Privacy Policy
Version 1 · Last updated 5 July 2026
Last updated: 5 July 2026
This Privacy Policy explains how we collect and use personal data when you use our website and services, and the rights you have. It also includes our cookie policy (see section 6). We are committed to handling personal data lawfully, fairly and transparently under the UK GDPR and the Data Protection Act 2018.
1. Who we are
For the personal data described in this policy, the data controller is MAPS SEO LIMITED (trading as "MapsSEO"), a company registered in England and Wales under company number 17040615, whose registered office is at Suite 20877, 5 Brayford Square, London E1 0SG. MAPS SEO LIMITED is registered with the Information Commissioner's Office (ICO) as a data controller. For any privacy question, or to exercise your rights, contact us at [email protected].
2. The personal data we collect
- Account data — your name, email address and, if you register with a password, your password (which we store only in a securely hashed form). If you provide a telephone number, we store that too.
- Google Sign-In data — if you choose "Continue with Google", Google sends us your name, email address, profile picture (avatar) URL and your Google account identifier, which we store to create and recognise your account. We never receive your Google password.
- Order and service data — the business details you give us so we can deliver the services, such as your business name and contact details, locations, target keywords, Google Business Profile and Google Maps links, and related information.
- Enquiry data — information you send us through website forms or by email, for example when you request a free rank check or get in touch with a question.
- Billing data — the invoicing and payment records needed to take payment and meet our accounting and tax obligations. We do not collect or store your card details; payment is currently by bank transfer, and any future card payments would be handled entirely by a secure third-party payment provider.
- Analytics data — if you consent, Google Analytics 4 collects usage information such as the pages you view, and device, browser and approximate-location information derived from a truncated IP address. We enable IP anonymisation (
anonymize_ip) and use no advertising cookies (see section 6). - Technical and security data — our servers keep logs that include IP address and browser user-agent string, which we use to keep the site secure and working.
3. When we are a controller and when we are a processor
For most of the data above — your account, enquiries, analytics, billing and website use — we are the data controller, meaning we decide how and why it is processed.
However, to deliver the services we often need to work inside your Google Business Profile and with your own business records, which can contain personal data belonging to other people (for example the names of reviewers, or contact details of your own customers). For that data, you are the controller and we act as your processor: we handle it only to provide the services and only on your instructions. Our contractual data-processing commitments are set out in our Terms of Service. If you are a business customer, those commitments (confidentiality, security, use of the sub-processors listed in section 7, assistance with data subject requests, and deletion or return of data at the end of the services) form part of your agreement with us.
4. Why we use your data (lawful bases)
- To perform our contract with you — creating and managing your account, delivering the services you order, sending service-related messages (for example order confirmations, reports and account notices), and taking payment.
- Consent — for optional analytics cookies (Google Analytics 4). We do not load analytics until you accept, and you can withdraw consent at any time (see section 6).
- Our legitimate interests — keeping our website and systems secure, preventing fraud and misuse, responding to enquiries you send us, and running and improving our business, in each case balanced against your rights.
- Legal obligation — keeping accounting and tax records, and complying with other legal duties.
5. Transactional email
We send account and service emails (such as sign-up confirmations, notices and reports) using a specialist email delivery provider, Resend (Resend, Inc.). To deliver these messages, the provider processes your email address and the content of the message on our behalf as our processor. We do not use it to send marketing you have not asked for.
6. Cookies and similar technologies
We use a small number of cookies and similar browser storage. We keep this deliberately minimal.
- Strictly necessary — our Laravel session cookie and CSRF-protection token, which are needed to sign you in securely and keep the site working, and a small entry in your browser's local storage that remembers your cookie choice. These are set without consent because the site cannot function safely without them, as permitted by the Privacy and Electronic Communications Regulations (PECR).
- Analytics (optional) — Google Analytics 4 sets cookies (
_gaand_ga_<id>) only after you select "Accept" in our cookie banner. Until you accept, no analytics script is loaded and no analytics cookie is set. Our Analytics is configured with IP anonymisation on and no advertising or cross-site tracking features.
You gave, or declined, this consent through the banner shown on your first visit; your choice is remembered in your browser's local storage. To withdraw consent, clear the site's data (or the stored choice) in your browser; the banner will then ask again, and analytics will not load unless you accept. You can also block or delete cookies in your browser settings. We do not use advertising, profiling or cross-site tracking cookies.
7. Who we share your data with
We do not sell your personal data. We share it only with service providers that help us run our business, and only as needed:
- Google LLC / Google Ireland Limited — for Google Sign-In (authentication), Google Analytics 4 (analytics, only with your consent), and the Google Business Profile tools we use to deliver the services.
- Our hosting provider — our servers are located in the European Union (Frankfurt, Germany), where your data is stored.
- Resend, Inc. — for sending transactional email (see section 5).
- A payment provider — if we introduce card payments in future, a secure PCI-DSS-compliant payment provider (for example Stripe) would process those payments; we would never store your full card details.
- Professional advisers and authorities — for example our accountants, or law enforcement and regulators, where we are legally required or permitted to disclose.
8. Storing and transferring data internationally
Our hosting is within the European Economic Area (Frankfurt), which the UK recognises as providing an adequate level of protection. Some of our providers (such as Google and Resend) may process data in the United States or other countries outside the UK. Where that happens, we rely on an appropriate safeguard recognised under UK data protection law — such as the UK Extension to the EU-US Data Privacy Framework ("UK-US Data Bridge") where the provider is certified, or the UK International Data Transfer Agreement or Addendum together with the standard contractual clauses — so that your data stays protected.
9. How long we keep your data
- Account data — for as long as your account is open, and up to 12 months after it is closed, so we can deal with reactivation or any follow-up.
- Order, billing and tax records — for 6 years following the end of the accounting period they relate to, as required by UK tax and company law.
- Contract acceptance records (a copy of the terms you accepted, with date, IP address and browser) — kept while your account is open and for up to 6 years afterwards, as evidence of the agreement.
- Enquiry data that does not become a client relationship — up to 12 months.
- Analytics data — retained by Google Analytics for 14 months, after which it is aggregated or deleted.
- Server and security logs — up to 90 days.
Where we no longer need personal data, we delete it or make it permanently anonymous.
10. How we protect your data
We use appropriate technical and organisational measures to protect personal data: the website is served over HTTPS, passwords are stored only in hashed form, access to our systems is restricted to those who need it, and card details are never handled by us. No system can be guaranteed perfectly secure, but we take these obligations seriously and keep our measures under review.
11. Your rights
Under the UK GDPR you have the right to: be informed about how we use your data; access a copy of your data; have inaccurate data corrected; have your data erased; restrict or object to certain processing; data portability; and, where processing is based on consent, to withdraw that consent at any time. To exercise any of these rights, email [email protected]. We will respond within one month, and we do not charge for this in normal cases. If any of the data concerned is data we process on behalf of a business client (see section 3), we will pass your request to that client, who is the controller.
If you are not happy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113 — though we would appreciate the chance to put things right first.
12. Children
Our website and services are aimed at businesses and are not directed at children. We do not knowingly collect personal data from anyone under 18.
13. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top shows when it last changed. Where a change is significant, we will highlight it on this page or, for account holders, tell you by email.