Privacy Policy

1. Who We Are (Data Controller)

For the purposes of GDPR and equivalent laws, the data controller is:

We do not currently have an EU/UK-established representative. EU/UK data subjects may contact us directly using the email above.

2. Information We Collect

We collect the following categories of information:

2.1 Information You Provide Directly

• Contact details: name, email address, company name, role, phone number (if provided)
• Domain / website URL you submit for a mini-audit or full audit
• Communications: messages, intake responses, kickoff call notes, and any information shared with us via email or video calls
• Billing details: billing name, billing address, and limited transactional information (we do not store full credit-card numbers; payments are processed by third-party processors)

2.2 Information You Authorize Us to Access (Audit Engagements)

With your explicit authorization, we access account-based data necessary to perform a technical audit, including:

• Google Search Console performance, coverage, and enhancement data
• Google Analytics (GA4) traffic and engagement reports
• Hosting, CMS, or other platform credentials you elect to share

This data may include URLs, query data, page-level metrics, and configuration details belonging to your organization.

2.3 Information Collected Automatically

When you visit the Site, we and our analytics providers may automatically collect:

• IP address and approximate location (city/region)
• Device type, browser, operating system, screen size
• Pages visited, referring URL, time on site, scroll behavior
• Cookies and similar technologies (see Section 7)

2.4 Information From Third-Party Tools

During an audit, we run your website through third-party SEO tools we license (e.g., Screaming Frog, Ahrefs, SEMrush, Sistrix). The data those tools produce about your website (crawl outputs, backlink profiles, keyword data) is collected as part of the deliverable workflow.

We do NOT knowingly collect:

• Sensitive personal data such as health, biometric, or financial-account information
• Information from children under 16

3. How We Use Your Information (Purposes & Legal Bases)

We use personal information for the following purposes:

1. To deliver the Services — performing mini-audits, full audits, walkthroughs, and follow-up support.
   Legal basis (GDPR): performance of a contract / pre-contractual steps.
2. To communicate with you — responding to inquiries, sending audit reports, scheduling calls, handling support requests.
   Legal basis: contract performance and legitimate interest.
3. To bill and collect payment — processing invoices and managing accounts.
   Legal basis: contract performance and legal obligation.
4. To improve and secure the Site — diagnosing technical issues, preventing abuse, monitoring performance.
   Legal basis: legitimate interest.
5. For marketing — sending occasional updates, case studies, or product news. You can opt out at any time.
   Legal basis: consent (where required) or legitimate interest.
6. For legal and compliance purposes — complying with applicable laws, enforcing our Terms, defending against claims.
   Legal basis: legal obligation and legitimate interest.
7. For internal research and benchmarking — using anonymized, aggregated data to improve our methodology. This data cannot be linked back to you.
   Legal basis: legitimate interest.

We do not sell your personal information for monetary consideration, and we do not engage in “sharing” of personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

4. How We Share Your Information

We share personal information only as described below:

4.1 Service Providers / Processors

We use trusted vendors to operate our business, including:

• Google (Google Analytics 4, Google Search Console) — analytics and audit data
• SEO tooling vendors — Ahrefs, SEMrush, Sistrix, Screaming Frog (audit execution)
• Hosting, email, and productivity providers
• Payment processors (for transactional information)

These vendors process data on our behalf under contractual confidentiality and security obligations.

4.2 Legal & Safety

We may disclose information when required by law, subpoena, or court order, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality.

4.4 With Your Consent

We will share personal information for any other purpose disclosed to you at the time and with your consent.

We do NOT sell or rent your personal information to advertisers or data brokers.

5. International Data Transfers

We are based in the United States, and our service providers may be located in the U.S., the EU, or other jurisdictions. If you are located outside the U.S., your information will be transferred to, processed in, and stored in countries whose data-protection laws may differ from yours.

When transferring personal data from the EU/UK/EEA to the U.S. or other countries that have not received an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented where appropriate by additional technical and organizational measures.

6. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting obligations. Typical retention periods:

• Audit deliverables and engagement files: up to 7 years after delivery (for tax, audit, and reference purposes)
• Marketing contact data: until you unsubscribe, or up to 3 years of inactivity
• Site analytics data: up to 14 months (Google Analytics default) or as configured
• Billing records: as required by applicable tax and accounting law (typically 7 years in the U.S.)

When retention is no longer required, we delete, anonymize, or securely destroy the data.

