Data Handling & Privacy
Rankability processes SEO data, website analytics, and content on behalf of agencies and businesses. We take a minimalist approach to data collection — we only collect what is necessary to deliver the service, and we have clear retention policies for every data type.
Data Classification
We classify all data into four tiers, each with specific handling requirements:
| Classification | Description | Examples |
|---|---|---|
| Restricted | Highly sensitive; unauthorized disclosure causes severe harm | OAuth tokens, API keys, encryption keys |
| Confidential | Business-sensitive; unauthorized disclosure causes significant harm | Customer email addresses, organization data, financial records |
| Internal | Not intended for public disclosure | Admin logs, analytics, rate limit configurations |
| Public | Intended for public consumption | Published content, API documentation |
What Data We Collect
Account Data
- Email address and name (managed by our authentication provider, Clerk)
- Organization membership and roles
- Subscription and billing status (managed by Stripe — we never store payment card data)
Integration Data
- OAuth tokens for Google services (Search Console, Analytics, Business Profile, YouTube) — stored encrypted (AES-256-GCM)
- Website URLs and domain information you connect to the platform
SEO & Content Data
- Keywords, search rankings, and competitor analysis data
- Content drafts, outlines, and AI-generated copy
- Site audit results, backlink data, and performance metrics
Usage Data
- Feature usage analytics for product improvement
- API request logs for debugging and abuse detection
What We Do NOT Collect
- Payment card numbers, CVVs, or bank account details (Stripe handles all payment processing)
- Passwords (authentication is fully managed by Clerk)
- Personal browsing history outside of Rankability
- Data from your Google accounts beyond the specific scopes you authorize
Data Retention
Every data type has a defined retention period. Cleanup runs automatically on a daily schedule, and all retention runs are logged for audit purposes.
| Data Type | Retention Period |
|---|---|
| URL content cache | 7 days |
| Agent API request logs | 30 days |
| Rank tracker results | 90 days |
| Revoked API keys | 90 days |
| Old notifications | 180 days |
| Bulk research jobs | 180 days |
| Stripe webhook events | 1 year |
| Admin audit logs | 7 years |
| Credit transactions | 7 years |
Financial records are retained for 7 years to meet compliance requirements. Operational data is cleaned up much sooner.
Data Deletion
When you disconnect a Google integration, the associated OAuth tokens are nullified immediately and cleaned up from the database within 30 days.
If you need your data deleted, contact us at [email protected]. We will process your request and confirm deletion within 30 days.
Data Minimization
We follow the principle of sending only necessary data to third-party services:
- No personally identifiable information is sent to SEO data providers
- AI providers receive only the content context needed for generation — no unnecessary PII
- AI providers are configured with zero data retention and have opted out of training on customer data
Cookies
Rankability uses essential cookies for authentication and session management. We use product analytics to improve the platform. We do not sell or share cookie data with advertising networks.
For security inquiries or to request our SOC 2 report, contact [email protected]