Back to app

SEODrafts

Privacy

Last updated: July 17, 2026 · Version 2026-07-17

This notice explains how SEODrafts processes personal data for workspace sign-in, SEO operations, publishing workflows, analytics, Google Search Console connections, and support. It is written for GDPR transparency and should be read together with the Terms.

Controller And Contact

The service provider and controller for SEODrafts account administration, the public waitlist, billing, security, legal compliance, and support is Wotaso GmbH, Bostonring 5, 71686 Remseck am Neckar, Germany. Managing Director: Lucas Damian Orzan. Email: contact@wotaso.com. Further company details are available in the Imprint.

The workspace operator using SEODrafts is the controller for its users, projects, website data, editorial content, publication decisions, legal bases, notices, and connected third-party accounts. Wotaso acts as a processor where it processes that workspace data solely on the workspace operator's documented instructions. The workspace operator remains responsible for ensuring that content, prompts, source material, analytics data, and personal data uploaded to or published through the service may lawfully be processed and disclosed.

Wotaso is an independent controller for data it processes for its own account administration, billing, service security, abuse prevention, legal compliance, and support purposes. The exact allocation of controller and processor responsibilities may be further specified in a data processing agreement. Connecting an integration does not make Wotaso responsible for the workspace operator's privacy notices, consent collection, retention decisions, or use of data on the operator's website.

Privacy contact: contact@wotaso.com. Requests for access, correction, export, deletion, restriction, or objection can be sent to this address or submitted from inside the authenticated app where available.

Data We Process

Account data: email address, workspace membership, role, session metadata, device name, user agent, hashed IP address, and sign-in code metadata. Magic codes are stored only as hashes and are short-lived.

Workspace data: project names, domains, blog route patterns, project context, draft content, editorial notes, source URLs and capture timestamps for website-derived context, SEO opportunities, Google Search Console and Bing property references and performance data, backlink snapshots, citation observations, generated images, publishing state, and analytics events sent by connected websites.

Public Website Context

When an authorized user enters a domain and chooses to analyze it, SEODrafts reads a limited number of public business pages on that same domain to suggest an editable project context. The intended data is company, product, service, pricing, feature, solution, and use-case information. We exclude people, contact, legal, careers, login, and signup pages, filter likely email addresses and phone numbers on a best-effort basis, and respect a site-wide robots.txt prohibition. Other personal data may remain, so the user must review the suggestion. The preview is not stored until the user creates the project. We then store the edited context, up to four source URLs, capture time, and capture mode, but not the raw page HTML.

The purpose is to configure the requested SEO workspace without requiring manual context entry. The workspace operator must be authorized to analyze the submitted domain. Where incidental personal data is processed, the relevant controller must document an applicable legal basis, necessity and balancing where legitimate interests are relied upon, and any required information to data subjects. Website terms, copyright, database rights, and crawler directives remain separate obligations.

Third-party integration data: OAuth refresh tokens for Google Search Console are encrypted server-side when connected. Publish tokens and admin tokens are stored as hashes where possible and must not be placed in client bundles or public repositories.

Purposes And Legal Bases

We process data to authenticate users, secure sessions, operate workspace access, generate and review SEO drafts, schedule publishing, sync Search Console data, provide analytics, prevent abuse, keep audit records, and answer support or privacy requests. Depending on context, the legal bases are contract performance, legitimate interests in secure service operation, legal obligations, and consent where a third-party OAuth account is connected.

Email Magic Codes

Sign-in codes are sent to the workspace email address. The service stores a hash of the code, the normalized email address, workspace slug, hashed IP address, user agent, attempts, expiry time, and consumption time. Codes expire quickly and old code records are deleted automatically after the configured retention period.

Private Beta Waitlist

When you join the private beta waitlist, we store the website address you submitted, your normalized email address, signup source, locale, consent version and timestamp, an HMAC-pseudonymized IP address, a shortened user-agent string, confirmation delivery and confirmation timestamps, and invitation status. We first send a transactional confirmation email. Beta or launch updates are sent only after you confirm the time-limited link (double opt-in). The legal basis for those updates is your consent. Every confirmation email contains a direct removal link; later beta marketing must contain an equally functional unsubscribe option. You may also withdraw consent by emailing contact@wotaso.com. Authorized operators can resend a confirmation, mark the beta access lifecycle, unsubscribe an address, or delete its waitlist record from the protected dashboard.

Processors And Subprocessors

The service may use infrastructure, database, email delivery, AI model, analytics, and hosting providers to operate the product. For magic-code email, Cloudflare Email Service or Resend may be used depending on the production configuration. Where personal data is processed by a provider, an appropriate data processing agreement and subprocessor review is required before production use.

Discord Operational Notifications

If enabled by Wotaso, the API sends operational event notifications for a new waitlist entry, a completed registration, or an initial subscription purchase to a restricted Discord channel. These messages deliberately exclude email addresses, names, workspace, account and customer identifiers, IP hashes, user agents, payment identifiers, and customer content. They contain only the event type and limited operational attributes such as signup source and locale or plan, quantity, currency, environment, and subscription status. The purpose is internal launch and sales operations based on Wotaso's legitimate interest in operating and monitoring the service. Discord receives the message and technical transmission metadata and may process data in the United States. Before this integration is enabled, Wotaso must review the applicable Discord contractual terms, recipient role, access controls, retention, and international-transfer safeguards. If no Discord webhook is configured, no event data is sent to Discord.

Retention

Authentication sessions expire automatically. Magic-code records are retained only briefly for abuse prevention and troubleshooting. Workspace content, project configuration, publishing state, and analytics events are kept while the workspace uses the service, unless a shorter contract or deletion request applies.

A daily cleanup removes unconfirmed waitlist requests after seven days, active confirmed records after no more than 24 months, and joined or unsubscribed records after the shorter configured terminal retention period, currently 30 days. Legal retention duties or a documented need to establish or defend claims may require narrowly scoped data to be kept for a different period.

Your Rights

Depending on applicable law, you may request access, correction, export, deletion, restriction of processing, objection, and withdrawal of consent. Authenticated users can generate a JSON export and submit a deletion request from the API. Deletion requests are reviewed to avoid deleting another user's workspace content without authorization.

You also have the right to lodge a complaint with a competent data protection supervisory authority. For Wotaso's establishment in Baden-Württemberg, you may contact the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg; information and the online complaint form are available at baden-wuerttemberg.datenschutz.de/beschwerde.

International Transfers

Some providers may process data outside the European Economic Area. Where required, transfers must rely on an adequacy decision, standard contractual clauses, or another valid transfer mechanism.

Security

The service uses HTTPS, short-lived one-time codes, hashed sessions, encrypted OAuth secrets, role-scoped accounts, and server-side secrets. Users remain responsible for protecting their email account, connected Google account, website publishing credentials, and repository secrets.