MON, 08 JUN 2026
Live · Daily brief on the shift from search to AI answers
08:21:31 UTC
LEGAL / Privacy Policy

Privacy Policy

Effective: 20 May 2026 · Last updated: 28 May 2026 (revised)

This Privacy Policy describes how SEO ("we", "us", "our") collects, uses, stores, and shares personal data when you read the website at searchengineoptimization.blog, subscribe to our newsletter, or contact us. We aim to apply the most protective standard across the jurisdictions where our readers live, which means EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (collectively, "CCPA").

1. Who we are

SEO is an independent daily editorial publication. The data controller for the purposes of GDPR and the business for the purposes of the CCPA is Alessandro Benigni, operating as SEO.

For any question about this policy, to exercise your rights described below, or to file a complaint, contact us at: hello@searchengineoptimization.blog

2. What data we collect and why

We collect only what we need to operate the publication. We do not run advertising trackers, behavioural retargeting, or third-party marketing pixels. We do use Google Analytics 4 for aggregate traffic measurement, but only after you grant consent via our cookie notice (see section 2.6).

2.1 Newsletter subscribers

When you submit our newsletter signup form, we store:

  • Your email address.
  • The IP address Cloudflare attaches to the request, and the country it derives from that IP.
  • The source page that submitted the signup ("website").
  • The timestamp of your signup and your subscription status.

Purpose. To send you the SEO newsletter and to operate basic anti-abuse and deliverability controls.
Lawful basis (GDPR). Your consent, given by submitting the form. You may withdraw consent at any time by unsubscribing through any newsletter link or by emailing us.

2.2 Sponsor inquiries

When you submit the sponsor inquiry form at /sponsor, we collect your name, company, work email, optional company URL, selected sponsorship package, target timing, and message body. This information is transmitted to the operator's inbox via our email provider (see section 4).

Purpose. To evaluate and respond to your sponsorship inquiry.
Lawful basis (GDPR). Our legitimate interest in operating commercial relationships, balanced against your reasonable expectation that we will reply to a sales inquiry you submitted.

2.3 Anti-bot challenge (Cloudflare Turnstile)

Our sponsor inquiry form uses Cloudflare Turnstile to distinguish humans from automated submissions. Turnstile is provided by Cloudflare, Inc. and may set its own functional storage and analyse browser signals as part of the challenge. Cloudflare publishes its own privacy notice for Turnstile.

Purpose. To prevent automated abuse of the sponsor form.
Lawful basis (GDPR). Our legitimate interest in protecting the site from spam and abuse.

2.4 Server logs

Cloudflare, our hosting provider, automatically records request metadata for every page view: IP address, approximate country, browser user-agent, the URL requested, the response status code, and the timestamp. These logs are kept for a limited window for security, abuse prevention, and operational debugging, consistent with Cloudflare's retention policies.

Purpose. Security, abuse prevention, reliability.
Lawful basis (GDPR). Our legitimate interest in maintaining a secure and reliable service.

2.5 Local storage on your device

We use a small amount of first-party browser storage:

  • aii.theme: remembers your light or dark theme preference.
  • aii.subs: a local record of email addresses you have subscribed with, used to avoid asking returning visitors to subscribe again.
  • aii.cookie-consent: records your Accept or Decline decision on the cookie notice. Controls whether Google Analytics is allowed to run.
  • aii.push-subscribed: set to 1 after you opt in to browser push notifications. Used to avoid offering the opt-in again.
  • aii.push-dismissed-at: timestamp of the last time you dismissed the push opt-in offer. Used to silence the offer for thirty days.

This storage stays on your device. It is not transmitted to us. See our Cookie Policy for full detail.

2.6 Google Analytics 4 (only after consent)

We use Google Analytics 4 (measurement ID G-NTKT6MVLQP) to understand aggregate site traffic and how readers move between articles. Analytics only fires after you click Accept on the cookie notice. Google Consent Mode v2 enforces this gate at the gtag layer: before consent, no analytics cookies are written and no events are sent. IP anonymisation is enabled, so your full IP address is not stored in the analytics property.

Purpose. Measure aggregate traffic to operate and improve the publication.
Lawful basis (GDPR). Your consent, given by clicking Accept. You may withdraw consent at any time by clearing the aii.cookie-consent storage item in your browser; the notice will reappear and let you choose again.

Google LLC is the controller for the analytics data it processes. Their privacy notice is published at policies.google.com/privacy. We may extend this stack with Firebase product features in the future (for example, authentication or messaging). Firebase Analytics shares the same Google Analytics property; this policy will be updated and the cookie notice will reappear if and when Firebase features ship.

2.7 Browser push notifications (only after opt-in)

We offer browser push notifications when a new edition publishes. The offer appears as a small floating card after you have spent time reading. If you click Yes, your browser asks for permission, and on grant the browser provides Google's Firebase Cloud Messaging service with a registration token bound to your device. We store that token, together with the page you opted in from and your browser's user-agent string, in our subscribers database (Cloudflare D1).

The registration token is opaque, anonymous, and does not include your email, IP address, or any identifier you can be looked up by outside this token. If you revoke notification permission at the operating-system or browser level, the token becomes invalid and we remove it from our database the next time we attempt to send to it. You can also clear it proactively by clearing your browser's site data for searchengineoptimization.blog.

