Privacy Policy

01Fundamental principles

The SEO Master PRO MAX application is built local-first. This principle directly shapes the privacy policy:

• Application data lives on your computer — audits, reports, settings, API keys, AI prompts are in the local SQLite database in Program Files. The Operator has no technical access to this data.
• Separate admin account — for Pro/Studio purchase, you create an account at admin.seo-master.ro with a minimal data set (email, encrypted password, invoices, license keys). Only this data passes through our servers.
• Anonymous public site — on seo-master.ro we collect only aggregated, consent-based usage statistics, with no individual identification.
• We don't sell your data. We don't use it for third-party advertising. We don't share it with data brokers.

02Data collected

2.1 Data on your computer (desktop Application)

The Operator does not collect this data — it is stored exclusively locally on your computer:

• Sites you audit (URL, audit settings, results)
• Audit content and reports (generated PDF/Excel/Word/CSV)
• Your API keys for external services (Google Search Console, Bing Webmaster, OpenAI, Anthropic, Google Gemini, etc.) — encrypted with Electron's safeStorage on your own OS
• Custom AI prompts
• UI settings (theme, language, module preferences)
• Local audit history and version comparisons

2.2 Data at admin account creation (Administration panel)

This data is stored on our EU-based servers, required for the account to function:

• Email — for technical communications (invoices, license notifications, announcements)
• Password — stored with bcrypt encryption (we never read it in plaintext)
• Optional profile — name, company name, phone, VAT ID (for invoicing)
• Contact messages — if you write to contact@seo-master.ro or use the contact form

2.3 Data at purchase and invoicing

• Invoice data — name, address, VAT ID/registration (if legal entity), country
• Payment history — amount, date, plan, status (invoice data for tax records — mandatory 5 years by law)
• Note: card data is NOT stored by us — it is processed by Stripe (see Sub-processors).

2.4 Data collected automatically on the site (seo-master.ro)

• IP address and browser type (temporary server logs, max 30 days)
• Pages visited and duration — only if you accept analytics cookies (see Cookie Policy)
• Technical cookies — session, CSRF protection, consent preferences

03Processing purposes

We use collected data strictly for:

1. Providing the Application and Service — issuing license keys, periodic validation, technical support, mandatory account communications
2. Invoicing and tax obligations — issuing invoices, accounting reports, archiving per Romanian law (5 years)
3. Technical assistance — answering requests sent to contact@seo-master.ro or via the contact form
4. Site improvement — aggregated, anonymous traffic analysis, optional (with analytics cookie consent) for content optimization
5. Security — fraud prevention (payments), protection against automated attacks (rate limiting, CSRF)
6. Legal compliance — answering justified requests from authorities

Explicit guarantee: We don't sell your data. We don't use it for third-party retargeting advertising. We don't train AI models with your User Content.

04Legal basis

Per GDPR Art. 6, we process data based on the following grounds:

• Contract performance (Art. 6.1.b) — Email, password, invoice data, license keys — needed for admin account function and license issuance.
• Consent (Art. 6.1.a) — Analytics cookies, optional marketing communications (newsletter), non-technical communications.
• Legitimate interest (Art. 6.1.f) — Security (fraud detection, rate limiting), abuse prevention, server protection.
• Legal obligation (Art. 6.1.c) — Invoice data (5-year tax archive), responses to competent authorities.

05Storage and security

5.1 Storage location

• Desktop Application data — exclusively on your computer, in the install folder. Never replicated on our servers.
• Admin account + invoicing data — secure servers in the European Union (hosting provider to be communicated in the final page version).
• Public site data — hosting server in the European Union.

5.2 Security measures

• Transmission: HTTPS on all domains (HSTS preload, TLS 1.3)
• Passwords: bcrypt with random salt (cost factor 12+)
• User API keys (in Application): encrypted with Electron safeStorage on your OS (uses native Keychain/Credential Manager/libsecret)
• Administrative access: minimum necessary, auditable logs, 2FA authentication for technical staff
• Server backups: daily, encrypted, 30-day retention, in the same EU geographic zone
• Periodic pentest: at least annual, in preparation for public launch (aggregated results will be published)

5.3 Retention duration

• Desktop Application data: as long as you keep it on your computer (the Operator never copies it)
• Active admin account: for the subscription duration + 90 days after closure (for reactivation)
• Invoice data: 5 years from issue (mandatory by Romanian tax law)
• Server logs (IP, browser): maximum 30 days
• Contact messages: 24 months from resolution
• Analytics cookies: see Cookie Policy — specific durations per cookie

5.4 Deletion on request

At your justified request (see Rights), we delete your data within max 30 calendar days, except for data that must be kept due to legal obligation (invoices — 5 years).

