Privacy Policy
How SKB Business Service Ltd, trading as SEORav, collects, uses, stores, and protects personal data when you use seorav.com and the SEORav platform.
- Effective: 2026-05-08
- Last updated: 2026-05-08
- Version: 1.1
SEORav is operated by SKB Business Service Ltd, a company registered in England & Wales (Companies House number 13879468) with registered office at 20 Wenlock Road, London, N1 7GU, United Kingdom.
1.1 Who we are and how to contact us
| Role | Contact |
|---|---|
| Data Controller | SKB Business Service Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom |
| Data Protection Officer | Rav, dpo@seorav.com |
| General privacy enquiries | privacy@seorav.com |
| EU Representative (Article 27 GDPR) | SEORav is in the process of formalizing the appointment of an EU Representative. EU residents may contact us at privacy@seorav.com in the interim. Updated representative details will be published here when finalized. |
1.2 What personal data we collect
Account data (when you sign up)
- Name and email address
- Password (stored as a salted hash; we never see your plaintext password)
- Google account identifier (if you sign in with Google OAuth: email, name, Google ID)
- Company / organization name
- Website URL(s) you connect to SEORav
- Billing details (processed by Stripe — see Section 1.5)
Usage data (automatically collected)
- IP address and approximate location (city/country) derived from it
- Browser type, operating system, device type
- Pages viewed, features used, time spent on pages
- Referring URL (how you got to seorav.com)
- Session recordings — interactions with the dashboard (mouse movement, clicks, scroll behavior, visible content), captured via PostHog session replay. See Section 1.4 for how these are used and how to opt out.
Customer content (when you use the platform)
- URLs of websites you connect for crawling and analysis
- Content (articles, briefs, prompts, voice fingerprints) you generate, edit, or store
- CMS connection metadata (OAuth tokens, scoped API keys — encrypted with AES-256-GCM at rest, with a customer-isolated encryption key)
- Citation tracking results (which AI engines cite which of your articles)
Communications data
- Email correspondence with our support team
- Feedback you submit through the platform
1.3 Why we collect it (lawful bases)
We process personal data on the following lawful bases under Article 6 of UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing the Services you signed up for | Contract (Art. 6(1)(b)) |
| Processing payments and billing | Contract (Art. 6(1)(b)) |
| Account security, abuse prevention, fraud detection | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and session replay (improvement) | Consent (Art. 6(1)(a)) — opt-in via cookie banner |
| Marketing emails to existing customers | Soft opt-in (PECR) / Legitimate interests |
| Marketing emails to prospects | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
1.4 How we use AI and what we do (and don’t) send to AI providers
SEORav uses AI to help generate content, score quality, extract brand voice, and track citations. Here’s exactly what happens to your data when AI is involved:
Anthropic (Claude API)
We use Anthropic’s Claude (Sonnet 4.6 and Haiku 4.5) for article outlines, drafts, optimization, AEO scoring on certain signals, and citation gap analysis. Anthropic does not train its models on data sent through their commercial API — this is contractually committed in Anthropic’s commercial terms. Content you generate through SEORav is not used to train any AI model.
Voyage AI (embeddings)
We use Voyage AI’s voyage-4-large model to convert your content into numerical “embeddings” used for keyword clustering, related-article matching, and semantic search over your own crawled content. Voyage processes content excerpts but does not retain or train on them.
Citation tracking — user-initiated scans
SEORav lets you check whether the four major AI engines (ChatGPT, Perplexity, Claude, Gemini) cite your content for a given query. Scans are user-initiated — they run only when you click Run scan on a tracked keyword from your dashboard, not on a background schedule. Each scan is performed via Brightdata’s web infrastructure, which proxies our queries. The queries we send are generic, search-style prompts (e.g. “best CRM for startups,” “how to reduce SaaS churn”) — they do not contain customer-identifying URLs, customer brand names tied to specific accounts, or any personal data. They are equivalent to what any user might type into the AI engine themselves. Citation responses are stored against your account so you can review them on subsequent visits.
Image generation (planned, not yet active)
SEORav plans to add AI-generated hero and inline images for blog posts and articles. The vendor and region for image generation will be confirmed before the feature launches and will be added to our Sub-processor List. No image generation processing is happening today.
We do not train our own models on your data
SEORav does not currently train any proprietary AI models, and we will not use customer content to train models without separate, explicit, written consent.
Session replay
We use PostHog session replay to record dashboard interactions for the purpose of debugging and product improvement. Session replays are tied to your account once you sign in. You can opt out of session replay (and all other PostHog analytics) by:
- Declining the analytics cookie category in our cookie banner, or
- Toggling “Disable analytics” in your account settings, which calls posthog.opt_out_capturing()
We mask sensitive form fields and password inputs before recording. Session replays are stored for 30 days and then automatically deleted.
