Privacy Policy
Last updated: 2026-06-02
This Privacy Policy explains how Topical Authority Engine ("we", "us", "our") collects, uses, and protects your personal data when you use the service at https://topicalauthority.app.
We handle your data lawfully under the EU General Data Protection Regulation (GDPR).
1. Who we are
- Service: Topical Authority Engine
- Website: https://topicalauthority.app
- Contact for privacy: [email protected]
- General contact: [email protected]
If you have a concern about how we handle your data and we can't resolve it directly, you can lodge a complaint with the data protection authority in your country of residence.
2. The Service in plain language
Topical Authority Engine is a tool for SEO practitioners and indie operators. It plans topical authority maps, runs content audits, and tracks audit history. The Service has two parts:
- A local MCP server that runs on your own machine inside your AI IDE (Claude Code, Cursor, Cline, Windsurf, etc.). This component does the work. Your project files, generated content, and AI inference all stay on your machine and inside your IDE's vendor stack (e.g., Anthropic via Claude Code).
- A hosted dashboard at topicalauthority.app where we store your account, billing, project metadata, ticket history, and audit summaries posted from your local MCP server.
This split matters for privacy: most of your content never leaves your machine. We only receive what the MCP server explicitly posts back (run summaries, audit findings, ticket state).
3. What data we collect
3.1 Data you provide directly
- Account data: email address, password (hashed via bcrypt), name (optional)
- Project data: verified root domain you're working on, project name
- Billing data: billing address, VAT number (B2B), country. Payment card details are handled directly by Stripe and never touch our servers.
- Communications: emails, support tickets, feedback you send us
3.2 Data the local MCP server posts back to us
When you use a tool inside your IDE, the MCP server posts a run summary to our API. These summaries include:
- Tool name and parameters (e.g., "topical_map", "rewrite_blog")
- Run status, duration, credit cost
- For ticket tools: ticket IDs and state transitions
- For audit tools: audit findings (anomalies, missing pages, phrase gaps)
- Idempotency keys to deduplicate retried requests
The MCP server does NOT post back:
- The full text of content you generate
- Your IDE's AI conversation history
- Your repository contents (unless you explicitly use a tool that needs them)
3.3 Data we collect from connected integrations (optional, with your consent)
When you connect optional integrations, we process:
- Google Search Console (OAuth): read-only access to search performance data (impressions, clicks, position, query, page) for properties you authorize. We use this to detect phrase gaps and ranking anomalies. We never write to your GSC account.
- GitHub (OAuth, future): read access to specific repositories you grant, and write access to post pull requests when you ask us to.
You can disconnect any integration from your account settings at any time. We revoke our access immediately and delete the cached data within 30 days.
3.4 Data we send to data vendors
To enable keyword and SERP features, we send keywords and domain names you query to DataForSEO (our keyword and SERP data provider). DataForSEO processes only the keyword strings and domains needed to return SERP results. They do not receive your account identity.
3.5 Data collected automatically
- Technical data: IP address, browser, device, operating system, request timestamps
- Usage data: which pages of the dashboard you visit, which features you use, time spent (collected via our self-hosted Umami analytics, which does not use cookies or share data with third parties)
- Audit logs: authentication events, API token use, security-relevant actions
3.6 Data we do NOT collect
- We do not buy personal data from third parties
- We do not collect special categories of data (health, racial origin, political opinions, biometrics)
- We do not run third-party advertising or marketing pixels
- We do not sell your data, ever
- We do not process your content through AI ourselves. AI inference happens in your IDE under your vendor relationship (Anthropic, OpenAI, etc.). We are not a subprocessor of those vendors on your behalf.
4. Why we collect it (legal basis under GDPR Art 6)
| Purpose | Data | Legal basis |
|---|---|---|
| Provide the Service | Account, project, run summaries | Contract performance (Art 6(1)(b)) |
| Process payments | Billing data | Contract performance |
| Send transactional emails (password resets, receipts, audit digests) | Email address | Contract performance |
| Customer support | Communications, account | Contract performance |
| Send product updates (only if you opt in) | Email address | Consent (Art 6(1)(a)) |
| Run scheduled audits on your behalf (e.g., weekly GSC, weekly Pattern 2 scan) | GSC data, keywords | Contract performance |
| Detect abuse and secure the Service | Technical, audit logs | Legitimate interest (Art 6(1)(f)) |
| Aggregate, anonymized product analytics | Usage | Legitimate interest |
| Comply with tax and accounting law | Billing | Legal obligation (Art 6(1)(c)) |
5. How long we keep your data
| Data category | Retention |
|---|---|
| Account data | Until you delete your account, then 30 days |
| Project data, topical maps, audit history | Until you delete it or your account, then 30 days |
| Connected integration tokens (Google, GitHub) | Until you disconnect, then deleted immediately |
| Cached GSC data | 90 days rolling window |
| Cached SERP and keyword data | Per cache policy (7-90 days depending on data type), then auto-purged |
| Billing and invoice records | 7 years (Dutch tax law requirement under Algemene wet inzake rijksbelastingen) |
| Support communications | 2 years |
| Email opt-in records | Until you opt out, plus 1 year (proof of consent) |
| Backups | Up to 7 days (Litestream streaming), up to 30 days (daily snapshots), then auto-deleted |
| Server logs | 30 days |
| Audit logs (security events) | 1 year |
When you delete your account, we anonymize or delete your personal data within 30 days, except where retention is required by law (invoices: 7 years).
