
Privacy policy

Last updated: 23 May 2026. EN only — an Estonian version is on the way. If you spot a conflict between this page and our Data Processing Agreement, the DPA wins.

Who we are

The data controller for leanseo.app is Blue Networks OÜ, an Estonian company operating the LeanSEO service.

Company: Blue Networks OÜ
Registry code (registrikood): 11490042
VAT (KMKR): EE101373584
Address: Liivaoja 4A, Tallinn 10155, Estonia
Contact: [email protected]

We are based in the EU and our infrastructure runs on EU-based providers. Questions about anything on this page: [email protected].

The short version

  • We collect what we need to run the service — your account, the Google Search Console and Analytics properties you connect, and the SEO data we derive for you.
  • We do not sell your data and we do not use your Google-derived data for advertising or general analytics.
  • Everything runs in the EU. We use Stripe (US) for billing only, under standard contractual clauses.
  • You can export everything and delete your account at any time. Erasure is real, not a soft toggle.

What we collect, and why

1. Account data

Email, name, password hash (bcrypt — we never see your cleartext password), preferred locale and timezone, 2FA / passkey credentials if you enrol. Lawful basis: contract performance.

2. Google-derived data

When you connect Search Console or Analytics, we fetch and store the daily rows that Google exposes via their APIs — search queries, page URLs, impressions, clicks, sessions, and the metrics derived from them. Lawful basis: contract performance and your tenant's own legal basis with your visitors. We act as a Data Processor for this data under our DPA.

Limited Use disclosure. LeanSEO's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve ads, we do not transfer it for any purpose unrelated to providing or improving the user-facing features of LeanSEO, and we do not allow humans to read it except with your explicit consent, for security investigations, or where required by law.

3. Operational data

IP address and user-agent on authentication events and in our audit log (kept for security investigations). Standard session cookies (strictly necessary; no banner required under EU rules).

4. Marketing email opt-in (optional)

Only if you tick the box at sign-up — or, on this marketing site, when you submit your email to the waitlist. Stored in our consent records with timestamp, source, and IP. You can opt out from any email, and we record the opt-out the same way.

What we do NOT collect

  • Your password. We only store a bcrypt hash, and we do not write it to logs.
  • Your Google profile picture or any social profile data beyond what is strictly needed to identify the account.
  • Card numbers, CVCs, or full bank details. All payment data is held by Stripe (PCI-DSS Level 1).
  • Cross-tenant analytics. We never aggregate your site's data with another tenant's for benchmarks.

Children

LeanSEO is a tool for site owners and is not directed at children. We do not knowingly create accounts for, or collect personal data from, anyone under 16. If you believe a child has created an account, email us at [email protected] and we'll delete the account and any associated data.

How long we keep it

Retention period by data type:

  • Account row: lifetime of account + 30-day deletion grace
  • Search Console daily rows: up to 16 months (matches Google's own retention)
  • Analytics daily rows: up to 14 months
  • Page snapshot raw HTML: 90 days after a change alert
  • Notification deliveries: 18 months
  • Activity log: 24 months
  • Consent records: 7 years after last action
  • Backups: 30 days rolling

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data.

  • Access & portability: request a one-click export from your account page. We email you a signed ZIP of CSV and JSON copies of everything we hold.
  • Rectification: most fields are editable in the app. For anything else, email us.
  • Erasure: delete your account or tenant from the app. After a short grace period we replace PII with placeholders and drop all derived data. Backups expire on their rolling window.
  • Restriction: you can pause syncs on any site; new data stops flowing.
  • Objection: if you object to analytics processing entirely, the only option is to close the account — the product is, definitionally, analytics.

Automated decision-making

LeanSEO ranks and prioritises suggested fixes for your site — for example, “your meta description is missing, fix this first” — using a rules-based scoring model on the data you connect. These are recommendations, not decisions with legal or similarly significant effects on you or your visitors. You are free to act on them, ignore them, or disagree with them; nothing changes on your site without your action. Within the meaning of GDPR Article 22, we do not carry out automated decision-making that produces legal or similarly significant effects, and we do not profile individual end-users of your site.

If you ever want a human to walk you through why a fix was prioritised the way it was, email us at [email protected].

Sub-processors we use

We rely on the following sub-processors to run LeanSEO. Each is subject to the same DPA terms we offer you.

  • Stripe (US) — billing, invoicing, refunds. SCC and adequacy in place.
  • Google APIs (US/EU) — read-only access to Search Console and Analytics on your behalf.
  • Hetzner Cloud (EU) — application and database hosting (Falkenstein / Helsinki).
  • Aiven (EU) — managed MySQL or MariaDB and Redis.
  • Cloudflare (EU resolvers) — CDN, DDoS protection, and marketing-site hosting (Cloudflare Pages).
  • Resend (EU) — transactional email delivery and waitlist signups.
  • Google Analytics 4 (EU regional) — visitor analytics on leanseo.app only, fired after consent. See our cookies page for the full list.
  • Sentry (EU) — error monitoring.

We notify you at least 30 days before adding or replacing a sub-processor. Objections are handled by support.

International data transfers

Our infrastructure is in the EU. Two of the sub-processors above involve transfers outside the EEA, and for each we rely on a specific GDPR transfer mechanism:

  • Stripe (United States) — we use Stripe's Standard Contractual Clauses (Module 4), and where applicable Stripe's self-certification under the EU-US Data Privacy Framework. Only billing data flows to Stripe; we do not pass Google-derived data to it.
  • Google APIs (United States / EU) — Google operates under EU-US Data Privacy Framework self-certification and Standard Contractual Clauses. Read access to your Search Console and Analytics is initiated by you through Google's OAuth consent screen.

All other sub-processors (Hetzner, Aiven, Cloudflare, Resend, Sentry) store and process data within the European Economic Area. If we ever add a sub-processor that requires a new transfer mechanism, we disclose it on this page before the transfer begins.

Information security

We follow the practices below to protect your account and the data you connect:

  • In transit: TLS 1.2+ on every connection to the app, the marketing site, and Google APIs.
  • At rest: passwords are stored as bcrypt hashes; customer data lives on Aiven-managed, encrypted-at-rest Postgres with daily backups on a 30-day rolling window.
  • Google connections: OAuth 2.0 only. We never see your Google password. The OAuth refresh token we store is encrypted in the database and only used to fetch the data scopes you granted.
  • Account hardening: 2FA and passkey enrolment are available to every user. Agency-tier plans get SSO on request.
  • Audit log: we log authentication, OAuth grants, data exports, and administrative actions on every account. Logs are retained for 24 months for security investigations.
  • Access: only Blue Networks OÜ staff whose role requires it can access production data, and only via short-lived, audited sessions.
  • Reporting: if you think you've found a vulnerability, email [email protected] with “security” in the subject line. We aim to acknowledge within 1 working day and we don't pursue good-faith researchers.

Cookies

The app uses one session cookie and one CSRF token cookie — both strictly necessary. The marketing site (leanseo.app) sets Google Analytics 4 cookies only after you accept; without consent, no analytics cookies are written. The full cookie inventory and opt-out steps live on the cookies page.

Breach notification

If we detect a personal-data breach, we notify the Estonian Data Protection Inspectorate within 72 hours and we notify affected tenants as soon as the impact is scoped.

Contact

Privacy questions: [email protected]. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee).

© 2026 Blue Networks OÜ · leanseo.app