🇪🇺 GDPR Compliance

Full GDPR Compliance

LocalSEOFlow is committed to full compliance with the General Data Protection Regulation (GDPR). Here is every detail of how we handle EU/EEA user data.

📅 Last updated: March 26, 2026·Regulation (EU) 2016/679

📖

GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive EU data privacy law that came into effect on May 25, 2018 and was integrated into UK law via the UK GDPR post-Brexit. It establishes the rules for how organizations collect, use, and protect the personal data of individuals in the EU and EEA.

LocalSEOFlow takes GDPR compliance seriously. We have implemented technical and organizational measures throughout our platform to ensure your rights are respected and your data is protected.

Our Role: LocalSEOFlow acts as a Data Controller for user account data. When users upload images for processing, we act as a Data Processor — briefly and temporarily — with all image data deleted immediately after processing.

🌍

Who This Applies To

GDPR applies to all individuals who are:

Located in the European Union (EU) — all 27 member states
Located in the European Economic Area (EEA) — includes Norway, Iceland, Liechtenstein
Located in the United Kingdom (under UK GDPR)

It applies regardless of your citizenship. Even if you are a US citizen visiting the EU, GDPR protects you.

As a service accessible globally, LocalSEOFlow applies GDPR standards to all users worldwide as our baseline privacy standard, not just EU residents.

⚖️

Lawful Basis for Processing

Under GDPR Article 6, every processing activity must have a lawful basis. Here is our basis for each type of processing:

📝 Contract (Art. 6(1)(b))

Providing the Service you signed up for — authentication, tool access, plan management

✅ Consent (Art. 6(1)(a))

Marketing emails and non-essential cookies (you can withdraw at any time)

⚖️ Legitimate Interest (Art. 6(1)(f))

Security monitoring, fraud prevention, service improvement via aggregate analytics

📋 Legal Obligation (Art. 6(1)(c))

Tax records, responding to legal process, regulatory compliance

🔐

Your GDPR Rights

Under GDPR, you have eight core rights. Here is what each means and how to exercise it:

1. Right to be Informed (Art. 13-14)

You have the right to know how your data is processed. This GDPR page and our Privacy Policy fulfill this obligation.

2. Right of Access (Art. 15)

Request a copy of all personal data we hold about you. We will respond within 30 days. Email: privacy@localseoflow.com

3. Right to Rectification (Art. 16)

Correct inaccurate personal data via your account settings, or contact us.

4. Right to Erasure / "Right to be Forgotten" (Art. 17)

Request deletion of your account and all personal data. We will comply within 30 days, unless we have a legal obligation to retain data.

5. Right to Restrict Processing (Art. 18)

Ask us to temporarily stop processing your data while a dispute is resolved.

6. Right to Data Portability (Art. 20)

Receive your personal data in a structured, machine-readable format (JSON/CSV). Available on request.

7. Right to Object (Art. 21)

Object to processing based on legitimate interests. We will cease unless we have compelling legitimate grounds.

8. Rights Related to Automated Processing (Art. 22)

We do not make automated decisions with legal or significant effects on you. No automated profiling.

🤝

Data Processing Agreements

All third-party services that process personal data on our behalf have signed Data Processing Agreements (DPAs) in compliance with GDPR Article 28:

Supabase — DPA signed; offers EU data residency
Stripe — GDPR-compliant; DPA available; PCI DSS Level 1
Google (Gemini API) — No personal data transmitted to AI APIs
Vercel — DPA signed; offers EU region for data localization

If you are a business using LocalSEOFlow and require a DPA (e.g., because you are a data controller using us as a processor), contact us at legal@localseoflow.com.

🌐

International Data Transfers

Some of our service providers are located outside the EU/EEA. We ensure all international transfers are compliant via:

Standard Contractual Clauses (SCCs) — EU-approved contract terms for transfers to non-adequate countries
Adequacy Decisions — For transfers to countries the EU has deemed adequate (e.g., UK)
EU-U.S. Data Privacy Framework — For applicable US-based processors

👤

Data Protection Officer

Given our size and processing activities, a formal DPO appointment may not be legally required. However, we have designated a privacy point of contact:

Privacy Contact

📧 Email: privacy@localseoflow.com

⏱️ Response time: Within 30 days (as required by GDPR)

🚨

Data Breach Response

In the event of a personal data breach, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33)
Notify affected users without undue delay if the breach poses a high risk to their rights (GDPR Art. 34)
Provide: the nature of the breach, categories of data affected, likely consequences, and mitigation steps taken

To report a suspected security issue, contact: security@localseoflow.com

📬

Exercising Your Rights

To exercise any GDPR right:

Email privacy@localseoflow.com with the subject line: “GDPR Request — [Your Right]”
We will verify your identity and respond within 30 days
Extension of up to 2 months may apply for complex requests
Requests are free of charge (unless manifestly unfounded or excessive)

If you are unsatisfied with our response, you have the right to lodge a complaint with your national Data Protection Authority:

🇬🇧 UK: Information Commissioner's Office (ICO)
🇩🇪 Germany: BfDI
🇫🇷 France: CNIL
🇪🇺 Full list: European Data Protection Board