Privacy Policy
Last updated: June 17, 2026
Effective date: June 17, 2026
Summary: Semly Pro processes your SEO data, generated content, and analytics to provide our Services. We do not sell your data or use it to train AI models. You control your data and can export or delete it at any time. This policy explains our practices in detail.
1. Who We Are
Semly Pro (Amsterdam, Netherlands) provides an AI-powered SEO content optimization platform. This Privacy Policy covers data processed through:
- The Semly Pro web application (app.semlypro.com)
- Our marketing website (semlypro.com)
- AI assistant connectors via MCP server (Claude, ChatGPT, and other MCP clients)
- WordPress plugin and CMS integrations
Data Controller: Semly Pro acts as the data controller for your account data and as a data processor for personal data you process through our Services (see our Data Processing Agreement).
Contact: For privacy questions, contact our Data Protection Officer at privacy@semlypro.com or dpo@semlypro.com.
2. Information We Collect
2.1 Account Information (Controller)
When you create an account, we collect:
- Identity data: Name, email address, organization name
- Contact data: Phone number (optional), billing email
- Authentication data: Password (hashed with Argon2), email verification status
- Organization data: Organization type, team member information, roles
- Payment data: Stripe customer ID or Razorpay customer ID (we do not store raw credit card numbers)
- Tax data: VAT ID (EU), GSTIN (India) for invoicing
2.2 SEO Workspace Data (Mixed Controller/Processor)
When you use our Services, we process:
- Projects and domains: Website URLs, domain names, SEO projects you create
- Crawled data: Page HTML, metadata, headings, links, images from websites you analyze
- Keywords: Target keywords, search queries, ranking data, competition analysis
- Content gaps: Competitor content analysis, topic opportunities
- Generated content: AI-generated articles, meta titles, SEO-optimized content you create
- Audit results: 83-point SEO checklist results, technical issues, recommendations
- Analytics data: Google Analytics 4 data, Search Console data (when you connect these integrations)
- AI tracking data: Your brand mentions in ChatGPT, Claude, Perplexity, Google Gemini
Note: For SEO workspace data that includes personal data about your end-users (e.g., analytics data with IP addresses), you act as the controller and we act as your processor under our Data Processing Agreement.
2.3 CMS Integration Data (Processor)
When you connect CMS platforms, we collect:
- Credentials: API tokens, OAuth tokens, application passwords (encrypted with AES-256-GCM)
- Configuration: CMS URL, content types, author mappings, category settings
- Publish logs: Records of content published via our platform
Supported CMS: WordPress, Sanity, Contentful, Ghost, Webflow, Shopify, HubSpot, Strapi, Storyblok, Hygraph, DatoCMS, Prismic, Framer.
2.4 MCP Connector Data (Processor)
When you connect AI assistants (Claude, ChatGPT) via our MCP server, we collect:
- OAuth registrations: Client IDs for connected AI assistants
- Access tokens: Scoped access tokens for MCP tool calls
- Tool requests: Which MCP tools the AI assistant calls and when
- Prompts and responses: Data passed to/from the AI assistant during tool calls
Important: Data you share with AI assistants is also processed by their providers (Anthropic, OpenAI) under their privacy policies.
2.5 Usage and Technical Data (Legitimate Interest)
We automatically collect:
- Log data: IP address (anonymized after 30 days), user agent, request timestamps
- Device data: Browser type, operating system, screen resolution
- Usage data: Features used, pages viewed, session duration, API calls
- Performance data: Error logs, crash reports (via Sentry), performance metrics
- Security data: Login attempts, bot detection fingerprints, fraud signals
2.6 Cookies and Tracking (Consent/Legitimate Interest)
We use cookies for:
- Essential cookies: Authentication (auth-token), session management, security (CSRF protection)
- Analytics cookies: Google Analytics 4, Google Tag Manager (with your consent)
- Preference cookies: Language, theme, consent choices
See our Cookie Policy for details. Manage your cookie preferences through our consent banner.
