Content being expanded: official DPIA template + pen test reports + signing chain certificates publish at public v1.0 release. Current page provides the complete framework for pre-implementation GDPR evaluation.
Data categories processed by the app
The SEO Master PRO MAX desktop app processes 4 data categories, all STORED LOCALLY on the user’s device:
- 1. Data about audited sites: URLs, scraped content, schema markup, internal linking structure, canonical URLs, sitemap. For clients with compliance obligations, these URLs can be sensitive (e.g.,
/private-procedures/patient-list.html) even if the page is publicly accessible. - 2. Data from integrations (GSC, Bing, PSI): queries, clicks, impressions, CTR, average position, Core Web Vitals from CrUX. Site-level data — NOT individual personal data about visitors.
- 3. AI providers API keys: your Anthropic / OpenAI / Google / Perplexity / DeepSeek keys. Stored encrypted AES-256 with master password set at setup.
- 4. App configuration: language, database location, notifications settings, theme. Non-personal data.
Data about the app user: zero. There is no user account, no personal information is transmitted to our servers. The app runs strictly as a local tool on the device.
Where the data lives
All 4 categories are stored IN the local SQLite database. Locations per OS:
- Windows:
%APPDATA%\SEO Master PRO MAX\database.db - macOS:
~/Library/Application Support/SEO Master PRO MAX/database.db - Linux:
~/.config/SEO Master PRO MAX/database.db
NOTHING leaves toward our servers. Confirm with wireshark / fiddler / network monitor: in normal app operation (audit, GSC sync, AI calls), all outbound traffic goes to: a) Google APIs (GSC, PSI), b) Bing APIs, c) Anthropic / OpenAI / Google / Perplexity / DeepSeek (AI calls direct with your key), d) GitHub Releases for update notification check (daily, returns only available version, doesn’t transmit local data).
Encryption and security
- AI providers API keys: AES-256-GCM with master password set at setup (PBKDF2 100,000 iterations for key derivation). Master password is NOT saved — required at first session run.
- Rest of database (audits, configurations, history): NOT encrypted by default. If you want full disk encryption, use OS-level encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux).
- Network communications: ALL outbound exclusively HTTPS (TLS 1.2+). Strict certificate verification, no certificate pinning bypass.
- Update mechanism: digitally signed installer (Authenticode on Windows, notarized on macOS, signed with GPG key on Linux). Automatic signature verification before update install.
Network traffic generated
For the DPO who wants to list data flows in the GDPR record:
- At app start: 1 HTTPS request to
api.github.com/repos/seo-master/releases/latestfor update version check. Response: JSON with current available version. NO info about device, current version, or other data is transmitted. - At crawl audit: HTTPS requests to the audited site (discovered URLs). Per robots.txt + max 10 req/sec rate limit. NO info transmitted to us.
- At GSC / Bing / PSI sync: HTTPS requests to Google and Microsoft APIs with user OAuth tokens. Returned data stored locally. NOT transmitted to us.
- At AI calls: HTTPS requests directly to Anthropic / OpenAI / Google / Perplexity / DeepSeek with your API key. Transmitted content = your prompt + selected context. NOT transmitted to us. The privacy policy of each AI provider applies separately — see Anthropic, OpenAI, etc. terms.
- Crash reporting (opt-in, OFF by default): if you enable from Settings, in case of crash an anonymous report (stack trace + basic device info: OS, version, RAM) is transmitted to a Sentry instance hosted in EU. Doesn’t include data from audits or queries. Can be disabled anytime.
How to apply GDPR for the app
For consultants with clients with compliance obligations, or for organizations that include the app in their GDPR record:
- Inclusion in Article 30 records: the app = internal tool, NOT sub-processor (your client’s data doesn’t leave to us). Your record must list: purpose of processing (“SEO audit for clients”), data categories (“URLs site, public content, SEO queries”), recipients (“nobody — local data”), retention (“how long you keep
.dbfiles”), security measures (“API keys encryption, optional OS-level disk encryption”). - DPIA (Data Protection Impact Assessment): for medical / legal / financial clients, DPIA may be necessary. Our app significantly reduces the DPIA scope because it does NOT export data to third-party cloud. Pre-completed DPIA template publishes at v1.0.
- Right to erasure: if the client requests complete deletion of their data from your portfolio, you delete their audits from the app (Settings → Sites → Delete with all data) or delete the entire
.dbfile. Immediately, no retention duration.
Penetration testing and security audits
The app goes through external pen test annually before each major release. Results published publicly. Categories tested:
- Local data security (encryption at rest for API keys)
- Network communications (TLS, certificate pinning, MITM resistance)
- Update mechanism (supply chain attack resistance)
- SQL injection in queries to local DB
- Privilege escalation on OS
- Memory safety (strict Electron sandboxing)
Complete pen test reports published at seo-master.ro/security/audits/ starting with v1.0.
Specific DPO questions
For concrete questions on the specifics of your organization (sector, jurisdiction, sensitive data type), write to contact@seo-master.ro with subject “DPO questions”. We respond in 1-2 business days with technical details + DPA template ready for signing (although technically we are not sub-processor for your clients’ data).
For complete context regarding GDPR and cloud SEO tools (why local-first eliminates risk categories), see our pillar article on this subject.