

Revoke any consent at any time with ease comparable to granting it (DPDP Act Section 6(4))

Right to Grievance Redressal

File a complaint with our Grievance Officer or the Data Protection Board of India (DPDP Act Section 13)

Right to Nominate

Nominate an individual to exercise your data rights in case of death or incapacity (DPDP Act Section 14)

Right Against Automated Decisions

Request human review of AI-driven decisions that significantly affect you (GDPR Article 22)

To exercise any of these rights, email privacy@seaes.in or use your dashboard under Settings > Data & Privacy. We will respond within 30 days.

Limitation: Data already processed by third-party AI models (Groq, OpenAI, Anthropic, Google) during the service period cannot be retroactively removed from those providers' abuse-monitoring logs (retained up to 30-55 days for safety). Billing records are retained for 8 years as required under the Income Tax Act and GST Act.

9. Third-Party Services

We share data with the following categories of service providers:

ProviderPurposeData Shared
VercelApplication hostingAll application data
Supabase (PostgreSQL)Database hostingAll stored data
GroqAI recommendationsSEO data, website content excerpts
OpenRouterGEO multi-model AI queriesBrand queries, keyword data
Google APIsSearch Console, AnalyticsSite URL, OAuth tokens
SMTP (mail.seaes.in)Email deliveryEmail addresses, report content

10. International Data Transfers

Your data may be transferred to and processed in countries outside India, including the United States, for the following services:

ProviderLocationData Transferred
Vercel Inc.United StatesApplication hosting — all platform data
Supabase (AWS)United StatesDatabase — all stored data
Groq Inc.United StatesAI processing — website content only (NOT credentials)
OpenRouterUnited StatesGEO queries — brand queries, keyword data only
Google LLCUnited StatesOAuth, Search Console, Analytics data

We ensure adequate protection through:

  • Compliance with DPDP Act Section 16 — we do not transfer data to countries on the Central Government's restricted list
  • EU Standard Contractual Clauses (SCCs) where required for GDPR compliance
  • Data Processing Agreements (DPAs) with all sub-processors requiring equivalent data protection standards
  • Vercel and Supabase provide SOC 2 compliant infrastructure
  • Website credentials and API tokens are NEVER transferred to AI providers — only website content and metadata are shared for analysis

11. Children's Privacy

SEAES is not directed to children under the age of 18. We do not knowingly collect personal information from minors. If you believe a child has provided us with personal data, contact us immediately at privacy@seaes.in and we will delete it.

12. Cookie Policy

We use the following cookies:

  • Essential cookies: Authentication session tokens (NextAuth.js) — required for the service to function
  • Analytics cookies: Anonymous usage analytics to improve our service
  • We do not use advertising or tracking cookies
  • You can manage cookies through your browser settings

13. Data Breach Notification

In the event of a data breach that affects your personal data:

  • CERT-In (India): We report all cyber security incidents to CERT-In within 6 hours of detection as mandated by the CERT-In Cyber Security Directions, 2022
  • Data Protection Board: We notify the Data Protection Board of India as required under the DPDP Act, 2023
  • GDPR (EU): We notify affected users and supervisory authorities within 72 hours of discovering the breach (per GDPR Article 33)
  • Notification will include: nature of the breach, data affected, remediation steps taken, and recommended actions
  • For credential compromises: stored credentials are immediately invalidated, affected users notified within 1 hour via email and dashboard
  • A detailed incident report will be provided within 15 days

14. Indian Data Protection Compliance

SEAES is operated from India and complies with Indian data protection laws:

DPDP Act, 2023 — Data Fiduciary Obligations

  • SEAES is a Data Fiduciary under Section 2(i) for all personal data processed through the platform
  • We process personal data only for specific, lawful purposes disclosed at the time of collection (Section 4)
  • Consent is obtained through clear affirmative action — no pre-ticked boxes, no bundled consent, no consent walls for non-essential features (Section 6)
  • We ensure completeness, accuracy, and consistency of personal data as required by Section 8
  • Personal data is erased when the purpose is fulfilled or consent is withdrawn, unless retention is required by law (Section 8(7))

IT Act, 2000 — Sensitive Personal Data (SPDI)

  • Under the IT (SPDI) Rules, 2011, passwords, API tokens, and financial data stored by SEAES are classified as Sensitive Personal Data or Information
  • SPDI is handled with enhanced security: AES-256-GCM encryption at rest, TLS 1.3 in transit, access logging, and role-based access controls
  • We maintain a documented Information Security Policy aligned with IS/ISO/IEC 27001 as prescribed under Rule 8
  • Disclosure of SPDI to third parties requires prior consent (Rule 6) — AI providers receive website content only, never credentials
  • Security practices are audited annually by an independent assessor as required under Rule 8

CERT-In Directions, 2022 — Compliance

  • All system, access, and modification logs maintained for 180 days rolling within Indian jurisdiction
  • Cyber incidents reported to CERT-In within 6 hours of detection
  • Account verification information retained for 5 years after account closure as per KYC requirements

DPDP Act Penalties: Non-compliance with the DPDP Act can result in penalties up to ₹250 crore for security failures and ₹200 crore for breach notification failures. SEAES takes compliance seriously and maintains comprehensive safeguards.

15. Grievance Redressal

In compliance with the IT (Intermediary Guidelines) Rules, 2021, DPDP Act, 2023, and Consumer Protection Act, 2019:

Grievance Officer: SEAES Privacy & Compliance Team

Email: grievance@seaes.in

Address: SEAES SEO Platform, India

Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST

  • Complaints are acknowledged within 24 hours and resolved within 15 days (IT Intermediary Rules)
  • Data protection grievances are addressed within 30 days (DPDP Act)
  • You may escalate unresolved complaints to the Data Protection Board of India (once constituted) or the appropriate Consumer Disputes Redressal Commission

16. Data Anonymization & Benchmarks

  • We may use anonymized and aggregated data (stripped of all personally identifiable information) for platform-wide benchmarks, industry reports, and service improvement
  • Benchmark data is only generated when the dataset includes 25 or more companies per industry segment, ensuring no individual business can be identified
  • Anonymized data is not considered personal data under the DPDP Act, GDPR, or CCPA and may be retained indefinitely
  • We never sell individual business data, keyword rankings, website content, or competitive intelligence to third parties
  • Enterprise clients may request a Data Processing Agreement (DPA) for additional contractual protection — contact legal@seaes.in

17. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email and/or a prominent notice on our platform at least 30 days before changes take effect. For changes that materially expand data collection or reduce your rights, we will require affirmative re-consent as per the DPDP Act, 2023. Continued use of the service after changes constitutes acceptance.

18. Contact Us

For privacy inquiries, data requests, or concerns:

Privacy inquiries: privacy@seaes.in

Data Protection Officer: dpo@seaes.in

Grievance Officer: grievance@seaes.in

General support: support@seaes.in

Address: SEAES SEO Platform, India

Response Time: Within 30 days of receipt (24 hours for grievance acknowledgment)

Terms of Service →Security →