06Your rights (GDPR)

Per GDPR (EU 2016/679), you have the following rights:

• Access — copy of all data we hold about you. Email gdpr@seo-master.ro with the subject "Data access request".
• Rectification — correction of incorrect/incomplete data. Directly in the administration panel → Profile, or via email.
• Erasure ("right to be forgotten") — delete account and associated data. Administration panel → Settings → Delete account, or email.
• Portability — structured data export (JSON/CSV). Email gdpr@seo-master.ro.
• Objection — object to processing based on legitimate interest or consent.
• Restriction — temporarily limit processing.
• Withdraw consent — for cookies, newsletter, optional communications.
• Authority complaint — file a complaint with ANSPDCP (see GDPR contact section).

Response time: maximum 30 calendar days from receipt of the request. In complex cases, we may extend by an additional 60 days with prior notice.

Identity verification: for sensitive requests (account deletion, full export), we may ask for identity verification via the email used at purchase.

07Data transfers and sub-processors

7.1 Sub-processors

For the Site and administration panel to function, we use a minimal set of third-party services:

• Stripe — payment processing for subscriptions. Card data (NOT stored by us). Location: EU + US (with Standard Contractual Clauses).
• Hosting provider (TBC) — admin + site servers. Data: account email, encrypted password, invoices. Location: EU.
• Transactional email provider (TBC) — email sending (invoices, notifications). Data: recipient email, content. Location: EU.
• Plausible / GA4 (with consent) — site traffic analysis. Data: anonymized IP, pages visited. Location: EU (Plausible) or EU+US (GA4).

Note: the exact sub-processor list will be finalized at public launch, based on the Operator's decision among evaluated options.

7.2 No proprietary cloud for the Application

For the desktop Application we use no proprietary storage cloud. Your data (audits, reports) is NOT sent to us. The sub-processors listed above process data only for the admin account and site, NOT for the Application.

7.3 Optional calls to public APIs (from the Application)

The Application may make calls to public APIs that you configure with your own keys (NOT through our servers):

• Google Search Console (with OAuth authentication of your Google account)
• Bing Webmaster (with your Bing API key)
• PageSpeed Insights (with your Google API key)
• OpenAI / Anthropic / Google Gemini / Mistral / DeepSeek (with your API keys at the respective providers)

The Operator does not intermediate these calls and does not see their content. The respective provider's privacy policy applies to the data sent.

7.4 Transfers outside the EU

No transfer of admin account data outside the EU without GDPR safeguards (Standard Contractual Clauses with Stripe, adequacy decisions with US-based email/analytics providers if applicable).

08Cookies

The site uses technical cookies (essential, no consent needed) and optionally analytics cookies (with explicit consent via banner).

Full details: see the Cookie Policy.

Cookie banner: on first visit you'll get a banner with options "Accept all", "Essential only", "Customize". You can change your preferences at any time via the "Cookie settings" link in the footer.

09Policy changes

We may update this Policy as the application or the legal framework evolves. Significant changes are announced via email to users with active admin accounts and via prominent display on the Site at least 30 days before they take effect.

Current version is displayed in the page header. Previous versions are archived and available on request at gdpr@seo-master.ro.

10GDPR contact

To exercise rights or for GDPR questions

Dedicated email: gdpr@seo-master.ro

General email: contact@seo-master.ro

Form: seo-master.ro/en/contact

Complaint to the supervisory authority

If you consider that the processing of your data violates GDPR, you have the right to file a complaint with:

Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

• Site: www.dataprotection.ro
• Email: anspdcp@dataprotection.ro
• Address: B-dul G-ral Gheorghe Magheru 28-30, sector 1, Bucharest

We recommend resolving directly with us first — we respond fast and honestly.

Related documents: Terms and Conditions · Cookie Policy · GDPR page — your rights.