SEOlvl · Legal

Privacy Policy

Effective May 16, 2026 · GM Sunshine LLC (d/b/a SEOlvl)

This Privacy Policy explains how GM Sunshine LLC, doing business as SEOlvl ("we", "us"), collects, uses, shares and protects personal data when you use https://seolvl.com and the Service. We are the data controller for personal data described here. Our address is 8 McCullough Dr, New Castle, DE 19720, USA and you can reach us at [email protected].

1. Data we collect

Data you provide

  • Account data: email address, password (stored hashed), and any name or organization you supply.
  • Domains and settings: the domains, competitors, webhooks and preferences you add.
  • Billing data: processed by Stripe. We do not see or store your full card number; we receive limited billing metadata (e.g. plan, last4, country, invoice status) from Stripe.
  • Communications: messages you send us by email or support.

Data collected automatically

  • Strictly-necessary cookies: a session cookie and a CSRF (XSRF-TOKEN) cookie used to keep you logged in and protect form submissions. These are essential and set no tracking.
  • Analytics (Google Analytics 4, cookieless by default): we use Google Analytics in Consent Mode. By default — and for everyone who declines, or whose browser sends a Global Privacy Control or Do-Not-Track signal — GA4 runs in cookieless mode: it sets no cookies, uses no persistent identifier, does not track you across sessions, and sends only anonymized, aggregated measurement with a truncated IP. Only if you click "Accept" on our cookie banner do we enable analytics cookies (e.g. _ga) for fuller insights. We never enable Google advertising features, ad personalization or data sharing for ads.
  • Server logs: IP address, user agent, timestamps and requested URLs, retained for security and debugging.

Domain data (not personal data)

We collect and derive information about websites and domains — estimated authority, backlinks, technical and on-page signals, registration and SSL metadata — from public sources and third-party data providers (e.g. Common Crawl, Open PageRank, Google PageSpeed Insights, public WHOIS/RDAP). This is information about domains, not about individuals, and is used to power scores, profiles, leaderboards and the directory.

2. How we use data

  • To provide, maintain and secure the Service and your account.
  • To process subscriptions and payments (via Stripe).
  • To send transactional and service email (account, alerts, digests, billing) via our self-hosted mail system.
  • To respond to support requests and enforce our Terms and Acceptable Use Policy.
  • To comply with legal obligations and prevent fraud and abuse.

We do not sell your personal data, and we do not use third-party advertising or marketing trackers.

3. Legal bases (EEA/UK)

Where the EU GDPR or UK GDPR applies, we process personal data on these bases: performance of a contract (providing the Service and billing), legitimate interests (security, fraud prevention, service improvement, transactional communications), legal obligation (tax, accounting, lawful requests), and consent where specifically requested. We do not currently target the EEA/UK but do not block users there; this Policy applies to all users.

4. Cookies

Strictly-necessary cookies (session and CSRF) are always active; under the ePrivacy Directive and GDPR these do not require consent. For analytics we use Google Analytics in Consent Mode: by default it operates without any cookies and without a persistent identifier, sending only anonymized, aggregated measurement — this stores and reads nothing on your device and therefore does not require consent. Analytics cookies (e.g. _ga) are set only if you click "Accept" on our cookie banner; if you decline, or send a Global Privacy Control or Do-Not-Track signal, analytics stays cookieless and anonymous. You can change your choice at any time by clearing site data in your browser. We use no advertising or social-media cookies and do not enable Google's advertising features.

5. Sharing and sub-processors

We share personal data only with service providers ("sub-processors") that help us run the Service, under contractual confidentiality and data-protection obligations, and with authorities where legally required or to protect rights and safety. We do not sell or rent personal data. Our current sub-processors are listed at Sub-processors.

6. International transfers

We and our sub-processors may process data in the United States and other countries. Where personal data is transferred out of the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses or the sub-processor's recognized transfer mechanism.

7. Retention

We keep account and domain data for as long as your account is active and as needed to provide the Service. After account closure we delete or anonymize personal data within a reasonable period, except where retention is required for legal, tax, accounting, security or dispute purposes. Server logs are kept for a limited period for security and operations.

8. Security

We use technical and organizational measures including encryption in transit (HTTPS), hashed passwords, access controls and network protection (Cloudflare). No system is perfectly secure; we cannot guarantee absolute security.

9. Your rights

Subject to applicable law (including GDPR/UK GDPR and the CCPA/CPRA), you may have the right to access, correct, delete, port, restrict or object to the processing of your personal data, and to withdraw consent. California residents have the right to know, delete and opt out of "sale"/"sharing" — we do not sell or share personal data as defined by the CCPA. To exercise rights, email [email protected]. We will verify your request and respond within the timeframe required by law. You may also lodge a complaint with your local data protection authority.

10. Domain owners

If you own a domain that appears as a public profile and want to make it private or have it removed, you can use the in-app privacy controls (if you register the domain) or contact [email protected]. See the Acceptable Use Policy for details.

11. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

12. Changes

We may update this Policy; the effective date above reflects the latest version. Material changes will be communicated by email or in-app notice where appropriate.

13. Contact

GM Sunshine LLC (d/b/a SEOlvl)
8 McCullough Dr, New Castle, DE 19720, USA
[email protected]

These documents are provided in good faith for transparency and are not legal advice. For questions contact [email protected].