Privacy Policy
Last updated: 2026-04-09
1. Who we are
This Privacy Policy explains how TODO_LEGAL_NAME (“KwikScaleAI”, “we”, “us” or “our”), a TODO_LEGAL_FORM registered in France under SIREN TODO_SIREN (RCS TODO_RCS_CITY) with its registered office at TODO_STREET, TODO_POSTAL_CODE TODO_CITY, France, collects and processes your personal data when you use the KwikScaleAI service available at https://kwikscaleai.com (the “Service”).
For the purposes of the EU General Data Protection Regulation (“GDPR”), TODO_LEGAL_NAME acts as the “controller” of personal data described in this Policy. You can reach us at any time at contact@kwikscaleai.com.
2. Scope of this Policy
This Policy applies to personal data we collect through the KwikScaleAI website, the web application, our APIs, and any data you authorize us to access from third-party services you choose to connect to your account (such as Google Search Console).
3. The data we collect
3.1 Account data
When you create an account, we collect your email address, your chosen password (stored as a salted hash — never in plaintext), and optionally a display name and profile picture. If you sign in with Google, we receive your email, name, and Google account identifier from Google.
3.2 Site and content data you provide
When you connect a website to KwikScaleAI, you provide the domain name, URLs, page content, target keywords, brand guidelines, and any other information you choose to enter so the Service can analyze and generate SEO content for your site. You retain ownership of all such content.
3.3 Connected-services data (Google Search Console)
If you choose to connect a Google Search Console account, you grant us read-only access to your verified properties via the Google OAuth flow. We receive an OAuth access token and refresh token, both of which we encrypt at rest using AES-256-GCM before storing. We use these tokens solely to fetch search analytics data (clicks, impressions, position, CTR, top queries, top pages) for the properties you have connected. We do not modify, delete, or write any data back to your Google Search Console account.
3.4 Technical data
When you interact with the Service we automatically collect minimal technical data: IP address, user-agent string, request timestamps, and pages visited. We use this strictly for security, abuse prevention, and debugging.
4. Cookies
KwikScaleAI uses a single, strictly necessary cookie to keep you signed in (the Supabase authentication session cookie). We do not use any tracking, analytics, or advertising cookies, and we do not embed third-party tracking scripts. Because the only cookie we set is strictly necessary to provide the Service you have requested, no consent banner is required under Article 82 of the French Data Protection Act and the ePrivacy Directive.
5. How we use your data
We process your personal data to:
- Create and maintain your account and provide the Service.
- Fetch, store, and display data from third-party services you have authorized us to access (such as Google Search Console analytics).
- Analyze your sites and generate SEO content drafts on your behalf.
- Send service emails (account verification, password reset, billing and security notices). We do not send marketing emails without your explicit opt-in consent.
- Detect, prevent, and respond to security incidents, abuse, and fraud.
- Comply with our legal obligations.
6. Legal basis for processing (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service for you | Performance of a contract (Art. 6(1)(b)) |
| Accessing third-party services (Google Search Console, etc.) via OAuth | Your explicit consent (Art. 6(1)(a)) |
| Sending service and security emails | Performance of a contract (Art. 6(1)(b)) |
| Security, abuse prevention, fraud detection | Our legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
7. Subprocessors
We use a limited number of carefully selected service providers (“subprocessors”) to operate the Service. We share only the data strictly necessary for each subprocessor to perform its function, and we have data processing agreements in place with each one.
| Subprocessor | Purpose | Data categories | Location |
|---|---|---|---|
| Hostinger (TODO_VPS_REGION) | VPS hosting for our self-hosted Supabase database | All data we store | TODO_VPS_REGION |
| Google LLC (OAuth + Search Console API) | User sign-in and read-only access to GSC analytics | Google email, name, account ID; GSC analytics for your connected properties | European Union (data residency for OAuth) / global |
| DataForSEO | Keyword research and SERP data | Domains and keywords you submit (no PII) | United States |
| Spider.cloud | Crawling the public pages of your connected sites | URLs and HTML content of your own sites | United States |
| OpenRouter (LLM gateway) | Routing requests to large language models for content generation and brand voice analysis | Content briefs and excerpts from your site content | United States |
We will update this list and notify users in advance of any material changes to our subprocessors.
