CSTools Privacy Policy
Date Last updated: June 22, 2026
Version: 1.0
This Privacy Policy (“Policy”) explains how CSTools LLC, a Missouri limited liability company (“CSTools,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information when you access or use [https://cstools.com] (the “Marketing Site”), [https://app.cstools.com] (the “Application”), and related products and services (collectively, the “Services”). This Policy is incorporated into our Terms of Use.
By using the Services, you acknowledge that your personal information will be handled as described in this Policy. If you do not agree, please do not use the Services. We may update this Policy from time to time; if we make changes, we will revise the “Date last updated” above and, for material changes, provide additional notice where required by law.
**Controller and processor roles. **For personal information about account holders and visitors, CSTools acts as a controller (or business). Where you use the Services to store or process personal information about your own clients (“Client Data”), you are the controller (or business) for that Client Data and CSTools acts as your processor (or service provider), as further described in Section 11 and in any applicable Data Processing Addendum.
1. Information We Collect
We collect personal information from the following sources and in the following categories.
1.1 Information You Provide to Us
| Category | Examples |
|---|---|
| Account and profile information | First name, last name, email address; optional job title; profile picture (uploaded or from Google); organization name. |
| Authentication information | Account credentials; one-time-password (OTP) secret if you enable two-factor authentication; Google account ID and encrypted Google OAuth access and refresh tokens if you use Google sign-in or connect Google services. |
| Billing information | Stripe customer ID and subscription identifiers; billing contact details. Payment card data is collected and processed by Stripe, not stored by CSTools. |
| User Content | Audit projects and rich-text content, comments, uploaded images, datasets, keyword and URL lists, Google Search Console data, and other SEO data you create, upload, or extract. |
| User-Supplied Credentials | API keys and credentials you provide to connect Third-Party Services (e.g., DataForSEO, OpenAI, Anthropic, Google Gemini), stored in encrypted form. |
| Communications and feedback | Information in your messages to us, support requests, survey responses, and feedback. |
1.2 Information We Collect Automatically
| Category | Examples |
|---|---|
| Device and connection data | IP address, browser type, device characteristics, and similar identifiers. |
| Session and security data | Session cookies and CSRF cookies used to authenticate you and secure the Application; server-side logs. |
| Diagnostic and error data | Error logs, crash reports, performance data, and related diagnostics captured through our error-monitoring provider (which may include personal information). |
| Usage and analytics data (Marketing Site) | Pages visited, links clicked, referral source, approximate location, and behavioral analytics collected via analytics and session-replay tools (e.g., Google Analytics and Microsoft Clarity), where enabled and subject to consent where required. |
1.3 Information from Third Parties
| Source | Examples |
|---|---|
| Google (OAuth and APIs) | Name, email, profile picture, Google account ID, and authorized data (such as Google Search Console and Google Business Profile data) accessed on your behalf. |
| Stripe | Billing and payment-status information (e.g., customer and subscription IDs, payment confirmations). |
| Error-monitoring and infrastructure providers | Diagnostic information about your interactions with the Services. |
2. Google API Services – Limited Use Disclosure
Our use and transfer of information received from Google APIs to any other application will adhere to the **_Google API Services User Data Policy_, including the Limited Use requirements.**
When you connect Google services, we request only the scopes necessary to provide the features you use (for example, read-only access to Google Search Console). We use Google user data solely to provide and improve the user-facing features of the Services, do not use it for advertising, do not sell it, and do not transfer or disclose it to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger or acquisition with appropriate notice. You can revoke our access at any time through your Google account security settings.
3. How We Use Personal Information
- To create, authenticate, and secure your account, and to manage Organization access and roles.
- To provide, operate, maintain, and improve the Services and their features, and to store your User Content.
- To process payments and manage Token purchases, subscriptions, seats, and storage through Stripe.
- To access connected Google services on your behalf (such as Google Search Console and Google Business Profile, and, in the future, other Google services you authorize).
- To send you transactional and service communications (such as confirmations, billing alerts, security notices, organization changes, and product updates), subject to your notification preferences.
