Privacy
Privacy Policy
Effective date: March 20, 2026 Last updated: March 20, 2026
InhouseSEO (“Service”, “we”, “us”, “our”) is operated by IWD Holding BV, registered in the Netherlands.
This Privacy Policy describes what data we collect, why, how we use and protect it, who we share it with, and your rights. It applies to all users of InhouseSEO, including our website, application, API, and integrations such as the Anthropic Claude MCP connector.
1. Data we collect
1.1 Account data
When you sign up, we collect:
- Name and email address
- Authentication credentials (password hash or OAuth tokens)
- IP address and user agent string (stored with your session)
1.2 Google Search Console data
When you connect your Google account, we request the webmasters.readonly OAuth scope. This grants us read-only access to your Google Search Console properties. We collect:
- List of Search Console properties accessible to your account
- Search analytics data: queries (keywords), page URLs, countries, devices, clicks, impressions, click-through rate, and average position
- We do not request or access any other Google services, Gmail, Google Drive, or any data beyond Search Console
1.3 SEO analytics and enrichment data
To provide keyword research and competitive analysis features, we process:
- Keyword metrics (search volume, CPC, competition, keyword difficulty) obtained from third-party SEO data providers
- SERP (search engine results page) snapshots for tracked keywords
- Sitemap data and internal/external link structures from your connected properties
- Competitor domain rankings (for domains you choose to monitor)
1.4 Usage and preference data
- Notification preferences and alert settings
- Bookmarks and keyword groups you create
- Organization settings, property context, goals, and tasks you configure
- Feature usage and diagnostic logs for service reliability
1.5 Billing metadata
Payment processing is handled by third-party payment providers. We store plan type and billing status but do not store credit card numbers or payment credentials.
1.6 Cookies
We use a single session cookie (HTTP-only, Secure) for authentication. We do not use third-party tracking cookies, analytics pixels, or advertising trackers.
2. How we use your data
We use collected data solely to:
- Provide the Service — display analytics dashboards, generate reports, deliver alerts and notifications
- Improve the Service — diagnose errors, monitor performance, and develop features
- Secure accounts — authenticate sessions, detect unauthorized access, and prevent abuse
- Communicate with you — send email verification, password resets, weekly performance reports, and alert digests (all configurable)
- Comply with legal obligations — respond to lawful requests and enforce our Terms of Service
We do not use your data for advertising, profiling, or any purpose unrelated to providing and improving InhouseSEO.
3. Google API Services — Limited Use Disclosure
InhouseSEO’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only use Google Search Console data to provide and improve user-facing features of InhouseSEO that are prominent in our interface
- We do not transfer Google user data to third parties, except as necessary to provide the Service (see Section 5), with your explicit consent, for security purposes, or to comply with applicable law
- We do not use Google user data for advertising, serving ads, or sale to data brokers
- We do not use Google user data to determine creditworthiness or for lending purposes
- Humans may review Google user data only for security purposes, to comply with applicable law, or when the data is aggregated and anonymized for internal operations
Revoking Google access
You can revoke InhouseSEO’s access to your Google account at any time:
- In InhouseSEO: disconnect your Google account in Settings
- In Google: visit Google Account Permissions and remove InhouseSEO
Upon revocation, we stop fetching new data from your Google Search Console. Previously imported analytics data is retained according to our retention policy (Section 6) unless you request deletion.
4. Legal basis for processing (EU/EEA)
We process personal data on one or more of the following legal bases under the GDPR:
- Contract performance — processing necessary to provide the Service you signed up for
- Legitimate interest — security, fraud prevention, service improvement, and diagnostics
- Legal obligation — compliance with applicable laws and regulations
- Consent — where explicitly required, such as for optional email notifications; you can withdraw consent at any time
5. Data sharing and subprocessors
We do not sell personal data.
We share data only with the following categories of subprocessors, under contractual safeguards:
| Subprocessor category | Purpose | Data shared |
|---|---|---|
| Cloud hosting | Infrastructure and database hosting | All service data (encrypted at rest) |
| Google (OAuth & Search Console API) | Authentication and search analytics retrieval | OAuth tokens, Search Console API queries |
| SERP Crawl Service | Keyword enrichment, SERP tracking, competitor analysis | Domain names, keywords, location/language codes |
| Resend | Transactional and notification emails | Recipient email addresses, email content |
| Slack (optional, user-configured) | Alert notifications | Alert summaries and metrics |
| Anthropic (via MCP connector) | AI-powered SEO analysis through Claude | Property metrics, keyword data, and analytics as requested by the user through Claude |
| Payment provider | Billing and subscription management | Email, plan type, billing events |
Third-party subprocessors receive only the minimum data necessary to perform their function. We do not share raw Google Search Console data with third parties for their own purposes.
6. Data retention
| Data type | Retention period |
|---|---|
| Account data | Duration of account, plus as required by law |
| Google Search Console raw data | 90 days in primary database; aggregated data retained longer for trend analysis |
| Keyword enrichment data | Refreshed monthly; previous data overwritten |
| SERP snapshots | Retained for historical trend analysis |
| Competitor page changes | 90 days |
| Session data | 7 days per session |
| Email verification / OTP codes | 10 minutes |
| Diagnostic and error logs | 90 days |
| API usage logs | Retained for billing reconciliation and abuse prevention |
When your account is deleted, we remove your personal data and disassociate analytics data within 30 days, except where retention is required by law.
7. Data security
We apply reasonable technical and organizational safeguards, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encrypted storage for databases at rest
- HTTP-only, Secure session cookies
- OAuth 2.0 for Google authentication (we never see or store your Google password)
- Parameterized database queries to prevent injection attacks
- Rate limiting on authentication and API endpoints
- Admin actions logged in an audit trail
- Automatic token refresh with expiry buffers (no long-lived tokens stored unnecessarily)
8. MCP connector (Anthropic Claude integration)
InhouseSEO provides an MCP (Model Context Protocol) connector that allows users to access their SEO data through Anthropic’s Claude assistant.
What data flows through the MCP connector
- When you use the MCP connector, Claude can query your connected Search Console properties, keyword rankings, traffic signals, competitor data, and page metrics
- Data is transmitted via authenticated API calls using OAuth 2.0 tokens scoped to your account
- The MCP connector provides read-only access to your analytics data; it cannot modify your account, settings, or connected integrations
Rate limiting and access control
- MCP requests are rate-limited to 100 calls per minute per organization
- Access requires valid OAuth authentication linked to your InhouseSEO account
- You can revoke MCP access at any time through your account settings
Anthropic’s data handling
Data transmitted through the MCP connector to Claude is subject to Anthropic’s Usage Policy and privacy practices. We recommend reviewing Anthropic’s privacy documentation for details on how Claude processes conversation data.
9. International data transfers
IWD Holding BV is based in the Netherlands (EU). Where data is transferred outside the EEA (for example, to US-based subprocessors), we rely on:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other lawful transfer mechanisms as applicable
10. Your rights
Depending on your jurisdiction (including under GDPR), you have the right to:
- Access your personal data we hold
- Rectify inaccurate data
- Delete your personal data (right to erasure)
- Restrict processing in certain circumstances
- Port your data to another service in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent where processing is consent-based
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at info@inhouseseo.ai.
We will respond within 30 days (or as required by applicable law).
11. Children’s privacy
InhouseSEO is intended for professional use and is not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Notify you via email or in-product notification
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact
For privacy requests or questions:
IWD Holding BV Email: info@inhouseseo.ai General inquiries: info@inhouseseo.ai