Does your website use third-party services? Get GDPR compliant in minutes.

SEMrush

What does SEMrush do?

Semrush is a B2B SEO and content marketing platform used by marketing teams, agencies and consultants to research keywords, audit sites, track positions, monitor competitors and analyse PPC campaigns. Semrush is accessed by authenticated employees on semrush.com. SemrushBot crawls publicly available pages to feed the index. Semrush is a US listed company with a strong European presence in Cyprus.

What Semrush is and how it fits in a website operation

Semrush is one of the leading SEO and content marketing platforms with more than 50 tools that span keyword research, backlink analysis, technical site audits, position tracking, content optimisation, social media management, local SEO and competitive intelligence. The product is delivered as a B2B SaaS dashboard at www.semrush.com, accessed by authenticated users only. SemrushBot, the public crawler, powers the indexed dataset. Semrush is publicly listed on the NYSE.

What data Semrush processes

In the SaaS, Semrush processes employee account information (email, role, SSO claims, two factor authentication), URLs and keywords submitted by users, projects, reports and access logs. SemrushBot collects publicly accessible HTML, headers, robots.txt and sitemaps. The bot respects robots.txt and identifies itself with a documented user agent (SemrushBot, SemrushBot-SA, SemrushBot-BA). The Semrush dashboard itself uses authentication cookies, security cookies and product analytics cookies for logged in users.

GDPR and ePrivacy implications

Semrush is a backend SaaS tool: it does not set cookies on the visitors of customer websites and therefore does not trigger the ePrivacy consent rule for them. SemrushBot crawling public pages relies on legitimate interest under Article 6(1)(f) GDPR; webmasters can deny it via robots.txt. SaaS usage by authenticated marketing teams is processed under Article 6(1)(b) GDPR.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

International data transfers

Semrush Holdings Inc. is established in the United States with operations in Cyprus and a global engineering team. SaaS workloads run on AWS with US and EU regions. Transfers rely on the Semrush Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework. Supplementary measures include TLS 1.3, encryption at rest, ISO 27001 and SOC 2 Type II controls.

Practical compliance steps

Sign the Semrush Data Processing Addendum, enable SAML SSO and two factor authentication on the SaaS, restrict access to authorised employees, define explicit robots.txt rules for SemrushBot variants, document Semrush as a processor in your record of processing activities and mention Semrush Holdings Inc. and the US transfer in the privacy notice.

GDPR consent category

Marketing

Websites using SEMrush must obtain user consent under GDPR regulations.

Legal basisPerformance of a contract (Art. 6(1)(b) GDPR) for the Semrush SaaS; legitimate interest (Art. 6(1)(f) GDPR) for SemrushBot crawling public pages; consent (Art. 6(1)(a) GDPR) for Semrush widgets embedded with cookies on a public website

Risk levellow

Applicable regulationsGDPR, ePrivacy Directive (Cookie Law), CCPA

DPIA considerations

A DPIA is generally not required for internal SEO usage of Semrush. A DPIA may be considered when Semrush is used to harvest competitor data at industrial scale via the API, when it is integrated with HR or sales tools that combine personal data or when sensitive sectors export bulk datasets.

Sample consent text

Our marketing team uses Semrush, an SEO and content marketing platform operated by Semrush Holdings Inc. (USA, with EU offices in Cyprus). Semrush is accessed by authenticated employees on semrush.com and is not embedded in our public website. The SemrushBot crawler may visit publicly available pages of our site according to the rules in robots.txt.

Technical details

Tracking methodB2B SaaS dashboard accessed at www.semrush.com; SemrushBot crawler for site and competitor analysis; optional ImpactHero behavioural research script (rarely embedded on customer sites)

Server locationBoston, Massachusetts and Limassol, Cyprus (Semrush Holdings Inc.); global AWS deployment

Cookieless tracking availableYes

Data transferred outside the EUSemrush Holdings Inc. is incorporated in Delaware (USA) with operational headquarters in Boston and a major European hub in Limassol, Cyprus. Customer data and SaaS workloads run on AWS in US and EU regions. Transfers rely on the Semrush Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework.

Third-party domains contacted

semrush.comstatic.semrush.comsemrushcdn.comsemrush.it

SEMrush places tracking cookies for advertising — comply with GDPR using FlowConsent.

Get started free Scan your site

Frequently asked questions

Does Semrush set cookies on visitor websites?

No. Semrush is a B2B SaaS tool accessed by authenticated employees on semrush.com. It does not deploy cookies on the public websites of its customers. Cookies are only set inside the Semrush dashboard for the authenticated user.

Is consent required for SemrushBot crawling?

No. SemrushBot variants (SemrushBot, SemrushBot-SA, SemrushBot-BA) access public pages under legitimate interest under Article 6(1)(f) GDPR. Webmasters can disallow them in robots.txt. Consent is not the appropriate legal basis for impersonal crawling of public content.

What is the legal basis for processing data through Semrush?

Performance of a contract under Article 6(1)(b) GDPR for the Semrush SaaS used by authenticated employees. Legitimate interest under Article 6(1)(f) GDPR for SemrushBot crawling. Consent under Article 6(1)(a) GDPR if any Semrush widget that sets cookies is embedded on a public website.

How are data transfers to the United States protected?

Semrush signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Supplementary measures include TLS 1.3 in transit, encryption at rest, ISO 27001 and SOC 2 Type II.

Is a DPIA required for Semrush?

A DPIA is not required for internal SEO use. It may be relevant when Semrush is integrated with HR or sales tools that combine personal data, when it powers automation that targets identified EU users or when sensitive industries export bulk datasets through the API.

How do I block SemrushBot if I do not want it crawling my site?

Add a User-agent: SemrushBot block in robots.txt with Disallow: /. Also add separate blocks for SemrushBot-SA, SemrushBot-BA and SiteAuditBot if you want to opt out of every crawl. Semrush honours robots.txt within a few hours.

What are the alternatives to Semrush in Europe?

European or open source alternatives include SISTRIX (Germany), Searchmetrics (Germany), SEObserver (France), Babbar (France), Majestic (UK) and Screaming Frog (UK). Most teams combine an SEO platform with Google Search Console and Bing Webmaster Tools.

How do I update the cookie policy when using Semrush?

No specific cookie entry is needed because Semrush does not set cookies on your public website. Mention Semrush Holdings Inc. (USA, with EU offices in Cyprus) as a processor used internally by the SEO team and link to the Semrush Privacy Policy.

Get compliant — Try FlowConsent free

Free plan · 10-min setup