Last updated: March 17, 2026
Privacy Policy
SEO Toolkit ("we", "us", or "our"), operated at metagenerator.org, is committed to protecting your privacy. This Privacy Policy describes what information we collect, how we use it, who we share it with, how we disclose it, and the security measures we use to protect it. By using our Service, you consent to the practices described in this policy.
1. Information We Collect
We collect the minimum amount of information necessary to provide and improve the Service. The information we collect falls into the following categories:
1.1 Information You Provide Directly
| Data Type | What We Collect | When |
|---|---|---|
| Account Data | Email address, hashed password (or Google OAuth token) | When you sign up |
| Tool Input Data | URLs, text content, keywords you enter into our tools | When you use AI-powered tools |
| Tool Output Data | AI-generated results (meta tags, schema markup, scores) | When results are saved to your history |
| Support Data | Bug reports, suggestions, feedback messages | When you submit a support ticket |
| Payment Data | Email used for payment (card details are handled entirely by Stripe) | When you subscribe to a paid plan |
1.2 Information Collected Automatically
| Data Type | What We Collect | Purpose |
|---|---|---|
| Usage Analytics | Pages visited, tools used, feature interactions | Improve the Service |
| Device Information | Browser type, operating system, screen resolution | Ensure compatibility |
| Log Data | IP address, request timestamps, referrer URLs | Security and abuse prevention |
| Cookies | Session cookies for authentication | Keep you logged in |
1.3 Information We Do NOT Collect
- Credit card numbers or full payment details (handled entirely by Stripe)
- Government-issued identification
- Precise geolocation data
- Biometric data
- Data from your social media profiles (beyond what Google OAuth provides during sign-up)
2. How We Use Your Information
We use the information we collect for the following purposes:
We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.
3. Who We Share Your Information With
We share your information only with the service providers necessary to operate the Service. We do not sell, rent, or trade your personal information to third parties for marketing purposes.
| Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Supabase | Email, hashed password, user ID, request history | Authentication and database | Link |
| Stripe | Email, payment method, billing address | Payment processing | Link |
| OpenAI | Tool inputs (URLs, text) for AI processing | AI-powered analysis and generation | Link |
| Vercel | IP address, request logs | Website hosting and CDN | Link |
| Anonymized usage data (via Google Analytics) | Website analytics | Link |
We may also disclose your information if required by law, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4. How Information Is Disclosed
When your information is shared with third-party service providers, it is transmitted through the following methods:
- Encrypted API Calls: All data transmitted to Supabase, Stripe, OpenAI, and Vercel is sent over HTTPS/TLS encrypted connections. No data is transmitted in plaintext.
- Server-Side Processing: Your tool inputs are sent from our server to OpenAI's API — they never pass through unencrypted client-side channels. For Pro users who provide their own API key, the key is used for the duration of the request only and is never stored.
- Stripe Hosted Payment: Payment information is entered directly on Stripe's hosted checkout page. Credit card details never touch our servers.
- OAuth Tokens: Google sign-in uses the OAuth 2.0 protocol. We receive only your email and profile name — never your Google password.
- No Bulk Exports: We do not perform bulk exports of user data to third parties. Data is shared on a per-request, as-needed basis only.
5. Security Practices
We take the security of your information seriously and implement the following safeguards:
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Our domain enforces HTTPS via HSTS headers.
Encryption at Rest
User data stored in Supabase is encrypted at rest using AES-256 encryption. Database backups are also encrypted.
Password Security
Passwords are hashed using bcrypt with salt rounds before storage. We never store plaintext passwords. Authentication is managed by Supabase Auth, which follows industry-standard security practices.
Access Control
Database access is restricted through Row Level Security (RLS) policies. Users can only access their own data. Administrative access is limited to authorized personnel.
API Key Protection
Server-side API keys (OpenAI, Stripe) are stored as encrypted environment variables on Vercel and are never exposed to the client. Pro users' API keys are used in-memory during request processing and are never written to disk or logged.
Infrastructure Security
Our application is hosted on Vercel's globally distributed edge network, which provides DDoS protection, automatic SSL certificate management, and isolated serverless function execution. Our database is hosted on Supabase's managed PostgreSQL infrastructure with automated backups and point-in-time recovery.
Incident Response
In the event of a data breach, we will notify affected users via email within 72 hours of discovery, as required by GDPR. We will also notify the relevant supervisory authority and take immediate steps to mitigate the breach.
6. Cookies and Tracking
We use the following types of cookies:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Authentication | Keeps you signed in and maintains your session | Session / 7 days |
| Preferences | Remembers your settings (e.g., sidebar state) | 1 year |
| Analytics (Google) | Collects anonymized usage data to help us improve | 2 years |
You can control cookies through your browser settings. Disabling authentication cookies will prevent you from signing in. Disabling analytics cookies will not affect your use of the Service.
7. Data Retention
We retain your information for the following periods:
- Account Data: Retained for as long as your account is active. Upon account deletion, your data is permanently removed within 30 days.
- Request History: Stored for as long as your account is active. You can delete individual history entries at any time.
- Support Tickets: Retained for up to 2 years after resolution for quality assurance and dispute resolution purposes.
- Payment Records: Retained by Stripe in accordance with their data retention policies and applicable tax/financial regulations.
- Server Logs: Automatically purged after 30 days.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Portability
Request your data in a structured, machine-readable format.
Right to Object
Object to processing of your data for certain purposes.
Right to Restrict
Request that we limit the processing of your data.
To exercise any of these rights, contact us at cucu1116@outlook.com or through our Support page. We will respond to your request within 30 days.
9. GDPR Compliance (EEA Users)
If you are located in the European Economic Area (EEA), including Romania where we are based, the following applies:
- Legal Basis: We process your data based on: (a) your consent (e.g., creating an account), (b) contractual necessity (e.g., providing the Service you subscribed to), (c) legitimate interests (e.g., improving the Service and preventing abuse), and (d) legal obligations.
- Data Transfers: Some of our service providers (OpenAI, Vercel, Stripe) are based in the United States. Data transfers to the US are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.
- Data Protection Officer: For GDPR-related inquiries, contact us at cucu1116@outlook.com.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
10. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete that information immediately. If you believe a child under 16 has provided us with personal data, please contact us at cucu1116@outlook.com.
11. Third-Party Links
Our Service may contain links to third-party websites (e.g., Google Search Central, Schema.org, blog references). We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users by email for significant changes
- Post a prominent notice on our website
Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us through: