Privacy Policy & GDPR Information
Last updated: January 2025
Welcome to The Freelancer Marketing (“we”, “our” or “us”). This Privacy Policy explains how we collect, use, share and protect your data when you visit our website and use our marketing and SEO services. The Freelancer Marketing is a platform that helps businesses and freelancers optimize their online presence through SEO analysis, campaign management and data-driven marketing. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Controller
Controller within the meaning of the General Data Protection Regulation (GDPR) is:
This website is jointly operated by two legally independent companies. Both act as joint controllers within the meaning of Art. 26 GDPR.
Controller 1 (Cyprus)
The Freelancer Marketing Ltd.
Sinasi Bei, 69 KINGS RESORT BLOCK C, Flat/Office A2
8015 Paphos, Cyprus
Registration Number: HE 458650
VAT: CY60058879W
Controller 2 (Germany)
The Freelancer Crew Andy Staudinger e. K.
Bestenseer Straße 6
15749 Mittenwalde, Deutschland
Registry: HRA 4213 (Amtsgericht Cottbus)
USt-IdNr.: DE321060932
If you have any questions about data protection, you can reach us at the email address above.
2. Data Collection on this Website
What data is collected?
When visiting this website, the following data is automatically collected:
- IP address (anonymized)
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred
- Referrer URL (previously visited page)
- Browser and browser version
- Operating system
Legal Basis
Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in ensuring trouble-free operation of our website and improving our services.
Storage Duration
Server log files are automatically deleted after 30 days.
3. Hosting and Content Delivery Network (CDN)
Dedicated Server (Hetzner Online GmbH)
This website runs on a dedicated server of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) in data centers located in Germany. Deployment is handled by a self-hosted Coolify instance on the same server. Server administration and responsibility lie with us.
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen, Deutschland
Hosting at Hetzner does <strong>not</strong> involve any transfer of personal data to third countries. However, due to the use of Cloudflare as CDN, data may be routed through US servers (see Cloudflare section below).
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure and fast website delivery).
More information: Hetzner Privacy Policy
Content Delivery Network (Cloudflare)
To accelerate page delivery and protect against DDoS attacks, we use Cloudflare as a Content Delivery Network (CDN) and DNS provider. All HTTP requests to our website are routed through Cloudflare's global network.
Cloudflare Inc.
101 Townsend St
San Francisco, CA 94107, USA
Processed Data
Cloudflare necessarily processes the following data:
- User's IP address
- Requested URL and HTTP headers
- Time of access
- Amount of data transferred
- Referrer and user agent
Cloudflare is based in the USA (Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107). Data transfer is based on the EU-US Data Privacy Framework (adequacy decision) and additionally through EU Standard Contractual Clauses (SCCs).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and fast delivery of the website).
More information: Cloudflare Privacy Policy
4. Database and Backend (Supabase)
For storing and processing data, we use Supabase, an open-source backend-as-a-service platform.
Supabase Inc.
970 Toa Payoh North #07-04
Singapore 318992
Processed Data
The following data is stored in Supabase:
- Contact form inquiries (name, email, message)
- Blog content and comments
- User accounts (if registered): email, encrypted password
- CRM data for business contacts
Server Location
Our Supabase instance is hosted in the EU region (Frankfurt, Germany) to meet GDPR requirements.
Security
Supabase uses encryption both in transit (TLS/SSL) and at rest (AES-256). Passwords are hashed with bcrypt.
Legal basis: Art. 6 (1) (b) GDPR (contract fulfillment) and Art. 6 (1) (f) GDPR (legitimate interest).
More information: Supabase Privacy Policy
5. Cookies
Our website uses cookies. Cookies are small text files stored on your device that save certain settings and data.
Types of Cookies
Technically necessary cookies (Always active)
These cookies are essential for the operation of the website. This includes session cookies, authentication cookies, and CSRF protection cookies.
Storage duration: Session / max. 24 hours
Functional cookies (Optional)
These cookies enable extended functions such as saving your language preferences and theme settings.
Storage duration: 1 year
Analytics Cookies (Google Analytics / GTM) (Consent required)
We use Google Tag Manager (GTM) and Google Analytics 4 to analyze the usage of our website. These cookies are only set after your consent (Consent Mode v2). Without your consent, no analytics cookies are set and no personal data is transmitted to Google.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Storage duration: up to 14 months.
