The short version
RankTracker is a B2B SaaS product. We process the minimum personal data needed to deliver the service: account credentials, the Google Search Console properties you connect, the keywords and domains you tell us to track, and basic billing information. We don't sell data. We don't train AI models on your content. We don't run ad-tech on logged-in surfaces. We host inside the EU and the United States and act as a Data Processor for everything you bring into the platform.
1. Who we are
RankTracker is operated by RankTracker Inc. ("we", "us"). Our registered address and DPO contact are available on request via privacy@ranktracker.ca. UK and EU representatives are listed on the DPA at /legal/dpa.
2. What we collect
- Account data - email, name, hashed password (or OAuth identifier), workspace and agency name.
- Workspace content - clients, projects, keywords, competitors, prompts, generated content briefs, and any notes you save.
- Connected service data - Google Search Console site list and metrics for properties you explicitly connect; OAuth refresh tokens, encrypted at rest with per-customer envelope keys.
- Usage data - page views, button clicks, API call counts, error traces. Used to operate and improve the product; never sold.
- Billing data - name, address, VAT, last-4 of card, processed by our PCI-DSS Level 1 payment processor (Stripe). We never store full card numbers.
3. Legal bases (GDPR Art. 6)
- Contract - to deliver the service you paid for.
- Legitimate interest - security, fraud prevention, product analytics.
- Consent - optional marketing emails and non-essential cookies.
- Legal obligation - tax records, abuse investigations.
4. AI training opt-out (the 2027 clause)
We do not use Customer Content, scan outputs, or workspace data to train, fine-tune, or improve any third-party AI model. Our sub-processors that provide LLM APIs (OpenAI, Anthropic, Google, Perplexity) operate under their zero-retention enterprise endpoints for our scans, so prompts and responses are not used to train their models either.
5. Sub-processors
A current list is maintained at /legal/dpa. We notify subscribers 30 days before adding a new sub-processor that materially handles personal data, via in-app banner, email, and an RSS feed at /legal/dpa/feed.xml.
6. Data retention
Active account data is retained for the life of your subscription plus 90 days. Backups are kept for 35 days. Scan response payloads default to 13 months of retention; you can shorten this to 30, 90, or 180 days from workspace settings. On account deletion, we purge identifiable data within 30 days; aggregated, non-identifiable analytics may be retained indefinitely.
7. Your rights
Access, correction, deletion, portability, restriction, objection, and the right to lodge a complaint with your supervisory authority. Email privacy@ranktracker.ca - we respond within 30 days. Workspace owners can self-serve export and delete from settings.
8. International transfers
Where personal data leaves the EU/EEA, we rely on Standard Contractual Clauses (Commission Decision (EU) 2021/914) supplemented by the EU-US Data Privacy Framework where applicable. UK transfers use the UK International Data Transfer Addendum. Swiss transfers use the FADP-aligned SCCs.
9. Data residency
The default region is US-East. EU residency (Frankfurt) and UK residency (London) are available on Enterprise and selected per workspace at creation time. Once selected, primary storage and processing for that workspace stay in region; some sub-processors (LLM APIs) may still be invoked from other regions when no in-region endpoint exists, and this is disclosed at scan time.
10. Cookies
Strictly necessary cookies only on logged-in surfaces. The marketing site uses privacy-preserving analytics (no cross-site tracking, no fingerprinting, no third-party cookies). A full cookie inventory is published at /legal/security.
11. EU AI Act
RankTracker's AI features (content briefs, automated commentary in reports) qualify as general-purpose AI assistive tools under the EU AI Act and are deployed in a transparent way: any AI-generated text in the product is labelled, you can disable AI features per workspace, and we maintain a model card describing the providers, intended use, and known limitations. We are not deploying high-risk AI systems as defined by Annex III.
12. Children
The service is not directed to anyone under 16.
13. Changes
Material changes are announced via in-app banner and email at least 30 days before taking effect. A versioned changelog of this policy is maintained at /legal/privacy/changelog.