Free SEO by IBS Group
Legal

Data Processing Addendum

Last updated: May 17, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Interest Bud Solutions Private Limited ("Processor", "we") and the customer ("Controller", "you") and applies whenever we process personal data on your behalf in connection with Free SEO.

By using Free SEO you accept this DPA. If you require a counter-signed copy, email support@interestbudsolutions.com with your legal entity name and we'll return a signed PDF within 5 business days at no charge.

1. Definitions

Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Supervisory Authority" have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR.

2. Scope and roles

  • You (Customer) act as Controller of any Personal Data you submit to Free SEO.
  • We (Interest Bud Solutions Private Limited) act as Processor and process Personal Data only on your documented instructions, as set out in this DPA and the Terms.

3. Subject matter, duration and nature of processing

  • Subject matter: provision of the Free SEO service (audits, monitoring, reports, AI optimisation).
  • Duration: for the term of your subscription plus the retention periods described in our Privacy Policy.
  • Nature: hosting, scanning, storage, transmission, analysis and display of Personal Data.
  • Purpose: to deliver SEO audit, monitoring, optimisation and reporting features you request.

4. Categories of data and data subjects

  • Account data: name, email, hashed password (or OAuth identifier) of your authorised users.
  • Site data: URLs you submit, HTML and metadata collected during crawls, derived issues and scores.
  • Integration credentials: WordPress Application Passwords stored encrypted at rest.
  • Usage data: log of actions performed in the product.

5. Processor obligations

  • Process Personal Data only on documented instructions from you.
  • Ensure personnel authorised to process Personal Data are bound by confidentiality.
  • Implement the technical and organisational measures described in our Security overview, including encryption in transit and at rest, row-level isolation, least-privilege access and MFA.
  • Assist you, taking into account the nature of processing, in responding to Data Subject requests.
  • Notify you without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting your data.
  • On termination, delete or return Personal Data within 30 days unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable confidentiality and notice.

6. Sub-processors

You provide general authorisation for us to engage sub-processors. A current list is maintained in our Privacy Policy. We will inform you of intended changes giving you the opportunity to object on reasonable grounds related to data protection. Current sub-processors include:

  • Supabase, managed Postgres, authentication, object storage (EU/US region as selected).
  • Cloudflare, edge hosting, DDoS protection and CDN.
  • Paddle, Merchant of Record for payments and tax compliance.
  • Resend, transactional email delivery.
  • Google (Gemini) & OpenAI, AI providers used for the AI Content Optimizer. Submitted prompts are not used for model training.

All sub-processors are bound by data protection terms no less protective than this DPA.

7. International transfers

Where Personal Data is transferred outside the EEA/UK to a country without an adequacy decision, transfers rely on the European Commission's Standard Contractual Clauses (SCCs) 2021/914 and, for UK data, the UK International Data Transfer Addendum (IDTA), together with supplementary technical measures (encryption, pseudonymisation) where appropriate.

8. Data subject requests

We will, to the extent legally permitted, promptly forward to you any request received directly from a Data Subject. Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as this is possible, to fulfil your obligation to respond to Data Subject requests.

9. Security incidents

We maintain a documented incident response plan. In the event of a Personal Data Breach affecting your data, we will notify you without undue delay and within 72 hours, providing the information required by Article 33(3) GDPR to the extent then known.

10. Audits

On request and no more than once per 12-month period, we will provide reasonable information to enable you to verify our compliance with this DPA. Where SOC 2 / ISO 27001 reports from our sub-processors are sufficient, we will provide those.

11. Return and deletion of data

On termination of the Terms, you may export your data via the in-product export tools. We will delete all Personal Data within 30 days of termination, except where retention is required by applicable law.

12. Liability and governing law

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms. This DPA is governed by the laws specified in the Terms.

13. Order of precedence

In the event of any conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA prevails.

14. Contact

Data protection enquiries: support@interestbudsolutions.com
Interest Bud Solutions Private Limited, India.