Privacy Policy

Last updated: April 12, 2026

SeoSonar ("we", "our", "us") operates www.seosonar.me and app.seosonar.me (together, the "Service"). This policy explains what we collect, how we use it, and the specific protections we provide for Google user data accessed through the Google Search Console API.

1. What we collect

Account basics: your Google account email address, name, profile picture, and Google user ID — provided by Google when you sign in.
Google Search Console data: when you grant access, we read the list of verified Search Console properties on your account and the 90 days of search analytics for the one property you select (queries, pages, clicks, impressions, CTR, position).
Payment metadata: Stripe collects and processes your payment. We store only a reference to the Stripe session and whether it's paid — never your card number or full billing details.
Product usage: basic logs (IP, user agent, timestamps) to operate and secure the Service.

2. Google user data — scope and use

SeoSonar requests the following Google OAuth scopes:

openid, email, profile — to sign you in and display your account.
https://www.googleapis.com/auth/webmasters.readonly — read-only access to your Google Search Console data. We use this exclusively to:
- List the Search Console properties on your account so you can pick which one to scan.
- Fetch 90 days of search analytics for the property you selected and generate your one-time SEO research report.

We do not use Google user data for advertising, do not sell it, do not share it with third parties for their own purposes, do not use it to train generalized AI/ML models, and do not access Google accounts other than the one you signed in with. We cannot modify anything in your Search Console account — the scope is read-only by design.

2a. Google API Services User Data Policy & Limited Use

SeoSonar's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

3. How the data is processed

Tokens and raw GSC data are stored in our application database on a managed Postgres instance, encrypted at rest.
Access to the production database is restricted to the founders for operational purposes (debugging, generating reports).
We retain raw GSC data only as long as needed to deliver and support your report (typically under 30 days). Aggregated, non-identifying benchmarks may be retained longer.
Reports are delivered to the email address on your Google account.

4. Sub-processors

We rely on the following services, each with their own privacy commitments:

Google LLC — authentication and Search Console API.
Stripe, Inc. — payment processing.
Postmark (ActiveCampaign) — transactional email delivery.
Amazon Web Services — hosting and storage.
Sentry & PostHog — error monitoring and product analytics (no GSC data is sent to either).

5. Your rights and controls

Revoke Google access at any time at myaccount.google.com/permissions. Revocation stops all future access immediately.
Request deletion of your account and all associated data by emailing hello@seosonar.me. We will comply within 30 days.
Request a copy of the data we hold about you by emailing the same address.

6. Security

We use HTTPS for all traffic, encrypt tokens and databases at rest, and follow standard operational security practices. No internet service is perfectly secure — if we learn of a breach that affects you, we will notify you by email promptly.

7. Children

The Service is not directed to children under 13 and we do not knowingly collect data from them.

8. Changes

We may update this policy as the Service evolves. Material changes will be announced by email and on this page. Continued use after changes means you accept the updated policy.

9. Contact

Questions, deletion requests, or security reports: hello@seosonar.me.