RankSurf

Privacy Policy

Effective Date: April 13, 2026

RankSurf ("we," "us," or "our") operates the RankSurf platform (the "Service"), an AI visibility monitoring tool for B2B companies. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service.

By using the Service, you agree to the collection and use of information in accordance with this policy.


1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address — provided via Google OAuth or magic link sign-up.
  • Full name — from your Google profile or as you provide it.
  • Profile photo URL — from your Google profile, if available.

We do not collect or store passwords. Authentication is handled via Google OAuth or passwordless email links.

1.2 Project and Brand Data

When you create a project, you provide:

  • Domain — the website you want to monitor.
  • Brand name and aliases — up to 3 alternative names for your brand.
  • Market/region — the geographic market your brand operates in.
  • Brand facts — structured key-value information about your brand (e.g., starting price, main product category, founding year, headquarters, key differentiator).
  • Competitors — names, domains, and aliases of competing brands (both manually added and auto-detected from AI responses).

1.3 Prompts

You create or select search queries ("Prompts") that are submitted to AI engines. Prompts are text strings between 5 and 300 characters, categorized by type (branded, category, comparison, problem-solving, evaluation, use-case).

1.4 Scan Results

When Scans run, we store:

  • AI engine responses — the full text returned by ChatGPT, Perplexity, and Gemini.
  • Brand mentions — whether and where your brand appears in each response.
  • Citation URLs — source links cited by AI engines.
  • Competitor mentions — which competitors appear, their positions, and citation status.
  • Accuracy issues — detected mismatches between AI statements and your brand facts.
  • Detected brands — all brand entities extracted from responses.

1.5 Site Audit Data

During site audits, we crawl pages on your domain and collect:

  • Page titles, meta descriptions, and heading structures.
  • Word counts (static and rendered content).
  • Internal and external links.
  • Structured data (JSON-LD, FAQ schema).
  • Client-side rendering parity metrics.
  • Robots.txt and sitemap data.
  • Domain authority score (via Open PageRank).

1.6 Improvement Recommendations

We generate and store:

  • Improvement title, description, type, and category.
  • Target URL (the specific page the improvement applies to).
  • Impact and effort ratings.
  • Evidence items supporting the recommendation.
  • Improvement status (as updated by you).

1.7 Billing Information

We collect your plan selection, subscription status, and billing period dates. We do not collect or store your payment card information. All payment processing is handled by Polar, our Merchant of Record (see Section 4.2).

1.8 Email Preferences

We store your communication preferences:

  • Master unsubscribe toggle.
  • Scan notification preference.
  • Weekly digest preference.
  • Nurture email preference.

1.9 Technical and Usage Data

We automatically collect:

  • Web performance metrics — anonymized Core Web Vitals (LCP, FID, CLS) via Vercel Analytics. No personally identifiable information is collected.
  • Error data — stack traces and operational context sent to Sentry for debugging. This may include your user ID to help us diagnose account-specific issues.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery

  • Running Scans by submitting your Prompts to AI engines.
  • Analyzing AI responses for brand mentions, citations, and accuracy.
  • Generating Fix recommendations based on scan results and site audits.
  • Producing Reports and visualizations of your visibility data.
  • Managing your subscription and enforcing plan limits.

2.2 Communication

  • Transactional emails — welcome messages, subscription confirmations, payment receipts. These are always sent and cannot be opted out of.
  • Critical emails — trial expiration notices, payment failure alerts, prompt limit warnings. These are always sent.
  • Notification emails — scan completion alerts, accuracy issue notifications. You may opt out via your email preferences.
  • Marketing emails — weekly digest summaries, product updates, re-engagement messages. You may opt out via your email preferences or one-click unsubscribe links.

2.3 Service Improvement

  • Aggregated, anonymized analytics to understand usage patterns and improve the platform.
  • Error monitoring to identify and fix bugs.
  • AI cost tracking to optimize model selection and pricing.

