Privacy Policy

1. Introduction

Hado Dev, LLC, doing business as Hado SEO ("Hado SEO," "we," "our," or "us"), provides a DNS rendering service that allows client-side web applications to be rendered for search engine crawlers and social media bots (the "Service"). This Privacy Policy explains how we collect, use, share, and protect personal information in connection with the Service, our website at hadoseo.com, and our customer dashboard.

We are committed to handling personal information lawfully, fairly, and transparently. This Policy is designed to satisfy our obligations under the EU General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws (collectively, "Data Protection Laws").

For questions about this Policy or how we handle personal information, please contact [email protected].

2. About This Policy and Who It Applies To

Hado SEO acts in two distinct roles with respect to personal information, and each role has its own legal framework:

Hado SEO as Controller

Where we collect personal information directly from you when you visit our website, create an account, subscribe to the Service, or interact with us, we are the "controller" of that personal information. This Privacy Policy primarily governs that controller relationship. Examples of controller-held personal information include your name, email address, billing details, and account preferences.

Hado SEO as Processor

Where we process personal information on behalf of our business customers (for example, end-user request data that flows through the Service for our customers' websites), we act as a "processor" or "service provider." In that role, our customers are the controllers, and they determine the purposes and means of the processing. Our processing of that data is governed by the Data Processing Addendum executed between Hado SEO and the customer, available at hadoseo.com/dpa. If you are an end user of one of our customers' websites and have a question about your personal information, please contact that customer first; we will support them in responding to your request.

3. Information We Collect

We collect only the personal information necessary to deliver, maintain, and improve the Service. The categories of personal information we collect, and the sources, are summarized below.

Account and Subscription Information

When you create an account or subscribe to a paid plan, we collect:

• Identifiers: name, email address, organization name
• Account credentials: passwords (stored as cryptographic hashes), API keys (stored as SHA-256 hashes)
• Billing information: subscription plan, billing address, payment method (processed by our payment processor; we do not store payment card data)
• Service configuration: domain names, DNS configuration, and routing preferences you provide

Technical and Usage Data

When you or visitors to your domains use the Service, our infrastructure may automatically collect:

• IP addresses and User-Agent strings (used transiently for bot classification and not persisted)
• Request metadata: timestamps, request paths, HTTP status codes
• Diagnostic information from our proxy and renderer systems
• Aggregated analytics: cache hit rates, bot detection counts, request volumes

Website and Dashboard Data

When you visit hadoseo.com or use our dashboard, we may collect:

• Pages visited, session duration, and referring URL
• Browser and device information
• Information you submit through forms (contact, demo requests, support tickets)

Communications and Support

When you contact us for support, we collect the information you choose to share, including the contents of your messages and any attachments.

What We Do Not Collect

By design, we do not collect or store:

• End-user PII from visitors to your websites (no persistent IP, cookie, or session data)
• Payment card data (handled entirely by our PCI-compliant payment processor)
• Plaintext credentials of any kind
• Customer page content beyond auto-expiring cached HTML
• Special categories of personal information (race, religion, health, biometrics, etc.)

4. How We Use Personal Information

We use personal information only for the purposes described in this Policy. Under GDPR, we rely on one or more of the following legal bases for each processing activity:

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We do not use personal information for any form of automated decision-making that produces legal or similarly significant effects.

5. How We Share Personal Information

We share personal information only with the parties described below, and only as necessary to deliver the Service.

Sub-Processors

We engage a limited number of third-party service providers ("Sub-Processors") to deliver components of the Service. The current list of Sub-Processors, including the categories of data each handles and their location, is published at hadoseo.com/subprocessors. Sub-Processors are contractually bound to process personal information only on our instructions and in accordance with this Policy and our Data Processing Addendum.

Payment Processing

Billing transactions are processed by Stripe, Inc. Stripe collects payment card information directly from you and provides us only with the transaction metadata necessary to manage your subscription. Stripe's privacy practices are governed by its own privacy policy.

Legal and Safety Disclosures

We may disclose personal information if required to do so by law, valid legal process (such as a subpoena or court order), or to protect the rights, property, or safety of Hado SEO, our customers, or others. We challenge overbroad government requests where appropriate.

Business Transfers

If Hado SEO is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality obligations.

No Sale or Cross-Context Behavioral Advertising

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. These statements apply to personal information of California residents as those terms are defined under CCPA/CPRA.

6. International Data Transfers

Persistent customer data (account records, configuration, analytics, and audit logs) is currently stored and processed in the United States. Transient request processing occurs at globally distributed edge locations operated by our infrastructure Sub-Processors and is not persisted outside of transient handling.

Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum. We also implement supplementary measures consistent with European Data Protection Board recommendations, including encryption in transit and at rest, strict access controls, and challenges to overbroad government access requests.

Customers may obtain additional detail on international transfer mechanisms through the Data Processing Addendum, available at hadoseo.com/dpa.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including to meet legal, accounting, or reporting requirements. The general retention periods are:

We retain personal information for the periods set out above to fulfill the purposes for which it was collected, including supporting active accounts, enabling account reactivation, detecting and preventing fraud, and defending against legal claims. We do not automatically delete account data after closure; instead, we retain it for these legitimate purposes until you request deletion or the data is no longer needed.

You may request deletion of your personal information at any time under Section 9 (Your Privacy Rights). We will honor verified deletion requests except where we are required to retain specific data to comply with a legal obligation (for example, billing records must be retained for tax and accounting purposes), to exercise or defend legal claims, or to detect and prevent security incidents or fraud. Where we cannot delete data due to a legal requirement, we will restrict its use to that requirement and delete it as soon as the requirement no longer applies.

8. Cookies and Tracking Technologies

Different parts of our offering use cookies differently:

The Rendering Service

The DNS rendering service itself does not set cookies. End-user IP addresses and User-Agent strings are used transiently for bot classification but are not stored.

The Dashboard and Marketing Site

Our website at hadoseo.com (which hosts both our marketing site and customer dashboard) uses cookies and similar technologies for the following purposes:

• Essential cookies: required to log you in, maintain your session, and remember settings (no consent required)
• Analytics cookies: help us understand how visitors use our website (e.g., page views, time on site) and improve content; only set with your consent in jurisdictions that require it
• Functional cookies: remember your preferences (e.g., language, theme); only set with your consent where required

You can manage non-essential cookies through the cookie consent banner displayed on first visit, or through your browser settings. Disabling essential cookies will prevent you from using the dashboard.

9. Your Privacy Rights

Depending on your jurisdiction, you have certain rights regarding your personal information. We will respond to verified requests within the time period required by applicable law (generally within 30 days under GDPR; within 45 days under CCPA/CPRA, with one 45-day extension where reasonably necessary).

GDPR and UK GDPR Rights

If you are located in the EEA, the United Kingdom, or Switzerland, you have the right to:

• Access the personal information we hold about you (Article 15)
• Request correction of inaccurate personal information (Article 16)
• Request deletion of your personal information (Article 17)
• Request restriction of processing in certain circumstances (Article 18)
• Receive your personal information in a portable format (Article 20)
• Object to processing based on legitimate interests (Article 21)
• Withdraw consent where we rely on consent as the legal basis (Article 7)
• Lodge a complaint with the supervisory authority in your country of residence

California Resident Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it
• Request access to the specific pieces of personal information we have collected about you
• Request deletion of personal information we have collected from you, subject to legal exceptions
• Request correction of inaccurate personal information
• Opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising; this right is included for completeness)
• Limit the use of sensitive personal information (we do not collect sensitive personal information as defined under CPRA)
• Be free from retaliation for exercising your privacy rights

How to Exercise Your Rights

To exercise any of these rights, email [email protected]. We will verify your identity before processing your request, which may require additional information to confirm you are the data subject. There is no fee for exercising your rights, except for clearly unfounded or excessive requests. You may authorize an agent to make requests on your behalf, subject to verification.

If you are an end user of a Hado SEO customer's website and your request relates to data processed on behalf of that customer, please contact the customer directly. We will assist them in responding to your request as required by our Data Processing Addendum.

10. Security

We implement industry-standard technical and organizational measures to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access control and tenant isolation
• Hashed credentials and API keys (passwords and API keys are never stored in plaintext)
• Continuous monitoring and automated alerting
• Peer code review, static analysis, and dependency scanning in our deployment pipeline
• Regular review of our security posture

Detailed security practices are documented in our Security Posture Overview, available on request under a non-disclosure agreement. Despite these measures, no online service is completely secure, and we cannot guarantee absolute security.

11. Children's Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact [email protected].

12. Automated Decision-Making and Profiling

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant effects on individuals. The bot classification performed by the Service is operational (used to route requests appropriately) and does not result in decisions about individuals.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email to the account email address on file or by in-product notice at least 30 days before the changes take effect. The "Last Updated" date at the top of this Policy reflects the most recent version. Continued use of the Service after the effective date of an updated Policy constitutes acceptance of the changes.

14. Contact Us

For questions about this Policy, to exercise your privacy rights, or to raise a concern about how we handle personal information: