Privacy Policy
Last Updated: February 20, 2026
This Privacy Policy explains how Serploom ("we," "us," or "our") collects, uses, discloses, retains, and protects your personal information when you visit our website at serploom.com, use our platform, API, or any related services (collectively, the "Service"). This policy applies to all users of the Service, regardless of location.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this policy, you must not use the Service.
We collect information in the following categories:
1.1 Information You Provide Directly
Account Registration Data:
- Full name
- Email address
- Password (stored using industry-standard bcrypt hashing — we never store plaintext passwords)
- Profile picture (optional)
Social Authentication Data: If you register or sign in using a third-party provider (e.g., Google OAuth), we receive and store your name, email address, and profile image as provided by that service. We do not receive or store your third-party account password.
Customer Data:
- Keywords you add manually or configure for tracking
- Domains and URLs you associate with your account
- Custom analysis configurations and preferences
- Communication content when you contact our support team
1.2 Information Collected Through Integrations
Google Search Console Data: When you connect your Google Search Console account via OAuth 2.0, we access and store:
- Search queries (keywords your website ranks for)
- Impressions, clicks, click-through rates, and average position per query
- Page URLs associated with search queries
- List of verified properties in your GSC account
- Date range of available data (up to 16 months historical)
We access GSC data in read-only mode. We do not modify, submit, or delete any data in your Google Search Console account.
Payment Data (via Stripe): All payment processing is handled by Stripe, Inc. We never receive, process, or store your full credit card number, CVV, or complete banking details. Stripe shares with us:
- Last four digits of your payment card
- Card brand (Visa, Mastercard, etc.) and expiration date
- Billing name and address
- Payment status, amounts, and transaction identifiers
- Subscription status and billing cycle information
For details on Stripe's data practices, please review Stripe's Privacy Policy.
1.3 Information Generated by the Service
AI Analysis Data:
- Content crawled from publicly accessible web pages you request analysis for
- AI-generated optimization recommendations and competitor insights
- Analysis status, timestamps, and configuration parameters
AI Mention Data:
- Results from querying third-party AI models (OpenAI, Perplexity, Google Gemini) about your brand
- Model responses, mention detection results, and contextual excerpts
Aggregated Analytics:
- Keyword performance trends and historical position data
- Dashboard analytics (ranking distributions, competitor overlaps, click potential)
1.4 Information Collected Automatically
Usage and Technical Data:
- Pages visited and features used within the Service
- Interaction patterns (clicks, searches, filters applied)
- Browser type and version, operating system, and device type
- Screen resolution and viewport dimensions
- Referral source (how you arrived at our website)
- Session duration and timestamps of activity
- IP address (used for security, fraud prevention, and approximate geolocation at the country level)
Analytics: We use OpenPanel for privacy-friendly analytics. OpenPanel:
- Does not use cookies for user tracking
- Does not create cross-site user profiles
- Does not share data with third-party advertisers
- Collects anonymized, aggregated usage events
1.5 Cookies and Similar Technologies
We use cookies and similar technologies for the following purposes:
| Cookie Type | Purpose | Duration | Required |
|---|---|---|---|
| Authentication | Maintain your signed-in session | Session / 30 days | Yes |
| Preferences | Remember your settings (theme, language, sidebar state) | 1 year | Yes |
| Cookie Consent | Record your cookie preferences | 1 year | Yes |
| Analytics | Collect anonymized usage data via OpenPanel | Session | No (consent required) |
We do not use:
- Advertising or retargeting cookies
- Third-party tracking pixels
- Cross-site tracking technologies
- Fingerprinting techniques
You can manage cookie preferences through the cookie consent banner displayed on your first visit, or by adjusting your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.
We process your information for the following purposes:
2.1 Service Delivery
- Create and manage your Account
- Sync and display GSC keyword data
- Run AI-powered content analyses and generate recommendations
- Perform AI brand mention checks across supported platforms
- Display analytics dashboards and keyword performance trends
- Process keyword imports (manual entry and CSV uploads)
2.2 Billing and Payments
- Process subscription payments and manage billing cycles through Stripe
- Send invoices, payment confirmations, and failed payment notifications
- Manage plan upgrades, downgrades, and add-on subscriptions
2.3 Communication
- Send transactional emails (welcome, password reset, email verification, integration connection expiry)
- Respond to support inquiries via email or live chat
- Send product update notifications and feature announcements (with opt-out option)
2.4 Security and Fraud Prevention
- Detect, investigate, and prevent unauthorized access, fraud, and abuse
- Monitor for suspicious login activity and account compromise
- Enforce our Terms of Service and Acceptable Use Policy
- Maintain audit logs for security purposes
2.5 Service Improvement
- Analyze aggregated, anonymized usage patterns to identify bugs and performance issues
- Develop, test, and deploy new features and improvements
- Conduct internal research and analytics on Service usage trends
2.6 Legal Compliance
- Comply with applicable laws, regulations, and legal processes
- Respond to lawful requests from public and government authorities
- Establish, exercise, or defend legal claims
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Art. 6(1)(b) GDPR) | Account creation, service delivery, payment processing, customer support |
| Legitimate Interest (Art. 6(1)(f) GDPR) | Security and fraud prevention, service improvement, analytics, product notifications |
| Consent (Art. 6(1)(a) GDPR) | Analytics cookies, marketing communications |
| Legal Obligation (Art. 6(1)(c) GDPR) | Compliance with applicable laws, responding to legal requests |
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
We do not sell, rent, or trade your personal information to third parties.
We share your information only in the following circumstances:
4.1 Service Providers
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Stripe | Email, billing details, transaction data | Payment processing | USA / EU |
| | OAuth tokens, API requests | GSC data access | USA / EU |
| OpenAI | Keywords, page content, domain | AI content analysis, mention checks | USA |
| Perplexity AI | Keywords, domain | AI mention checks | USA |
| Google Gemini | Keywords, domain | AI mention checks, analysis | USA |
| OpenPanel | Anonymized usage events | Privacy-friendly analytics | EU |
| Email provider | Email address, name | Transactional email delivery | EU |
| Crisp | Name, email (for live chat) | Customer support live chat | EU |
All service providers are contractually obligated to process data only for the purposes we specify and to implement appropriate security measures. We are not responsible for the data practices, security measures, or privacy policies of our third-party service providers. While we exercise reasonable diligence in selecting service providers, we do not guarantee and shall not be liable for any acts, omissions, data breaches, or failures by third-party providers.
4.2 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to:
- Comply with applicable law or legal process
- Protect the rights, property, or safety of Serploom, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, or sale of all or substantially all of our assets, your personal information may be transferred as part of the transaction. By using the Service, you consent to such transfer. We will use reasonable efforts to notify you via email or a prominent notice on our website of any material change in ownership or use of your personal information, but we shall not be liable for any privacy impacts resulting from such business transfer.
4.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
Your data may be processed and stored in countries outside your country of residence, including but not limited to member states of the European Union and the United States. When we transfer personal data outside the EEA, we ensure adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where the European Commission has determined that a country provides adequate data protection
- Contractual commitments with service providers requiring equivalent data protection standards
For transfers to the United States, our service providers participate in applicable data privacy frameworks or have entered into SCCs.
We retain your information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.
| Data Type | Retention Period |
|---|---|
| Account data (name, email, profile) | Duration of active account + 30 days after deletion |
| GSC keyword data | Up to 16 months of historical data, continuously refreshed |
| AI analysis results | Duration of active account |
| AI mention check results | Duration of active account |
| Deleted keywords | Permanently removed within 30 days of deletion |
| Payment records | As required by applicable tax and accounting laws (typically 7 years) |
| Usage and analytics data | Up to 24 months (anonymized and aggregated) |
| Security and audit logs | Up to 12 months |
| Support communications | Duration of active account + 90 days |
Account Deletion: When you delete your Account, we initiate deletion of your personal data within 30 days. Some data may be retained in encrypted backups for a limited period (up to 90 days) and will be automatically purged. Anonymized, aggregated data that cannot be used to identify you may be retained indefinitely for statistical and analytical purposes.
