Privacy Policy
Last Updated: April 29, 2026
This privacy notice describes how Rankability, Inc. collects, uses, and protects your personal data in compliance with GDPR, UK GDPR, and applicable privacy laws.
Introduction
This privacy notice for Rankability, Inc. ("we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
- Visit our website at https://www.rankability.com
- Use our SEO software and tools
- Engage with us through contact forms, support requests, or email
- Participate in our Academy programs or events
Questions or concerns? If you do not agree with our policies and practices, please do not use our Services. For questions, contact us at [email protected].
1. What Information Do We Collect?
Personal Information You Provide
We collect personal information that you voluntarily provide to us, including:
- Contact Information: Name, email address, company name
- Account Data: Username, password (hashed), account preferences
- Payment Information: Billing address, payment method details (processed by Stripe)
- Communication Data: Messages, support requests, feedback
- Profile Information: Job title, industry, company size (optional)
Automatically Collected Information
When you visit our website, we automatically collect certain information (with your consent where required):
- Device Information: Browser type, operating system, device type
- Usage Data: Pages viewed, time spent, click patterns, feature usage
- Location Data: Approximate geographic location (IP-based, anonymized)
- Cookies & Tracking: Analytics cookies, session cookies, affiliate tracking (see our Cookie Policy)
2. Lawful Basis for Processing (GDPR/UK GDPR)
We process your personal data under the following lawful bases:
Consent (Article 6(1)(a) GDPR)
We process data with your explicit consent for:
- Analytics cookies (Google Analytics, Microsoft Clarity)
- Marketing communications and newsletters
- Affiliate tracking (Rewardful)
You can withdraw consent anytime via Cookie Settings or by emailing us.
Contract (Article 6(1)(b) GDPR)
We process data to fulfill our contract with you:
- Account creation and management
- Providing SEO software services
- Processing payments
- Customer support
Legitimate Interest (Article 6(1)(f) GDPR)
We process data for our legitimate business interests:
- Fraud prevention and security monitoring
- Service improvement and optimization
- Internal analytics and business intelligence
We balance our interests against your rights and only process where our interests do not override your fundamental rights.
Legal Obligation (Article 6(1)(c) GDPR)
We process data to comply with legal obligations such as tax reporting, fraud prevention, and responding to lawful requests from authorities.
3. Third-Party Data Processors
We share your data with the following processors under Data Processing Agreements (DPAs):
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google (Analytics) | Website analytics | USA | SCCs, Data Privacy Framework |
| Microsoft (Clarity) | Session recording, heatmaps | USA | SCCs, Data Privacy Framework |
| Rewardful | Affiliate tracking | USA | SCCs |
| SendGrid (Twilio) | Transactional emails | USA | SCCs, Data Privacy Framework |
| Neon Database | Database hosting | USA | SCCs, encryption at rest |
| Stripe | Payment processing | USA | SCCs, PCI DSS compliant |
| Replit | Application hosting | USA | SCCs, SOC 2 certified |
Note: SCCs = Standard Contractual Clauses. All US-based processors operate under EU-approved Standard Contractual Clauses and/or the EU-US Data Privacy Framework.
4. Connected AI Assistants and the Rankability API (MCP)
Rankability offers a public REST API and a Model Context Protocol (MCP) server at https://rankability.com/mcp that allow you to connect third-party AI assistants — such as Claude Desktop, Cursor, Windsurf, and VS Code Copilot — to your Rankability account.
How access is granted
You can grant access in one of two ways:
- OAuth 2.0 authorization. When you click "Allow Access" on the Rankability consent screen, we issue a scoped, time-limited access token (1-hour expiry) and a refresh token (30-day expiry) bound to the organization that was active at the time of consent. The connected assistant uses these tokens to call our API on your behalf.
- API key. You may also generate a long-lived rk_live_ API key from Settings → API keys and configure your assistant to use it.
What the assistant can access
The connected assistant can read and act on data inside the organization that authorized it, limited to the scopes you approved (for example: list and view clients, read content projects and rank-tracking results, create new content briefs, trigger ranking scans, score pages). The assistant cannot access organizations you have not explicitly connected, cannot access another customer's data, and cannot exceed the scopes shown on the consent screen.
What we do with the data exchanged
Data accessed by an authorized assistant is governed by the same retention, processing, and security terms as the rest of the Rankability product, described elsewhere in this policy. We do not train models on your data, do not sell it, and do not share it with the assistant's vendor (e.g., Anthropic, Cursor) except insofar as the assistant itself sends responses back to that vendor's infrastructure to render them to you. The terms of that vendor's own privacy policy govern how the vendor handles those interactions.
Logging
Every API call made by a connected assistant is recorded in our internal audit log (organization, scope, endpoint, timestamp, status) for security, abuse detection, and customer support. These logs are retained for the same period as other application logs.
Revoking access
You can revoke a connected assistant's access at any time:
- OAuth-connected assistants — Settings → Connected apps → Revoke. The next API call from that assistant will fail with a 401 Unauthorized.
- API-key-connected assistants — Settings → API keys → Delete. Revocation is immediate.
If you have questions about how an authorized assistant has used your data, contact us at [email protected].
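The following is an added illustration of the access model this section describes, not Rankability's own code or API. It models the two credential types (a short-lived OAuth access token plus refresh token, and a long-lived rk_live_ API key), binds each to one organization and a fixed scope set, writes the five audit fields listed above on every call, and returns 401 once a credential has been revoked or deleted. The scope names, the 403 responses for organization or scope mismatches, the refusal of refresh tokens at the API, and the digest-only storage of API keys are assumptions made for the example; the 1-hour and 30-day lifetimes, the organization binding, the rk_live_ prefix and the 401 on revocation come from the text.

```python
"""Toy authorization gate for connected AI assistants (added example).

Not Rankability's code. Assumed for illustration: scope names, 403 for
organization/scope mismatches, refresh tokens rejected at the API, API keys
stored only as SHA-256 digests. From the page: 1 h / 30 d token lifetimes,
organization binding at consent, rk_live_ prefix, 401 after revocation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import secrets

ACCESS_TOKEN_TTL = timedelta(hours=1)
REFRESH_TOKEN_TTL = timedelta(days=30)
NOW = datetime(2026, 4, 29, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Credential:
    kind: str                       # "access", "refresh" or "api_key" (assumed labels)
    org_id: str                     # organization active at consent / key creation
    scopes: frozenset               # scopes approved on the consent screen
    expires_at: Optional[datetime]  # None for a long-lived API key
    revoked: bool = False
    key_id: Optional[str] = None    # display id used when deleting an API key


@dataclass
class Decision:
    status: int
    reason: str


AUDIT_LOG: list = []  # stand-in for the internal audit log


def issue_oauth_tokens(org_id, scopes, now=NOW):
    """Mint the pair issued when the user clicks "Allow Access"."""
    scopes = frozenset(scopes)
    access = Credential("access", org_id, scopes, now + ACCESS_TOKEN_TTL)
    refresh = Credential("refresh", org_id, scopes, now + REFRESH_TOKEN_TTL)
    return access, refresh


def _digest(plaintext):
    return hashlib.sha256(plaintext.encode()).hexdigest()


def issue_api_key(store, org_id, scopes, key_id):
    """Create an rk_live_ key; the store keeps only its digest (assumed scheme)."""
    plaintext = "rk_live_" + secrets.token_urlsafe(24)
    store[_digest(plaintext)] = Credential("api_key", org_id, frozenset(scopes), None,
                                           key_id=key_id)
    return plaintext  # shown to the user once, never persisted


def resolve_api_key(store, plaintext):
    """Map a presented key to its credential; None means unknown or deleted."""
    return store.get(_digest(plaintext))


def delete_api_key(store, key_id):
    """Settings -> API keys -> Delete: drop the digest, so lookups fail at once."""
    for digest, cred in list(store.items()):
        if cred.key_id == key_id:
            del store[digest]


def authorize(cred, org_id, required_scope, endpoint, now=NOW):
    """Decide one API call and record the audit fields the policy lists."""
    if cred is None or cred.revoked:
        d = Decision(401, "unknown or revoked credential")
    elif cred.kind == "refresh":
        d = Decision(401, "refresh token is not accepted at the API")
    elif cred.expires_at is not None and now >= cred.expires_at:
        d = Decision(401, "expired")
    elif org_id != cred.org_id:
        d = Decision(403, "not the organization bound at consent")
    elif required_scope not in cred.scopes:
        d = Decision(403, "scope not granted")
    else:
        d = Decision(200, "ok")
    AUDIT_LOG.append({"organization": org_id, "scope": required_scope,
                      "endpoint": endpoint, "timestamp": now.isoformat(),
                      "status": d.status})
    return d


if __name__ == "__main__":
    access, refresh = issue_oauth_tokens("org_a", ["clients:read", "briefs:write"])
    print(authorize(access, "org_a", "clients:read", "/clients"))          # 200
    print(authorize(access, "org_b", "clients:read", "/clients"))          # 403
    print(authorize(access, "org_a", "clients:read", "/clients",
                    now=NOW + ACCESS_TOKEN_TTL))                           # 401
    keys = {}
    k = issue_api_key(keys, "org_a", ["scans:write"], key_id="k1")
    delete_api_key(keys, "k1")
    print(authorize(resolve_api_key(keys, k), "org_a", "scans:write", "/scans"))  # 401
```

The point of the model is that the assistant never holds anything broader than the consent screen showed: the organization and scope set are fixed inside the credential at issue time, every decision is written to the audit log whether or not it succeeds, and deleting an API key removes the only record the server could match it against, so revocation cannot be undone by a cached copy on the assistant's side.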
5. International Data Transfers
Rankability, Inc. is based in the United States. If you are accessing our services from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
We ensure appropriate safeguards are in place for all international transfers:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses with all US-based processors
- EU-US Data Privacy Framework: Processors certified under the adequacy decision
- Technical Safeguards: Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication, audit logs
6. Data Retention Periods
We retain your personal data only as long as necessary for the purposes outlined in this policy:
After retention periods expire, we securely delete or anonymize your data. You can request early deletion at any time (subject to legal requirements).
7. Your Data Protection Rights
If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR/UK GDPR:
Right to Access (Article 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
Correct inaccurate or incomplete personal data.
Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your personal data (subject to legal obligations).
Right to Restriction (Article 18)
Request restriction of processing in certain circumstances.
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format (CSV/JSON).
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Withdraw consent for cookie tracking or marketing at any time.
Right to Lodge a Complaint
File a complaint with your local data protection authority if you believe your rights have been violated.
How to Exercise Your Rights: Visit our Data Subject Rights Portal or email [email protected]. We will respond within 30 days.
8. How We Protect Your Data
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Controls: Role-based access, multi-factor authentication, least privilege principle
- Regular Audits: Security assessments, penetration testing, vulnerability scanning
- Staff Training: Regular data protection and security awareness training
- Incident Response: Documented breach notification procedures (within 72 hours to authorities)
- Vendor Management: DPAs with all processors, regular compliance reviews
While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
9. Children's Privacy
Our Services are not directed to children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at [email protected].
10. Updates to This Policy
We may update this privacy policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by email (if you have an account) or by posting a prominent notice on our website. The "Last Updated" date at the top indicates when the policy was last revised.
11. Contact Information
For privacy-related questions, data subject rights requests, or complaints:
Privacy Contact
Email: [email protected]
Company Information
Rankability, Inc.
6 Cardinal Way, Suite 900
St. Louis, MO 63102
United States
EU Representative
We are currently a small business and do not have a dedicated EU representative. EU residents can contact us directly at the address above or at [email protected].
Supervisory Authority
EU/EEA residents have the right to lodge a complaint with their local data protection authority. UK residents can contact the Information Commissioner's Office (ICO).