Data processing addendum.

The DPA forms part of our Terms when you process personal data using RankTracker. Self-executing on Agency Scale and Enterprise tiers, no countersignature required. Countersigned copies available on request.

Roles

You are the Controller of personal data you submit to the Service. RankTracker is the Processor. For data we collect about your account itself (logins, billing), we are the Controller.

Scope

This DPA covers all personal data processed by RankTracker on your behalf in connection with the Service, for the duration of your subscription plus the retention period defined in the privacy policy.

Sub-processors

The current list of sub-processors who may process Customer Personal Data is below. We provide 30 days' notice of additions via email, in-app banner, and the RSS feed at /legal/dpa/feed.xml.

Sub-processor                        Purpose                              Region
Supabase (database, auth, storage)   Application data hosting             EU/US
Cloudflare                           Edge compute & CDN                   Global
Stripe                               Payment processing                   EU/US
Resend                               Transactional email                  US
OpenAI (zero-retention endpoint)     ChatGPT scans, content briefs        US
Anthropic (zero-retention endpoint)  Claude scans                         US
Google AI (Vertex)                   Gemini scans, AI Overviews context   US/EU
Perplexity API                       Perplexity scans                     US
SerpAPI / DataForSEO                 SERP rank scanning                   US
PostHog (EU)                         Product analytics                    EU
Sentry                               Error monitoring                     EU

AI training restriction

RankTracker contractually requires every LLM sub-processor (OpenAI, Anthropic, Google, Perplexity) to operate under zero-retention enterprise endpoints when processing Customer Personal Data. Prompts and responses generated by your scans are not used to train, fine-tune, or improve any third-party model. We do not train our own models on Customer Personal Data either.

International transfers

EU/EEA personal data transferred outside the EEA is governed by the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), Module Two (Controller to Processor), supplemented by the EU-US Data Privacy Framework where the recipient is certified. UK transfers are governed by the UK IDTA. Swiss transfers use the FADP-aligned SCCs.

Data residency

Default region is US-East. EU residency (Frankfurt) and UK residency (London) are available on Enterprise. Per-workspace selection at creation. Once selected, primary storage and processing stay in region; some LLM sub-processors may be invoked from other regions when no in-region endpoint exists, and this is disclosed.

Security

We maintain a written Information Security Program meeting recognised industry standards (SOC 2 Type II audited annually; ISO 27001-aligned controls). Detail at /legal/security.

Breach notification

Customer notification within 72 hours of confirming a Personal Data Breach affecting your workspace. Notification includes nature and scope of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed.

Audit rights

Annual SOC 2 Type II and ISO 27001-aligned reports available under NDA. On-site audits available for Enterprise customers on reasonable notice and at the customer's expense, subject to confidentiality.

Return and deletion

On termination, Customer Personal Data is available for export for 30 days, then purged from production systems within 30 days. Encrypted backups age out within 35 days. A deletion certificate is available on request.

Sub-processor notifications

Subscribe to dpa-updates@ranktracker.ca or the RSS feed for sub-processor change notifications. You have 30 days from notice to object; reasonable objections trigger commercially reasonable mitigation or, at your option, termination with a pro-rata refund.