We implement technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
Technical Measures:
- All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS)
- Passwords are hashed using bcrypt with industry-standard salt rounds
- OAuth tokens and sensitive credentials are encrypted at rest using AES-256
- Database access is restricted through network-level controls and authentication
- API access is secured through unique, revocable API keys
- Regular security patches and dependency updates
Organizational Measures:
- Access to personal data is restricted to authorized personnel on a need-to-know basis
- Employees and contractors are subject to confidentiality obligations
- Regular security reviews and vulnerability assessments
- Incident response procedures for data breaches
Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot and do not guarantee absolute security of your data. You acknowledge that you provide personal information at your own risk. We shall not be liable for any unauthorized access, breach, or loss of personal data except to the extent directly caused by our gross negligence or willful misconduct and subject to the limitations of liability set forth in our Terms of Service. If we become aware of a security breach affecting your personal data, we will notify you in accordance with applicable law.
Depending on your jurisdiction, you have the following rights regarding your personal information:
8.1 Rights Under GDPR (EEA, UK, Switzerland)
- Right of Access — Request a copy of the personal data we hold about you
- Right to Rectification — Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to Be Forgotten") — Request deletion of your personal data, subject to legal retention requirements
- Right to Restriction — Request that we restrict processing of your data in certain circumstances
- Right to Data Portability — Receive your personal data in a structured, machine-readable format
- Right to Object — Object to processing based on legitimate interest, including direct marketing
- Right to Withdraw Consent — Withdraw consent at any time for consent-based processing
- Right to Lodge a Complaint — File a complaint with your local data protection authority
Supervisory Authority: If you are in Portugal, the relevant authority is the Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt.
8.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know — Request information about the categories and specific pieces of personal information we collect, use, and disclose
- Right to Delete — Request deletion of your personal information
- Right to Correct — Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights
Categories of personal information collected: Identifiers, internet activity, commercial information, geolocation data (approximate).
We do not sell personal information. We have not sold personal information in the preceding 12 months.
8.3 Rights Under LGPD (Brazilian Residents)
If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados, including confirmation of processing, access, correction, anonymization, portability, deletion, and information about shared data.
8.4 Exercising Your Rights
To exercise any of your rights, contact us at [email protected]. We will:
- Verify your identity before processing the request
- Respond within 30 days (or as required by applicable law)
- Provide the requested information or action free of charge (reasonable fees may apply for excessive or repetitive requests)
You may also exercise certain rights directly through the Service, including downloading your data, updating your profile, and deleting your account from the Settings page.
The Service is not intended for, and we do not knowingly collect personal information from, children under the age of 16 (or such higher age as applicable in your jurisdiction). If we learn that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided personal information to us, please contact us at [email protected].
The Service may contain links to third-party websites, products, or services that are not owned or controlled by Serploom. We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to read the privacy policies of any third-party services you access.
Some browsers transmit "Do Not Track" (DNT) signals. As there is currently no industry standard for recognizing or honoring DNT signals, we do not currently respond to DNT signals. However, our analytics provider (OpenPanel) is privacy-focused and does not engage in cross-site tracking regardless of DNT settings.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required under GDPR)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, its effects, and the remedial actions taken
For privacy-related inquiries, you may contact us at:
- Email: [email protected]
- Subject line: "Privacy Inquiry"
We will route your request to the appropriate personnel.
14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
14.2. For material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email to the address associated with your Account
- Provide at least 30 days' notice before changes take effect
14.3. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes acceptance of the updated practices. If you do not agree with the changes, you should stop using the Service and delete your Account.
14.4. Non-material changes (formatting corrections, clarifications) may be made without prior notice.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Live Chat: Available on our website at serploom.com
- Response Time: We aim to respond to all privacy-related inquiries within 5 business days.