Privacy Policy

Last Updated: 28 November 2025

1. Introduction

CODE AND COMMERCE LIMITED ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the GSC Analytics forecasting service ("Service").

Data Controller:

  • Company: CODE AND COMMERCE LIMITED
  • Registered Office: 12 Mary Seacole Road, The Millfields, Plymouth PL1 3JY
  • Company Number: 15366248
  • Contact Email: support@predictclicks.com

We are the data controller for the personal data we process through the Service. This Privacy Policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide Directly

When you use our Service, we collect:

  • Google Account Information: Email address, name, and profile picture via Google OAuth 2.0 authentication
  • Payment Information: Processed by Stripe (we do not store credit card details)
  • Communications: Any information you provide when contacting our support team

2.2 Search Console Data

With your explicit authorization, we access and process data from Google Search Console and (optionally) Bing Webmaster Tools:

  • Search performance data (clicks, impressions, CTR, average position)
  • Page URLs, search queries, countries, devices, and search types
  • Historical data for the time periods you request (up to 16 months)

Important: This data belongs to you and is accessed in read-only mode. We process it temporarily to generate forecasts and do not permanently store your search console data on our servers.

2.3 Automatically Collected Information

When you use the Service, we automatically collect:

  • Usage Data: Features used, forecasts generated, exports performed, credits consumed
  • Technical Data: IP address, browser type, device information, operating system
  • Session Data: Authentication tokens (stored securely in encrypted JWT cookies)
  • Log Data: Error logs, API requests, system performance metrics

2.4 Cookies and Similar Technologies

We use the following types of cookies:

  • Essential Cookies: Required for authentication and service functionality (JWT session tokens)
  • Performance Cookies: Help us understand how users interact with the Service
  • Preference Cookies: Remember your settings (e.g., dark mode preference)

You can control cookies through your browser settings. However, disabling essential cookies will prevent you from using the Service.

3. How We Use Your Information

We process your personal data for the following purposes, based on the legal bases shown:

Providing the Service (Contractual Necessity)

  • Authenticating your identity via Google OAuth
  • Accessing and processing your Google Search Console data
  • Generating forecasts using the Prophet algorithm
  • Enabling data exports in CSV and JSON formats
  • Managing your credit balance and transactions

Payment Processing (Contractual Necessity)

  • Processing credit purchases through Stripe
  • Issuing VAT invoices (where applicable)
  • Processing refund requests
  • Preventing fraudulent transactions

Legal Compliance (Legal Obligation)

  • Complying with UK tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records required by law

Legitimate Interests

  • Improving and optimizing the Service
  • Detecting and preventing fraud, abuse, and security threats
  • Analyzing usage patterns to enhance features
  • Providing customer support
  • Sending service-related notifications (e.g., Terms updates, security alerts)

Marketing (Consent - if applicable)

  • Sending promotional emails about new features or offers (only with your explicit consent)
  • You can withdraw consent at any time by clicking "unsubscribe" in emails or contacting us

4. Data Retention

We retain your data for different periods depending on the type:

Data Type | Retention Period
Account information | Until account deletion or 3 years of inactivity
Search console data (Google/Bing) | 24 hours maximum (cached for performance)
Forecast results | 24 hours (session-based, then permanently deleted)
Transaction records | 7 years (UK tax law requirement)
Session/authentication tokens | Duration of session or until logout
Usage logs | 90 days
Support communications | 3 years after last contact

After the retention period expires, we securely delete or anonymize your data unless we are legally required to retain it longer.

5. Data Sharing and Third-Party Services

We do not sell your personal data. We share your data only with trusted third-party service providers necessary to operate the Service:

Google LLC

  • Purpose: Authentication (OAuth 2.0) and accessing Google Search Console API
  • Data Shared: Your Google account credentials (handled by Google), GSC data access tokens
  • Location: United States (UK-US Data Bridge adequacy decision)
  • Privacy Policy: https://policies.google.com/privacy

Microsoft Corporation (Bing Webmaster Tools)

  • Purpose: Optional authentication (OAuth 2.0) and accessing Bing Webmaster Tools API
  • Data Shared: Your Microsoft account credentials (handled by Microsoft), Bing Webmaster data access tokens
  • Location: United States (UK-US Data Bridge adequacy decision)
  • Privacy Policy: https://privacy.microsoft.com/privacystatement

Stripe, Inc.