7. Cookies and Tracking Technologies

The Site uses cookies and similar technologies. We currently use:

• Google Analytics 4 (GA4) — to understand how visitors use the Site, measure traffic sources, and improve performance. GA4 uses cookies and processes IP addresses (which Google truncates by default).
• Google Search Console verification (where applicable) — does not generally set tracking cookies.
• Strictly necessary cookies — required to operate the Site (e.g., session, security).

You can control cookies through your browser settings or through the cookie banner where presented. Disabling cookies may impact certain features of the Site. You can also install Google’s Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.

For more on Google Analytics’ practices, see Google’s Privacy Policy at https://policies.google.com/privacy.

8. Your Privacy Rights

Depending on where you live, you may have the rights described below. To exercise any right, email us at mike@leadconciergenyc.com. We will respond within the time required by applicable law (generally 30 days under GDPR, 45 days under CCPA/CPRA, with extensions where allowed).

8.1 Rights Under GDPR / UK GDPR (EU, UK, EEA residents)

• Access — request a copy of your personal data
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion (“right to be forgotten”)
• Restriction — limit how we process your data
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests or direct marketing
• Withdraw consent — at any time, where processing is based on consent
• Lodge a complaint — with your local data protection authority (e.g., the UK ICO, Irish DPC, French CNIL)

8.2 Rights Under CCPA / CPRA (California residents)

• Right to know what personal information we collect, use, disclose, and (if applicable) sell or share
• Right to delete personal information we hold about you
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information (we do not sell or share as defined)
• Right to limit use of sensitive personal information (we do not collect sensitive personal information for inferring characteristics)
• Right to non-discrimination for exercising your rights

You may designate an authorized agent to make a request on your behalf, with verification.

8.3 Rights Under PIPEDA (Canadian residents)

• Right to access personal information we hold about you
• Right to challenge accuracy and request correction
• Right to withdraw consent (subject to legal or contractual restrictions)
• Right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC)

8.4 Other U.S. State Rights

Residents of states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Texas, Utah, and others) generally have rights similar to those above, including access, deletion, correction, and opt-out of targeted advertising or profiling. Contact us using the email above to exercise these rights.

8.5 Verification

To protect your information, we may request verification before fulfilling a request (e.g., confirming identity via the email on file).

9. Security

We implement reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS), access controls, principle of least privilege for client credentials, and use of reputable cloud providers. No system is 100% secure; we cannot guarantee absolute security.

For audit engagements, we strongly encourage clients to use granular, revocable access (e.g., user-level Search Console / Analytics permissions) rather than sharing master credentials, and to revoke our access once the engagement is complete.

10. Confidentiality of Client Audit Data

Client website data, analytics, and audit findings are treated as Confidential Information under our Terms and Conditions. We will not disclose your audit data to any third party except (a) the service providers described in Section 4.1 (under contract), (b) as required by law, or (c) as you direct. See Section 7 of our Terms and Conditions for the full mutual confidentiality clause.

11. Children’s Privacy

The Site and Services are intended for businesses and adult professionals. We do not knowingly collect personal information from children under the age of 16. If we learn we have collected such data, we will delete it promptly. Parents or guardians may contact us at mike@leadconciergenyc.com.

12. Third-Party Links

The Site may link to third-party websites or studies (e.g., research from Backlinko, Ahrefs, SISTRIX, web.dev). We are not responsible for the privacy practices or content of those third-party sites. Review their privacy policies before providing personal information.

13. Do-Not-Track Signals and Global Privacy Control

Our Site does not currently respond to browser Do-Not-Track (DNT) signals because no common industry standard has been finalized. Where required by law (e.g., California), we honor Global Privacy Control (GPC) signals as an opt-out of “sale” or “sharing” of personal information, even though we do not currently sell or share personal information as defined under those laws.

14. Data Breach Notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and the appropriate supervisory authorities in accordance with applicable law (within 72 hours of awareness where required under GDPR).

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically. The “Last Updated” date reflects the most recent revision. Material changes will be highlighted on the Site or communicated via email when reasonably possible. Continued use of the Site or Services after the effective date constitutes acceptance.

16. How to Contact Us

For privacy-related questions, requests, or complaints:

If you have a concern about how we handled your personal information that we have not resolved to your satisfaction, you may also contact your local data protection authority.

By using the Site or Services, you acknowledge that you have read and understood this Privacy Policy.