Effective date: July 12, 2026
Privacy Policy
This Policy explains how KiraSEO accesses, uses, stores, shares, and deletes your personal information and Google user data. By using KiraSEO or authorizing a Google account, you acknowledge this Policy.
1. Scope and data controller
This Policy applies to the KiraSEO website, dashboards, and related data synchronization services. The operator of KiraSEO is the controller of personal information processed by the Service. If you use the Service for an organization, you must be authorized to connect that organization's Google Search Console and Google Analytics resources.
2. Information we collect
- Account information: name, email address, profile image, and Google account identifier supplied by Google for sign-in and account identification.
- Google authorization information: OAuth authorization status and a refresh token. The refresh token is stored in a server-only database table and is used to renew the read-only access you authorize.
- Search Console data: selected sites, permission levels, and daily aggregated clicks, impressions, click-through rate, and average position.
- Google Analytics 4 data: selected property names and identifiers, and daily aggregated active users, sessions, views, engagement rate, default channel groups, and page paths.
- Technical and usage information: necessary cookies, session data, request times, error logs, IP addresses, and coarse device or usage statistics used for security, troubleshooting, and service improvement.
3. Google API permissions and data use
KiraSEO requests the webmasters.readonly and analytics.readonly scopes. We cannot use these permissions to modify your Search Console sites, GA4 configuration, or source Google data.
Data obtained from Google APIs is used only to provide prominent user-facing dashboards, period comparisons, traffic channels, and top-page features, and to maintain or improve those visible features. KiraSEO's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
- We do not sell Google user data or provide it to data brokers or advertising platforms.
- We do not use Google user data for advertising, retargeting, credit assessment, or lending.
- We do not use Google user data to train general-purpose or unrelated artificial intelligence models.
- Personnel do not manually read specific Google user data unless you affirmatively consent, access is necessary for a security investigation, or access is required by law.
4. How we use information
- Authenticate you, maintain sessions, and protect account security.
- Discover GSC sites and GA4 properties that your Google account may access.
- Perform user-initiated and daily incremental synchronization and display aggregated dashboard data.
- Diagnose errors, prevent abuse, maintain reliability, and provide support.
- Meet legal obligations and enforce the Terms of Service.
5. Cookies and analytics
We use strictly necessary cookies to store PKCE verification data and Supabase authentication sessions. Disabling these cookies prevents Google sign-in from working. We may also use Vercel Web Analytics for aggregated traffic statistics; this information is not used for cross-site advertising profiles.
6. Storage and security
Account details, authorization credentials, and synchronized data are stored in a Supabase-hosted database; Vercel provides application hosting and request processing. Data is transmitted over HTTPS. Google refresh tokens are accessible only to trusted server code, not browser code, and database row-level security limits users to their own data.
We use technical and organizational safeguards appropriate to the size of the Service and sensitivity of the data, but no internet service can guarantee absolute security. If a security incident affects your data, we will notify you where required by applicable law.
7. Sharing and processors
We do not sell or rent personal information. We use Google, Supabase, and Vercel as infrastructure or data processors to the extent necessary to operate the Service. We may also disclose necessary information when required by law, to protect users and the Service, or with your explicit consent.
If KiraSEO is involved in a merger, acquisition, or asset transfer, we will provide legally required notice. Any transfer involving Google user data will comply with the Google Limited Use requirements and obtain prior consent where required.
8. Retention, disconnection, and deletion
While your account is active and a source remains connected, we retain account information, refresh tokens, and synchronized metrics needed to provide the dashboards. You may revoke KiraSEO through the third-party connections settings in your Google Account. Revocation stops future synchronization but does not automatically delete previously synchronized data.
You may request deletion of your account, Google tokens, and synchronized data using the email below. After verifying the requester, we aim to delete active data under our control within 30 days. Logs and backup copies retained for security, audit, or disaster recovery may remain for up to 90 days before normal rotation deletes them, except where longer retention is legally required.
9. Your choices and rights
Depending on applicable law, you may have rights to access, correct, export, restrict, object to processing, or delete personal information, and to withdraw consent. You may also revoke OAuth access directly through your Google Account. Submit requests using the contact email below; we may need to verify your identity.
10. International processing and children
Our service providers may process information outside your country or region. We use legally required safeguards for cross-border processing where applicable. KiraSEO is intended for developers and teams able to enter a binding contract and is not directed to anyone under 18. We do not knowingly collect personal information from children.
11. Changes to this Policy
If our data practices materially change, we will update this Policy and its effective date and provide in-product or other reasonable notice where appropriate. If a new purpose exceeds the Google user-data use you originally authorized, we will explain it and obtain renewed consent before processing.