1.5 Who we share data with (sub-processors)
We use third-party service providers (“sub-processors”) to operate the Services. Each is bound by a data processing agreement that requires GDPR-compliant data handling. Our complete sub-processor list is published at seorav.com/legal/sub-processors. Key sub-processors include:
- Supabase (database, authentication, storage, edge functions, realtime) — EU (eu-west-2)
- Vercel (web app hosting and edge functions) — global edge network
- Hostinger (Python API server hosting on KVM 2 VPS) — UK datacentre
- Anthropic (Claude LLM API) — US-based, GDPR-compliant data processing
- Voyage AI (embeddings) — US-based
- Stripe (payment processing and Customer Portal) — UK / US, PCI DSS Level 1 certified
- Serper (Google SERP enrichment) — keyword data only
- Brightdata (citation polling proxy + competitor-page fallback) — generic queries and target URLs only, no customer data
- PostHog (product analytics + session replay) — EU instance (eu.i.posthog.com)
- Sentry (error tracking, server + client) — stack traces with PII scrubbed
- Google LLC (Google OAuth sign-in + Google Trends read-only API) — covered under standard transfers
We will give you 30 days’ notice via the sub-processor list page (and email if you have an active account) before adding a new sub-processor that materially affects how we process your data.
1.6 International data transfers
Some of our sub-processors are based outside the UK and EEA (notably Anthropic, Voyage AI, Stripe US entity, Sentry, Vercel, Google, and PostHog’s underlying infrastructure). When data is transferred outside the UK / EEA, we ensure protection through one or both of:
- Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner’s Office
- UK International Data Transfer Agreements (IDTA) with US-based providers
You can request a copy of the transfer mechanisms in place by emailing privacy@seorav.com.
1.7 How long we keep your data
| Data type | Retention period |
|---|---|
| Account data (email, name, profile) | For the duration of your account; deleted within 30 days of account closure |
| Customer content (articles, voice profiles) | For the duration of your account; deleted within 30 days of cancellation |
| Crawled page snapshots | 90 days rolling |
| Citation responses (raw) | 180 days rolling |
| AI usage / cost telemetry | 365 days |
| Session recordings (PostHog) | 30 days |
| Stripe webhook event log | 90 days, then purged |
| Billing records (subscriptions, invoices) | 7 years (UK tax law requirement) |
| Webhook delivery audit log | 90 days rolling |
| Encrypted CMS credentials | Until you disconnect the connection or delete your account |
| Support correspondence | 3 years |
1.8 Your rights under UK and EU GDPR
- Right of access. You can request a copy of the personal data we hold about you. You can also self-serve by exporting articles as Markdown from your dashboard; for a complete data export, email us.
- Right to rectification. You can correct inaccurate data through your account settings or by emailing us.
- Right to erasure (“right to be forgotten”). Cancel your subscription to start a 30-day grace period, after which all your data is hard-deleted. Some financial records are retained 7 years per UK tax law.
- Right to restrict processing. Pausing your subscription via the Stripe Customer Portal stops AI processing while leaving your data intact.
- Right to data portability. Markdown export covers article content. JSON export of metadata is available on request.
- Right to object. You can object to processing based on legitimate interests, including marketing.
- Right to withdraw consent. Where we rely on consent (analytics, marketing emails), you can withdraw it through the cookie banner, account settings, or by emailing us.
- Right to lodge a complaint. You can complain to the UK Information Commissioner’s Office (ico.org.uk) or your local EU data protection authority.
To exercise any of these rights, email privacy@seorav.com. We will respond within 30 days.
1.9 Cookies and similar technologies
We use cookies and similar technologies on seorav.com. Detailed information about which cookies we use, their purpose, and how to manage them is in our Cookie Policy.
1.10 Security
We protect your data using:
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: All Supabase Postgres data and Storage objects encrypted at rest
- CMS credentials: Stored using AES-256-GCM authenticated encryption with customer-isolated encryption keys — no shared encryption keys between customers
- Authentication: OAuth 2.0 or scoped API tokens for all third-party integrations (we never store your CMS passwords)
- Multi-tenant isolation: Postgres Row-Level Security (RLS) policies prevent cross-customer data access; RLS coverage is reviewed and hardened on every schema change as part of our standard migration process.
- Access control: Role-based access controls within our team, principle of least privilege
- Monitoring: Sentry error tracking, OpenTelemetry traces, regular dependency vulnerability scans
- Incident response: Documented breach response plan with 72-hour assessment process
If we discover a personal data breach that is likely to result in a risk to data subjects’ rights and freedoms, we will notify the UK Information Commissioner’s Office within 72 hours of becoming aware, in accordance with Article 33 UK GDPR. Affected users will be notified without undue delay where required by Article 34.
1.11 Children’s data
SEORav is not intended for individuals under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us at privacy@seorav.com and we will delete it.
1.12 Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when changes were made. For material changes, we will email registered users at least 30 days before the changes take effect.
1.13 California residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, disclose, and sell
- The right to delete your personal information (with some exceptions)
- The right to opt out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your CCPA rights
To exercise these rights, email privacy@seorav.com.
1.14 Contact
| Channel | Address |
|---|---|
| Email | privacy@seorav.com · dpo@seorav.com |
| Post | Data Protection Officer, SKB Business Service Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom |
| Regulatory complaints | Information Commissioner’s Office (ICO) — ico.org.uk · 0303 123 1113 |