Privacy Policy
Last Updated: [DATE]
Important: This Privacy Policy explains how Onpage Pilot Inc. ("we", "us", "our", "OnPagePilot") collects, uses, stores, and protects your personal data when you use our SEO intelligence platform. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), and the ePrivacy Directive.
1. Data Controller
The data controller responsible for the processing of your personal data is:
[REGISTERED ADDRESS]
[POSTAL CODE] [CITY]
CVR: [CVR NUMBER]
VAT: [VAT NUMBER]
Email: [LEGAL EMAIL ADDRESS]
If you have questions about how we process your personal data, or if you wish to exercise your data protection rights, please contact us at the email address above.
2. Data Protection Officer (DPO)
Given the nature and scale of our data processing activities, we have designated a Data Protection Officer. The DPO can be contacted at:
3. What Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Data You Provide Directly
- Account Information: Name, email address, company name, and password (stored as a cryptographic hash — we never store your actual password).
- Billing Information: Payment details are processed by our third-party payment processor. We do not store credit card numbers or full payment credentials on our servers.
- Service Input Data: URLs and domains you submit for SEO analysis, content prompts you enter for AI-assisted content generation, and competitor domains you specify for analysis.
- Communications: Any information you provide when contacting our support team or communicating with us via email.
3.2 Data We Collect Automatically
- Technical Data: IP address, browser type, operating system, referring URL, and device information.
- Usage Data: Pages visited within the platform, features used, timestamps, and session duration.
- Application Logs: Error logs and diagnostic data necessary for maintaining service stability and security.
3.3 Data Generated Through Our Services
- SEO Analysis Results: Technical audit findings, page indexation data, site structure analysis, and health monitoring reports.
- AI-Generated Content: Text and content generated by our AI pipeline based on your prompts and parameters.
- Competitor Analysis Data: Publicly available data about competitor domains and their search engine performance.
4. Purposes and Legal Basis for Processing
We process your personal data for the following purposes, each with a specific legal basis under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — Performance of contract |
| Providing SEO analysis, technical audits, and reporting | Art. 6(1)(b) — Performance of contract |
| AI-assisted content generation | Art. 6(1)(b) — Performance of contract |
| Competitor domain analysis using publicly available data | Art. 6(1)(f) — Legitimate interest (providing competitive intelligence) |
| Processing payments and billing | Art. 6(1)(b) — Performance of contract |
| Sending service-related communications (account alerts, security notices) | Art. 6(1)(b) — Performance of contract |
| Application logging, error diagnostics, and service stability | Art. 6(1)(f) — Legitimate interest (maintaining service quality and security) |
| Functional and session cookies | Art. 6(1)(f) — Legitimate interest / Consent (where required) |
| Complying with legal obligations (tax, accounting, law enforcement requests) | Art. 6(1)(c) — Legal obligation |
Where we rely on legitimate interest as the legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
5. Recipients and Third-Party Processors
We may share your personal data with the following categories of recipients, all of whom are contractually bound to process data only on our instructions and in compliance with GDPR:
| Recipient | Purpose | Data Shared |
|---|---|---|
| DataForSEO | SEO data provider (keyword metrics, SERP data, backlink analysis) | Domain names, URLs, keywords submitted for analysis |
| AI Model Providers (via OpenRouter) | AI-assisted content generation pipeline | Content prompts and parameters (no personally identifiable user data) |
| Payment Processor | Subscription billing and payment handling | Billing details as required for transaction processing |
| Hosting Infrastructure Provider | Server hosting and data storage | All data as stored on our servers |
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
6. International Data Transfers
OnPagePilot is operated by Onpage Pilot Inc. Our servers are located in the United States. When you use our service from within the European Economic Area (EEA), your personal data is transferred to the United States.
We rely on the following safeguards for international transfers:
- EU-U.S. Data Privacy Framework (DPF): The European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023 (Implementing Decision (EU) 2023/1795). This decision was upheld by the EU General Court on 3 September 2025 (Case T-553/23, Latombe v Commission). We rely on this framework as our primary transfer mechanism.
- Standard Contractual Clauses (SCCs): As a supplementary safeguard, and in the event the DPF adequacy decision is invalidated or modified, we maintain EU Commission-approved Standard Contractual Clauses with our data processors to ensure an adequate level of protection for your personal data.
You may request a copy of the applicable transfer safeguards by contacting us.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:
| Data Category | Retention Period |
|---|---|
| Account information (name, email, company) | Duration of your account plus 30 days after deletion |
| SEO analysis data, technical audit results | Duration of your active subscription |
| AI-generated content and prompts | Duration of your active subscription |
| Competitor analysis data | Duration of your active subscription |
| Application logs and error diagnostics | 90 days |
| Billing and payment records | As required by applicable tax and accounting law (typically 5 years under Danish Bogføringsloven) |
| Session cookies | Duration of browser session |
Upon termination of your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law or for the establishment, exercise, or defence of legal claims.