- To monitor, debug, and improve stability and performance, and to detect, prevent, and address fraud, abuse, and security incidents.
- To comply with legal obligations, enforce our Terms of Use, and protect the rights, property, and safety of CSTools, our users, and others.
- To create de-identified or aggregated data for analytics and other lawful business purposes.
4. How We Disclose Personal Information
We disclose personal information to the categories of recipients below. The principal service providers we use, and the data shared with each, are summarized in the following table.
| Recipient | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, billing details, Stripe customer/subscription IDs | Payment and subscription processing |
| Google (OAuth and APIs) | OAuth tokens, Google account identity, authorized Google data | Authentication and Search Console / Business Profile access |
| Error-monitoring provider (e.g., Sentry) | Error logs (may include personal information) | Error monitoring and crash reporting |
| Google Cloud | Application data hosted on the platform | Hosting and infrastructure |
| Cloudflare | Marketing Site traffic data | Hosting and content delivery |
| DataForSEO | User-supplied credentials and API queries | Third-party SEO data (user-configured) |
| OpenAI / Anthropic / Google (Gemini) | User-supplied API keys and tool query data | AI-powered tool features (user-configured) |
| Email providers (e.g., SendGrid / Gmail API) | Email addresses | Transactional email delivery |
| Analytics tools (Marketing Site) | Usage and behavioral data | Site analytics (Google Analytics, Microsoft Clarity) |
We may also disclose personal information:
- To comply with law and legal process. To respond to subpoenas, court orders, regulatory requests, or other legal obligations.
- To protect rights and safety. To enforce our agreements and policies, to detect and prevent fraud or security incidents, and to protect CSTools, our users, and others.
- In a business transaction. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, with notice as required by law.
- With your direction or consent. Including when you connect a Third-Party Service or otherwise instruct us to share information.
- De-identified or aggregated data. Which cannot reasonably be used to identify you.
We do not disclose personal information to third parties for their own independent direct-marketing purposes. See Section 9 regarding “sale” and “sharing” under U.S. state privacy laws.
5. Cookies and Tracking Technologies
Application (app.cstools.com)
The Application uses strictly necessary cookies—a session cookie for authentication and a CSRF cookie for security. These functional cookies are required for the Application to operate and cannot be switched off through a consent tool. In production, these cookies use Secure and SameSite settings.
Marketing Site (cstools.com)
The Marketing Site uses, or will use, analytics and session-replay technologies such as Google Analytics and Microsoft Clarity to understand traffic, device and browser information, approximate location, and on-site behavior. Where required by law (including for visitors in the EEA and the United Kingdom), we will present a cookie-consent mechanism that allows you to accept or reject non-essential cookies and to manage your preferences. You can also control cookies through your browser settings.
6. Third-Party Services and Links
The Services integrate with and may link to Third-Party Services that have their own privacy policies and practices, including Google, Stripe, DataForSEO, OpenAI, Anthropic, Google (Gemini), and our analytics, infrastructure, and email providers. We are not responsible for the privacy practices of these third parties, and we encourage you to review their policies. When you connect a Third-Party Service or supply your own credentials or API keys, that third party’s terms and privacy policy govern its processing of your information.
7. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Services, and thereafter as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and protect the security and integrity of the Services. Note that we use soft-deletion in certain systems, meaning records may be retained with a deletion marker for a period before permanent deletion, and that backups are retained for a limited period. When personal information is no longer needed, we delete or de-identify it in accordance with our retention practices and applicable law. Data processed by Third-Party Services is subject to their own retention practices.
8. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including:
- Hosting on Google Cloud, with the database and file storage on Google Cloud infrastructure and automated backups.
- Encryption at rest of sensitive credentials (including API keys and Google OAuth tokens) using application-level encryption.
- Secure and SameSite settings on session and CSRF cookies in production, and CORS restricted to trusted origins.
- Organization-level data isolation and role-based access control (Admin, Manager, Member).
- Hashed account passwords and optional two-factor authentication.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for activity under your account.