2.4 Security

  • Rate limiting on public endpoints.
  • Webhook signature verification for payment events.
  • Error tracking to detect and respond to security incidents.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

Legal basis         | Data                                                       | Purpose
Contract            | Account data, project data, prompts, scan results, billing | Necessary to provide the Service you subscribed to
Consent             | Marketing emails, weekly digest                            | You opt in via email preferences; withdraw anytime
Legitimate interest | Error monitoring, aggregated analytics, security           | Maintaining and improving the Service, fraud prevention

You may withdraw consent for marketing communications at any time without affecting the lawfulness of processing based on consent before withdrawal.


4. How We Share Your Information

We do not sell your personal information. We share data with third-party service providers only as necessary to operate the Service.

4.1 AI/LLM Providers

We send data to AI engine providers to execute Scans and generate Improvements:

Provider           | Data sent                | Purpose
OpenAI (ChatGPT)   | Prompts (search queries) | AI response generation for visibility monitoring
Google (Gemini)    | Prompts (search queries) | AI response generation for visibility monitoring
Perplexity (Sonar) | Prompts (search queries) | AI response generation for visibility monitoring

During Fix generation, we also send your domain, brand name, and competitor names to AI providers for context.

We do not send your email address, account information, or any personal identity data to AI providers.

4.2 Payment Processor

Polar is our Merchant of Record and handles all payment processing. When you subscribe, Polar receives:

  • Your email address (for receipts and invoicing).
  • Your user ID (for linking subscriptions to your account).
  • Plan selection and billing period.

Polar processes payment card data directly. We never see or store your card numbers, CVV, or bank details. Polar is PCI DSS compliant.

4.3 Email Service

Resend delivers emails on our behalf. Resend receives:

  • Your email address.
  • Personalized email content (e.g., brand name, scan metrics, fix summaries, subscription details).

4.4 Background Job Processing

Trigger.dev orchestrates long-running tasks (Scans, Fix generation, email sending). Task payloads include your project ID, user ID, run ID, and prompt data. Trigger.dev processes this data on our behalf and does not use it for any other purpose.

4.5 Web Crawling

Jina AI extracts content from pages on your domain during site audits. Jina receives the URLs of pages to crawl. No personal data is sent to Jina.

4.6 Domain Authority

Open PageRank provides domain authority scores. We send your domain name to their API. No personal data is included.

4.7 Error Monitoring

Sentry receives error reports including stack traces and operational context. This may include your user ID for debugging purposes. Sentry does not receive your email, name, or project content.

4.8 Hosting and Analytics

Vercel hosts the Service and collects anonymized web performance metrics (Core Web Vitals). Vercel Analytics does not collect personally identifiable information by default. Vercel Speed Insights collects Real User Monitoring data for performance optimization.

4.9 Authentication and Database

Supabase provides authentication and hosts our database. All application data (account information, projects, scans, fixes) is stored in Supabase-hosted PostgreSQL with Row-Level Security enforced.


5. Cookies and Tracking Technologies

We use a minimal set of cookies, all first-party:

Cookie                 | Purpose                                      | Type
Supabase session token | Maintains your authenticated session (JWT)   | Essential, httponly, secure
Project context (pid)  | Remembers your active project within the app | Essential, httponly, secure
Vercel Analytics       | Anonymized web performance metrics           | Analytics, first-party

We do not use third-party advertising or tracking cookies. We do not participate in cross-site tracking, behavioral advertising, or cookie-based retargeting.


6. Email Communications

6.1 Types of Emails

We send the following categories of email:

  • Transactional: Welcome, subscription confirmation, payment receipts, cancellation confirmation. Always sent; cannot be opted out.
  • Critical: Trial expiration, payment failure, prompt limit warnings. Always sent.
  • Notification: Scan completion alerts, accuracy issue alerts. Opt-out available.
  • Marketing: Weekly digest, product updates, re-engagement. Opt-out available.

6.2 Managing Preferences

You can manage your email preferences from your account settings. Each preference can be toggled independently. A master unsubscribe toggle disables all non-transactional and non-critical emails.

6.3 One-Click Unsubscribe

All marketing and notification emails include a one-click unsubscribe link that works without requiring you to log in. The link carries a token signed with a server-side key, so a link that has been altered (for example, to point at a different account) is rejected rather than acted upon.

