The short version: We collect the minimum personal information needed to run Ranklet: your name, email, hashed password, the briefs you generate, and the billing records Stripe sends us. We don't sell personal data, we don't share it with advertisers, and we don't train AI models on your keywords or briefs. We share data only with the named subprocessors listed below, and only to the extent each one needs to do its job. You can request access, correction, or deletion of your data at any time by emailing [email protected]; we will respond within 30 days, and a confirmed deletion is propagated across our active systems and backups within 30 days of confirmation.
1. Who we are
Ranklet ("Ranklet", "we", "us", "our") is an AI-powered SEO content brief generator operated by Vasyl Moshchenko as a sole proprietor based in Ontario, Canada. For any privacy question, data-subject request, or DMCA notice, contact [email protected].
This Privacy Policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to the Ranklet website at ranklet.io and the Ranklet web application (together, the "Service"). It does not apply to third-party websites or services that link to or from Ranklet.
2. Information we collect
2.1 Information you give us at sign-up
- First name and last name, used to personalise the app and address you in transactional email.
- Email address, used as your login identifier and for transactional email (receipts, password resets, security notices, material changes to these policies).
- Password. Never stored in plaintext. We store only a one-way hash generated by bcrypt with a per-user salt. We cannot recover your password; if you forget it, you reset it via email.
2.2 Information generated through your use of the Service
- Briefs you generate. The keyword you entered, the country code you targeted, the live Google SERP snapshot fetched for that keyword at generation time, and the brief that our AI pipeline produced. We retain these so you can revisit, search, and export your past briefs.
- Usage and credit ledger. A per-account record of how many briefs you generated, how many credits you have left in the current billing period, and any overage packs you purchased or consumed.
- Billing records. Your subscription status, current plan, next renewal date, and the Stripe customer / subscription identifiers that link your Ranklet account to your Stripe records. We never see or store your full credit-card number; Stripe holds it. We receive only a tokenized payment method reference, the brand and last four digits of your card (for display in the billing page), and Stripe's invoices.
2.3 Technical information collected automatically
- IP address, used for rate limiting, abuse prevention, and security investigations. We do not use IP addresses for advertising or for cross-site tracking.
- User-agent string: the browser and operating system you are using, for compatibility and security investigation.
- Encrypted session cookie, described in detail in our Cookies Policy. The cookie holds an opaque, encrypted session identifier plus a CSRF token; it does not contain your name, email, or any other personal field in cleartext.
- Error and performance traces. When something breaks on our side, our error monitor records a stack trace and contextual metadata so we can fix the bug. We configure the monitor to scrub email addresses, IP addresses, and request bodies before transmission. Despite this, an occasional trace may incidentally include a personal field; we delete such fields when noticed.
2.4 Optional information with your consent
- Analytics measurement (Google Analytics 4). Only set if you grant the Analytics category in the cookie banner. Records aggregated page views, referrer, anonymized IP, and approximate geographic region. Used to understand which pages are working and which are not. Never linked to your account.
2.5 Information we do not collect
- Plaintext passwords.
- Credit card numbers, CVV, or expiry dates (Stripe handles those).
- Cross-site tracking data, advertising identifiers, fingerprinting signals.
- Any data we sell or rent to third parties. We never sell personal data.
3. How we use that information
We use the personal information described in Section 2 for the following purposes, and only these purposes:
- Operate the Service. Authenticate your login, render your dashboard, generate briefs you request, store and serve your past briefs, enforce your plan's usage limits, and process subscription billing through Stripe.
- Transactional email. Send receipts, password resets, security notices (for example, when your password is changed), and notices of material changes to these policies. Transactional emails are sent through our email-delivery provider.
- Service-related communication. Respond to support requests you send us.
- Security, fraud prevention, and abuse handling. Detect and respond to automated abuse, credential-stuffing attempts, payment fraud, and violations of our Terms of Service.
- Product improvement. Understand which features are used and which fail. Where we use Google Analytics for this purpose, it is opt-in via the cookie banner. Where we use internal aggregated usage data (for example: "how many briefs were generated last week"), no individual user is identifiable.
- Legal compliance. Comply with tax, accounting, anti-fraud, and other legal obligations applicable to us as a Canadian business.
We do not use your personal information for behavioural advertising, profiling that produces legal effects, or any automated decision-making that has a significant impact on you.
4. Legal bases for processing (GDPR / UK-GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation and the UK GDPR require us to identify a legal basis for each processing activity. Ours are:
- Performance of a contract (Article 6(1)(b)), for everything required to deliver the Service to you: account creation, authentication, brief generation, storage of your briefs, billing and subscription management, and customer support.
- Legitimate interests (Article 6(1)(f)), for security, fraud prevention, abuse mitigation, rate limiting, internal aggregated analytics, error monitoring, and defending legal claims. Our legitimate interests are balanced against your privacy interests; you may object to processing on this basis by emailing us (see Section 9).
- Consent (Article 6(1)(a)), for optional analytics cookies (Google Analytics) and any future marketing email. You may withdraw consent at any time without affecting prior processing.
- Legal obligation (Article 6(1)(c)), for tax records, invoices, and responding to lawful requests from authorities.