Marketing Cookies (Google Ads) (Consent required)
We use Google Ads Conversion Tracking (ID: AW-17455401718) to measure the success of our advertising campaigns. These cookies are only set after your explicit consent via our cookie banner. Without your consent, no marketing cookies are set and no conversion data is transmitted to Google.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Storage duration: up to 90 days.
Change cookie settings
You can change your cookie settings at any time via the "Cookie Settings" link in the footer of this website or withdraw your consent.
Legal basis: Art. 6 (1) (a) GDPR (consent) for optional cookies; Art. 6 (1) (f) GDPR for technically necessary cookies.
6. Embedded Content (Third Parties)
Google Consent Mode v2
We use Google Consent Mode v2. This means: All Google tags (Analytics, Ads) respect your cookie settings. As long as you have not given consent, the tags operate in restricted mode – no cookies are set and no personal data is transmitted. Only after your active consent via our cookie banner are the corresponding functions activated.
Google OAuth 2.0 & API Services
The Freelancer Marketing uses Google OAuth 2.0 to access certain Google services with your explicit consent. Access is read-only — no data in your Google account is modified or deleted.
Access Scope
- Google Ads API (read-only): Retrieval of your campaign data, ad groups, keywords and performance metrics for analysis in the dashboard.
- Google Analytics API (read-only): Retrieval of website traffic data, user statistics and conversion data for analysis.
- OpenID & Email: Identification of your Google account for secure authentication.
- Google Search Console API (read-only): Retrieval of search queries, click data and indexing status of your website.
Purpose of Data Processing
The retrieved data is used exclusively to provide you with analyses, reports and actionable recommendations about your Google Ads campaigns and website performance in the marketing dashboard. No data is shared with third parties.
Storage & Deletion
OAuth access tokens are stored encrypted on our servers and automatically deleted when you disconnect or delete your account. Campaign data is temporarily cached and regularly updated. After contract termination, all stored Google data is irrevocably deleted within 90 days.
Revoking Access
You can revoke The Freelancer Marketing's access to your Google account at any time at myaccount.google.com/permissions. After revocation, all stored tokens are immediately deleted.
Limited Use Compliance
The use of data retrieved via Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data is not sold to third parties, not used for advertising purposes, and not used to train AI models.
Our website embeds content from third-party providers. These integrations may result in providers setting cookies or collecting your IP address.
Figma
We use Figma to display design mockups and interactive prototypes. When loading the Figma embed, data is transmitted to servers of Figma Inc. (USA).
Provider: Figma, Inc., 760 Market Street, San Francisco, CA 94102, USA
Transferred data: IP address, browser information, time of access
Privacy policy: figma.com/legal/privacy
Legal basis: Art. 6 (1) (a) GDPR (consent). Embedding only occurs if you have agreed to functional cookies.
7. Contact Form and Email Contact
When you contact us via contact form or email, your information will be stored for processing the inquiry and for possible follow-up questions.
Collected Data
- Name
- Email address
- Message content
- Time of inquiry
- IP address (for spam prevention)
Storage Duration
Data will be deleted as soon as it is no longer necessary for the purpose of its collection. For personal data from contact forms, this is the case when the respective conversation has ended.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in answering inquiries).
8. AI & Machine Learning
We use Artificial Intelligence (AI) to provide you with automated SEO analyses, recommendations, and reports. Data is transmitted to the following AI service providers:
Google Gemini API
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use the direct Google Gemini API (generativelanguage.googleapis.com) with the Gemini 2.5 Pro and Gemini 2.5 Flash models to analyze website content and generate SEO recommendations. Google Search Grounding may be activated, whereby Google performs supplementary web searches to enhance analysis results. International transfer: USA — based on the EU-US Data Privacy Framework (Google LLC is DPF-certified) with EU Standard Contractual Clauses (Decision 2021/914) as additional safeguard.
Anthropic (Claude)
Provider: Anthropic PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA. Claude is used as a fallback system if the primary AI service is unavailable. Anthropic acts as a data processor pursuant to Art. 28 GDPR.
Groq
Provider: Groq Inc., Mountain View, CA, USA. Groq is used as an additional fallback system and processes the same data as the primary providers.
