Back to Leto SEO

Privacy Policy

Last updated: 2026-05-28

This Privacy Policy explains what data Leto SEO (“the Service”), operated by Caydev Innovations Ltd. (“Caydev,” “we,” “us”), collects, how we use it, who we share it with, and the rights you have over it. Caydev is incorporated in the Cayman Islands.

We act as the data controller for account, billing, and operational records, and as the data processor for the third-party analytics data you connect to Leto SEO (your GA4 / GSC / Clarity properties).

1. Data We Collect

1.1 Account data

  • Email address (from your Google account at signup).
  • Display name + profile photo URL (from Google OAuth, if provided).
  • Waitlist application content (free-text answer to “what do you want to use Leto SEO for?”).
  • IP address at sign-up (Cloudflare Turnstile + rate-limit purposes; not stored long-term).

1.2 Google OAuth tokens & scopes

When you connect a Google property, we request and store the following:

  • https://www.googleapis.com/auth/analytics.readonly — read-only access to your Google Analytics 4 data.
  • https://www.googleapis.com/auth/webmasters.readonly — read-only access to your Google Search Console data.
  • Access tokens and refresh tokens, encrypted at rest using Supabase Vault.

We do not request write scopes. We cannot modify any Google property you connect. You can revoke our access at any time at myaccount.google.com/permissions.

1.3 Analytics data from your connected properties

We periodically fetch and store metric snapshots from your GA4 and GSC properties (sessions, conversions, search queries, clicks, impressions, position, page-level metrics, Core Web Vitals). This data is fetched server-side, stored in our database, and used to render your dashboard. We do not enrich, resell, or share it with third parties beyond the processors listed in Section 4.

1.4 Microsoft Clarity (BYOK)

If you connect a Clarity project, you provide a personal API token (Bring Your Own Key). We store the token encrypted in Supabase Vault and use it only to fetch your Clarity insight metrics on the rate-limited schedule documented in our terms (max once per day per project).

1.5 Keyword tracking data

If you add keywords, we call DataForSEO on your behalf to fetch rank, search volume, keyword difficulty, and competitor data. Your keyword list, queries, and DataForSEO responses are stored in our database.

1.6 AI-generated narratives

We call Google Gemini and OpenAI to generate plain-language summaries of your data. The prompt contains a summary of your site’s metrics for the past 7 to 30 days — no raw user data, no personally identifiable information beyond what you have already shared with these providers via your own Google or OpenAI account. We do not send your email or account identifiers to these providers.

1.7 Operational records

We log API usage events (provider, operation, cost in micros, success or failure status) for billing, anomaly detection, and quota enforcement. After account deletion we retain anonymized financial and security audit records for as long as necessary for fraud prevention and to meet our legal and accounting obligations.

2. How We Use Your Data

  • To render your dashboard and the analytics features you sign up for.
  • To send transactional emails (waitlist confirmations, invite codes, re-consent prompts, account-deletion notifications, billing receipts).
  • To enforce per-tenant API quotas and our global spend kill-switch.
  • To detect abuse and respond to security incidents.
  • To comply with legal obligations.

We do not sell your data, share it with advertisers, or use it to train any third-party AI model.

3. Limited Use Compliance (Google API Services)

Leto SEO’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • The data is used only to provide and improve user-facing features within Leto SEO, as described in Section 2.
  • The data is not transferred except as necessary to provide the Service, for security purposes, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • The data is not used or transferred for serving advertisements.
  • Humans do not read the data, except (a) with your affirmative agreement, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized.

4. Sub-Processors

We use the following sub-processors to operate Leto SEO:

  • Supabase (database, authentication, storage) — hosted in AWS US-East.
  • Vercel (application hosting + edge compute) — global edge network.
  • Upstash (rate-limit and caching) — global Redis.
  • Resend (transactional email).
  • Cloudflare (Turnstile bot-prevention).
  • Sentry (error monitoring).
  • DataForSEO (keyword rank and difficulty data).
  • Google (OAuth, Analytics, Search Console, Gemini API, PageSpeed Insights).
  • Microsoft (Clarity Data Export API; only if you connect it).
  • OpenAI (GPT-4o-mini fallback for AI narratives).

A Data Processing Addendum (DPA) is available on request — email support@caydev.com.

5. Data Storage & Security

  • OAuth tokens are encrypted at rest in Supabase Vault. No plaintext tokens exist in the database.
  • Connections to our Service use TLS 1.2+.
  • Row-level security policies restrict every row to its owning user.
  • Service-role keys are confined to server-side cron jobs and are never exposed to client code.
  • Rate limits and a global spend kill-switch protect against abuse and runaway cost.
  • Errors are forwarded to Sentry with sensitive parameters (invite codes, OAuth state, session tokens) stripped before transmission.

6. Data Retention

We retain your account, sites, keywords, campaigns, and metric snapshots for as long as your account is active. After account deletion:

  • Sites, keywords, campaigns, and metric data are deleted immediately.
  • OAuth tokens are revoked at Google within five (5) minutes via our deletion outbox worker, then permanently destroyed.
  • Operational records (usage events, billing audit) are anonymized (your user ID is nulled) and retained for as long as necessary for fraud and abuse prevention and to meet our legal and accounting obligations.
  • Waitlist applications and invite codes associated with your email are anonymized within the same transaction as account deletion.

Unredeemed waitlist applications older than 30 days are anonymized automatically by a scheduled job.

7. Your Rights

Subject to applicable law, you have the right to:

  • Access & portability — download a copy of your data from /api/account/export (multi-section CSV).
  • Erasure — request account deletion from in-app settings; the deletion flow described in Section 6 runs automatically.
  • Withdraw consent — revoke Google OAuth at myaccount.google.com/permissions or disconnect a data source from the site settings page.
  • Rectification — email us to correct any account data.
  • Object / restrict processing — email us; we will respond within 30 days.

8. International Transfers

Your data may be processed in the United States and other countries where our sub-processors operate. Where we transfer personal data out of the European Economic Area or the UK, we rely on the Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Addendum.

9. Cookies

We use first-party cookies for authentication (session cookie, invite cookie) and functional purposes (CSRF protection). We do not use third-party advertising or tracking cookies. We do not deploy a cookie-consent banner because we do not run any non-essential cookies.

10. Changes to This Policy

Material changes will be communicated by email at least seven (7) days before taking effect. Continued use of the Service after the effective date constitutes acceptance.

11. Contact

Privacy questions, data requests, or DPA requests: email support@caydev.com. We aim to respond within five (5) business days.