Privacy Policy

Version 2026-04-17

This Privacy Policy describes how NorfBay LLC, doing business as SerpCalls ("SerpCalls," "we," "us") collects, uses, shares, and protects information when you use serpcalls.com and related services (the "Service"). By using the Service, you agree to this Policy.

1. Who we are

SerpCalls is a software-as-a-service for tracking local-search rankings for service businesses. For EU/UK GDPR purposes we are the data controller of account data and a data processor of data you submit about your own customers or businesses.

2. What we collect

From you

Account: name, email, hashed password, optional profile image, optional 2FA secret, optional WebAuthn passkey credentials.
Organization & billing: organization name, Stripe customer and subscription IDs, plan, billing email. Payment card details are submitted directly to Stripe and are never stored on our servers.
Workspace configuration: the businesses you track — names, domains, Google Place IDs, target cities, keywords, grid points, check cadences.

Automatically

Session & device: session tokens (httpOnly cookies), IP address, user agent, login timestamps. IP addresses are not retained for more than 14 days.
Operational logs: request paths, status codes, timing, request IDs. Retained for 3 days.
Cookies: only strictly-necessary cookies for authentication and CSRF protection. We do not use Google Analytics, Meta Pixel, or any third-party advertising or marketing cookies.

From public sources, on your behalf

When you configure a workspace, the Service queries public search and business-data sources and stores the results for trend analysis:

Google Search organic, Local Service Ads, and Map Pack results for the keywords and locations you specify;
Google Business Profile metadata (ratings, review counts, review text, author names, business responses) for locations you track;
Competitor business names and domains observed in SERPs;
AI-visibility check results (whether a business appears in AI search-engine answers).

What we don't collect

We do not collect Social Security numbers, government IDs, biometric, financial-account, or health data. We do not knowingly collect data from children under 13.

3. How we use it

Provide and operate the Service you pay for.
Authenticate you and enforce multi-tenant isolation.
Process payments, renewals, and send billing notices.
Send transactional email (account verification, password reset, billing receipts, service alerts).
Respond to support requests.
Monitor, secure, and improve the Service, including detecting abuse and fraud, and meeting rate-limit obligations to our upstream providers.
Comply with legal obligations and enforce our Terms.

We do not sell your data. We do not share it for cross-context behavioral advertising. We do not use it to train third-party AI models.

Legal bases under GDPR: contract performance, legitimate interests (security and product improvement), consent where required, and legal obligation.

4. Who we share with (sub-processors)

We use the following processors to operate the Service. Each is bound by contract to protect your data and use it only for the purpose we specify.

Provider	Purpose	Data	Region
Neon (PostgreSQL)	Primary database	All account, workspace, and ranking data	EU
Cloudflare	Edge compute, routing, email delivery	Request metadata, session tokens, email content	Global
Stripe	Subscription billing	Billing contact, card data (held by Stripe)	US / EU
Oxylabs	Google SERP retrieval	Queried keywords and locations	Global
Google (Places API)	Business-profile and review data	Place IDs, business metadata	US
Groq	AI insights	Ranking records, generated prompts (no end-user PII)	US

We also disclose information to comply with law, valid legal process, or government requests; to enforce our Terms; and to protect rights, property, and safety. If we are involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.

5. AI-generated outputs

Rankings, insights, and recommendations produced by language models are generated from prompts built from your configuration and public SERP data. Prompts do not include end-user personal data. We use the non-training API endpoints for Groq and Gemini; self-hosted Ollama runs on our infrastructure.

6. Retention

Account profile: life of the account; deleted within 30 days after closure.
Session records: until expiry or logout; purged within 90 days.
Workspace configuration: life of the account plus 30 days.
Rankings: up to 2 years of history. Raw SERP payloads are dropped after 14 days to keep storage bounded; derived structured records remain.
Operational logs: 3 days.
IP addresses: 14 days.
Billing records: 7 years (tax / accounting compliance).
Backups: up to 35 days rolling.

7. Security

We use administrative, technical, and physical safeguards, including TLS in transit, encryption at rest, password hashing with HIBP screening, support for TOTP 2FA and WebAuthn passkeys, PostgreSQL row-level security scoped by workspace, least-privilege staff access, and audit logging for administrative actions. No system is perfectly secure. If you suspect your account is compromised, contact security@serpcalls.com immediately.

8. Your rights

Depending on where you live, you may have the right to:

access the personal data we hold about you;
correct inaccurate or incomplete data;
delete your data (right to be forgotten);
export your data in a portable format;
restrict or object to certain processing;
withdraw consent where processing is consent-based;
lodge a complaint with your supervisory authority (EU/UK) or state Attorney General (US).

Most rights can be exercised from in-product settings. For anything you can't do yourself, email privacy@serpcalls.com. We respond within 30 days (CCPA: 45 days, with one 45-day extension if necessary).

California residents (CCPA/CPRA): we do not sell or share personal information for cross-context behavioral advertising. EU/UK residents (GDPR): we do not make automated decisions with legal or similarly significant effects.

9. International transfers

Personal data may be processed in the United States and other countries where our sub-processors operate. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

10. Changes to this Policy

We may update this Policy. Material changes will be announced by email or in-app notice at least 15 days before they take effect. The version date at the top indicates the current version.

11. Contact

Privacy questions: privacy@serpcalls.com
Security: security@serpcalls.com
Data subject requests: privacy@serpcalls.com
Mailing address: NorfBay LLC, 4402 Montgomery Dr, Santa Rosa, CA 95405