Ollama (Local)
For certain tasks, we use AI models running locally on our server via Ollama. In this case, no data leaves our server.
Processed Data
- Website URLs entered by you
- Publicly accessible content of analyzed websites (HTML structure, meta tags, headings, text)
- Generated analysis results and recommendations
API Usage Logging
For quality assurance and billing, we log the use of AI services. Stored data includes: user ID, provider used, model, number of tokens, and cost. The prompts and responses themselves are not permanently stored.
Third Country Transfer
Both Google Gemini (Google LLC, USA) and the fallback providers Anthropic (USA) and Groq (USA) transfer data to the United States. The transfer is based on the EU-US Data Privacy Framework (EU Commission adequacy decision of 10 July 2023) with EU Standard Contractual Clauses (Decision 2021/914) as additional safeguard. The DPF certification status of individual providers can be checked at dataprivacyframework.gov.
Transparency Notice (EU AI Act)
AI-generated content is clearly labeled in our analysis reports. No automated individual decisions within the meaning of Art. 22 GDPR are made — the AI serves exclusively as an analysis and recommendation tool.
Legal basis: Art. 6 (1) (b) GDPR (contract fulfillment) and Art. 6 (1) (f) GDPR (legitimate interest in providing accurate analyses).
Storage duration: API usage logs are deleted after 90 days. Analysis results are stored for 2 hours (free) or 30 days (premium).
8a. External SEO and Security Data Sources
For the website analysis, SEO and security features we use the following external APIs. With each request, URL parameters, domain names where applicable and technical request data are transmitted to the respective provider. Personal data of our users is — unless stated otherwise — not transmitted.
DataForSEO OÜ
Provider: DataForSEO OÜ (Company No. 14502291), Vesivärava tn 50-201, Kesklinna linnaosa, Tallinn, Harju maakond 10152, Estonia. Processing also occurs through sub-processors (Google LLC and Microsoft Corporation/Azure, USA). Purpose: keyword data, SERP data, backlink audits, on-page audits, local search results, PPC keyword data and competitor analyses. Data transmitted: domain names, keywords and URLs queried by the user. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing the analysis feature). International transfer: seat in the EU/Estonia; where sub-processing occurs in the USA, this is based on EU Standard Contractual Clauses (Decision 2021/914) according to DataForSEO's privacy policy.
Moz, Inc.
Provider: Moz, Inc., 1111 3rd Avenue, 17th Floor, Seattle, WA 98101, USA — subsidiary of iContact (Ziff Davis, Inc.). Purpose: domain authority and backlink metrics. Data transmitted: domain names queried by the user. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing the analysis feature). International transfer: USA — based on EU Standard Contractual Clauses (Decision 2021/914).
Have I Been Pwned (Pwned Passwords)
Provider: Superlative Enterprises Pty Ltd (ABN 62 085 442 020), Level 11, 2 Corporate Court, Bundall QLD 4217, Australia. API endpoint: api.pwnedpasswords.com (delivered via the Cloudflare edge network; data stored in a Microsoft Azure data centre, western United States). Purpose: checking new passwords against known data breaches during registration and password changes. Data transmitted: the password is hashed client-side using SHA-1; only the first five characters of this hash are sent to the provider (k-anonymity, following the Cloudflare implementation). The full password and the full hash never leave your browser. Identification of the user by the provider is technically excluded under the k-anonymity model. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in account security) and Art. 32 GDPR (security of processing). International transfer: Australia (seat; protected by the Australian Privacy Principles) and technical processing through the global Cloudflare edge network; based on the k-anonymity model, no personal data within the meaning of the GDPR is transmitted.
8b. Google API Services for Data Enrichment
For our Website Analyzer and SEO features we use the following additional Google Cloud APIs (in addition to Google Search Console, Google Analytics Data API and Google Ads API documented above):
- Google Cloud Vision API — image analysis of screenshots during on-page audits
- Google Places API / Google Maps Platform (server-side) — location validation and local SEO features
- Google Custom Search JSON API — programmatic web search for keyword research and backlink discovery
- Google Safe Browsing API — security checks for analyzed domains
- Google Knowledge Graph Search API — entity recognition for backlink quality scoring
- Google CrUX API (Chrome User Experience Report) — Core Web Vitals data from real users
Provider
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For intra-European services represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Purpose
Automated data enrichment and technical analysis of web pages evaluated through the Website Analyzer.
