Privacy Policy

1. Data Controller

The controller within the meaning of the GDPR is:

Antonio Blago
Email: info@antonioblago.com
Website: www.antonioblago.com

If you have any questions about data protection, you can contact us at any time at the above email address.

2. General Information on Data Processing

2.1 Scope of Processing

We only process personal data of our users to the extent necessary to provide a functional website and our services. Processing is generally only carried out with the user's consent or where processing is permitted by law.

2.2 Legal Basis

The processing of personal data is based on the following legal bases of the GDPR:

• Art. 6(1)(a) GDPR: User consent
• Art. 6(1)(b) GDPR: Contract performance or pre-contractual measures
• Art. 6(1)(c) GDPR: Legal obligations
• Art. 6(1)(f) GDPR: Legitimate interests of the controller

2.3 Data Deletion and Storage Period

Personal data is deleted as soon as the purpose of storage no longer applies. Storage may continue if required by law (e.g., tax retention periods of 6-10 years).

3. Collection and Processing of Personal Data

3.1 Registration and User Account

Data collected:

• Email address (required)
• Password (stored encrypted)
• Registration date
• Login history (timestamp, IP address)

Purpose: Provision of user account, authentication, security

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Storage period: Until account deletion plus 30 days backup period

3.2 Subscriptions and Payment Data

Data collected:

• Payment information (processed via Stripe)
• Billing address (if provided)
• Transaction history
• Subscription status and duration
• Purchased credits and usage

Purpose: Payment processing, invoicing, contract management

Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligations)

Storage period: 10 years (tax retention requirement)

3.3 Usage Data and Analytics

Data collected:

• Analyzed websites and domains (entered by you)
• EEAT analyses and projects
• Keyword research
• Backlink analyses
• SEO Copilot conversations (temporary for session management)
• Credit usage and API usage

Purpose: Provision of SEO services, platform optimization

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Storage period: As long as the account is active; 30 days after account deletion

4. Cookies and Tracking

4.1 Use of Cookies

Our website uses cookies. Cookies are small text files stored on your device that contain certain information for exchange with our system.

4.2 Types of Cookies

Cookie Type	Purpose	Storage Period
Session Cookies	Authentication, login status	Until browser session ends
Functional Cookies	Language settings, preferences	Up to 1 year
Security Cookies	CSRF protection, abuse detection	Session or 24 hours

4.3 No Third-Party Tracking Tools

5. Integration of Third-Party Services

5.1 Stripe (Payment Processing)

For payment processing, we use Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA.

Data transferred: Email, payment information, transaction data

Purpose: Secure payment processing, fraud prevention

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Privacy Policy: stripe.com/privacy

5.2 DataForSEO (SEO Data API)

For SEO analyses (keywords, backlinks, traffic), we use the DataForSEO API.

Data transferred: Analyzed domains and websites (entered by you)

Purpose: Provision of SEO analysis data

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Important: No personal data about you is transferred to DataForSEO, only the websites to be analyzed.

5.3 Anthropic Claude (AI Analyses)

For AI-powered EEAT analyses and the SEO Copilot, we use the Claude API from Anthropic.

Data transferred: Website content (for analysis), chat queries

Purpose: AI-based SEO analyses and recommendations

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Privacy Policy: anthropic.com/privacy

5.4 OpenAI (Fallback AI System)

As a fallback system for AI analyses, we use the OpenAI API (GPT-4).

Data transferred: Website content (for analysis), chat queries (only when fallback is activated)

Purpose: AI-based SEO analyses as backup when primary system is unavailable

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Privacy Policy: openai.com/privacy

5.5 Google Search Console & Analytics API (OAuth Integration)

For extended SEO analyses, we offer an optional integration with the Google Search Console API and Google Analytics Data API (GA4). This feature requires your explicit consent via Google OAuth 2.0.

Data collected upon connection:

• Google account email address
• List of verified Search Console properties (websites)
• Search performance data (clicks, impressions, CTR, position)
• Keyword data and search queries
• Indexing status and crawling statistics
• Google Analytics 4 properties (if available)
• Analytics data: Sessions, users, page views, traffic sources

Purpose: Provision of detailed SEO analyses based on your actual Google search data and website statistics

Legal basis: Art. 6(1)(a) GDPR (explicit consent)

Storage period: OAuth tokens are stored encrypted with Fernet (AES-128-CBC) until you disconnect. Retrieved analysis data is cached for a maximum of 30 days.

