Introduction
CARPEBO Devs ("SEO Merlin", "we", "us", "our") operates the seomerlin.com website and the SEO Merlin WordPress plugin. This Privacy Policy explains how we collect, use, store, and protect information when you use our website and/or our plugin. By using our services, you agree to the practices described herein.
Definitions
- "Plugin" refers to the SEO Merlin WordPress plugin installed on your server
- "Website" refers to seomerlin.com
- "User" or "you" refers to the person or entity using our services
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
Data Controller
The data controller for seomerlin.com is:
CARPEBO Devs
Xanthi, Greece
Email: privacy@seomerlin.com
What Data We Collect
4.1 Through our Website (seomerlin.com)
- Email address (if you contact us or subscribe to updates)
- Name (if provided via contact form)
- Standard web analytics data (page views, referrer URL, country, browser type, device type)
- IP address (anonymised where possible)
- Payment and billing data processed exclusively by Freemius — we never store, access, or process your credit card numbers, bank account details, or other payment instrument data
4.2 Through the WordPress Plugin
The SEO Merlin plugin runs entirely on YOUR server. We do not collect, transmit, receive, or store any of your website content, database data, user data, or visitor data.
Specifically:
- Scan results, issue data, and fix history are stored in YOUR local WordPress database only
- API keys (Claude AI, DataForSEO, Google OAuth tokens) are encrypted at rest on YOUR server using AES-256-CBC with a key derived from your WordPress AUTH_KEY. We never receive or store these credentials.
- Rollback data for every fix is stored locally in your WordPress database
- PDF reports are generated and saved to YOUR wp-content/uploads/ directory
The ONLY data transmitted from the plugin to our servers:
- License key verification via Freemius (plugin ID, site URL, WordPress version, PHP version, license key)
- Optional: anonymous usage statistics (can be opted out during onboarding) — this includes only feature usage counts, never content data
Third-Party Services & Data Transfers
When you use certain features, data is sent directly from YOUR server to third-party APIs. We are not an intermediary in these transfers — your server communicates directly with these services:
5.1 Freemius (License & Payments)
- Purpose: license verification, payment processing, subscription management
- Data sent: site URL, plugin version, license key, billing information (handled by Freemius)
- Privacy policy: https://freemius.com/privacy/
- Freemius processes payments via Stripe and PayPal. We never see or store your payment details.
5.2 Anthropic / Claude API (AI Fixes)
- Purpose: generating meta descriptions, alt text, product descriptions, schema markup, author bios, FAQ extraction, and other AI-powered content fixes
- Data sent: content snippets from your WordPress posts, pages, or products are sent directly from your server to Anthropic's API using YOUR API key
- You are the data controller for content sent to the Claude API. You are responsible for ensuring that any personal data within your content is processed lawfully.
- Anthropic's API does not use API inputs for training
- Privacy policy: https://www.anthropic.com/privacy
- DPA: available at https://www.anthropic.com/dpa
5.3 Google Search Console API
- Purpose: retrieving search queries, impressions, clicks, CTR, position, and indexing status data
- Data sent: OAuth tokens stored on your server, site URL queries
- Privacy policy: https://policies.google.com/privacy
- OAuth tokens are stored encrypted on YOUR server only
5.4 Google Analytics 4 API
- Purpose: retrieving bounce rate, engagement rate, landing page, and exit page data
- Data sent: OAuth tokens stored on your server, property queries
- Privacy policy: https://policies.google.com/privacy
5.5 Google PageSpeed Insights API
- Purpose: measuring Core Web Vitals (LCP, CLS, INP)
- Data sent: page URLs from your site (no authentication)
- No personal data is transmitted
5.6 DataForSEO API (Business+ plans)
- Purpose: SERP data, keyword research, backlink analysis, domain authority
- Data sent: domain and keyword queries using YOUR credentials stored encrypted on your server
- Privacy policy: https://dataforseo.com/privacy-policy
5.7 IndexNow (Bing & Yandex)
- Purpose: notifying search engines of updated URLs after fixes are applied
- Data sent: page URLs only, using an auto-generated key
- No personal data is transmitted
5.8 Vercel (Website hosting)
- Purpose: hosting seomerlin.com
- Privacy policy: https://vercel.com/legal/privacy-policy
Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contract performance: processing necessary to provide our services (license verification, support)
- Legitimate interest: analytics to improve our website, fraud prevention
- Consent: marketing communications (you can opt out at any time)
- Legal obligation: tax and accounting records
Cookies
seomerlin.com uses:
- Essential cookies only (session management, CSRF protection)
- No advertising, remarketing, or tracking cookies
- No third-party advertising cookies
- Analytics implemented via privacy-respecting tools with anonymised data
We do not sell, rent, or trade any data collected via cookies.
Data Retention
- Contact form submissions: retained for 12 months, then deleted
- Email subscribers: retained until you unsubscribe
- Freemius billing records: retained per Freemius policy and applicable tax law (minimum 7 years for invoices)
- Plugin data (scans, issues, fixes, rollbacks): stored in YOUR WordPress database — you have full control and can delete it at any time by uninstalling the plugin or using the built-in data cleanup tools
- Web analytics: anonymised, aggregated, retained for 26 months maximum
Data Security
- All API keys encrypted at rest using AES-256-CBC
- seomerlin.com served over HTTPS/TLS
- Access to administrative systems restricted to authorised personnel
- Regular security reviews of plugin codebase
Despite our security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
Your Rights Under GDPR
If you are an EU/EEA resident, you have the right to:
- Access: request a copy of the personal data we hold
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your personal data ("right to be forgotten")
- Restriction: request restriction of processing
- Portability: receive your data in a structured, commonly used format
- Objection: object to processing based on legitimate interests
- Withdraw consent: withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact privacy@seomerlin.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority (in Greece: Hellenic Data Protection Authority, www.dpa.gr).
International Data Transfers
Your data may be processed outside the EU/EEA when you use third-party services (Anthropic, Google, Freemius). These transfers are protected by:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs)
By using features that connect to non-EU services, you acknowledge that your data may be processed in jurisdictions with different data protection standards.
Children's Privacy
Our services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@seomerlin.com immediately.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and/or a prominent notice on our website. The "Last updated" date at the top reflects the most recent revision.
Continued use of our services after changes constitutes acceptance of the updated policy.
Contact Us
For privacy-related inquiries:
Email: privacy@seomerlin.com
CARPEBO Devs, Xanthi, Greece