1. Controller
The controller of your personal data is Serff Webdevelopment, KvK 51584263, Havenstraat 5a, 3441BH Woerden, Nederland. Reach us at info@serff-webdevelopment.nl.
2. What we collect
| Category | Examples | Source |
|---|---|---|
| Account | name, email, hashed password, locale, onboarding answers | you |
| Billing | Stripe customer ID, subscription tier, last 4 digits of card, invoice history | you + Stripe |
| Content | websites, keywords, articles, clusters, competitors, author profiles, CMS credentials | you |
| Integrations | Google OAuth tokens (Search Console), CMS API keys, encrypted at rest | you via OAuth/manual |
| Usage | IP address, user-agent, timestamps, feature usage, error logs, support tickets | automatic |
| | support replies, waitlist subscription, transactional emails | you + us |
3. Why we process data (legal bases)
- Contract (art. 6(1)(b) GDPR): providing the Service, processing payments, running integrations you configure.
- Legitimate interest (art. 6(1)(f)): securing the platform against abuse, preventing fraud, error monitoring, improving the product (aggregate metrics only).
- Legal obligation (art. 6(1)(c)): keeping invoices for the period required by Dutch tax law (currently 7 years).
- Consent (art. 6(1)(a)): for marketing emails you explicitly opt in to. You can withdraw consent at any time.
4. Who we share data with
We use a limited set of sub-processors who process data on our instructions, grouped here by category:
| Category | Purpose | Location |
|---|---|---|
| Payment processor | subscription billing and invoicing | EEA |
| LLM provider(s) | content generation and AI-detection scoring | EEA / US (SCCs or DPF) |
| SEO data provider | keyword volume and SERP data | US (SCCs) |
| Search Console API | only when you connect Google Search Console | US (SCCs / DPF) |
| AI image generation provider(s) | image generation (opt-in per website) | EEA / US (SCCs) |
| Transactional email provider | account, billing, and support emails | EEA |
| Error monitoring provider | production error monitoring (errors only, no analytics) | EU |
| EU cloud hosting provider | application and database hosting | EU (Germany / Netherlands) |
We sign a Data Processing Agreement with every sub-processor and use Standard Contractual Clauses for transfers outside the EEA. We never sell your personal data.
A current list naming each specific sub-processor is available to business customers under their Data Processing Agreement, on request via info@serff-webdevelopment.nl.
5. International transfers
Some sub-processors are based in the United States. We rely on the EU-US Data Privacy Framework where the provider is certified, and on Standard Contractual Clauses (SCCs) otherwise. On request we will share the SCCs we have in place.
6. How long we keep data
- Account and content: for the lifetime of your subscription, plus 30 days after cancellation for restoration purposes.
- Invoices: 7 years (Dutch tax law).
- Support tickets: 24 months after the last message.
- Error logs: 90 days.
- Aggregate analytics: indefinitely, but only in a form that cannot identify you.
7. Security
- Data in transit is encrypted with TLS 1.2+.
- Passwords are hashed with bcrypt. Third-party access tokens are encrypted at rest.
- Database backups are encrypted and retained for 30 days.
- Access to production data is restricted to named staff and logged.
- We monitor for suspicious activity and rate-limit sensitive endpoints.
8. Your rights
You have the right to:
- access the personal data we hold about you (art. 15);
- have inaccurate data corrected (art. 16);
- have your data erased (art. 17) — full account deletion from the profile page;
- restrict or object to processing (arts. 18, 21);
- receive your data in a portable format (art. 20) — available via the "Export my data" button on the profile page;
- withdraw consent at any time where processing is based on consent;
- lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
To exercise any right, email info@serff-webdevelopment.nl. We respond within 30 days (extendable by 60 days for complex requests).
9. Automated decision-making
Scrivio does not use your personal data for automated decisions that have legal or similarly significant effects on you. AI-generated content is created at your instruction — you review and decide what to publish.
10. Children
The Service is not directed at children under 16. We do not knowingly collect data from them.
11. Changes
We update this policy when our processing changes. The "last updated" date above reflects the current version. Material changes are communicated by email.
12. Contact
Privacy questions, data requests, or complaints: info@serff-webdevelopment.nl.