2.7 Free Demo and Preview Pages (Legitimate Interest / Consent)
When you generate or view a free demo article on our public pages (e.g. content-pro-trial, try, and shared demo/preview links, which need no account), we collect:
- Submitted details: the website domain and topic you enter, and, if you complete the lead form, your name, email and phone (we email you about the Services only with your consent, given via the form checkbox)
- Visitor and location data: approximate country and IP address (anonymized at collection to the network level, i.e. the final octet of the address is removed), plus browser and device type
- On-page engagement: page views, scroll depth, tab and button interactions, and time spent on the page, used to measure interest and improve the funnel
We process this on the basis of legitimate interest, and rely on your consent for marketing emails. You can withdraw consent or request deletion at any time, see Section 7 and our GDPR rights page.
3. How We Use Information
3.1 To Provide the Services (Contractual Necessity)
- Create and manage your account
- Run SEO analyses, crawl websites, identify content gaps
- Generate AI-powered content using Anthropic Claude, OpenAI GPT, Azure OpenAI, Google Gemini
- Publish content to your connected CMS platforms
- Track your brand visibility in AI search engines
- Process payments and send invoices
- Provide customer support
3.2 To Improve and Secure the Services (Legitimate Interest)
- Monitor system performance and reliability
- Detect and prevent fraud, abuse, and security threats
- Debug errors and fix bugs (via Sentry)
- Analyze usage patterns to improve features (anonymized)
- Enforce plan limits and Terms of Service
3.3 To Communicate with You (Contractual Necessity / Legitimate Interest)
- Send transactional emails (password resets, billing, security alerts)
- Respond to support requests
- Send product updates and feature announcements (you may opt out)
- Request feedback on the Services
3.4 To Comply with Legal Obligations (Legal Requirement)
- Respond to lawful requests from authorities
- Comply with GDPR, CCPA, and other data protection laws
- Enforce our Terms of Service
- Protect our rights and the rights of others
3.5 What We Do NOT Do
We do NOT:
- Sell your personal data or SEO workspace data to third parties
- Use your content to train third-party AI models (our AI providers have zero-retention policies for API data)
- Share your data with advertisers
- Track you across third-party websites
4. How We Share Information
4.1 Sub-processors (Necessary for Service Provision)
We share data with the following categories of sub-processors:
| Category | Providers | Purpose |
|---|---|---|
| Infrastructure | Vercel, Supabase, Upstash | Hosting, database, caching |
| AI Providers | Anthropic, OpenAI, Microsoft, Google | Content generation |
| Analytics | Google (GA4, GSC, Ads) | SEO data integration |
| Payments | Stripe, Razorpay | Payment processing |
| Monitoring | Sentry, Axiom | Error tracking, security logs |
| Communications | Resend | Transactional emails |
See our complete Sub-processors List with data locations and data protection measures. We provide 30 days advance notice before adding new sub-processors.
4.2 CMS Publishing (Your Instruction)
We send content to your connected CMS platforms only when you explicitly confirm publication. You control which CMS to use and what to publish.
4.3 Legal Requirements
We may disclose data when required by law or to:
- Comply with legal process (subpoenas, court orders)
- Protect our rights, property, or safety
- Prevent fraud or illegal activity
- Enforce our Terms of Service
4.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you and ensure the recipient honors this Privacy Policy.
5. International Data Transfers
5.1 Data Storage Location
Personal data is primarily stored in ap-south-1 (Mumbai, India) on Supabase PostgreSQL infrastructure. Some sub-processors store data in other regions (see Sub-processors List).
5.2 Transfer Safeguards
For transfers from the EU/EEA, UK, or Switzerland to third countries, we use:
- EU Standard Contractual Clauses (SCCs Module 2): Controller-to-Processor clauses approved by European Commission Decision 2021/914
- UK International Data Transfer Agreement (IDTA A1.0): For UK transfers
- EU-US Data Privacy Framework (DPF): For transfers to certified US providers (Google, Microsoft)
- Adequacy decisions: Where applicable (currently limited; monitoring CJEU developments)
See our Data Processing Agreement Section 4 for full details on international transfer mechanisms.
