Privacy Policy

1. Who We Are

UnfoldSEO ("we", "us", "our") is a white-label SEO reporting platform operated by UnfoldCRO. Our website is white-seo.unfoldcro.com. For any privacy-related inquiries, contact us at privacy@unfoldcro.com.

2. Data We Collect

We collect the minimum data necessary to provide our services:

• Account data: Name, email address, and agency name provided during registration.
• Integration data: OAuth tokens for Google Search Console, Google Analytics, Google Business Profile, and Shopify. These are stored encrypted and used solely to fetch analytics on your behalf.
• Shopify store data: Product catalog metadata, order totals (revenue, order count), collection names, and theme publish events. We do not store personally identifiable customer information from Shopify stores.
• Usage data: Pages visited, feature usage, and error logs for improving the platform.

3. How We Use Your Data

• Generate automated SEO and e-commerce reports for your clients.
• Display analytics dashboards (revenue, product changes, SEO metrics).
• Send email notifications about report generation and account activity.
• Improve platform performance and fix bugs.

4. Shopify Data Handling

When you connect a Shopify store through our platform:

• We request read-only access to products, orders, analytics, themes, and content.
• We never store end-customer personal data (names, emails, addresses, payment details) from Shopify.
• We store only aggregated order data (total revenue, order counts) and product metadata (titles, statuses, change history).
• When a store owner uninstalls the app, we immediately mark the integration as disconnected and stop fetching data.
• When Shopify sends a shop/redact webhook (48 hours after uninstall), we permanently delete all stored data for that store, including change logs and integration records.

5. Data Security

• All data is transmitted over HTTPS/TLS 1.2+.
• OAuth access tokens are stored securely in our database and never exposed to the browser.
• Webhook payloads are verified using HMAC-SHA256 signatures before processing.
• We enforce strict Content Security Policy and security headers on all pages.
• Server-side rendering ensures sensitive data is never included in client-side bundles.

6. Data Sharing

We do not sell, rent, or share your data with third parties, except:

• Infrastructure providers: Neon (database hosting), Contabo (VPS hosting) — bound by their own privacy policies.
• Payment processors: Razorpay and Stripe process subscription payments. We do not store your payment card details.
• Legal requirements: If required by law, court order, or government regulation.

7. Data Retention & Deletion

• Account data is retained while your account is active. You may request deletion at any time by emailing privacy@unfoldcro.com.
• Shopify integration data is deleted automatically upon receiving a shop/redact webhook, or immediately upon request.
• Google integration tokens are revoked and deleted when you disconnect an integration.

8. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data.
• Request erasure of your data.
• Object to or restrict processing.
• Data portability — receive your data in a structured format.

To exercise any of these rights, contact privacy@unfoldcro.com.

9. Cookies

We use essential cookies for authentication (session management via NextAuth). We do not use third-party tracking cookies or advertising cookies.

10. Changes to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated via email or an in-app notification. Continued use of the platform after changes constitutes acceptance.