UtilitySEO

Privacy Policy

Last Updated: March 2026 | UtilitySEO Ltd | Company No. 17055142

This Privacy Policy explains how UtilitySEO Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website at utilityseo.com and our application at app.utilityseo.com (together, the "Services"). We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  1. Who We Are

Data Controller: UtilitySEO Ltd | Company Number: 17055142 | Registered Address: 4 Frances Street, Cheadle, SK8 2AE | Email: support@utilityseo.com | ICO Registration: C1885551

  2. What Personal Data We Collect

2.1 Account & Identity Data

- Full name
- Email address
- Password (stored as a one-way bcrypt hash — we never store your plain text password)
- Account creation date and time
- Subscription tier (Free, Pro, Pro Plus)

2.2 Payment & Billing Data

- Stripe Customer ID (a reference token — we never store raw card numbers)
- Last 4 digits of payment card (provided by Stripe for your reference)
- Card fingerprint (a unique hash of your card, used for fraud prevention — not reversible to obtain card details)
- Billing address (if provided during checkout)
- Transaction history and subscription status

We do not store full card numbers, CVV codes, or complete payment card details. All payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified processor.

2.3 Usage & Technical Data

- IP address (logged at account creation and on each login for fraud and security purposes)
- Browser type and version
- Operating system
- URLs you have analysed using our tool
- Daily scan usage counts
- Login timestamps
- Error logs

2.4 Cookie & Tracking Data

Please see our Cookie Policy for full details of the cookies we use.

  3. How We Use Your Personal Data

3.1 Lawful Bases for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

- Contract Performance: To create and manage your account, process your subscription, and deliver the Services you have requested.
- Legitimate Interests: To detect and prevent fraud, abuse, and misuse of our Services; to maintain security of our systems; to enforce our Terms of Service.
- Legal Obligation: To comply with applicable laws, respond to lawful requests from authorities, and maintain financial records.
- Consent: To send you marketing communications (where you have opted in); to place non-essential cookies on your device.

3.2 Specific Purposes

- Providing and improving the Services
- Processing your subscription and managing billing
- Sending transactional emails (account creation, password reset, subscription confirmations)
- Detecting fraud and abuse, including identifying repeat misuse of free trial cancellations
- Complying with our legal and regulatory obligations
- Responding to your support queries

  4. Data Retention

We retain your personal data for as long as necessary to provide the Services and comply with our legal obligations:

- Active account data: Retained for the duration of your account plus 6 years after closure (UK statutory limitation period for contract claims)
- Payment records: Retained for 7 years to comply with HMRC requirements
- Cancellation records (including fraud prevention data such as card fingerprint): Retained for 3 years from cancellation date
- IP address logs: Retained for 12 months from collection
- Server and error logs: Retained for 90 days
- Marketing consent records: Retained until consent is withdrawn plus 3 years

  5. Who We Share Your Data With

We do not sell your personal data. We may share your data with the following third-party processors who act on our instructions:

- Stripe, Inc. — Payment processing. stripe.com/privacy. PCI DSS Level 1 certified.
- Vercel, Inc. — Frontend hosting and content delivery.
- Railway Corporation — Backend hosting and database infrastructure.
- Google LLC — PageSpeed Insights API. URLs you submit for analysis are sent to Google's API.
- Email service provider — Transactional email delivery.

All our processors are bound by Data Processing Agreements (DPAs) and are required to handle your data only on our instructions and in compliance with applicable data protection law.

  6. International Transfers

Some of our processors (including Vercel and Stripe) may process data in the United States or other countries outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), or we verify that the recipient is in a country with an adequacy decision.

  7. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

- Right of Access: You can request a copy of the personal data we hold about you (Subject Access Request)
- Right to Rectification: You can ask us to correct inaccurate or incomplete data
- Right to Erasure ('Right to be Forgotten'): You can ask us to delete your personal data in certain circumstances
- Right to Restriction: You can ask us to restrict processing of your data while a complaint is resolved
- Right to Data Portability: You can request your data in a structured, machine-readable format
- Right to Object: You can object to processing based on legitimate interests, including direct marketing
- Rights related to automated decision-making: We do not make solely automated decisions that have legal or significant effects on you

To exercise any of these rights, please email support@utilityseo.com. We will respond within one calendar month. You also have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

  8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

- HTTPS encryption for all data in transit
- Passwords stored using bcrypt hashing (not reversible)
- Database encryption at rest
- JWT-based authentication with secure token handling
- Access controls limiting employee access to personal data
- Regular security reviews

In the event of a personal data breach that poses a risk to individuals, we will notify the ICO within 72 hours of becoming aware and will notify affected individuals without undue delay where required.

  9. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at support@utilityseo.com.

  10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice on our website. Continued use of the Services after any changes constitutes your acceptance of the updated policy.

  11. Contact Us

- Email: support@utilityseo.com
- Post: UtilitySEO Ltd, 4 Frances Street, Cheadle, SK8 2AE
- ICO Registration: C1885551

We aim to respond to all queries within 5 business days.