Privacy Policy

Last updated: April 30, 2026

This policy explains what information EBQ collects, why we process it, how we share and protect it, and how you can exercise your privacy rights. It applies to the EBQ web application at ebq.io and the EBQ SEO WordPress plugin when connected to an EBQ workspace.

1. Data we collect

1.1 Account data

  • Name and email address you provide on registration.
  • Encrypted password hash (or, if you sign in with Google, your Google account email and Google user ID for authentication only).
  • Workspace metadata you create: website domains, team members, plan tier, settings.

1.2 Google user data

When you connect a Google account, EBQ accesses Google user data using the OAuth scopes listed below. We request these scopes only after you click "Connect Google" and review Google's consent screen. You can revoke access at any time from your Google account permissions page; once revoked, EBQ stops fetching new data and removes the stored OAuth tokens.

  • Google Search Console — scope https://www.googleapis.com/auth/webmasters.readonly. Read-only access to: site list and site verification status; search analytics (queries, pages, clicks, impressions, click-through rate, average position) for properties you select; URL inspection / indexing status; sitemap submission state; mobile-usability and Core Web Vitals reports exposed via the API.
  • Google Analytics 4 — scope https://www.googleapis.com/auth/analytics.readonly. Read-only access to: GA4 property list and property metadata; aggregated reporting data (sessions, users, engaged sessions, conversions, traffic source/medium, landing page) for properties you select. EBQ does not access individual visitor profiles, user-level identifiers, or any data that can identify an end visitor.
  • Google Indexing API — scope https://www.googleapis.com/auth/indexing. Permission to submit "URL_UPDATED" / "URL_DELETED" notifications for URLs on properties you've verified, so EBQ can request re-crawl after content changes (the "Quick-submit" feature on Pro plans). EBQ does not read any data via this scope; it only sends notifications.
  • Google account profile — basic email and unique user ID returned during OAuth, used to link the Google connection to your EBQ account.

1.3 Operational telemetry

  • IP address, user-agent string, and request timestamps in server access logs.
  • Application performance metrics (response times, error counts) for diagnostics.
  • Audit log of administrative actions (settings changes, billing changes, member invites).

1.4 Billing metadata

  • Plan tier, subscription status, trial-end date, last-four card digits, card brand. We do not store full payment card numbers or CVV; payment is processed by Stripe under Stripe's privacy policy.

2. How we use data

2.1 How we use Google user data

EBQ's use of Google user data follows the Google API Services User Data Policy, including its Limited Use requirements. The specific purposes are:

  • Search Console data is used to: render performance dashboards (clicks, impressions, CTR, position) inside your EBQ workspace and inside the connected WordPress plugin's editor sidebar; compute SEO recommendations (which queries you rank for, which pages drop, which keywords have the most opportunity); detect ranking drops and traffic anomalies for alert emails you've enabled; produce per-post insights surfaced when you edit a page in WordPress.
  • Analytics 4 data is used to: render traffic and conversion dashboards in your EBQ workspace; cross-reference Search Console queries with downstream conversion metrics in unified reports; populate scheduled email reports.
  • Indexing API is used solely to submit URL notifications when you click "Quick-submit" on a post or run a bulk submit in the EBQ admin. No other operations are performed against this scope.
  • Google profile data (email, user ID) is used only to identify which Google account is linked to which EBQ account and to display the connected email in your settings.

EBQ does not use Google user data for any of the following:

  • Selling, renting, or transferring it to data brokers or information resellers.
  • Advertising, ad targeting, or audience profiling.
  • Training, fine-tuning, or otherwise developing general-purpose AI or machine learning models. (AI features in EBQ that touch your content, such as the AI snippet rewriter, send only the post excerpt and your focus keyphrase to the model. They do not include Search Console or Analytics data, and the model provider is contractually prohibited from training on the input.)
  • Determining creditworthiness or eligibility for any financial or insurance product.
  • Any purpose unrelated to providing or improving user-visible EBQ features.

2.2 How we use other data

  • Account data is used to authenticate you, scope access to workspaces and websites you own, and contact you about service-impacting events.
  • Operational telemetry is used to operate, secure, and debug the service.
  • Billing metadata is used to bill the correct plan, send receipts, and process refunds when applicable.
  • Aggregated, non-identifying usage statistics are used to improve the product (for example, which features are most-used). Aggregates never include Google user data.