8. International data transfers
Some of our subprocessors are located outside the European Economic Area (notably DataForSEO, Spider.cloud, and OpenRouter, which are based in the United States). When we transfer personal data outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the legal mechanism for the transfer, and we apply additional safeguards such as encryption in transit (TLS) and minimization of the data shared.
9. How long we keep your data
- Account data: for as long as your account is active, plus 30 days after deletion to allow for recovery and audit, unless a longer retention is required by law.
- Google Search Console OAuth tokens: until you disconnect your GSC account, after which we delete the tokens immediately.
- Site data, content drafts, and generated articles: up to 24 months from your last modification, or until you delete them.
- Technical logs: 90 days, then automatic deletion.
- Billing records: 10 years, as required by French commercial law.
10. Security
We take the security of your data seriously. Our principal technical and organizational measures include:
- All Google Search Console OAuth tokens are encrypted at rest using AES-256-GCM with a key that is never logged or exposed to client code.
- All data is transmitted over TLS 1.2 or higher between your browser, our servers, and our subprocessors.
- Tenant isolation is enforced at the database layer using PostgreSQL Row-Level Security (RLS), so users can only ever see their own data.
- Our infrastructure runs on a dedicated VPS with no shared tenancy. Backups are encrypted.
- Access to production systems is restricted to authorized personnel and audited.
11. Your rights under the GDPR
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your data, subject to our legal retention obligations.
- Right to restriction (Art. 18): request that we limit how we process your data.
- Right to portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on our legitimate interest.
- Right to withdraw consent (Art. 7): where we process data based on your consent (e.g. OAuth-connected services), you can withdraw consent at any time by disconnecting the service.
To exercise any of these rights, email us at contact@kwikscaleai.com. We will respond within one month. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority.
12. Google API Services User Data Policy — Limited Use
KwikScaleAI’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In plain language, that means:
- What Google data we access: only the webmasters.readonly scope, which lets us read (but never modify) the search analytics data, indexed pages, and sitemap status of the Search Console properties you choose to connect.
- Why we access it: to display your search performance in our analytics dashboard, and to surface keyword and content opportunities in our content planner. Without this scope, the core SEO automation features of the Service would not function.
- Where we store it: the OAuth access and refresh tokens are encrypted at rest with AES-256-GCM in our self-hosted database. Search analytics data we fetch on your behalf is stored in your tenant of our database, isolated from other tenants by Row-Level Security.
- How long we keep it: until you disconnect your Google account from KwikScaleAI, after which we delete the OAuth tokens immediately and delete the cached analytics data within 30 days.
- Who we share it with: nobody. We do not transfer Google user data to any third party. We do not use Google user data to serve advertisements. We do not allow humans to read your Google user data, except when required for security investigations, with your explicit consent, or to comply with applicable law.
- How to revoke access: you can disconnect your Google account from KwikScaleAI at any time from the integration settings page in the dashboard, which immediately deletes the stored OAuth tokens. You can also revoke our access directly from your Google Account at myaccount.google.com/permissions.
13. Children
The Service is not directed at, and we do not knowingly collect data from, anyone under the age of 15. If you become aware that a minor has provided us with personal data, please contact us so we can delete it.
14. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email and/or via an in-app banner at least 30 days before the change takes effect, unless an earlier change is required by law.
15. Contact
Questions, requests under the GDPR, or any other privacy concerns:
TODO_LEGAL_NAME
TODO_STREET, TODO_POSTAL_CODE TODO_CITY, France
Email: contact@kwikscaleai.com