Legal · Patnick

Privacy Policy

Last updated: April 22, 2026 · Effective immediately on publication

Plain-English summary

We collect the minimum data needed to deliver our SEO service, host our primary database in the EU, and do not sell personal data or use it to train AI models. You can export or delete your data at any time by writing to legal@patnick.com. Patnick is a Finnish company and is the data controller for the processing described below.

1. Who we are (the controller)

Patnick is the controller of the personal data described in this Privacy Policy. Our contact details are:

  • Name: Patnick (a Finnish private limited company / osakeyhtiö — Oy — in the course of being registered with the Finnish Patent and Registration Office, PRH)
  • Registered address: Keltasafiirinpolku 1A 07, 01300 Vantaa, Finland
  • Country of establishment: Finland (European Union)
  • General privacy / legal contact: legal@patnick.com
  • Business ID (Y-tunnus): will be published here once the Oy is registered

EU / EEA representative (Art. 27 GDPR): not required — the controller is established in the European Union.

Data Protection Officer (Art. 37 GDPR): a DPO is not mandatory for Patnick's current activities. The person responsible for privacy at Patnick is the founder; you can reach them at legal@patnick.com.

2. Scope

This Privacy Policy applies to anyone who visits patnick.com, creates an account, subscribes to a plan, or uses the Patnick platform. Patnick serves customers located in the United States and the European Union only, and the service is offered in English only.

Depending on where you live, the following laws apply to our processing of your data:

  • EU and EEA residents: General Data Protection Regulation (EU) 2016/679 (GDPR) and the Finnish Data Protection Act (1050/2018).
  • United Kingdom residents: UK GDPR and the Data Protection Act 2018.
  • California residents: California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA / CPRA).

3. Data we collect

3.1 Data you provide directly

  • Name and email address (required to create an account).
  • Password, stored only as a bcrypt hash — we never see your plain password.
  • Company name (optional, used for personalisation).
  • Website URL and pages you ask us to analyse.
  • Messages you send to our support channels.

3.2 Data collected through integrations (with your explicit consent)

  • Google Search Console OAuth token and the query, click, and impression data it returns.
  • Shopify or WordPress OAuth tokens, if you connect those platforms for automated SEO fixes.
  • HTML, text, and metadata from the website pages you instruct Patnick to analyse.

3.3 Data collected automatically

  • IP address and basic request headers (browser, device, referrer), used for security, fraud prevention, and abuse detection.
  • Aggregate, privacy-preserving analytics via Plausible (cookieless, EU-hosted).
  • Essential session and CSRF cookies — see our Cookie Policy.

3.4 Payment data

Card numbers, CVC codes and expiry dates are collected and processed exclusively by Stripe, a PCI-DSS Level 1 certified processor. Patnick never sees, transmits or stores raw card data. We store only the Stripe customer ID, subscription status, the last four digits and brand of the card, and invoice metadata needed for accounting.

4. Why we process your data (legal bases)

| Purpose | Legal basis (GDPR Art. 6 / UK GDPR Art. 6) |
| --- | --- |
| Creating and operating your account; delivering the service you subscribed to | Performance of a contract — Art. 6(1)(b) |
| Billing, invoicing, VAT/sales-tax and accounting records | Legal obligation — Art. 6(1)(c) |
| Responding to your support requests | Contract / legitimate interest — Art. 6(1)(b), (f) |
| Understanding feature adoption and improving the service in a privacy-preserving way (aggregate analytics only) | Legitimate interest — Art. 6(1)(f): to measure and improve product quality in a manner that does not override your fundamental rights |
| Preventing abuse, fraud, spam and security incidents on the platform | Legitimate interest — Art. 6(1)(f): to keep the service and its users safe and stable |
| Sending optional marketing emails (product updates, tips) | Consent — Art. 6(1)(a); you can withdraw at any time |
| Connecting your Google Search Console, Shopify, or WordPress accounts when you choose to | Consent + performance of a contract — Art. 6(1)(a), (b) |
| Exercising or defending legal claims | Legitimate interest / legal obligation — Art. 6(1)(c), (f) |

5. Sub-processors

We rely on the following carefully vetted service providers. Each one is bound by a written Data Processing Agreement (DPA). Where a transfer outside the EEA / UK is involved, we put in place an appropriate safeguard for that specific vendor and transfer (see section 6).

| Processor | Role | Primary location |
| --- | --- | --- |
| Stripe Payments Europe, Ltd. | Payment processing, billing, fraud prevention | Ireland / United States |
| Supabase | Primary managed PostgreSQL database and authentication | European Union (Frankfurt region) |
| Vercel Inc. | Hosting, edge compute, global content delivery network | Global edge (some processing outside the EU) |
| OpenAI, L.L.C. | AI content generation (Content Lab add-on only) | United States |
| Google LLC | Google Search Console OAuth and API | United States |
| Resend Inc. (or Postmark) | Transactional email delivery | United States |
| Plausible Insights OÜ | Cookieless, privacy-first web analytics | European Union (Estonia / Germany) |

Patnick does not sell personal data. Patnick does not share personal data for cross-context behavioural advertising. Patnick does not permit any sub-processor to use your personal data to train or fine-tune their AI models.

