Privacy Policy

How we collect, use, and protect your personal information when you use EngineSEO.

Last updated: April 7, 2026Effective: April 7, 2026

1. Introduction

EngineSEO ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered SEO content generation platform for e-commerce stores.

By using our service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the service.

2. Information We Collect

Personal Information

  • Account Information: Email address, full name, and password (encrypted)
  • Workspace Data: Workspace name and team member information
  • Billing Information: Payment method details (processed securely through Stripe)
  • Usage Analytics: API calls, articles generated, keywords processed

Content Data

  • Keywords: Search terms you input for content generation
  • Generated Content: Articles created by our AI system
  • PAA Questions: "People Also Ask" questions retrieved from search engines
  • Project Data: Project names, descriptions, and organizational information

Third-Party Service Data

  • Shopify Integration: Store information and published content
  • API Credentials: Encrypted storage of your OpenAI, SerpAPI, and other service keys
  • Search Data: SERP data retrieved via SerpAPI for content generation

3. How We Use Your Information

  • Service Provision: Generate SEO-optimized content using AI and deliver it to your e-commerce store
  • Account Management: Maintain your account, process payments, and provide customer support
  • Content Generation: Use your keywords and preferences to create relevant articles
  • Integration Services: Connect with Shopify, OpenAI, and SerpAPI to provide our services
  • Analytics: Track usage patterns to improve our platform and provide usage insights
  • Security: Monitor for fraudulent activity and protect against unauthorized access
  • Communications: Send service-related notifications, billing reminders, and important updates about your account

4. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All sensitive data is encrypted using AES-256-GCM encryption
  • Database Security: PostgreSQL with Row-Level Security (RLS) for multi-tenant isolation
  • API Protection: Rate limiting, CORS policies, and Helmet.js security headers
  • Authentication: JWT tokens with bcrypt password hashing
  • Access Control: Role-based permissions with workspace isolation
  • Secure Storage: API credentials encrypted before database storage
  • Transport Security: All data in transit is protected via TLS/SSL encryption

5. Third-Party Services

We share data with the following sub-processors as necessary to provide our services. Each sub-processor is contractually obligated to protect your data:

Amazon Web Services (AWS)

Infrastructure hosting. Your data is stored and processed on AWS servers located in US regions, secured with industry-standard encryption and access controls.

Stripe

Payment processing (PCI DSS Level 1 certified). Your payment information is handled securely by Stripe and never stored on our servers.

OpenAI

AI content generation. We send your keywords and approved questions to OpenAI's API to generate content. Data is processed per OpenAI's data usage policy.

SerpAPI

Search engine data retrieval. We use SerpAPI to retrieve "People Also Ask" questions from search engines for content generation.

Shopify

E-commerce platform integration. We integrate with your Shopify store to publish generated content via OAuth 2.0 authenticated connections.

Google Ads

Keyword research and advertising data. We use the Google Ads API to provide keyword research capabilities and search volume data.

Google Search Console

Search performance analytics. With your explicit authorization via OAuth 2.0, we access your Google Search Console data to display content performance metrics within your EngineSEO dashboard. See Section 6 below for full details.

6. Google API Services & User Data

EngineSEO's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Google Search Console Data

When you connect your Google Search Console account, we request read-only access (webmasters.readonly) to your verified properties. This access is granted through Google's OAuth 2.0 authorization flow and can be revoked at any time.

Data we access:

  • Search performance metrics: clicks, impressions, click-through rates, and average search position
  • Search queries that lead users to your pages
  • Page-level performance data for your verified properties
  • List of verified properties in your Search Console account (for property selection only)

How We Use Google Data

  • Display content performance analytics within your EngineSEO dashboard
  • Identify content decay (articles losing search rankings over time)
  • Match search performance data to articles you created with EngineSEO
  • Generate trend charts and performance reports visible only to you

How We Store Google Data

  • OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM encryption
  • Search performance data is stored in our PostgreSQL database, scoped to your workspace
  • Data is retained to provide historical performance tracking beyond Google's 16-month retention window
  • All data is isolated per workspace using Row-Level Security (RLS)

How We Share Google Data

We do not share, sell, or transfer your Google Search Console data to any third parties. Your search performance data is accessible only to members of your EngineSEO workspace. We do not use Google user data for advertising, profiling, or any purpose other than displaying analytics within your dashboard.

Revoking Access

You can disconnect your Google Search Console at any time from your EngineSEO Analytics settings page. When you disconnect, we revoke the OAuth token with Google and stop syncing new data. Previously synced performance data is retained in your dashboard unless you request deletion by contacting our support team.

You can also revoke EngineSEO's access directly from your Google Account permissions page.

Google Ads Data

When you use keyword research features powered by Google Ads, we access keyword search volume and competition data through the Google Ads API. This data is used solely for keyword research within your projects and is not shared with third parties.

7. Cookies & Tracking Technologies

We use only essential cookies required for the operation of our service:

  • Authentication Session: A JWT authentication token stored as an HTTP-only cookie to maintain your session
  • User Preferences: Theme preference (light/dark mode)
  • Workspace Selection: Your active workspace context

What we do NOT do:

  • We do not use third-party tracking cookies or advertising trackers
  • We do not share cookie data with any third parties
  • We do not use cookies for behavioral advertising or cross-site tracking

You can control cookie settings through your browser preferences. However, disabling essential cookies may prevent you from using certain features of our service.

Do Not Track Signals: Our service does not respond to "Do Not Track" browser signals, as there is no industry standard for this. However, we do not engage in cross-site tracking.

8. Data Retention

We retain your data for as long as necessary to provide our services:

  • Account Data: Retained while your account is active
  • Generated Content: Stored indefinitely for your reference and platform functionality
  • Usage Analytics: Aggregated data may be retained for service improvement
  • Billing Records: Retained as required by law and for financial record-keeping

You can request data deletion at any time by contacting us. Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law.

9. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your personal data
  • Portability: Export your data in a machine-readable format
  • Objection: Object to processing of your data for certain purposes
  • Withdrawal: Withdraw consent for data processing

To exercise any of these rights, please contact us at privacy@engineseo.io or through your account settings. We will respond to your request within 30 days.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You have the right to know what personal information we collect, how it is used, and whether it is disclosed or sold
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out: You have the right to opt-out of the sale of your personal information. We do not sell your personal information to third parties
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@engineseo.io or through your account settings. We will verify your identity before processing your request and respond within 45 days as required by the CCPA.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including:

  • Standard contractual clauses
  • Adequacy decisions by relevant authorities
  • Other appropriate transfer mechanisms

Our primary data processing occurs in the United States via AWS infrastructure. By using our service, you acknowledge that your data may be transferred to and processed in the United States.

12. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@engineseo.io. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

13. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach.

Notification will include:

  • A description of the nature of the breach
  • The types of personal data affected
  • The steps we are taking to address and remediate the breach
  • Recommended actions for affected users to protect themselves

We will also notify relevant supervisory authorities as required by applicable law, including the relevant state attorney general and any applicable data protection authorities.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will send an email notification to the address associated with your account. You are advised to review this Privacy Policy periodically for any changes. Continued use of the service after changes are posted constitutes your acceptance of the revised policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Support: Contact Form

Website: https://engineseo.io

Response Time: We will respond to your inquiry within 30 days