// legal
Privacy Policy
Last updated: 7 May 2026 · Effective date: 7 May 2026
1. Who we are
SIA “Cyber Unicorn” (registration no. 40203002129, Jūrmala, Baznīcas iela 30–13, LV-2015, Latvia) operates the Chrome extensions SerpControl and SerpControl Ultra and the website serpctrl.lv / app.serpctrl.com.
We are the data controller for personal data processed in connection with your use of the website, account, subscription, and extension authentication. The extensions do not transmit audited page content to us (see § 3).
Contact: legal@serpctrl.lv
2. What data we collect and why
| Category | Data | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account data | Email address, name (if provided) | Creating and managing your subscription | Contract (Art. 6(1)(b)) |
| Payment data | Billing address, last four card digits, VAT number (if B2B) — collected and stored by Stripe as our Merchant of Record; we receive only a redacted summary | Processing payments, issuing VAT invoices, fraud prevention | Contract / Legal obligation (Art. 6(1)(b)(c)) |
| Licence data | Extension authentication token, seat assignment, activation and last-seen timestamps | Validating Ultra subscription access and enforcing seat limits | Contract (Art. 6(1)(b)) |
| Support data | Email content you send to support@serpctrl.lv | Responding to support requests | Legitimate interest (Art. 6(1)(f)) |
| Website analytics | Anonymised page views, referrer, browser type — no cookies placed | Understanding how visitors use the site | Legitimate interest (Art. 6(1)(f)) |
| Error telemetry | Error stack traces, browser/runtime metadata, page route, and diagnostic breadcrumbs. Text and media are masked in client replay. | Detecting and fixing production errors | Legitimate interest (Art. 6(1)(f)) |
3. The extensions: audited page data stays in your browser
SerpControl and SerpControl Ultra analyse the active browser tab locally. When you click an audit tool:
- A content script is injected into the active tab you already have open.
- The script reads the live DOM (text, headings, links, JSON-LD, meta tags) and runs the audit in memory.
- Results are rendered as an overlay in the same tab.
- The page content and audit results are not sent to our servers. We never see what you audit.
The LLM Visibility tool (Ultra only) additionally issues a single fetch(location.href, {credentials:"omit"}) from the content-script context — this goes from your browser to the site you are auditing, not to us.
SerpControl Ultra contacts app.serpctrl.com only to authenticate your account, validate subscription/seat access, and issue a signed extension auth token. The extension stores that token locally in chrome.storage.localon your device.
4. Cookies and tracking
The extensions place no cookies and run no tracking scripts.
The website uses only strictly necessary cookies required for the subscription and account flow. We do not use advertising cookies or third-party tracking pixels. See our Cookie Notice for full details.
5. Sub-processors and third parties
We share personal data only with the following sub-processors, all bound by data-processing agreements:
| Sub-processor | Role | Country |
|---|---|---|
| Stripe, Inc. | Merchant of Record, payment processing, tax calculation and remittance, VAT invoicing | US (SCCs apply) |
| Vercel Inc. | Web hosting | US (SCCs apply) |
| Resend Inc. | Transactional email | US (SCCs apply) |
| Sentry | Error monitoring and diagnostics | US/EU infrastructure depending on Sentry configuration (SCCs apply where required) |
We do not sell or rent personal data to any third party. We do not share data with advertising networks.
6. International transfers
Where data is transferred outside the EEA (e.g. to Stripe, Vercel, Resend, or Sentry), we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism.
7. Retention
Account and payment data is retained for the duration of the subscription plus 7 years (as required by Latvian accounting law). Support emails are retained for 2 years from the last interaction. Anonymised analytics data is retained indefinitely.
8. Your rights
Under the GDPR you have the right to: access, rectify, or erase your personal data; restrict or object to processing; data portability; and to withdraw consent where processing is based on consent.
To exercise any right, email legal@serpctrl.lv. We will respond within 30 days.
You also have the right to lodge a complaint with the Latvian Data State Inspectorate (Datu valsts inspekcija, www.dvi.gov.lv) or with the supervisory authority in your country of habitual residence.
9. Children
The Service is not directed at children under 16. If you believe a child has provided us with personal data, email legal@serpctrl.lv and we will delete it promptly.
10. Security
We use TLS for all data in transit and access to production systems is restricted to named individuals. Payment card data is handled entirely by Stripe and never stored on our servers.
11. Changes to this policy
If we make material changes we will update the “Last updated” date and, for Subscribers, send an email notice at least 14 days before the change takes effect.
12. Contact
Registration No.: 40203002129
Jūrmala, Baznīcas iela 30–13, LV-2015, Latvia
legal@serpctrl.lv