← Back to SEOBetter

SEOBetter Privacy Policy

Last updated: 2026-05-03 · Effective: 2026-05-03

SEOBetter is a WordPress plugin published by SEOBetter ("we", "us", "our"). This Privacy Policy explains what data we collect, how we use it, and your rights, with specific attention to data accessed via Google APIs.

1. Who is the data controller

The plugin runs on your own WordPress site. We do not host your content, your articles, or your Google Search Console data. You are the data controller for any data processed by your install.

SEOBetter operates a small set of cloud endpoints (the "Cloud API") that handle research aggregation and the OAuth proxy. Where the Cloud API processes data on your behalf, we are a data processor.

2. What data we access via Google APIs

If you choose to connect Google Search Console (GSC) inside the plugin, SEOBetter requests the following Google API scopes:

• https://www.googleapis.com/auth/webmasters.readonly — read-only access to your verified GSC properties' performance data (clicks, impressions, position, queries, pages)
• https://www.googleapis.com/auth/userinfo.email — your Google account email address, displayed in plugin settings as "connected as user@example.com"

We do not request, access, or store any other Google data. We do not request write access to your Search Console properties.

3. How GSC data is used

Performance data retrieved from your GSC properties is used to:

• Display a Content Freshness inventory inside your WordPress admin showing which posts are losing traffic
• Compute per-post refresh-priority scores
• Surface "striking distance" pages ranking just off page 1
• Show top queries each post is ranked for

This data is stored only in your own WordPress database (in the wp_seobetter_gsc_snapshots table). It never leaves your server.

4. OAuth tokens — how they're stored

When you complete the OAuth flow, Google issues an access token (1-hour validity) and a refresh token (long-lived). These are:

• Stored encrypted in your WordPress database in the wp_options table under the seobetter_gsc_connection option, using AES-256-CBC with the encryption key derived from your site's SECURE_AUTH_KEY WordPress salt
• Never logged on the OAuth proxy server (Cloud API). The proxy passes tokens through to your install via a single-use 5-minute pickup-token mechanism that never writes the token to logs or persistent storage longer than the redemption window
• Never shared with third parties
• Revocable at any time by clicking "Disconnect" in plugin Settings, which deletes the stored tokens and revokes them at Google's token endpoint

5. The OAuth proxy — what it does and doesn't do

To avoid requiring every plugin user to create their own Google Cloud Console project (an hour of friction with security pitfalls for non-technical users), SEOBetter runs a centralized OAuth proxy on our Cloud API.

The proxy:

• Holds the OAuth client_id and client_secret of the verified SEOBetter Google Cloud project
• Forwards the user's auth-code exchange back to Google with our credentials
• Returns the resulting tokens to the user's WordPress install via a single-use pickup token (5-minute TTL via Upstash Redis)
• Refreshes expired access tokens when the install's refresh_token is presented

The proxy does not:

• Log access tokens, refresh tokens, or any user content
• Store tokens longer than the 5-minute pickup window
• Read or modify your GSC data on its own
• Have direct access to your GSC properties (only you, via your install's access_token, do)

6. Compliance with Google API Services User Data Policy

SEOBetter's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google API user data only to provide and improve user-facing features that are visible in the plugin's admin UI
• We do not transfer or sell Google API user data to third parties
• We do not use Google API user data for serving advertising
• We do not allow humans to read Google API user data unless we have your explicit consent for specific support cases, the data is necessary for security purposes, or the data is aggregated and de-identified

7. Data we collect outside Google APIs

Plugin telemetry is opt-in. By default, the plugin does not transmit usage data to us. If you optionally enable telemetry, the plugin sends:

• Plugin version, WordPress version, PHP version
• License key (if Pro/Pro+/Agency)
• Anonymous error logs (no post content)

License validation requests sent to our Cloud API include the site URL (so we can scope licenses per-site) and the license key. No content data.

8. Cookies

The plugin's admin UI uses standard WordPress session cookies. The Cloud API does not set cookies on your browser.

9. Data retention

• OAuth tokens: until you click Disconnect or the refresh_token is revoked by you at Google. We do not auto-expire.
• GSC snapshots in your DB: indefinite — stored locally on your site, you control retention
• Pickup tokens (Cloud proxy): 5 minutes, then automatically deleted
• Server logs (Cloud API): 30 days. Logs do not contain access tokens, refresh tokens, or user content. They contain timestamps, request paths, and error diagnostics

10. Your rights

• Access: all GSC data we access is in your own WordPress database — you have direct access
• Disconnect: click Disconnect in plugin Settings; tokens are revoked and deleted
• Revoke at Google: visit myaccount.google.com/permissions and remove SEOBetter
• GDPR / CCPA requests: email privacy@seobetter.com

11. Children

SEOBetter is a B2B WordPress plugin. We do not knowingly collect data from anyone under 18.

12. Changes to this policy

We will update this policy when we add or change features that affect data handling. The "Last updated" date at the top reflects the most recent change. Material changes are also announced on the plugin's settings page.

13. Contact

Questions or requests:

Email: privacy@seobetter.com