Purpose. To deliver a single push notification when each new daily edition is published. We do not use the channel for marketing, promotion, or content unrelated to the daily editions.
Lawful basis (GDPR). Your consent, given by clicking Yes on the floating card and granting permission at your browser's prompt.
Processor. Google LLC (Firebase Cloud Messaging) on our behalf. Their privacy notice is at policies.google.com/privacy.

3. What we do not do

For clarity, SEO does not:

  • Sell, rent, or share your personal data with third parties for advertising or marketing.
  • Embed advertising trackers, social-media pixels, or remarketing scripts on this site. Google Analytics is configured for measurement only, with advertising features disabled.
  • Set cookies for marketing or behavioural profiling.
  • Combine your reading behaviour with third-party datasets to build profiles.
  • Use your data to train machine-learning models.

4. Who processes your data on our behalf

We use a small number of service providers (processors under GDPR, service providers under CCPA) to operate the publication. Each is bound by a data-processing agreement and may process your data only on our instruction.

  • Cloudflare, Inc. (San Francisco, California, USA): hosting, CDN, Workers runtime, the D1 database that stores subscribers, Email Routing, Turnstile bot protection. Cloudflare Privacy Policy.
  • Resend, Inc. (Delaware, USA): transactional email delivery, used to forward sponsor inquiries to the operator and to send operator notifications when someone subscribes. Resend Privacy Policy.

We do not engage processors outside the list above. If we do in the future, we will update this notice and tell subscribers in the newsletter.

5. International transfers

Both Cloudflare and Resend are headquartered in the United States and operate global infrastructure. If you access SEO from the European Economic Area, the United Kingdom, or Switzerland, your personal data may be processed in the United States or at edge locations worldwide.

For these transfers we rely on a combination of: (a) the EU-US Data Privacy Framework, the UK Extension to the DPF, and the Swiss-US DPF, where the recipient is certified, and (b) the European Commission's Standard Contractual Clauses (SCCs) where the DPF is not applicable, together with supplementary measures (encryption in transit and at rest, access controls). You may request a copy of the relevant transfer safeguards at hello@searchengineoptimization.blog.

6. How long we keep your data

  • Newsletter subscribers: until you unsubscribe. We may delete records that bounce permanently or that have been inactive for more than 24 months.
  • Sponsor inquiries: retained in the operator's email inbox until the inquiry is resolved and for a reasonable period afterward to support audit and tax recordkeeping.
  • Server logs: typically up to 30 days, per Cloudflare defaults.
  • Local storage on your device: until you clear your browser data.

7. Your rights

Depending on where you live, you have some or all of the following rights. We honour the strictest applicable standard across the laws below.

7.1 GDPR and UK GDPR rights (EEA, UK, Switzerland)

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erasure ("right to be forgotten") of your data, subject to limited exceptions.
  • Restriction of processing in specified circumstances.
  • Portability: receive your data in a machine-readable format.
  • Object to processing based on legitimate interest, including direct marketing.
  • Withdraw consent at any time, where processing relies on consent.
  • Lodge a complaint with your national supervisory authority. A list is at edpb.europa.eu; UK residents can complain to the Information Commissioner's Office (ICO).

7.2 CCPA / CPRA rights (California residents)

  • Right to know what categories of personal information we have collected, the sources, the business purposes, and the categories of third parties we share with.
  • Right to delete the personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising, but you may exercise this right as a matter of record.
  • Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
  • Right to non-discrimination for exercising any of the above.

California residents may also designate an authorised agent to make requests on their behalf. We may require reasonable verification before processing.

7.3 How to exercise your rights

Email hello@searchengineoptimization.blog with the right you wish to exercise and the email address associated with your data. We respond within 30 days for GDPR requests and 45 days for CCPA requests, extendable once where permitted by law. There is no fee for reasonable requests.

8. Security

We protect your data with industry-standard controls: TLS 1.2+ for all connections, HSTS with preload, Cloudflare-managed DDoS protection, encrypted storage at rest (D1, Resend), Cloudflare Turnstile for the sponsor form, and a minimal third-party processor footprint. We cannot guarantee absolute security and do not promise one, but we work to apply the standards a reader would reasonably expect of an editorial publication.

9. Children

SEO is intended for adult readers and is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.

10. Cookies and similar technologies

See our Cookie Policy for a full inventory of the first-party storage we use, the third-party challenge service on the sponsor form, and how to control or delete them.

11. Changes to this policy

We may update this policy as our practices evolve. The "Last updated" date at the top of the page reflects the most recent revision. Material changes that affect how we process subscriber data will be announced in the newsletter before they take effect. Continued use of the site after the effective date of an update constitutes acceptance of the updated policy.

12. Contact

Questions, requests, or complaints can be sent to hello@searchengineoptimization.blog. For postal contact, message us first via email so we can confirm a delivery address.

This policy is provided in plain English. Where any term has a legal meaning under GDPR, UK GDPR, or the CCPA, that meaning applies. Nothing in this policy limits any statutory right you have under applicable law.