6. Data Storage and Security
6.1 Security Measures
We implement industry-standard security measures:
- Encryption at rest: AES-256-GCM for sensitive credentials, database encryption via Supabase
- Encryption in transit: TLS 1.3 for all connections
- Authentication: Argon2 password hashing, JWT-based sessions, optional MFA
- Access controls: Role-based access control (RBAC), organization-scoped data isolation
- Infrastructure security: SOC 2 Type II certified hosting (Vercel, Supabase)
- Monitoring: 24/7 security monitoring, automated threat detection
- Incident response: 72-hour breach notification procedures per GDPR Article 33
See our Security Practices page for more details.
6.2 Data Breach Notification
In the event of a data breach, we will notify affected users and supervisory authorities within 72 hours as required by GDPR Article 33. Notifications will be sent to your registered email address.
7. Data Retention
7.1 Account Data
We retain account data for:
- Active accounts: Duration of your subscription
- Canceled accounts: 90 days after cancellation (for account recovery and billing reconciliation)
- Deleted accounts: 30 days in production databases, 90 days in backups, then permanently deleted
7.2 SEO Workspace Data
Workspace data is retained according to your plan:
- Active projects: Indefinitely while your account is active
- Deleted projects: Soft-deleted for 30 days (recoverable), then permanently deleted
- Generated content: Retained until you delete it or your account is deleted
7.3 Logs and Analytics
- Application logs: 90 days
- Security logs: 1 year
- Anonymized analytics: Indefinitely (cannot be linked back to you)
7.4 Legal Holds
We may retain data longer if required by legal hold, litigation, investigation, or regulatory requirement. We will notify you if such retention applies to your data.
8. Your Rights
8.1 GDPR Rights (EU/EEA/UK Residents)
Under GDPR and UK GDPR, you have the right to:
- Access: Request a copy of your personal data (self-service export available)
- Rectification: Correct inaccurate or incomplete data (edit in account settings)
- Erasure ("right to be forgotten"): Delete your data (account deletion feature)
- Restriction: Limit how we process your data
- Portability: Receive your data in machine-readable format (JSON export)
- Objection: Object to processing based on legitimate interests
- Withdraw consent: For processing based on consent (e.g., marketing emails, analytics cookies)
- Lodge a complaint: File a complaint with your supervisory authority (Autoriteit Persoonsgegevens for Netherlands)
Exercise your rights through our GDPR Rights Request Form or by emailing privacy@semlypro.com.
8.2 CCPA Rights (California Residents)
Under California Consumer Privacy Act (CCPA), you have the right to:
- Know: What personal information we collect and how we use it
- Access: Request a copy of your personal information
- Delete: Request deletion of your personal information
- Opt-out: Opt out of sale of personal information (we do not sell personal information)
- Non-discrimination: Not be discriminated against for exercising your rights
California residents can submit requests at privacy@semlypro.com or through our rights request form.
8.3 Response Timeframe
We will respond to rights requests within 30 days as required by GDPR Article 12(3). For complex requests, we may extend by an additional 30 days with notice.
9. Children's Privacy
Our Services are not directed to children under 16 (or the minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us at privacy@semlypro.com and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting a notice on our website and app
- Sending an email to your registered email address
- Updating the "Last updated" date at the top of this page
Changes take effect 30 days after notice. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
11. Contact and Supervisory Authority
11.1 Contact Us
Semly Pro Privacy Team
Privacy: privacy@semlypro.com
DPO: dpo@semlypro.com
Address: Amsterdam, Netherlands
11.2 Supervisory Authority
If you are in the EU/EEA, you have the right to lodge a complaint with your data protection authority. For Netherlands:
Autoriteit Persoonsgegevens (Dutch DPA)
Website: autoriteitpersoonsgegevens.nl
Phone: (+31) - (0)70 - 888 85 00
Related legal documents:
Terms of Service | Data Processing Agreement | Cookie Policy | Sub-processors List | Exercise Your Rights