Privacy Policy.

atlookup ("we," "us," "our") is a bootstrapped, founder-led SEO platform operated from Bangladesh. For the purposes of this policy, atlookup is the data controller — the entity that decides why and how your personal data is processed.

Contact for privacy matters:

• Email: [email protected]
• General support: /contact
• Founder: Razu Ahammed (responds personally to privacy requests)

We collect only what's necessary to run the service. Below is the complete list of personal data types we process — we don't collect anything beyond this.

We do not collect: phone numbers, physical addresses (beyond country for tax), social-graph data, browser fingerprints, location beyond country level, or any biometric identifiers.

We process your data only for these purposes:

• Provide the service: Run crawls, build reports, deliver email summaries you opted into.
• Account & billing: Authenticate logins, process subscription payments, send billing receipts.
• Support: Respond to questions, debug issues, recover accounts.
• Service improvement: Analyze aggregated, anonymized usage to find bugs and prioritize features.
• Security: Detect abuse, fraud, brute-force attempts, and rate-limit violations.
• Legal compliance: Respond to lawful requests from authorities (with as narrow scope as legally possible).

We do not use your data for advertising profile-building, behavioral targeting, or to train external AI/ML models.

We use a small set of cookies, all of which fall into two categories:

• Strictly necessary cookies: Required for the service to work — e.g., session cookie that keeps you logged in, CSRF token cookie that protects against form-spoofing.
• Optional analytics cookies: If we ever add page-view analytics (e.g., privacy-respecting Plausible or self-hosted tooling), we will list them here and ask consent before setting them. Today, we do not use third-party analytics cookies.

We do not use Google Analytics, Facebook Pixel, or advertising trackers. If that changes, we will update this section, ask consent, and notify existing users.

To run the service, we rely on a small set of trusted vendors. We share only the minimum data each vendor needs.

Note on payment processors: atlookup supports both Stripe and Paddle as billing providers. At any time, the active processor depends on your region (e.g., EU/UK customers may be billed via Paddle for VAT-compliant Merchant-of-Record handling, while others may be billed directly via Stripe). Whichever applies to you will be shown clearly at checkout. We never see or store your card details — that data lives only with the chosen processor.

We will update this list whenever we add or remove a sub-processor. Existing users will be notified by email at least 14 days before any new sub-processor begins handling their data.

We take reasonable steps to protect your data — but we won't claim certifications we don't yet hold. Here's what's actually in place:

• HTTPS everywhere: All traffic is encrypted via Cloudflare-managed TLS 1.2/1.3.
• Hashed passwords: Stored as salted bcrypt hashes — we cannot read your password, even internally.
• Encrypted secrets: Sensitive integrations (e.g., payment-gateway credentials) are encrypted at the application layer.
• Restricted access: Only the founder has production database access. No third-party engineers, no offshore teams.
• Logging: Server access logs are retained for security review and rotated regularly.

Formal compliance audits (SOC 2, ISO 27001) are on our roadmap as we scale. We will announce them only when they are real, not before. No security system is perfect; if we discover a breach affecting your data, we will notify you within 72 hours of confirming the incident.

We retain your data only as long as needed to provide the service and meet legal obligations.

• Active accounts: Account and crawl data are retained while your account is active.
• Crawl reports: Retention depends on your plan — Free tier: 1 month; Pro tier: 6 months; Agency tier: 12 months. Reflects current plan limits as configured in our system — updates automatically as plans evolve.
• Cancelled accounts: If you delete your account, we delete or anonymize your data within 30 days, except where we must retain billing records for tax law (typically up to 7 years in compliance with Bangladesh tax law).
• Backups: Backup snapshots may persist for up to 30 days after deletion before they cycle out, but are not actively accessed during that window.
• Access logs: Rotated within 90 days unless flagged for security investigation.

Regardless of where you live, we extend these data-subject rights to all users:

To exercise any of these rights, email [email protected] from the email address associated with your account. We will respond within 30 days.

If you believe we have mishandled your data, you have the right to lodge a complaint with your local data-protection authority. We would prefer you contact us first — we'll work to resolve it directly.

atlookup operates from Bangladesh, and our servers are hosted on Google Cloud Platform. Depending on the GCP region in use, your data may be processed in countries outside your own — including the United States, where GCP is headquartered.

Where required (e.g., for users in the European Economic Area or United Kingdom), we rely on appropriate transfer mechanisms such as Google Cloud's Standard Contractual Clauses. We are working toward optional EU data-residency for users who request it.

atlookup is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If we discover that a user is under 16, we will delete their account and associated data promptly.

If you are a parent or guardian and believe a child has provided us personal information, please contact [email protected] and we will act on it immediately.

Sometimes the most important part of a privacy policy is what's not in it. For clarity:

• We do not sell your data — not to advertisers, data brokers, or AI vendors.
• We do not share your data with social-media platforms or ad networks.
• We do not use your crawl data to train external machine-learning models.
• We do not read your private project URLs or audit reports for any purpose other than running the service for you.
• We do not create behavioral profiles, do retargeting, or run programmatic ads.
• We do not use dark patterns to extend subscriptions or hide cancellation.
• We do not claim certifications (SOC 2, ISO, HIPAA) we have not earned.

We may update this Privacy Policy from time to time. When we do, we will revise the Last updated date at the top of this page and, for material changes, notify registered users by email at least 14 days before they take effect.

Questions, requests, or concerns about your data:

• Privacy: [email protected]
• Support: /contact
• Founder: Razu Ahammed (atlookup, Bangladesh)

We try to respond to every privacy request personally, within 30 days at the latest.