HazeSEO logo

HazeSEO · Legal

Privacy Policy

Last updated: May 31, 2026

This Privacy Policy explains how Haze Tech Solutions (“we”, “us”) collects, uses, and shares information when you use HazeSEO (the “Service”). It applies to anyone who creates an account, visits our marketing site, or interacts with us by email.

1. Information we collect

Account information. Email, name, password (hashed), and any profile details you provide.

Business and brand data. Your business profile (name, industry, audience, tone, starter keywords, top organic competitors), brand voice settings, and FAQ entries you add. We use this to compose the system prompt that drives generated articles and the chat-widget assistant.

Connected sites. The URLs of websites you connect for SEO publishing and the credentials we need to publish on your behalf — Application Passwords for WordPress, OAuth tokens for Webflow / Shopify / WordPress.com, or an HMAC secret for headless / custom Next.js sites. Stored encrypted at rest with AES-256-GCM and never re-displayed after creation.

Keyword research and articles. Seed keywords you submit, the clustered topics returned by DataForSEO, and every AI-generated article we produce (title, body, meta tags, schema, hero image, internal-link choices). You can edit or delete any article at any time.

Site crawl index. When you connect a site we periodically crawl its public pages to build an internal-link candidate index and run on-page SEO audits. We store URLs, titles, H1s, meta descriptions, content excerpts, and audit findings. We respect robots.txt and conventional crawl signals.

Google connection. If you connect Google Calendar (for chat-widget bookings) or Google Search Console (for ranking data), we receive an OAuth access token + refresh token + the email of the connected account, all stored encrypted. We use the tokens only for the scopes you granted (calendar.events, userinfo.email, and optionally webmasters).

Chat-widget conversations. If you embed the HazeSEO chat widget on your site, we store the messages exchanged between your visitors and the assistant, the visitor’s lead-capture inputs (name / email / phone), and the session id from their browser.

Billing. Subscription tier, plan history, and payment metadata. Card details are handled by Stripe; we never see or store your full card number.

Usage data. Logs of which features you use, AI generations and their token / character counts (for quota tracking), error events, IP address, browser, device, and rough geolocation derived from IP.

Cookies. Strictly necessary cookies (authentication session, CSRF) and a small number of analytics cookies. You can decline non-essential cookies via your browser settings without losing core functionality.

2. How we use it

  • To run the Service — research keywords, generate SEO articles, crawl your sites, publish to your CMS, run on-page audits, deliver the chat widget.
  • To authenticate you, secure your account, and detect abuse.
  • To bill you and prevent payment fraud.
  • To send transactional email (verification, password reset, generation-complete notifications).
  • To send product updates if you opted in. You can unsubscribe at any time.
  • To improve the Service — measure feature usage in aggregate, debug failures, prioritize roadmap.
  • To comply with legal obligations and respond to lawful requests.

3. Who we share it with

We only share what each sub-processor needs to do its job, governed by their own data-processing terms.

  • AI providers — OpenAI (keyword clustering, article outlines, meta tags, internal-link selection, hero-image generation, chat-widget responses), Anthropic Claude (long-form article prose and the Haze AI co-pilot). The seeds, topics, brand voice context, and any text you submit are sent to these providers; outputs come back to us and are stored on your account.
  • DataForSEO — receives the seed keywords you submit and returns search-volume, difficulty, intent, and related-keyword data. No personally identifying information is sent.
  • Google — if you connect Calendar we send the visitor’s lead-capture details (name / email) when creating events on your calendar. If you connect Search Console we pull ranking, impression, and click data for your verified properties.
  • Your connected CMS — WordPress, Webflow, Shopify, or your headless-webhook endpoint receives the full article payload (title, body, meta tags, schema, hero image URL, internal links) whenever an article is published to that site, signed with your stored credentials.
  • Storage — Cloudflare R2 holds your generated hero images. Postgres (managed) holds your account and content records. Our VPS runs the BullMQ worker and the browser-agent crawler that fetches public pages on your connected sites.
  • Payments — Stripe processes your subscription. Stripe is the controller of your payment-card data; we are not.
  • Email — our SMTP provider delivers transactional and marketing email.
  • Analytics — limited, privacy-respecting tools to measure usage in aggregate.
  • Legal — we may disclose information when required by law, subpoena, or to protect our rights, users, or the public.

We do not sell your personal information.

4. Where data is stored

Most data is stored in the United States. Some sub-processors (e.g., social platforms, AI providers) may process data in other regions. We use providers that contract for appropriate safeguards (Standard Contractual Clauses where applicable).

5. Retention

  • Account data: kept while your account is active. We delete or anonymize within 30 days of account closure, except records we’re legally required to retain (typically tax/billing for 7 years).
  • Generated articles and hero images: kept until you delete them or close your account.
  • Keyword research and crawl indices: kept for the lifetime of the connected site; deleted within 30 days of you disconnecting it.
  • Chat-widget conversations and lead captures: kept until you delete them or close your account. Visitor-initiated deletion requests honored within 30 days.
  • Connected-site credentials: kept until you disconnect the site, at which point they’re purged from the database.
  • Logs: retained for up to 90 days for debugging and abuse detection, then aggregated.

6. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct or delete it.
  • Receive a portable copy.
  • Restrict or object to certain processing.
  • Withdraw consent for marketing email at any time.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email us at info@hazetechsolutions.com. We’ll respond within 30 days.

7. Security

We protect data with industry-standard measures: TLS in transit, encryption at rest for media storage, hashed passwords, scoped API tokens, signed OAuth flows, and audit logging on admin actions. No system is perfectly secure — if we ever discover a breach affecting your data, we’ll notify you and the relevant authorities as required by law.

8. Children

The Service is not intended for children under 16. We don’t knowingly collect personal information from anyone under 16. If you believe a child has given us their data, contact us and we’ll delete it.

9. Changes

We may update this Policy. If the changes are material we’ll notify you (e.g., by email or in-product banner) before they take effect. The “Last updated” date at the top will always reflect the current version.

10. Contact

Questions about your data? info@hazetechsolutions.com.

11. Chat widget

If you embed the HazeSEO chat widget on your site, the widget is served from hazeseo.com inside an iframe. Visitor messages are sent to our servers and forwarded to OpenAI for assistant responses. We store the conversation, the visitor’s session id, and any fields the visitor submits through the lead-capture form (name / email / phone).

Cross-origin: the widget only loads on domains that match a website you’ve connected through HazeSEO. Requests from unknown origins are blocked with a 403.

Booking: if you connect Google Calendar and the visitor asks to book a call, the widget creates a calendar event on your behalf and sends a calendar invite to the visitor’s email.

Retention: chat conversations are retained until you delete them or close your account. Visitor-initiated deletion requests are honored within 30 days — contact privacy@hazeseo.com.

Disclosure: visitors are told they’re chatting with an AI assistant. The widget’s default greeting and system prompt make clear it is automated.