8. Your Rights as a Data Subject
Under the GDPR and the Danish Data Protection Act, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | You may request a copy of the personal data we hold about you. |
| Right to Rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | You may request deletion of your personal data where there is no compelling reason for continued processing. |
| Right to Restriction (Art. 18) | You may request that we restrict the processing of your personal data in certain circumstances. |
| Right to Data Portability (Art. 20) | You may request your personal data in a structured, commonly used, machine-readable format. |
| Right to Object (Art. 21) | You may object to processing based on legitimate interest or for direct marketing purposes at any time (cf. Danish Data Protection Act §22). |
| Right to Withdraw Consent (Art. 7(3)) | Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing. |
To exercise any of these rights, please contact us at [LEGAL EMAIL ADDRESS]. We will respond to your request within one (1) month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests (Art. 12(3)).
You will not be charged a fee for exercising your rights unless your request is manifestly unfounded or excessive.
9. Automated Decision-Making and AI Processing
OnPagePilot uses artificial intelligence and automated processing in the following areas:
- AI Content Generation: Our platform uses large language models (LLMs) accessed through the OpenRouter API to generate SEO-optimised content based on your prompts and parameters. The AI models process the text prompts you provide and return generated content. No personal data is used as training data for these models.
- Technical SEO Audits: Automated crawling and analysis of websites you submit to identify technical SEO issues across 134 error types in 15 categories.
- Competitor Analysis: Automated collection and analysis of publicly available data about competitor domains.
- AI Model Routing: Our system automatically selects the most appropriate AI model for each generation task based on content type, language, and complexity. This routing is database-driven and does not process personal data.
In accordance with EU AI Act Article 50, we disclose that content generated through our AI pipeline is produced by artificial intelligence. Users are responsible for reviewing, editing, and verifying all AI-generated content before publication.
None of our automated processing produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Article 22. The AI features are tools that assist your SEO work — all final decisions regarding content publication and strategy remain with you.
10. Cookies and Similar Technologies
OnPagePilot uses the following categories of cookies:
| Category | Purpose | Legal Basis | Duration |
|---|---|---|---|
| Strictly Necessary | Authentication, session management, security (CSRF protection) | Exempt from consent (ePrivacy Art. 5(3)) | Session |
| Functional | Remembering your preferences, language settings, UI state | Art. 6(1)(f) — Legitimate interest | Up to 1 year |
OnPagePilot does not use analytics cookies, advertising cookies, or third-party tracking cookies. We do not participate in cross-site tracking or behavioural advertising.
In accordance with the Danish Executive Order on Cookies (implementing the ePrivacy Directive), strictly necessary cookies do not require your consent. For any non-essential cookies we may introduce in the future, we will obtain your prior consent.
11. Children's Data
OnPagePilot is a professional SEO intelligence platform designed for business use. Our services are not directed at children.
In accordance with the Danish Data Protection Act, the age of consent for information society services in Denmark is 13 years. We do not knowingly collect personal data from anyone under the age of 13. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take steps to delete that information promptly.
If you believe a child under the age of 13 has provided personal data to us, please contact us at [LEGAL EMAIL ADDRESS].
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:
- Encryption: All data in transit is encrypted using TLS/SSL. Passwords are stored using cryptographic hashing (never in plaintext).
- Access Controls: Role-based access controls limit data access to authorised personnel only.
- Infrastructure Security: Our server infrastructure is professionally managed with regular security updates and monitoring.
- Database Security: All database operations are executed through stored procedures, preventing SQL injection and enforcing data access patterns.
- Incident Response: We maintain a data breach response procedure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (Datatilsynet) within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where the breach is likely to result in a high risk (GDPR Articles 33 and 34).
13. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or the Danish Data Protection Act, you have the right to lodge a complaint with a supervisory authority.
For individuals in Denmark, the competent supervisory authority is:
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: [email protected]
Website: www.datatilsynet.dk
You also have the right to lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.
14. Provision of Data — Contractual Requirement
The provision of certain personal data (name, email address) is a contractual requirement necessary for us to create your account and provide our services. Without this data, we cannot enter into or perform our contract with you.
The provision of additional data (such as URLs and domains for analysis) is necessary for us to perform specific services you request. You are under no statutory obligation to provide this data, but without it, we cannot deliver the corresponding service features.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or service features. When we make material changes:
- We will update the "Last Updated" date at the top of this page.
- For significant changes affecting your rights, we will provide notice through the platform or via email to the address associated with your account.
- Where required by applicable law, we will obtain your consent to material changes before they take effect.
We encourage you to review this Privacy Policy periodically.
16. Contact Information
For any questions, concerns, or requests related to this Privacy Policy or our data processing activities, please contact us:
[REGISTERED ADDRESS]
[POSTAL CODE] [CITY]
Email: [LEGAL EMAIL ADDRESS]
Data Protection Officer:
Email: [DPO EMAIL ADDRESS]
Regulatory References: This Privacy Policy is drafted in compliance with Regulation (EU) 2016/679 (GDPR), the Danish Data Protection Act (Lov nr. 502 af 23. maj 2018), the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), and EU AI Act Regulation (EU) 2024/1689 Article 50 (transparency obligations for AI-generated content).
Disclaimer: This Privacy Policy has been prepared with care but must be reviewed by a qualified legal professional or Data Protection Officer before being published. AI-generated legal documents are a starting point, not a final product.