Privacy Policy
Last updated: April 25, 2026
1. Data controller
Helvetseo is an SEO audit service operated in Switzerland. The data controller within the meaning of art. 5 lit. j of the Swiss revised Federal Act on Data Protection (revFADP) and art. 4 §7 GDPR is:
- Ethan Valentin Besson, sole proprietorship operating the "Helvetseo" service
- Address: Route de Vallaire 6, 1024 Ecublens (VD), Switzerland
- Website: https://helvetseo.ch
- Contact: contact@helvetseo.ch
2. Data collected
2.1 Submitted URL and audit report
When you submit a URL through the audit form, we collect and process:
- The URL of the website you wish to audit
- The public HTML content of the page (meta tags, titles, images, links — as accessible to any browser)
- The generated audit report (scores, recommendations, technical sections)
- The language chosen for the report (fr/de/it/en)
Data is stored temporarily in a Redis database with a random identifier (UUID v4) and automatically expires after 24 hours if the audit is not paid for.
2.2 Technical data
For security and abuse prevention:
- IP address: used solely as a rate-limiting key (10 audits / hour / IP), stored hashed in Redis with the same TTL as the audit (1 hour max)
- HTTP headers (User-Agent, Accept-Language): read by the server but not stored
2.3 Payment data
If you choose to unlock the full report (CHF 9), payment is processed by Lemon Squeezy (our Merchant of Record). We neither see nor store card data. Lemon Squeezy collects on our behalf:
- Billing email
- Billing name and address (where required by the jurisdiction)
- Country (for VAT)
This data is retained by Lemon Squeezy in accordance with its privacy policy.
2.4 Analytics
We use Vercel Web Analytics and Vercel Speed Insights to measure the number of visits and technical performance. These tools work without cookies, without persistent identifiers, and do not allow an individual user journey to be reconstructed. They aggregate anonymous counters (page views, conversion events, Core Web Vitals) on the Vercel server side.
2.5 Data not collected
No advertising cookies, no web beacons, no cross-site tracking, no behavioural profiling, no fingerprinting, no user account (no email or password on the site side — only if you pay via Lemon Squeezy, which manages this data itself).
3. Cookies
No cookies are set by Helvetseo. The Vercel analytics are cookieless by design. No consent banner is required according to the FDPIC's guidelines.
If you proceed to the Lemon Squeezy payment page, that page may set its own cookies on its domain — see its policy.
4. Purposes and legal bases
| Processing | Purpose | Legal basis (revFADP / GDPR) |
|---|---|---|
| Submitted URL + report (free) | Generation and display of the report | Pre-contractual measures (art. 31 para. 1 revFADP, art. 6.1.b GDPR) |
| Submitted URL + report (paid) | Performance of the service contract | Contract performance (art. 31 revFADP, art. 6.1.b GDPR) |
| IP (rate-limit) | Abuse prevention, DoS protection | Legitimate interest (art. 31 para. 2 revFADP, art. 6.1.f GDPR) |
| Payment data | Payment processing, invoicing, accounting | Contract performance + legal obligation (art. 31 revFADP, art. 6.1.b + 6.1.c GDPR) |
| Analytics (Vercel) | Aggregated audience measurement | Legitimate interest (art. 6.1.f GDPR) |
No automated decision producing legal effects is taken with regard to you.
5. Recipients and transfers
5.1 Hosting: Vercel Inc. (USA)
The application is hosted by Vercel Inc. (USA). Data transfers to the USA are covered by the European Commission's Standard Contractual Clausesand by Vercel's accession to the EU-US Data Privacy Framework, recognised as adequate by Switzerland.
5.2 Anthropic PBC (USA)
The audit report is generated by the Claude model from Anthropic PBC. The public HTML content of your page and the performance metrics are sent to the Anthropic API to draft the report. No personal identifying data within the meaning of the revFADP is transmitted (it is the public content of a website). Basis: SCCs + DPF adequacy.
5.3 Google LLC (USA) — PageSpeed Insights
The performance metrics (LCP, CLS, TBT) are obtained via the public PageSpeed Insights API. Only the public URL of the audited site is transmitted to Google. Basis: SCCs + DPF.
5.4 Lemon Squeezy (USA)
Operated by Lemon Squeezy LLC as Merchant of Record. Collection and processing of payment data take place directly on their infrastructure. Basis: contract performance + SCCs.
5.5 Amazon Web Services (USA) — DNS Route 53
The helvetseo.chdomain is registered and managed through Amazon Route 53 (AWS). With each DNS resolution, AWS infrastructure processes technical data (DNS resolver IP address, timestamp) with no direct link to the user's identity. Basis: SCCs + AWS's accession to the EU-US Data Privacy Framework.
5.6 Fonts
Playfair Display and Inter are self-hosted via next/font. No requests are made to Google Fonts or any other third-party CDN. No data is transmitted in this connection.
6. Retention period
| Data | Duration |
|---|---|
| Unpaid audit report | 24 hours (automatic Redis expiration) |
| Paid audit report | 24 hours on the site side; deletion on request. Single paid link — you can export the PDF during that period. |
| Rate-limit key (IP) | 1 hour maximum (sliding window) |
| Accounting records (payments) | 10 years (art. 958f para. 1 SCO — retention obligation) |
| Aggregated Vercel analytics | According to Vercel's retention policy (max 12 months) |
7. Your rights (revFADP / GDPR)
- Access: obtain a copy of the data concerning you
- Rectification: correct an inaccuracy
- Erasure: request deletion (subject to any legal retention obligation)
- Portability: receive your data in a structured format (JSON/PDF)
- Objection: object to processing based on legitimate interest
- Restriction: request the restriction of the processing
Exercise your rights by email to contact@helvetseo.ch (response within 30 days). In case of disagreement:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
- EU: supervisory authority of your country of residence
8. Security
Technical and organisational measures in compliance with art. 8 revFADP and art. 32 GDPR:
- Encryption in transit: HTTPS/TLS everywhere, HSTS preload (2 years, includeSubDomains)
- Content Security Policy with per-request nonce, self-only, no third-party scripts
- SSRF protection: DNS validation + private-IP blacklist before any external fetch
- Rate-limiting: 10 requests per IP per hour on the audit endpoint
- CSRF: Origin/Referer validation on sensitive actions
- Secure headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy strict-origin, restrictive Permissions-Policy
- Isolation: no cross-user data (each audit has a unique non-guessable UUID, 128 bits of entropy)
9. Minors
The service is not intended for persons under 16 years of age. No data is knowingly collected from minors.
10. Changes
This policy may be updated. The date of the last update appears at the top. Substantial changes will be flagged on the home page for at least 30 days.
11. Contact
Questions, access requests or complaints: contact@helvetseo.ch
12. Governing language version
This translation is provided for informational purposes only. In case of any discrepancy or interpretive doubt, the French original version of the Privacy Policy shall exclusively prevail.