AI SEO Agents is designed with privacy-by-default principles. This page documents what data we collect, how long we retain it, how we isolate tenant data, and how you can request deletion.
What Data We Store
| Data Type | Storage Location | Purpose |
|---|---|---|
| User accounts | AWS Cognito User Pool | Authentication and identity management |
| Agent configurations | DynamoDB (seo-agent-configs) | Agent settings, keywords, and scheduling preferences |
| Generated articles | S3 (seo-reports bucket) | Content artifacts produced by the Content Agent |
| Job records | DynamoDB (seo-content-jobs) | Job status, progress events, and metadata |
| WordPress credentials | AWS Secrets Manager | Site connectivity (encrypted with KMS CMK) |
| API keys | DynamoDB (seo-api-keys) | Programmatic access (SHA-256 hashed, irreversible) |
| Site registry | DynamoDB (seo-agent-sites) | Connected site URLs and configuration |
| WebSocket connections | DynamoDB (seo-ws-connections) | Real-time progress delivery (TTL: 2 hours) |

Data Retention
| Data | Retention Period | Notes |
|---|---|---|
| Generated articles (S3) | 90 days | S3 lifecycle policy. Versioned — previous versions retained for 90 days. |
| Job records | Indefinite | Kept for audit trail. Can be purged on request. |
| WebSocket connections | 2 hours | DynamoDB TTL auto-deletes ephemeral connection records. |
| CloudWatch logs | 30 days | Application logs auto-expire. No credential data logged. |
| API Gateway access logs | 90 days | Request metadata (IP, path, status code). No request bodies. |
Tenant Isolation
All data is partitioned by user_id. Every API request is authenticated, and the resolved user ID is used as a partition key or filter condition on all database queries. There is no mechanism for one user to access another user's data — the isolation is enforced at the application layer and reinforced by DynamoDB partition key design.
- DynamoDB tables use user_id as a GSI partition key for all list operations.
- S3 article keys include the agent ID, which is owned by a specific user.
- API key lookups resolve to a user_id and all subsequent operations are scoped to that user.
- WebSocket subscriptions verify job ownership before delivering progress events.
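The isolation pattern described above, sketched as an added example (not AI SEO Agents' own code). In-memory dictionaries stand in for the DynamoDB tables, and every function name, API key and job ID is hypothetical and constructed for illustration.

```python
import hashlib

def key_hash(raw_key):
    """Only this SHA-256 digest is stored; the raw API key is never persisted."""
    return hashlib.sha256(raw_key.encode()).hexdigest()

# Constructed sample data standing in for the API key and job tables.
API_KEYS = {  # digest -> user_id
    key_hash("key-alice-demo"): "user-alice",
    key_hash("key-bob-demo"): "user-bob",
}
JOBS = {
    "job-1": {"user_id": "user-alice", "status": "running"},
    "job-2": {"user_id": "user-bob", "status": "done"},
    "job-3": {"user_id": "user-alice", "status": "done"},
}

class AccessDenied(Exception):
    pass

def resolve_user(raw_key):
    """Authenticate: hash the presented key and resolve it to its owner."""
    user_id = API_KEYS.get(key_hash(raw_key))
    if user_id is None:
        raise AccessDenied("unknown API key")
    return user_id

def list_jobs(raw_key):
    """List operation: the resolved user_id is the only selector.

    The caller cannot supply a user_id, so there is nothing to tamper with.
    """
    user_id = resolve_user(raw_key)
    return sorted(j for j, rec in JOBS.items() if rec["user_id"] == user_id)

def subscribe(raw_key, job_id):
    """Verify job ownership before any progress event is delivered."""
    user_id = resolve_user(raw_key)
    job = JOBS.get(job_id)
    # Same error for "missing" and "not yours", so job IDs cannot be probed.
    if job is None or job["user_id"] != user_id:
        raise AccessDenied("job not found")
    return {"job_id": job_id, "status": job["status"]}
```

When reviewing a real implementation, the check to look for is the same: no handler should accept a user_id from the request, and every item fetched by ID should be compared against the authenticated owner before it is returned.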
GDPR Compliance
AI SEO Agents supports GDPR requirements for EU users:
- Right to access — Request a full export of your data via the contact page.
- Right to erasure — Request deletion of all your data. We process deletion requests within 30 days.
- Data portability — Articles can be exported as Markdown files from the dashboard at any time.
- Consent management — Cookie consent banner on the marketing site. No tracking in the application dashboard beyond essential session cookies.
- Data processing agreement (DPA) — Available for Enterprise customers on request.
Third-Party Data Processing
| Service | Data Shared | Purpose |
|---|---|---|
| Amazon Bedrock (Claude) | Article content (no PII) | AI content generation and analysis |
| Firecrawl | Target keywords and URLs | Web scraping and SERP research |
| Unsplash | Search queries (keywords) | Stock image sourcing |
| Google (OAuth) | Access tokens | Search Console and Analytics data sync |
| Stripe | Email, subscription tier | Payment processing and billing |
Amazon Bedrock does not use your prompts or completions to train foundation models. Your content remains private. See AWS Bedrock FAQ for details.
Data Deletion
To request complete deletion of your data, contact us via the contact page. We will:
1. Delete your Cognito user account and all associated tokens.
2. Remove all agent configurations and job records from DynamoDB.
3. Delete all generated articles from S3 (including versioned copies).
4. Remove WordPress credentials from Secrets Manager.
5. Purge API keys and site registry entries.
6. Confirm deletion via email within 30 days.
Data Collection Practices
AI SEO Agents follows the principle of data minimization — we collect only the data necessary to provide the service you have subscribed to. We do not collect data speculatively, and we do not monetize your data through advertising or selling to third parties. This section provides a detailed breakdown of what data is collected at each stage of the service lifecycle.
- Account registration: Email address, password (hashed by Cognito, never stored by us), and optional profile information (name, company). We do not require phone numbers or physical addresses for account creation.
- Site connection: WordPress site URL, Application Password credentials (encrypted with KMS CMK in Secrets Manager), and optional site metadata (name, description). We never access your WordPress admin dashboard directly — all interactions use the WordPress REST API.
- Content generation: Target keywords, tone preferences, and word count targets are stored in agent configurations. Generated article content is stored in S3. The AI model (Amazon Bedrock Claude) processes your keywords and content during generation but does not retain them after the request completes.
- Publishing: Post titles, URLs, WordPress post IDs, and publishing metadata are stored in job records. Published content is stored on your WordPress site, not on our infrastructure (we retain the source article in S3 for versioning purposes).
- Analytics integration: When you connect Google Search Console or Analytics, we store OAuth tokens (encrypted in Secrets Manager) and sync aggregated search performance data. We do not access individual user-level data from your Google properties.
Retention Policies in Detail
Our data retention policies are designed to balance operational needs (maintaining audit trails and enabling content versioning) with privacy obligations (not retaining data longer than necessary). Different data types have different retention periods based on their purpose and sensitivity.
| Data Category | Retention | Justification | Can You Shorten It? |
|---|---|---|---|
| Generated articles | 90 days (S3 lifecycle) | Versioning allows rollback to previous versions | Yes — Enterprise customers can configure custom retention periods |
| Job records | Indefinite | Audit trail for content provenance and billing | Yes — request purge via contact page |
| Agent configurations | Until deleted | Active configuration needed for agent operations | Deleted when agent is removed |
| WordPress credentials | Until site is disconnected | Required for active site connectivity | Immediately deleted on site disconnection |
| OAuth tokens | Until integration is disconnected | Required for Google data sync | Revoked immediately on disconnect |
| CloudWatch logs | 30 days (standard) / 6 years (HIPAA) | Operational monitoring and compliance | HIPAA retention is regulatory; standard can be shortened on request |
| Access logs | 90 days | Security monitoring and incident investigation | Enterprise customers can configure custom retention |
User Rights Under GDPR and CCPA
AI SEO Agents is committed to supporting your data rights under both GDPR (for EU/EEA residents) and CCPA (for California residents). These regulations grant you specific rights over your personal data, and we have built processes to honor these rights efficiently.
| Right | GDPR | CCPA | How to Exercise |
|---|---|---|---|
| Right to access | Yes (Article 15) | Yes (right to know) | Request a data export via contact page or Settings > Privacy |
| Right to deletion | Yes (Article 17) | Yes (right to delete) | Request via contact page. Processed within 30 days. |
| Right to portability | Yes (Article 20) | Limited | Export articles as Markdown from the dashboard at any time |
| Right to rectification | Yes (Article 16) | Not explicit | Update account details in Settings. Contact us for data corrections. |
| Right to restrict processing | Yes (Article 18) | Not explicit | Pause all agents to stop data processing. Contact us for specific restrictions. |
| Right to object | Yes (Article 21) | Yes (right to opt out) | Contact us to object to specific processing activities |
| Non-discrimination | N/A | Yes | Exercising privacy rights will not affect your service quality or pricing |
To exercise any of these rights, contact us via the contact page with the subject line "Privacy Request" and include the specific right you are exercising. We verify your identity before processing any request to prevent unauthorized data access or deletion. Requests are processed within 30 days as required by both GDPR and CCPA.
Data Processing Agreements
A Data Processing Agreement (DPA) establishes the legal framework under which AI SEO Agents processes personal data on your behalf. Under GDPR, a DPA is required whenever a data controller (you) engages a data processor (AI SEO Agents) to handle personal data. Enterprise customers can request a DPA that covers the specific processing activities relevant to their use case.
- Standard DPA: Available for all Enterprise customers at no additional cost. Covers standard processing activities including content generation, storage, publishing, and analytics integration.
- Custom DPA: For organizations with specific regulatory requirements or internal compliance policies, our legal team can work with you to create a custom DPA that addresses your specific needs.
- Sub-processor list: The DPA includes a current list of all sub-processors (AWS, Firecrawl, Unsplash, Stripe, Google) along with the type of data they process and the safeguards in place. You will be notified 30 days before any new sub-processor is added.
- International transfers: For data transfers outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. AWS infrastructure in eu-north-1 (Stockholm) ensures your primary data processing occurs within the EU.
Third-Party Data Sharing Policies
AI SEO Agents shares data with third-party services only when necessary to provide the core functionality of the platform. We never sell your data, share it for advertising purposes, or provide it to data brokers. Each third-party integration is governed by a specific data processing agreement that restricts the sub-processor to using your data solely for the purpose of providing service to you.
Amazon Bedrock (which powers the AI content generation) does not use your prompts or generated content to train or improve foundation models. Your content is processed in real-time and not retained by the model provider after the request completes. This is documented in the AWS Bedrock FAQ and is a contractual commitment from AWS.
Cookie and Tracking Policies
The AI SEO Agents platform uses a minimal set of cookies that are essential for providing the service. We do not use tracking cookies, advertising pixels, or third-party analytics on the application dashboard. The marketing website uses a limited set of analytics cookies with explicit consent.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| cognito_session | Essential | Maintains authenticated session state | Session (expires on browser close) |
| cognito_refresh | Essential | Enables token refresh without re-authentication | 24 hours |
| seo_api_base_url | Functional (localStorage) | Stores configured API URL | Persistent until cleared |
| seo_ws_url | Functional (localStorage) | Stores WebSocket connection URL | Persistent until cleared |
The application dashboard does not use Google Analytics, Facebook Pixel, or any other third-party tracking technology. The marketing website (aiagentssee.com) uses privacy-respecting analytics that do not track individual users across sites, and all non-essential cookies require explicit opt-in consent via the cookie banner. Your use of the platform is not monitored for advertising purposes, and your content is not analyzed for any purpose other than providing the SEO services you have requested. For complete details on our security practices, see the Security Overview.
Related Documentation
- Security Overview — Infrastructure security and encryption architecture.
- HIPAA Compliance — Healthcare-specific data handling requirements.
- SSO Configuration — Enterprise authentication and user provisioning.