5.6 Hosting (PythonAnywhere)

Our website is hosted on servers of PythonAnywhere LLP, Kenilworth House, 77-85 Hagley Road, Edgbaston, Birmingham B16 8QG, UK.

Data transferred: All data collected on the website

Purpose: Provision of website infrastructure

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

6. Data Transfer to Third Countries

Some of the services used (Stripe, Anthropic, OpenAI) are based in the USA or process data in the USA. The USA is not considered a safe third country from the EU's perspective under GDPR.

Data transfer is based on:

• Standard Contractual Clauses (SCC): Stripe, Anthropic, OpenAI
• Adequacy Decision: Where applicable (EU-US Data Privacy Framework)
• Your Consent: Art. 6(1)(a) GDPR in conjunction with Art. 49(1)(a) GDPR

7. Your Rights as a Data Subject

7.1 Exercising Your Rights

To exercise your rights, please contact:

Email: info@antonioblago.com

We will respond to your request within 30 days.

7.2 Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data.

8. Data Security

8.1 Technical Measures

We implement the following security measures:

• SSL/TLS Encryption: All data transfers are encrypted (HTTPS)
• Password Hashing: Passwords are hashed with bcrypt, not stored in plain text
• Access Control: Strict permission management for database access
• Firewall: Protection against unauthorized access
• Regular Backups: Daily database backups
• Security Updates: Regular updates of all systems

8.2 Encryption of Sensitive Data (Encryption at Rest)

Encrypted data categories:

Data Category	Encryption Method	Key Derivation
Google OAuth Tokens	Fernet (AES-128-CBC)	Individual per user
Revenue Analysis Data	Fernet (AES-128-CBC)	Individual per user
API Credentials	Fernet (AES-128-CBC)	Individual per user

Detailed Technical Documentation: A comprehensive description of our encryption procedures can be found on our Data Encryption page.

9. AI Transparency and EU AI Act Compliance

9.1 AI Systems Used

We use the following AI models:

• Anthropic Claude (Primary): Claude 3.5 Sonnet / Claude 3 Opus for EEAT analyses and SEO Copilot
• OpenAI GPT-4 (Fallback): As backup system when primary system is unavailable

9.2 Risk Classification

Our AI applications fall under the "limited risk" category pursuant to EU AI Act (Art. 52), as they:

• Do not make automated decisions with legal effect
• Are exclusively for analysis and information purposes
• Provide transparent labeling of AI-generated content
• Ensure human control (human-in-the-loop)

9.3 Transparency Requirements

We fulfill the following transparency requirements:

• Labeling: AI-generated content is labeled as such
• No Training: User data is NOT used to train AI models
• Data Processing: Clear documentation of what data is transmitted to AI systems
• Retention Periods: Defined deletion periods (max. 30 days with third-party providers)

9.4 Data Processing Agreements (DPA)

We have concluded Data Processing Agreements (DPA) pursuant to GDPR Art. 28 with all AI providers:

Provider	DPA Status	Training Opt-Out	Retention
OpenAI	Concluded	Activated (API)	30 days
Anthropic	Concluded	Activated (Business)	30 days

9.5 Human Control (Human-in-the-Loop)

All AI-generated analyses and recommendations are designed as decision support. The final assessment and implementation is always up to the user. The AI:

• Does not make automated decisions
• Does not perform independent actions
• Does not change data without explicit user approval
• Only provides recommendations and analyses

9.6 Your Rights Regarding AI Processing

You have the right to:

• Know when AI is used in processing your requests
• Decline AI use (alternative manual analysis on request)
• Receive information about data transmitted to AI systems
• Request deletion of data stored with AI providers

10. Protection of Minors

Our services are intended exclusively for persons aged 18 and over. We do not knowingly collect data from minors. If we become aware that data from minors has been stored, it will be deleted immediately.

11. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy to reflect changes in the legal situation or changes to our services. The current version can always be found on this page.

Last updated: 2026-01-18