Privacy Policy

1. Data controller and contact

RankFade is the data controller for personal data processed through the Services. You can reach our data-protection contact at [email protected]. EU/UK users may also contact us in writing at the postal address published on our website.

2. Categories of data we collect

We collect data in five categories: account data, product content, operational telemetry, billing metadata, and support context.

• Account data: email address, hashed password, locale, time zone, and authentication metadata.
• Product content: text you upload (CSV feedback, Slack channel messages you grant us access to, web URLs you ask us to monitor), and the AI summaries we produce.
• Operational telemetry: IP address, user agent, page paths, error reports, and aggregate usage counters used to keep the Services online and safe.
• Billing metadata: order identifiers, plan, country, and tax region returned by our merchant of record (Paddle).
• Support context: tickets you submit to us, including replies and any information you choose to include.

3. Lawful basis for processing (GDPR / UK-GDPR)

Where the EU GDPR or the UK GDPR applies, we rely on the following legal bases. For each processing purpose only one basis applies at a time; we will tell you which one on request.

• Performance of contract (Art. 6(1)(b)): account creation, authentication, delivering paid features you purchased, processing payments and refunds.
• Legitimate interest (Art. 6(1)(f)): security telemetry, abuse and fraud prevention, debugging, and aggregated product analytics. You may object at any time.
• Consent (Art. 6(1)(a)): non-essential analytics cookies, marketing emails, and any optional features that involve sending your content to a new third-party processor we have not used before. Consent can be withdrawn at any time without affecting prior lawful processing.
• Legal obligation (Art. 6(1)(c)): retention of tax and billing records, responding to lawful requests from authorities.

4. How we use the data

We use personal data to provide and improve the Services, including the following purposes.

• Authenticate your account and protect it from abuse.
• Run the analyses you request (theme extraction, ranking checks, Slack digests) and deliver results.
• Process payments through Paddle, our merchant of record, and provide receipts.
• Respond to your support tickets and product feedback.
• Diagnose outages, prevent fraud, and comply with legal obligations.
• Send transactional emails (receipts, security alerts) and, only if you opt in, product updates.

5. Retention

We retain personal data only for as long as needed for the purpose for which it was collected, plus any minimum period required by law. Concrete retention windows:

• Account data: while your account is active, then up to 24 months after deletion (in cold storage; not visible in the app) to handle disputes, abuse investigations, and re-activation requests.
• Raw uploads (feedback CSVs, Slack messages cached for digesting): up to 30 days, then deleted; processed summaries follow your plan's retention.
• Operational logs (application, web server, security): 90 days unless an active incident requires longer retention.
• Backups: encrypted snapshots are retained for 30 days, then overwritten on rolling rotation.
• Support tickets: 24 months after the ticket is closed.
• Billing and tax records: 7 years (or longer where local tax law requires).

6. Subprocessors and where data is stored

We use a small number of subprocessors to operate the Services. The current list is published on this page and updated when we add or remove a vendor. Material changes are notified to active customers at least 14 days before they take effect, so they can object.

• Paddle.com Market Limited (merchant of record, billing and tax) — Ireland and global.
• Cloudflare, Inc. (DNS, CDN, edge security) — global.
• OpenAI, L.L.C. and Anthropic, PBC (model inference for product features) — United States. Data sent for inference is not used by these vendors to train their foundation models under our enterprise agreements.
• Hosting and database providers in the United States and European Union (current vendors disclosed at /legal/subprocessors).
• Resend (transactional email delivery).
• Sentry (error monitoring with personal identifiers redacted) and PostHog (product analytics, opt-in).

7. International transfers

Some of our subprocessors are located outside the European Economic Area or the United Kingdom (notably the United States). Where we transfer personal data internationally we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, supplemented by technical measures such as transit encryption, encryption at rest, and pseudonymisation where feasible. A summary of our transfer impact assessment is available on request from [email protected].

8. Your rights (GDPR, UK-DPA, CCPA/CPRA)

Subject to applicable law, you have the following rights with respect to your personal data. We honor these rights for all users regardless of jurisdiction; specific statutory rights apply to EU/UK residents and California residents.

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure ('right to be forgotten') — ask us to delete your data; we will do so unless we have an overriding legal obligation to retain it.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to restriction of processing — temporarily limit how we use your data while a dispute is resolved.
• Right to object — object to processing based on legitimate interest, including profiling.
• Right to withdraw consent — for any processing based on consent, with no effect on prior lawful processing.
• California rights (CCPA/CPRA) — right to know, delete, correct, opt out of sale/share (we do not sell or share for cross-context behavioural advertising), and limit use of sensitive personal information. We do not discriminate against users who exercise these rights.
• To exercise any of these rights, email [email protected] from the address on file. We aim to respond within 30 days (45 days for California requests).
• Right to lodge a complaint — if you believe we have mishandled your data, you may complain to your local supervisory authority (for the EU, your national Data Protection Authority; for the UK, the Information Commissioner's Office at ico.org.uk; for California, the California Privacy Protection Agency).

9. Children

The Services are for users aged 16 and older. We do not knowingly collect data from children under 16. If you believe a child has provided us data, contact us and we will delete it.

10. Security

We use TLS in transit, encryption at rest for sensitive secrets (such as Slack bot tokens), least-privilege access for staff, two-factor authentication for administrators, and audit logs for sensitive actions. No system is perfectly secure; if we learn of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours where required, and notify affected users without undue delay.

11. Automated decision-making

We do not use personal data for automated decisions that produce legal or similarly significant effects on you. AI features (theme extraction, digests, ranking analysis) generate recommendations that humans review and act on; they do not auto-execute decisions about you.

12. Changes

If we materially change this policy, we will update the effective date and notify active users by email or in-app banner at least 14 days before the change takes effect. Continued use after the new effective date constitutes acceptance.

13. Contact

For any privacy question or to exercise your rights, email [email protected]. For general legal correspondence, use [email protected]. We aim to respond within 30 days.

Contact

For questions about this document, email [email protected].

Other policies

• Terms of Service
• Refund Policy
• Cookie Policy