Privacy Policy

Last updated: 24 April 2026

Rankboostr (“Rankboostr”, “we”, “us”) operates the Rankboostr.ai platform. This policy explains how we collect, use, store, disclose, and destroy personal information, and how customers worldwide can exercise privacy rights under applicable data protection laws.

This policy applies to information collected through rankboostr.ai and every customer-facing subdomain, our public APIs, and emails we send.

If you have a question about this policy, contact our privacy officer at privacy@rankboostr.ai.

1. Kinds of information we collect

Information you give us directly

  • Your name and work email address when you create an account.
  • A password hash (never the plaintext password) if you sign up with email and password.
  • Your time zone, display picture, and preferences when you update your profile.
  • Your organisation’s name, billing address, and tax details when you subscribe to a paid plan.
  • Content you create on the platform — drafts, posts, scheduled media, site lists, keyword lists, competitor lists, and AI prompts.

Information we receive from third parties on your authorisation

  • OAuth access and refresh tokens from LinkedIn, Meta (Facebook, Instagram), Google Business Profile, and similar platforms when you connect a social account. Tokens are encrypted at rest with AES-256-GCM before they touch our database.
  • Public profile information returned by those platforms (display name, avatar, page IDs).
  • Analytics, impressions, engagement, and review data that the platforms make available under the permissions you granted.

Information collected automatically

  • Log and diagnostic data: IP address, user-agent, request timestamps, URLs called, request correlation IDs. We use this for security, debugging, and rate-limiting.
  • Product analytics — aggregated, pseudonymous counts of feature usage collected via PostHog with cookieless tracking and session replay disabled.

Sensitive information

We do not request sensitive information such as health, race, political opinions, or sexual orientation. If you include sensitive information in free-text fields (post drafts, prompts) you do so voluntarily and consent to the handling described in this policy.

2. Why we collect and use your information

  • To operate the service: run the account you pay for, schedule and publish your posts, fetch analytics, generate AI drafts, track keywords and reviews.
  • To bill you: process subscription payments through Stripe, issue tax invoices, and prevent payment fraud.
  • To communicate with you: send transactional emails (receipts, trial status, publish failures), respond to support requests, and — only if you opt in — send product update newsletters.
  • To keep the platform secure and reliable: detect abuse, enforce multi-tenant isolation, rotate credentials after suspected compromise, investigate incidents.
  • To meet legal obligations: respond to lawful requests, retain tax records, and notify affected customers or regulators when required.

We do not use your information for any purpose you would not reasonably expect given how the service is marketed. We do not sell personal information to third parties, ever.

3. How we store and protect your information

Your production data is stored in managed cloud infrastructure selected for reliability, security, and performance. Backups are encrypted at rest and kept for a rolling point-in-time recovery window.

Object storage (media, exports) lives in Cloudflare R2 or AWS S3. OAuth tokens for connected social accounts are encrypted with AES-256-GCM before they are written to the database; the encryption key is held in our hosting provider’s secret store, never in source code, and rotated per docs/runbooks/key-rotation.md.

Row-level security policies in Postgres prevent cross-tenant reads at the database layer — not just in application code. We audit tenant isolation continuously with an automated cross-tenant test suite that runs on every deploy.

We maintain access controls, logging (30 days), and an incident-response runbook for security incidents. If we believe personal information has been accessed or disclosed without authorisation and notification is required, we will notify affected customers and regulators as required by applicable law.

4. Who we share your information with

We disclose personal information only to the following categories:

  • Service providers: our infrastructure suppliers (Neon, Cloudflare, AWS, Vercel, Railway, Upstash, Resend, Stripe) each bound by a written data-processing agreement to handle your information only on our instructions.
  • AI providers: Anthropic (for the AI drafting features) receives the prompts you generate and the minimum content needed to return a draft. Anthropic’s API-tier policy is that it does not retain or train on API requests.
  • Social platforms: we send the posts you schedule to the platform(s) you selected, via the APIs you authorised us to call.
  • Payment processor: Stripe (payment card data is provided directly to Stripe; we never see full card numbers).
  • Legal and safety recipients: when disclosure is required or permitted by law, a subpoena, or a lawful request from a regulator.

International processing

Some service providers process data across multiple regions, including the United States, European Union, and United Kingdom. We use contractual data-processing terms and vendor controls designed to protect personal information wherever it is processed.

5. How long we keep your information

We keep personal information only as long as we need it for the purposes in Section 2, or as required by law. The full retention schedule is published at docs/retention.md in our public repository. Highlights:

  • Active account data: kept while the account is active.
  • Soft-deleted accounts: 30 days, then hard-purged. You can rescind deletion by emailing privacy@rankboostr.ai during that window.
  • Audit logs: 2 years.
  • In-app notifications: 90 days.
  • DSAR export archives: 14 days (signed download URLs expire after 24 hours).
  • Tax records held by Stripe: retained for the period required by applicable law.

6. Your rights

Access

You can request a machine-readable export of your organisation’s data at any time from Settings → Privacy & data. Owners and admins can export the full organisation dataset. We will generate and email a signed download link within 30 days of the request; in practice, most exports complete in minutes.

Correction

You can correct profile information directly in Settings. For corrections to data we hold but do not expose to self-service editing, email privacy@rankboostr.ai. We will either make the correction within 30 days or explain why we can’t.

Deletion

You can permanently delete your account from Settings → Privacy & data. Deletion is soft for 30 days (to allow you to recover it) and then irrevocable. If you are the sole owner of an organisation, deleting your account deletes the organisation and all its data.

Objection and restriction

If you object to a specific processing activity (for example, inclusion in product analytics), email us and we will either stop that activity for your account or explain why we can’t.

Complaints

If you think we have mishandled your personal information, email privacy@rankboostr.ai. We will acknowledge within 5 business days and substantively respond within 30 days. If you are not satisfied with our response, you can escalate to the relevant privacy regulator in your jurisdiction.

7. Cookies and tracking

We use strictly necessary first-party cookies to keep you signed in and to remember your CSRF token. These cookies cannot be disabled without breaking authentication.

Product analytics are collected in cookieless mode via PostHog. We do not use third-party advertising cookies, do not run retargeting pixels, and do not record or replay user sessions.

8. Children

Rankboostr is intended for use by businesses and is not marketed to individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified in-app and by email at least 30 days before the change takes effect. The current version is always available at rankboostr.ai/legal/privacy.

10. Contact

Rankboostr
Privacy officer: privacy@rankboostr.ai
General: support@rankboostr.ai