5. Who we share information with
We share personal information only with the subprocessors listed below, only for the purposes described, and only to the minimum extent each one needs. We do not sell personal information. We do not share personal information with advertisers, data brokers, or any third party outside this list. We have data processing agreements (or equivalent contractual protections, including Standard Contractual Clauses where applicable) with each subprocessor.
| Subprocessor | Purpose | Location | Data shared |
|---|---|---|---|
| Stripe | Payment processing, subscription billing, invoicing | USA | Name, email, billing address, card details (tokenized; we never see the full card number) |
| Transactional email provider | Transactional email delivery | USA | Email address and message contents (receipts, password resets, security notices) |
| AI inference provider | Brief generation from your keyword and the SERP context we fetch | USA | The keyword you submit and the SERP context we pass to the model. Per our agreement with the provider, the provider does not train on data submitted through its API. |
| SERP data provider | Live Google SERP fetching | USA | The keyword you submit and the country code you target. No account-identifying information is sent. |
| Error monitoring provider | Error and performance monitoring | USA / EU | Anonymized stack traces and contextual metadata. We configure the monitor to scrub PII (email, IP, request bodies) before transmission. |
| Google Analytics (GA4) | Traffic measurement on marketing pages, only when you grant the Analytics category in the cookie banner | USA | Anonymized IP, page views, referrer, approximate region. Data flows under Google's Standard Contractual Clauses. |
| Cloud hosting provider | Application hosting and database storage | Canada (Toronto) or USA depending on region; we aim to deploy in Toronto for Canadian data residency where feasible | All application data at rest, encrypted |
Current subprocessor identities, addresses, and processing locations are available upon request to [email protected]. We maintain commercially appropriate data processing agreements with each subprocessor and review the list periodically. We use categorical descriptions in this public Policy to limit unnecessary disclosure of our internal stack; the specific identities are available to data subjects, enterprise customers performing vendor due diligence, and supervisory authorities on request.
We may also disclose personal information when we are legally required to do so (for example, in response to a court order, subpoena, or other lawful request from a government authority), or where disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or violations of our Terms. Where legally permitted, we will notify you before complying.
If Ranklet is acquired, merged, or sells substantially all of its assets, personal information may be transferred to the acquirer. Such an acquirer would be bound to honour the commitments in this Privacy Policy, or to give you notice and an opportunity to delete your account before any change in practice takes effect.
6. International data transfers
Ranklet is operated from Canada. Our cloud hosting provider processes data in Canada or the United States depending on the deployment region. Stripe (payments) and Google Analytics (analytics, only with consent) are based in the United States and named here because they are user-discoverable (Stripe appears on payment receipts and bank statements; Google Analytics cookies are visible in browser tools). Our other subprocessors (transactional email, AI inference, SERP data, and error monitoring) are based in the United States, with the error monitor also processing in the European Union. Specific names are available on request as described in Section 5.
If you are in the European Economic Area, the United Kingdom, or Switzerland, your personal information may therefore be transferred to, stored in, and processed in countries (including the United States) that do not provide the same level of data protection as your home jurisdiction. We rely on the following safeguards for such transfers:
- Canada's adequacy decision for transfers from the EEA to Canada in respect of the commercial activities of a private-sector organisation.
- Standard Contractual Clauses (the European Commission's 2021 SCCs, and the UK International Data Transfer Addendum where applicable) with subprocessors located in the United States.
- EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework, where individual subprocessors are certified under them.
You can request a copy of the safeguard relied on for any specific transfer by emailing [email protected].
7. Data retention
- Active accounts. We retain your account data, briefs, and billing records for as long as your account is active.
- After you delete your account. We mark your account as deleted immediately, which removes access and hides your data from all production systems. Your data is then permanently erased from active systems within 30 days, and from encrypted backups within a further 30 days as those backups expire on their normal rolling schedule. After 60 days from your deletion request, no Ranklet system retains your personal data.
- Billing records. Invoices and payment records are retained for the period required by Canadian tax law (currently six years), even after account deletion. These records contain your name, billing address, and invoice amounts but do not include card details. They are retained in Stripe under Stripe's retention schedule and in our accounting export under the same six-year window.
- Subprocessor retention. Each subprocessor retains data we send them according to their own retention policy. We do not control those schedules. When we instruct deletion (for example, after you delete your account), each subprocessor honours that instruction on their own timeline, which is typically aligned with or shorter than ours.
- Backups. Encrypted database backups are retained on a rolling 30-day window, then automatically destroyed. We do not selectively restore deleted records from backup.
- Error logs. Our error monitor retains traces for 90 days, then automatically deletes them.
8. Your rights
Depending on where you live, you have some or all of the following rights over your personal information. We honour these rights regardless of where you live, on a best-effort basis, but the specific legal entitlement depends on your jurisdiction.
8.1 Under GDPR and UK-GDPR (EEA, UK, Switzerland)
- Right of access: a copy of the personal information we hold about you.
- Right to rectification: correction of inaccurate or incomplete information.
- Right to erasure ("right to be forgotten"): deletion of your personal information, subject to legal-retention exceptions for billing records.