Data categories
Domain names and URLs entered by the user, technical request metadata (request-side IP address, our server's user agent). For the Vision API additionally server-generated screenshots of the analyzed pages. No account data of our registered users.
Legal basis
Art. 6 (1) (f) GDPR (legitimate interest in providing the analysis feature). For logged-in users additionally Art. 6 (1) (b) GDPR (contract performance).
International transfer
USA — based on the EU-US Data Privacy Framework (Google LLC is DPF-certified) with EU Standard Contractual Clauses (Decision 2021/914) as additional safeguard.
8c. SearXNG (self-hosted meta search engine)
We run our own instance of the open-source meta search engine SearXNG on our infrastructure in Germany (Hetzner Online GmbH, Falkenstein / Nuremberg data centre). SearXNG aggregates results from public search engines without establishing a direct connection between our users and those search engines.
Purpose
Anonymised SERP data collection for internal SEO research, backlink discovery and link-building features.
Data processing
Queries are processed server-side on our own infrastructure. No personal data of our users is transmitted to external search engines; queries are sent from our server IP and contain no user identifiers.
International transfer
None. Server location Germany.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing the analysis feature).
9. Website Analysis & Crawling
Our Website Analyzer examines websites entered by you to perform SEO audits, WCAG accessibility checks, and backlink analyses.
How it Works
We use automated methods (web crawling via BeautifulSoup and httpx) to analyze publicly accessible web pages. Only freely available information is collected — no login-protected areas or non-public content is accessed.
Collected Data
- URLs entered by you
- Publicly accessible HTML content (meta tags, headings, links, text)
- Sitemap structures and robots.txt rules
- HTTP status codes and response times
- Accessibility attributes (ARIA, alt texts, contrast ratios)
No Personal Data of Third Parties
Only publicly accessible, technical information from the analyzed websites is collected. Personal data appearing on the analyzed websites is neither extracted nor stored.
PDF Report Generation
For premium analyses, we generate PDF reports using Playwright/Chromium. The generation takes place entirely on our server — no data is transmitted to third parties.
Legal basis: Art. 6 (1) (b) GDPR (contract fulfillment) and Art. 6 (1) (f) GDPR (legitimate interest in providing the analysis service).
Storage duration: Analysis cache 2 hours (free) or 30 days (premium). URLs and analysis results are automatically deleted upon expiration.
10. Payment Processing (Revolut)
For payment of our premium analysis services, we use the payment service provider Revolut.
Payment Service Provider
Revolut Bank UAB
Konstitucijos Ave. 21B, Vilnius, 08130, Lithuania
Registration number: 304580906
German branch: Revolut Bank UAB, Zweigniederlassung Deutschland, Unter den Linden 40, 10117 Berlin (HRB 249024 B)
Data Protection Officer: dpo@revolut.com
Data Transmitted to Revolut
- Payment amount (€3.99)
- Email address (if provided)
- Order description (shortened URL of the analyzed website)
Actual payment data (credit card number, bank details, etc.) is processed exclusively by Revolut as an independent controller. We have no access to this sensitive payment information.
Data Stored by Us
- Revolut order ID (for payment assignment)
- IP address (at the time of the order)
- Email address (if provided)
- Payment status and timestamp
- License status and validity period (30 days)
Third Country Transfer
Revolut Bank UAB is based in Lithuania (EU). However, Revolut may transfer your data to companies outside the EEA as part of payment processing. Revolut has implemented appropriate safeguards in accordance with GDPR requirements.
Legal basis: Art. 6 (1) (b) GDPR (contract fulfillment — payment processing is necessary to provide the service you requested).
Storage duration: Payment data (order ID, status) is stored for up to 10 years in accordance with commercial and tax law retention obligations. License data is deleted 30 days after expiration.
10a. Appointment Booking via Microsoft Bookings
You can book appointments (e.g. consultations) via our booking widget. The technical basis is Microsoft Bookings / Microsoft Graph API. The booked slot is written to our Microsoft 365 / Outlook calendar and a Microsoft Teams meeting link is generated.