9. U.S. State Privacy Rights (California and Other States)
This Section provides additional disclosures for residents of U.S. states with comprehensive privacy laws, including California (CCPA/CPRA), and other states such as Virginia, Colorado, Connecticut, Texas, and Utah, as applicable. Over the past 12 months, we have collected the categories of personal information described in Section 1, used them for the purposes in Section 3, and disclosed them to the recipients in Section 4.
9.1 “Sale” and “Sharing”
We do not sell personal information for monetary consideration. However, our use of third-party analytics and similar technologies on the Marketing Site may be considered a “sale” or “sharing” (including for targeted or cross-context behavioral advertising) under some state laws. Where this applies, we will provide an opt-out mechanism (such as the cookie-consent tool described in Section 5) and will honor recognized opt-out preference signals (such as Global Privacy Control) where required. We do not knowingly sell or share the personal information of individuals under 16 years of age.
9.2 Your Rights
Subject to applicable law and verification, you may have the right to:
- Know and access the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients;
- Request correction of inaccurate personal information;
- Request deletion of personal information, subject to legal exceptions;
- Opt out of any “sale” or “sharing” of personal information and of targeted advertising;
- Opt out of profiling that produces legal or similarly significant effects (we do not engage in such profiling);
- Not receive discriminatory treatment for exercising your rights; and
- Appeal a decision we make regarding your request.
To exercise these rights, contact us at [[email protected]]. You may use an authorized agent where permitted. We will verify your request as required by law. California’s “Shine the Light” law: we do not disclose personal information to third parties for their own direct-marketing purposes.
10. EEA/UK Privacy Rights (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following applies. We process personal information on the legal bases of: performance of a contract (to provide the Services); your consent (for example, for non-essential cookies); compliance with legal obligations; and our legitimate interests (such as securing and improving the Services), balanced against your rights.
Subject to applicable law, you have the right to: confirmation and access; rectification; erasure; restriction of processing; objection to processing; data portability; and to not be subject to solely automated decision-making producing legal or similarly significant effects. You may also withdraw consent at any time (without affecting prior processing) and lodge a complaint with your local supervisory authority.
10.1 International Data Transfers
We are based in the United States and use service providers located in the United States and elsewhere. Where we transfer personal information from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum), and we take steps to ensure your information receives a level of protection consistent with applicable law.
11. Client Data and Our Role as a Processor
When you use the Services to manage SEO audits and store information about your own clients, you may provide personal information relating to those clients (“Client Data”). You are responsible for ensuring you have a lawful basis and any required notices and consents to collect and process Client Data and to make it available to us. With respect to Client Data, you act as the controller (or business) and CSTools acts as your processor (or service provider): we process Client Data only to provide the Services in accordance with your instructions and our agreement, and not for our own independent purposes. To the extent required by applicable law, we will enter into a Data Processing Addendum with you upon request or as required for your compliance obligations.
12. Children’s Privacy
The Services are intended for business and professional users and are not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us personal information, please contact us at [[email protected]] and we will take appropriate steps to delete it.
13. Your Choices
- Account information. You can review and update your profile and notification preferences within the Application, or by contacting us.
- Email preferences. You can adjust email-notification preferences in your account settings; we may still send essential transactional and service messages.
- Connected services. You can disconnect Third-Party Services and revoke Google access through your Google account settings.
- Cookies. You can manage non-essential cookies on the Marketing Site through the consent tool (where available) and your browser settings.
- Account deletion. You can request deletion of your account; certain information may be retained where we have a legal obligation or legitimate need, as described in Section 7.
14. Do Not Track
Some browsers offer a “Do Not Track” (DNT) signal. Because there is no common industry standard for DNT, the Services are not currently configured to respond to DNT signals. We do, however, intend to honor recognized opt-out preference signals (such as Global Privacy Control) where required by applicable law.
15. Complaints
If you have a privacy concern, complaint, or question about this Policy or our data practices, please contact us at [[email protected]]. We will respond within a reasonable timeframe. If your concern remains unresolved, you may escalate to your local data-protection authority (for EEA/UK residents) or, in the United States, the Federal Trade Commission or your state attorney general.
16. Contact Us
CSTools LLC
Email: [[email protected]]
_© CSTools LLC. All rights reserved. _