3. How we share data

3.1 Google user data

EBQ does not share Google user data with any third party except in the following narrowly-scoped cases, all of which are required to operate the service:

  • Hetzner Online GmbH (cloud hosting infrastructure, EU). EBQ runs on Hetzner Cloud servers; cached Google data and the application database live on this infrastructure under Hetzner's data-protection terms and DPA. Hetzner provides infrastructure only and does not access stored data for its own purposes.
  • Error monitoring may receive a stack trace if a request involving Google data fails. Stack traces are scrubbed of secrets and personally identifiable information before transmission, and the monitoring vendor processes them strictly to alert us about errors.
  • Other end users you authorise: if you invite a teammate to your EBQ workspace, they will see the Google-derived dashboards for the websites you grant them access to. You control invitations and can revoke them at any time.

EBQ does not share Google user data with advertisers, data brokers, AI training providers, analytics vendors, or any party for monetisation, marketing, or product-development purposes outside our own service.

3.2 Other data

  • Stripe (payments) processes plan upgrades, charges, and invoices. We send Stripe your name, email, plan, and billing address; Stripe returns subscription status and last-four card digits. See Stripe's privacy policy.
  • Transactional email provider handles password resets, billing receipts, and report emails on our instructions.
  • Legal disclosure — we may disclose data when required by valid legal process, to defend our rights, or to protect users from imminent harm.

All sub-processors process data on our written instructions, under confidentiality obligations, and only to provide their narrowly-scoped service.

4. How we store and protect data

4.1 Storage location

  • Application servers and the primary database are hosted on Hetzner Cloud infrastructure in EU datacenters (Germany / Finland).
  • Google user data (cached Search Console / Analytics responses, OAuth refresh tokens) is stored alongside your EBQ workspace on the same infrastructure.

4.2 Encryption

  • In transit: all traffic between your browser, the WordPress plugin, EBQ servers, and Google's APIs is encrypted with TLS 1.2 or higher.
  • At rest: database volumes are encrypted at the disk level. OAuth refresh tokens are additionally encrypted at the application layer using a per-installation key, so they cannot be read directly from a database backup.

4.3 Access controls

  • Production access is restricted to a small number of operators with two-factor authentication and audited SSH access.
  • Application-level authorization scopes data by workspace and website membership: a user only ever sees Google data for sites they own or have been invited to.
  • The WordPress plugin uses a per-website API token, scoped to that site's data only.

4.4 Retention

  • OAuth refresh tokens are retained while your Google connection is active. They are deleted within 7 days of you revoking access in your Google account or disconnecting in EBQ.
  • Cached Search Console and Analytics responses are retained while your EBQ account is active and refreshed on a rolling basis. They are deleted within 30 days of account closure.
  • Account data is retained while your account is active. On account closure, account data is deleted or anonymised within 30 days, except where retention is required for legal, fraud-prevention, billing, or accounting obligations.
  • Audit logs and request logs are retained up to 90 days, then rotated.

4.5 Deletion requests

You can disconnect Google access at any time from your Google account permissions page or from the Settings page inside EBQ. To request deletion of your EBQ account and all associated data, email privacy@ebq.io; we will confirm completion within 30 days.

5. Limited Use disclosure

EBQ's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We affirm:

  • We use Google user data only to provide or improve user-facing features that are prominent in the EBQ product experience.
  • We do not transfer Google user data except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data to serve advertisements, including remarketing, personalised, or interest-based advertising.
  • We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymised.

6. Your rights

You can request access, correction, deletion, restriction, or portability of your personal data by contacting privacy@ebq.io. We respond within 30 days. EU/UK residents have rights under the GDPR; California residents have rights under the CCPA. We honour these rights for all users globally.

7. Children

EBQ is not directed to children under 16 and we do not knowingly collect their data.

8. Changes to this policy

We may update this Privacy Policy to reflect legal, product, or security changes. Material changes will be posted on this page with an updated effective date and, where required, communicated to active users by email.

9. Contact

Privacy requests and questions: privacy@ebq.io. Data controller: EBQ.