Privacy Policy
Last Updated: April 1, 2026 | Version: 1.0
1. Data Controller
OnDigital ("we", "us", "our") operates the OnDigital SEO Audit Tool at audit.ondigital.team. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Data We Collect
| Category | Data | Legal Basis |
|---|---|---|
| Account | Email, username, password (hashed) | Contract performance (Art.6(1)(b)) |
| Profile | Full name, company, phone (optional) | Consent (Art.6(1)(a)) |
| Technical | IP address, user agent, session data | Legitimate interest (Art.6(1)(f)) |
| Billing | Transaction IDs, amounts, dates | Legal obligation (Art.6(1)(c)) |
| Audit Data | Domain URLs, SEO audit results | Contract performance (Art.6(1)(b)) |
3. How We Use Your Data
- Provide and maintain the SEO audit service
- Process payments via PayPal (we do not store credit card numbers)
- Send service notifications and verification emails
- Monitor and improve security (rate limiting, audit logging)
- Comply with legal obligations (tax records, security incidents)
4. Data Security
We implement the following security measures:
- AES-256-GCM encryption for personal data at rest (a FIPS 140-2 approved algorithm)
- Encrypted sessions and HTTPS-only connections
- Bcrypt password hashing, with stored hashes automatically rehashed when the cost factor is raised
- CSRF protection, rate limiting, and a web application firewall (ModSecurity)
- Role-based access control following the least-privilege principle
- Tamper-evident audit logging using HMAC chains (each entry's HMAC also covers the previous entry's HMAC, so modification, deletion or reordering of entries is detectable)
5. Data Retention
- Account data: Until account deletion
- Audit reports: 2 years
- Payment records: 7 years (legal obligation)
- Security logs: 1 year
- Session data: 24 hours
- Inactive accounts: Anonymized after 12 months of inactivity
6. Your Rights
Under GDPR and CCPA, you have the right to:
- Access your data (Art.15 / CCPA 1798.100) - via Settings > Export My Data
- Rectification of inaccurate data (Art.16) - via Profile settings
- Erasure of your data (Art.17 / CCPA 1798.105) - via Settings > Delete Account
- Data portability (Art.20) - JSON export available
- Withdraw consent at any time (Art.7(3))
- Opt out of sale (CCPA 1798.120) - we do not sell personal data
7. Cookies
We use:
- Essential cookies: Session management, CSRF protection (always active)
- Analytics cookies: Optional, with your consent
We do not use advertising or tracking cookies.
8. Third-Party Services
- PayPal: Payment processing (PayPal Privacy Policy)
- Google Fonts: Typography (no tracking cookies; note that font files requested directly from Google's servers disclose your IP address to Google)
- IONOS: Email delivery and hosting
9. Data Transfers
Your data is processed on servers located in the EU/EEA. When third-party services process data outside the EEA, we ensure appropriate safeguards (Standard Contractual Clauses) are in place.
10. Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all third-party sub-processors in accordance with GDPR Article 28. Sub-processors are contractually bound to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures. Our current sub-processors are:
- PayPal (Europe): Payment processing — DPA available at paypal.com/dataprocessingagreement
- IONOS SE: Email delivery and hosting — DPA available on request
11. Payment Security (PCI DSS)
We do not store, process, or transmit payment card data. All payment processing is delegated to PayPal, a PCI DSS Level 1 certified service provider. We only store transaction identifiers, amounts, and dates for accounting purposes. No credit card numbers, CVVs, or cardholder names are collected by our systems.
12. Children's Privacy
Our service is not intended for individuals under 16 years of age.
13. Changes to This Policy
We will notify you of material changes via email and update the version number above.
14. Contact
For privacy inquiries or to exercise your rights, contact us at: [email protected]