Privacy Policy
Effective May 19, 2026 · plain English · we collect the minimum.
This is how Rapid Indexer ("Rapid Indexer", "we", "us") handles your data when you use our website at rapidseoindexer.com or our API. It applies to everyone who signs up, submits a URL, configures a publisher integration, or just browses the landing page. If something here is unclear, email [email protected]and we'll fix it.
1. What we collect
We only collect what we need to run the service:
- Account data — email address, name (optional), encrypted password or OAuth identifier (Google). Stored by our auth provider (Supabase).
- Billing data — name, billing email, country, last 4 digits and brand of your card. We never see your full card number — it goes directly to Stripe / PayPal.
- Service usage — the URLs you submit, submission timestamps, status transitions, and the indexer attempts we made on your behalf.
- Integration credentials — when you connect a WordPress / Blogspot / Tumblr account, we store the OAuth refresh token encrypted at rest (Fernet). We use it only to publish on your behalf when you ask.
- Support tickets — the messages you send us via the in-app support form, plus our replies.
- Analytics / product telemetry — page views, click events, and session replays via PostHog. We capture IP at network ingress so PostHog can derive your country (we never display the raw IP back to anyone). Input fields are automatically masked from session replays.
- Logs — request method, path, response code, IP, user-agent, and for errors a stack trace. Retained 30 days for debugging and security forensics.
2. What we do with it
- Deliver the service you signed up for (submit URLs, publish backlinks, send invoices).
- Send transactional email (account confirmations, payment receipts, indexed-URL alerts).
- Improve the product based on aggregate usage patterns.
- Detect abuse (e.g. submitting URLs that violate the Terms).
- Comply with legal obligations (tax records, lawful requests from authorities).
We do not sell your data, share it with advertisers, or use it to train AI models. We do not run ad pixels (no Meta Pixel, no Google Ads remarketing).
3. Subprocessors
We rely on the following third-party providers ("subprocessors") to operate. Each handles a narrow slice of data under their own privacy policy. We update this table whenever we add or remove a vendor.
| Provider | Purpose | Region | Data passed |
|---|---|---|---|
| Supabase | Authentication + user database | EU (Frankfurt) | Email, encrypted password, OAuth identifiers |
| Stripe | Payment processing | USA / IE | Name, email, billing address, card metadata (we never see the card number) |
| PayPal | Alternative payment processing | USA / LU | Email + PayPal account identifier |
| Resend | Transactional email delivery | USA / EU | Email address + message content |
| PostHog | Product analytics + session replay | EU (Frankfurt) | Page views, click events, IP (used to derive country), anonymized user ID |
| ScraperAPI | Google index verification + scraping support | USA | Submitted URLs (proxied to Google search) |
| Cloudflare | DDoS protection + CDN | Global edge network | Request metadata (IP, user-agent) at the network layer |
| Linode (Akamai) | Application hosting | Germany (Frankfurt) | All processed data resides here at rest |
| Google APIs | Indexing API + Drive/Docs publishing | USA / EU | Submitted URLs + user-configured service-account credentials |
| Facebook (Meta) Graph API | Open Graph metadata refresh on submitted URLs | USA / EU | Submitted URLs (sent to FB to force a recrawl) |
| Internet Archive (Wayback Machine) | Optional URL archival (admin-toggled, not enabled by default) | USA | Submitted URLs |
| Sentry (optional) | Backend error monitoring | EU | Stack traces — may include URL paths but never request bodies |
4. Cookies & similar technologies
We use a small number of first-party cookies:
- Authentication cookies (Supabase) — required to keep you signed in. Cannot be disabled without breaking sign-in.
- PostHog cookies / localStorage — used to stitch your anonymous sessions together so we can debug funnels. Honored if you set a Do-Not-Track header or use an ad-blocker. EU visitors can opt out via the cookie banner.
- Cloudflare cookies — set by our CDN for security (e.g. detecting bot abuse on the login form).
We do not use cross-site tracking cookies (no Facebook Pixel, no Google Ads tag).
5. Data retention
- Account data — kept while your account is active. Deleted within 30 days of account closure.
- Billing records — kept 7 years (tax legal requirement) even after account closure.
- URL submissions — kept while your account is active. Deleted on account closure.
- Server logs — 30 days, then auto-purged.
- Session replays — 30 days, then auto-purged by PostHog.
- Support tickets — kept while your account is active so context isn't lost between conversations.
6. Your rights (GDPR & equivalents)
If you're in the EU/EEA, UK, or California, you have the right to:
- Access — request a copy of every piece of data we have on you.
- Rectify — fix anything inaccurate.
- Delete — close your account and have your data erased (subject to the billing-records exception above).
- Restrict — limit how we process your data (e.g. pause notifications without deleting the account).
- Port — export your data in a machine-readable format.
- Object — opt out of analytics, session replay, or product-update emails.
- Withdraw consent — at any time, with no penalty.
To exercise any of these rights, email [email protected]. We respond within 30 days (usually within 48 hours). You can also lodge a complaint with your local data protection authority — in Morocco, that's the CNDP.
7. International data transfers
Some subprocessors (Stripe, ScraperAPI, Google APIs) operate from the United States. Where required, we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework to lawfully transfer EU data outside the EU.
8. Security
How we protect your data day-to-day:
- All connections force HTTPS (Cloudflare-issued TLS).
- OAuth tokens and integration credentials are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256).
- Database hosted in a private network; no public Postgres listener.
- Admin actions are logged to an append-only audit table.
- We run security updates on the host weekly and rotate secrets when staff leaves (currently no other staff).
We have not had a known data breach. If we do, we'll notify affected users by email within 72 hours, as required by GDPR.
9. Children
Rapid Indexer is a B2B service. It is not directed at anyone under 16. We do not knowingly collect data from children. If you believe a child has created an account, email [email protected] and we will delete it.
10. Changes
We'll update this page whenever we add a subprocessor, change retention periods, or roll out a feature that materially affects how we process data. We'll notify active users by email at least 14 days before changes take effect.
11. Contact
Data Controller: Imad Benzrak, Tangier, Morocco.
Email: [email protected].