- Right to data portability: your data in a structured, commonly used, machine-readable format (we export as JSON).
- Right to restrict processing: limit how we process your data while a dispute is being resolved.
- Right to object to processing based on our legitimate interests. We will stop unless we have overriding legitimate grounds.
- Right to withdraw consent for processing based on consent (cookies, future marketing email).
- Right to lodge a complaint with your local data protection authority. We would prefer you contact us first so we can address the concern, but you do not have to.
8.2 Under CCPA / CPRA (California residents)
- Right to know what personal information we collect, why, and who we share it with. This Privacy Policy is our answer; if you want a personal copy of the specific data tied to your account, email us.
- Right to delete: request deletion of your personal information, subject to the same legal-retention exceptions noted above.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of "sale" or "sharing". We do not sell personal information and we do not share it for cross-context behavioural advertising, so there is nothing for you to opt out of. We will continue not to do these things.
- Right to limit use of sensitive personal information. We do not collect or use sensitive personal information as defined by the CCPA.
- Right to non-discrimination. We will not deny service, charge different prices, or provide a different level of quality because you exercised a CCPA right.
8.3 Under PIPEDA (Canada)
- Right of access: confirmation of whether we hold your personal information, and a copy of it.
- Right to correction: amendment of inaccurate or incomplete personal information.
- Right to withdraw consent for processing based on consent. Some processing is necessary to provide the Service; withdrawing consent for those activities will require us to close your account.
- Right to file a complaint with the Office of the Privacy Commissioner of Canada. We ask you to contact us first.
9. How to exercise your rights
To exercise any of the rights described above, email [email protected] from the email address associated with your Ranklet account. Tell us which right you want to exercise. We will respond within 30 days. If your request is unusually complex or you have made multiple requests, we may extend this period by up to a further 60 days and will tell you why.
To protect your account, we may need to verify your identity before acting on a request, typically by confirming you control the account's email address or by asking you to confirm details only the account holder would know. We will not act on a request to delete or transfer data until we are reasonably satisfied who is asking.
Exercising your rights is free. If a request is manifestly unfounded, excessive, or repetitive, we may either charge a reasonable fee that reflects our administrative cost or refuse to act on it; if we do this, we will explain why and how to challenge our decision.
You can also exercise the most common rights directly in the app:
- Update your name or email: Settings page.
- Change your password: Settings page.
- Delete your account: Settings page. This triggers the 30-day deletion described in Section 7.
- Manage cookie consent: Cookie preferences link in the footer.
10. Security
We take the security of your data seriously, but no system on the internet is perfectly secure and we cannot guarantee absolute security. The measures we use include:
- Passwords are never stored in plaintext. We hash passwords with bcrypt using a per-user salt. We cannot recover your password, only reset it.
- TLS in transit. All traffic between your browser and Ranklet is encrypted with TLS 1.2 or higher. HSTS is enabled.
- Encrypted backups. Database backups are encrypted at rest.
- Encrypted session cookies. Session cookies are signed and encrypted by Rails using a server-side secret; they cannot be tampered with or read by client-side scripts.
- Rate limiting and abuse mitigation on authentication endpoints and brief generation.
- Error logging without PII. Our error monitor is configured to scrub email addresses, IP addresses, and request bodies before transmission.
- Subprocessor security. Each subprocessor in Section 5 is contractually obliged to maintain appropriate security measures, and we rely on their published certifications (SOC 2, ISO 27001, PCI-DSS) where applicable.
- Least-privilege access. Only the operator has production database access, and that access is logged.
If we become aware of a security breach that affects your personal information, we will notify you and the relevant data-protection authorities within the timelines required by applicable law (72 hours under GDPR / UK-GDPR for high-risk breaches; "as soon as feasible" under PIPEDA; and on the CCPA timeline for California residents).
11. Children's privacy
Ranklet is not intended for children. You must be at least 16 years old to create an account and use the Service. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected personal information from someone under 16, we will delete that information and close the account promptly. If you believe a child has provided us with personal information, email [email protected] and we will act on it.
12. Cookies and similar technologies
We use a small number of strictly necessary cookies (for session management and CSRF protection) and optional analytics cookies (only with your consent). For the full list, what each cookie does, how long it lasts, and how to change your preferences, see our Cookies Policy.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make a change that is material (meaning a change that meaningfully affects how we collect, use, share, or retain personal information), we will give you at least 30 days' notice by email to the address on your account before the change takes effect. We will also update the "Effective" date at the top of this page.
For non-material changes (typo fixes, clarifications, formatting, adding a subprocessor that does the same job as an existing one in the same jurisdiction), we may make the change without prior notice but will still update the Effective date.
If you do not agree with a change, you can delete your account before the change takes effect; your data will be deleted on the timeline in Section 7.
14. Contact
For any privacy question, data-subject request, complaint, or DMCA notice, contact:
- Email: [email protected]
- Operator: Vasyl Moshchenko, sole proprietor
- Jurisdiction: Ontario, Canada
If you are in the EEA, the UK, or Switzerland and would prefer to contact a representative in your region, email us and we will provide the relevant routing information.