Data collected
- Name
- Email address
- Phone number (optional)
- Topic / inquiry (optional)
- Requested time slot (date, time, timezone)
- IP address, timestamp of booking
Recipient / Processor
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park
Leopardstown, Dublin 18, Ireland
Intra-group transfer to the USA (Microsoft Corporation) possible, safeguarded by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC).
Legal basis: Art. 6(1)(b) GDPR (preparation and performance of a contract or pre-contractual measure on request).
Retention: Data is deleted when no longer needed, subject to statutory retention obligations (up to 10 years for contract documents under German commercial / tax law).
10b. Lead Capture, Newsletter Sign-up & Premium PDF Delivery
We collect email addresses in two places on our website: (1) in the Website Analyzer to deliver the full SEO report as a PDF and (2) in the newsletter sign-up in the sidebar of our blog posts for regular practical tips on SEO, GEO and web development. Both flows use a strict double opt-in mechanism: after entering your address we send a confirmation email; only after you click the confirmation link are you added to our newsletter list — and in the analyzer flow the PDF is dispatched as well.
Data collected
- Email address (mandatory)
- Name (optional, analyzer flow only)
- Phone number (optional, analyzer flow only)
- Analyzed URL and score (analyzer flow only, technical context)
- Premium key (analyzer flow only, to match the PDF report)
- Sign-up source (e.g. "analyzer-loader" or "blog-sidebar")
- Confirmation token, sign-up & confirmation timestamps
- IP address (technical, for anti-spam)
Storage & Processors
Lead data is stored in our own database on Supabase (EU region Frankfurt). For confirmation/report emails and newsletter management we use Brevo (Sendinblue SAS); for individual workflows (e.g. internal notifications, booking) we also use Microsoft 365 SMTP via Microsoft Ireland Operations Limited. Confirmed newsletter sign-ups are transferred to a dedicated Brevo contact list with the sign-up source ("analyzer-loader" or "blog-sidebar") stored as an attribute.
Sendinblue SAS (Brevo)
106 Boulevard Haussmann
75008 Paris, France
Legal basis: Art. 6(1)(b) GDPR (pre-contractual delivery of the requested PDF report in the analyzer flow) and Art. 6(1)(a) GDPR (consent for newsletter via double opt-in, both in the analyzer flow and in the blog sidebar sign-up).
Withdrawal: You can withdraw your newsletter consent at any time via the unsubscribe link in every email or by writing to info@the-freelancer-marketing.de. Withdrawal has effect for the future only.
Retention:Unconfirmed leads are deleted after 30 days. Confirmed newsletter subscribers are stored until they unsubscribe. Dispatch logs (e.g. "PDF sent on ...") are kept for up to 3 years as evidence.
More: Brevo Privacy Policy
11. Your Rights under GDPR
You have the following rights regarding your personal data:
- Right of Access: You can request information about your personal data stored with us (Art. 15 GDPR).
- Right to Rectification: You can request the correction of inaccurate data (Art. 16 GDPR).
- Right to Erasure: You can request the deletion of your data, provided there are no legal retention obligations (Art. 17 GDPR).
- Right to Restriction: You can request the restriction of processing (Art. 18 GDPR).
- Right to Data Portability: You can receive your data in a structured format (Art. 20 GDPR).
- Right to Object: You can object to processing if it is based on Art. 6 (1) (f) GDPR (Art. 21 GDPR).
Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data (Art. 77 GDPR).
12. SSL/TLS Encryption
This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the address bar of the browser changing from "http://" to "https://" and by the lock symbol in your browser line.
When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.
13. Storage Duration
We only store your personal data for as long as is necessary for the respective purposes or as required by legal retention periods.
| Data Type | Storage Duration |
|---|---|
| Server log files | 30 days |
| Contact requests | After completion of communication |
| User accounts | Until deletion by the user |
| Cookie consent | 1 year |
| Cloudflare CDN logs | Max. 72 hours |
| AI usage logs | 90 days |
| Analysis results (free) | 2 hours |
| Analysis results (premium) | 30 days |
| Payment data | 10 years (legal requirement) |
| Business documents | 10 years (legal requirement) |
14. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy to ensure it always complies with current legal requirements or to implement changes to our services.
The new privacy policy will apply to your next visit. We recommend that you read this privacy policy regularly.
Do you have questions about data protection?