This Privacy Policy explains how SEM Optimiser Pty Ltd ("SEMOptimiser", "we", "us") collects, uses, discloses and protects information when you use semoptimiser.com and our hosted product (together, the "Service"). It applies to all visitors, account holders, and team members on a workspace. Last updated 2026-05-30.
1. Information we collect
1.1 Information you give us
- Account: name, email, password hash (never the password itself), avatar URL if you sign in with Google.
- Profile (optional): phone, company, country, timezone.
- Billing: handled by Stripe. We never see or store your card details – Stripe gives us only the card brand and last four digits.
- Support correspondence: emails, chat messages, attachments you send us.
1.2 Information you ask us to fetch
- SEO data on URLs you submit: page HTML, meta data, headings, links, performance metrics.
- Search engine data via your connected accounts (Search Console, Bing Webmaster, Analytics).
- Server credentials (SFTP/FTP/cPanel/Plesk/WordPress) only if you explicitly connect them. Stored encrypted at rest.
1.3 Information we collect automatically
- Usage logs: pages visited, features used, timestamps, IP address (truncated for analytics).
- Device info: browser type, OS, screen size.
- Cookies and similar technologies (see Section 6).
2. How we use information
We use the information above to:
- Operate the Service: run audits, sync data, render dashboards.
- Authenticate you and protect your account from abuse.
- Bill you for paid plans (via Stripe).
- Respond to support requests and improve documentation.
- Send transactional emails (e.g. password resets, audit completion notices).
- Send product emails (e.g. release notes) that you can opt out of at any time.
- Detect, prevent and respond to security incidents and fraud.
- Comply with legal obligations.
We do not sell personal data. We do not share personal data with advertisers. We do not use your SEO data to train AI models for anyone other than your own workspace.
3. Sub-processors
We use a small number of vendors to operate the Service. We sign Data Processing Agreements with each one. Current list:
| Amazon Web Services | Primary hosting (us-east-1 and ap-southeast-2 regions). |
| Stripe | Payment processing and card-on-file storage. |
| Resend | Transactional and product email delivery (when configured). |
| Cloudflare | DNS, edge caching and DDoS protection. |
| Google Cloud | AI Visibility runner inference (when configured). |
A current sub-processor list is available on request from privacy@semoptimiser.com.
4. Data location and transfers
By default, your data is stored in AWS ap-southeast-2 (Sydney) for Australian and Asia-Pacific customers, and us-east-1 (Virginia) for North American customers. EU customers can elect eu-west-1 (Ireland) data residency on the Enterprise plan. We use Standard Contractual Clauses for any cross-border transfers required for support or operations.
5. Data retention
We retain personal data only as long as we need it:
- Account and workspace data: while your account is active. Deleted on request (see Section 7).
- Audit logs of administrative actions: 12 months for security investigations.
- Invoice records: 7 years (Australian tax law minimum).
- Email opt-out preferences: indefinitely so we don't re-spam you.
- Backups: encrypted, retained 90 days, never restored except for disaster recovery.
6. Cookies and similar technologies
We use a small number of essential cookies (session cookie, CSRF token, theme preference) and no third-party advertising cookies. Analytics cookies (Plausible) are aggregated and not linked to your account. You can disable non-essential cookies in your browser without breaking the product.
7. Your rights
Regardless of where you live, you can:
- Access all data we hold about you (Settings → Profile → Data export).
- Correct inaccurate data (Settings → Profile).
- Delete your account and all associated data (Settings → Profile → Delete account).
- Object to processing based on legitimate interest.
- Lodge a complaint with your local data protection authority.
EU/UK users have the additional GDPR rights of data portability and the right to be forgotten. California users have full CCPA rights including the right to know what data we sell – the answer is none. Australian users are protected under the Privacy Act 1988.
To exercise any right, email privacy@semoptimiser.com from your account email. We respond within 30 days as required by GDPR; usually within 5 business days in practice.
8. Security
We use industry-standard security practices: AES-256 encryption at rest, TLS 1.3 in transit, bcrypt password hashing, HTTP-only/Secure/SameSite session cookies, server-side session revocation, rate limiting on auth endpoints, regular dependency scanning, and periodic third-party penetration tests.
If you discover a security vulnerability, please report it to security@semoptimiser.com. We acknowledge within 48 hours and credit reporters who follow responsible disclosure.
9. Children
The Service is not intended for users under 16. We do not knowingly collect personal data from children. If you believe we have, contact privacy@semoptimiser.com and we will delete it.
10. Changes to this policy
We update this policy occasionally. Material changes are emailed to all account holders at least 30 days before they take effect. Minor clarifications are reflected in the "Last updated" date at the top.
11. Contact
Privacy questions: privacy@semoptimiser.com. Postal: SEM Optimiser Pty Ltd, Sydney NSW 2000, Australia. ABN 13 680 271 434.