6. International data transfers

Our primary database is hosted in the European Union (Supabase, EU region). Some data may be processed or made accessible outside the EU / EEA / UK by approved sub-processors and by global edge infrastructure, for example to deliver website content or to process payments. Where that happens, we put in place an appropriate Chapter V safeguard for the specific vendor and scope, which may include:

  • The European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organisational measures where needed.
  • The UK International Data Transfer Addendum (IDTA) for transfers originating from the UK.
  • Reliance on the EU–US Data Privacy Framework (and its UK extension), but only for sub-processors that are certified under the DPF and only for the specific processing activities covered by that certification.

You can request a copy of the relevant safeguard for any specific sub-processor by writing to legal@patnick.com.

7. How long we keep your data

| Category | Retention |
| --- | --- |
| Active account data | For the life of your account, plus up to 30 days after cancellation for account-closure and dispute-resolution purposes. |
| Invoices, billing and accounting records | As long as required by applicable tax, accounting and corporate-law rules — typically several years. In Finland, accounting records are generally retained for the statutory bookkeeping period (currently six years under the Finnish Accounting Act, longer for specific items). US tax records are retained in line with IRS requirements applicable to the type of record. |
| Integration OAuth tokens | Until you revoke them in the connected platform or close your Patnick account. |
| Support tickets | Up to 3 years, for service-quality and dispute-resolution purposes. |
| Aggregated, non-identifying product analytics | Rolling 24 months. |
| Security / audit logs | Up to 12 months, unless needed longer to investigate a specific incident. |

8. Your rights

8.1 Under the GDPR and UK GDPR

  • Access a copy of your personal data.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”), subject to narrow legal exceptions.
  • Restrict or object to processing, including a right to object to processing based on legitimate interests.
  • Data portability, for data you provided to us under consent or contract.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Lodge a complaint with a supervisory authority. In Finland, the lead supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), PL 800, 00531 Helsinki, Finland — tietosuoja.fi. UK residents can also contact the Information Commissioner's Office (ICO) at ico.org.uk.

8.2 Under the CCPA / CPRA (California)

  • Right to know what we collect and how we use it.
  • Right to delete your personal information.
  • Right to correct inaccurate information.
  • Right to opt out of sale or sharing — Patnick does not sell or share your personal information.
  • Right to limit the use of sensitive personal information.
  • Right to non-discrimination for exercising these rights.

8.3 How to exercise your rights

Email us at legal@patnick.com from the address associated with your account. We aim to acknowledge requests within 72 hours. We will respond and fulfil requests within the timeframes required by applicable law, including typically within one month under the GDPR / UK GDPR (extendable by up to two further months for complex or numerous requests) and within 45 days under the CCPA / CPRA (extendable by a further 45 days where reasonably necessary), subject to identity verification and any other lawful extensions. There is no charge for reasonable requests.

9. AI and automated decision-making

Patnick's recommendation engine identifies and proposes SEO fixes. No fix is applied to your live site without your explicit, one-click approval. Patnick does not make any decision that produces a legal or similarly significant effect on you solely by automated means.

The optional Content Lab add-on submits prompts to OpenAI's API. By default, OpenAI does not use API data to train its models, and we request the strictest available data-handling configuration for our account (including zero-retention where OpenAI makes it available for our use case). The exact configuration may vary over time based on OpenAI's policies and the specific API endpoints we use. Every Content Lab output is reviewed and edited by Patnick before it is delivered to you (approximately 80% human editorial curation).

10. Security

We apply organisational and technical safeguards appropriate to the nature of the data we process. These currently include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption at rest on our primary database (managed by Supabase).
  • Bcrypt hashing for user passwords.
  • Access to customer data on a need-to-know basis, with audit logging of administrative actions.
  • Two-factor authentication on administrative accounts used by Patnick staff.
  • Regular dependency updates and planned independent security reviews.

No system is perfectly secure. If you believe you have discovered a vulnerability, please write to legal@patnick.com with “Security” in the subject line. We will acknowledge within 24 hours and work with you on a responsible disclosure.

11. Children

Patnick is a business tool and is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us and we will delete the data promptly.

12. Changes to this policy

If we make material changes, we will notify registered customers by email at least 30 days before the changes take effect, and update the “Last updated” date at the top of this page. Continued use of the service after the effective date means you accept the new policy.

13. Contact

Patnick
Keltasafiirinpolku 1A 07
01300 Vantaa
Finland
All privacy, data-protection and legal enquiries: legal@patnick.com

Questions about this policy?

Contact us at legal@patnick.com. We read every email and reply within 2 business days.