6. Subprocessors
We share necessary data with the following processors to operate the Service:
| Vendor | Purpose | Data | Location | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Server hosting | All hosted user data | EU (Germany / Finland) | Yes |
| Cloudflare, Inc. | DNS, CDN, security, R2 backup storage | Technical, usage, encrypted backups | Global (US-headquartered, EU PoPs) | Yes |
| Stripe Payments Europe Ltd. | Payment processing | Payment, billing | Global | Yes |
| AWS (SES) | Transactional email delivery | Email addresses, message content | EU (eu-central-1) | Yes |
| Backblaze, Inc. (B2) | Database backups | All hosted user data (encrypted at rest) | US | Yes (with SCCs) |
| DataForSEO LLC | Keyword and SERP data | Keyword strings, domains you query | US | Yes (with SCCs) |
| Google LLC (Search Console API) | Read your GSC data on your behalf when you connect | OAuth tokens, fetched GSC data | Global | Yes |
| GitHub, Inc. (future, optional) | Read repositories and post PRs when you connect | OAuth tokens, repo contents we explicitly fetch | US | Yes |
We do NOT use the following, even though they appear in many standard SaaS stacks:
- No AI model providers (Anthropic, OpenAI, Google Gemini, etc.) as subprocessors. AI inference happens in your IDE.
- No marketing automation, ad networks, or CRM that processes your personal data.
The current, dated list lives at https://topicalauthority.app/subprocessors. We notify you by email at least 30 days before adding a new subprocessor that processes your personal data.
For international transfers (US-based vendors), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
7. AI processing disclosure
The Service itself does not perform AI inference on your content. The AI features you see in your IDE (Claude Code, Cursor, etc.) run under your relationship with that IDE's AI vendor (Anthropic, OpenAI, etc.). We do not send your content to AI vendors on your behalf, and we are not a subprocessor of those vendors.
This is an architectural choice: we built Topical Authority Engine as a tool layer, not an AI wrapper. Your IDE owns the AI runtime.
For the avoidance of doubt:
- Outputs you generate inside your IDE are governed by your IDE vendor's privacy policy (Anthropic, OpenAI, etc.), not ours.
- We do not train any model on your data, because we do not operate any model.
If we ever add server-side AI features (e.g., an optional AI summarization endpoint), we will update this Privacy Policy at least 30 days before that change takes effect.
8. Cookies
We use the minimum cookies needed to operate the Service:
- Strictly necessary cookies (always on): session cookies for authentication, CSRF protection, cookie consent state
- Functional cookies (on with consent): remembering theme preference, dashboard view preferences
- Analytics: we use self-hosted Umami, which does not set cookies and does not track users across sites
- Marketing cookies: we do not use any
You can manage cookie preferences via the banner shown on your first visit or via the "Cookie Preferences" link in our footer.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that share data with third parties. Our self-hosted Umami analytics does not set cookies. This means your visit to topicalauthority.app does not contribute to any cross-site profile.
9. Your rights under GDPR
You have the right to:
- Access your personal data (Art 15)
- Rectify inaccurate data (Art 16)
- Erase your data, the "right to be forgotten" (Art 17)
- Restrict processing (Art 18)
- Port your data to another service (Art 20). We provide a JSON export from your account settings.
- Object to processing based on legitimate interest (Art 21)
- Withdraw consent at any time, without affecting prior processing (Art 7(3))
How to exercise these rights
Email [email protected] with your request. We respond within 30 days as required by GDPR (Art 12(3)).
If you're not satisfied with our response, you can complain to the data protection authority in your country of residence.
You can also delete your account directly from your account settings at any time. Deletion is one-click and follows the EU Digital Services Act and Consumer Rights Directive 2026 requirements for paid services.
10. Security
We implement reasonable technical and organizational measures, including:
- TLS 1.2+ encryption for all data in transit (HSTS-preloaded at the .app TLD level, so HTTP is impossible)
- Encrypted backups at rest (Backblaze B2 + Cloudflare R2)
- Server access restricted via Tailscale VPN and SSH keys (no public SSH port open)
- Cloudflare WAF and DDoS protection
- Automatic security patching via Ubuntu unattended-upgrades
- Application-level rate limiting and bot protection (Cloudflare Turnstile on signup)
- Hashed passwords using bcrypt with strong work factor
- API authentication via revocable tokens (Laravel Sanctum)
- Audit logs of security-relevant events (1-year retention)
If we discover a data breach affecting your personal data, we notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Art 33-34.
11. Children
The Service is not intended for users under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, email [email protected] and we'll delete it.
12. International users
By using the Service, you understand that your personal data will be processed primarily in the EU and, for certain subprocessors, in the US under appropriate safeguards (Standard Contractual Clauses).
13. Changes to this Policy
We may update this Privacy Policy. Material changes will be notified via email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version. If you need a copy of an earlier version, email [email protected].
14. Contact
- Privacy questions and GDPR requests: [email protected]
- General support: [email protected]