  • Purpose: Payment processing for credit purchases
  • Data Shared: Payment information, transaction amounts, email address
  • Location: United States (UK-US Data Bridge adequacy decision)
  • Privacy Policy: https://stripe.com/privacy

Vercel Inc.

  • Purpose: Website hosting and infrastructure
  • Data Shared: Technical data, logs, user requests
  • Location: United States (UK-US Data Bridge adequacy decision)
  • Privacy Policy: https://vercel.com/legal/privacy-policy

Upstash (Redis)

  • Purpose: Caching and background job processing (QStash)
  • Data Shared: Cached GSC data (temporary, up to 24 hours), user IDs, job metadata
  • Location: EU/US regions (configurable)
  • Privacy Policy: https://upstash.com/privacy

Railway (Prophet Service)

  • Purpose: Hosting the Prophet forecasting microservice
  • Data Shared: Anonymized time-series data for forecasting calculations
  • Location: United States
  • Privacy Policy: https://railway.app/legal/privacy

International Data Transfers

Some of our third-party providers are located in the United States. We ensure that adequate safeguards are in place for these transfers, relying on the UK-US Data Bridge adequacy decision and/or Standard Contractual Clauses (SCCs) approved by the UK authorities.

We may also share data:

  • With law enforcement or regulatory authorities when required by law
  • To protect our legal rights or defend against legal claims
  • In connection with a business sale, merger, or acquisition (you will be notified)
  • With your explicit consent for other purposes

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL
  • Authentication Security: OAuth 2.0 tokens are stored in encrypted, HTTP-only JWT cookies
  • Access Controls: Strict access controls limit who can access user data
  • Secure Infrastructure: Hosting on enterprise-grade cloud platforms with SOC 2 compliance
  • Regular Security Audits: Ongoing monitoring for vulnerabilities and security threats
  • Data Minimization: We only collect and retain data necessary for the Service
  • No Permanent GSC Storage: Your Google Search Console data is not permanently stored; it's processed transiently

Data Breach Notification: In the unlikely event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR, unless the breach is unlikely to result in a risk to your rights and freedoms.

7. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights regarding your personal data:

Right to Access (Subject Access Request)

You can request a copy of the personal data we hold about you.

Right to Rectification

You can request that we correct inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data, subject to certain legal exceptions (e.g., we must retain transaction records for 7 years for tax purposes).

Right to Restrict Processing

You can request that we limit how we use your personal data in certain circumstances.

Right to Data Portability

You can request a copy of your data in a structured, machine-readable format (e.g., JSON or CSV).

Right to Object

You can object to processing based on legitimate interests (including marketing communications).

Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This includes revoking Google API access.

Right to Lodge a Complaint

You can lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have mishandled your data.

How to Exercise Your Rights

To exercise any of these rights, please contact us at support@predictclicks.com with:

  • Your full name and email address associated with your account
  • A description of the right you wish to exercise
  • Any supporting information to help us verify your identity

We will respond to your request within 1 month (extendable by 2 months for complex requests). There is no fee unless your request is manifestly unfounded or excessive.

8. Children's Privacy

The Service is not intended for children under 13 years of age (or 16 in the EEA/UK for certain processing activities). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately, and we will delete it.

9. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. The forecasts generated by our Service are tools to assist your decision-making, not automated decisions made on your behalf.

10. Google API Services User Data Policy

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only access Google Search Console data that you explicitly authorize
  • We use this data solely to provide forecasting functionality
  • We do not transfer Google user data to third parties (except as disclosed in this policy)
  • We do not use Google data for serving advertisements
  • We do not allow humans to read Google user data unless:
    • You explicitly consent (e.g., for support requests)
    • It's necessary for security purposes
    • Required to comply with applicable law

You can revoke our access to your Google Search Console data at any time through your Google Account Permissions page.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you by email (to the address associated with your account)
  • Display a prominent notice on the Service

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes. If you do not agree with the changes, you should stop using the Service and contact us to delete your account.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

CODE AND COMMERCE LIMITED

Email: support@predictclicks.com

Registered Office: 12 Mary Seacole Road, The Millfields, Plymouth PL1 3JY

Company Number: 15366248

13. Complaints to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data properly:

Information Commissioner's Office

Website: https://ico.org.uk/

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

However, we encourage you to contact us first so we can address your concerns directly.

ACKNOWLEDGMENT: By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.