6.4 Frequency Limits

We enforce email frequency limits to prevent excessive messaging:

  • Daily deduplication (no duplicate template sends per day).
  • Window-based limits (e.g., accuracy alerts: maximum once per 24 hours).
  • Lifetime caps on certain email types (e.g., re-engagement emails).

7. Data Retention

7.1 Active Accounts

While your account is active, we retain all data necessary to provide the Service:

  • Account and profile data: retained for the lifetime of the account.
  • Project data, prompts, scan results, and fixes: retained for the lifetime of the project.
  • Email logs: retained for preference enforcement and frequency deduplication.
  • AI usage logs: retained for cost tracking and optimization.

7.2 After Account Deletion

When you request account deletion:

  • Your personal data (name, email, profile) will be deleted within 30 days.
  • Project data, scan results, and fixes will be deleted within 30 days.
  • Shared reports will be immediately inaccessible and deleted with the project.
  • Anonymized, aggregated data (which cannot identify you) may be retained indefinitely.
  • Data required for legal compliance (e.g., billing records) may be retained as required by law.

7.3 Backup Retention

Database backups are managed by Supabase and follow their retention policy. Backups containing deleted data are purged according to their standard retention schedule.


8. Data Security

We implement the following security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers uses TLS encryption.
  • Row-Level Security: Database access is enforced at the row level. Users can only access their own data. Background jobs use a service client with restricted scope.
  • No passwords stored: Authentication uses Google OAuth or email magic links. No password hashes are stored.
  • Server-side secrets: API keys for third-party services are stored as server-side environment variables and are never exposed to client-side code.
  • Webhook verification: All incoming webhooks (payment events) are verified using cryptographic signatures.
  • Signed tokens: Unsubscribe links carry tokens signed with a server-side key. A token that has been altered, or that was not issued by us, fails verification and is rejected.
  • Error monitoring: Sentry provides real-time error tracking to detect and respond to issues quickly.

9. Your Rights

9.1 Rights for EEA/UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data (subject to legal retention requirements).
  • Right to data portability — request your data in a structured, machine-readable format.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — withdraw consent for marketing emails at any time.

9.2 Rights for California Residents (CCPA)

If you are a California resident, you have the following rights:

  • Right to know — request disclosure of the categories and specific pieces of personal information we collect.
  • Right to delete — request deletion of your personal information.
  • Right to opt-out of sale — we do not sell your personal information, so this right does not apply.
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.

9.3 How to Exercise Your Rights

You can exercise your rights by:

  • Email preferences: Manage directly from your account settings or via one-click unsubscribe links.
  • Account deletion: Contact us at privacy@ranksurf.com to request account deletion.
  • Data export: Contact us at privacy@ranksurf.com to request a copy of your data.
  • General requests: Email privacy@ranksurf.com with your request. We will respond within 30 days.

We may need to verify your identity before processing your request.


10. International Data Transfers

Your data may be processed in the following locations:

Service         | Location       | Purpose
Supabase        | United States  | Database and authentication
Vercel          | United States  | Hosting and edge delivery
OpenAI          | United States  | AI response generation
Google (Gemini) | United States  | AI response generation
Perplexity      | United States  | AI response generation
Sentry          | United States  | Error monitoring
Trigger.dev     | United States  | Background job processing
Polar           | European Union | Payment processing
Resend          | United States  | Email delivery

For transfers from the EEA/UK to countries without an adequacy decision, we rely on the service providers' Standard Contractual Clauses (SCCs) and other appropriate safeguards as required by GDPR.


11. Children's Privacy

The Service is a B2B product designed for business professionals. We do not knowingly collect personal information from anyone under the age of 16. If we learn that we have collected data from a person under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@ranksurf.com.


12. Third-Party Links

The Service may display URLs cited by AI engines in their responses. These are third-party websites that we do not control. We are not responsible for the privacy practices or content of external sites. We encourage you to review the privacy policies of any third-party sites you visit.


13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will:

  • Provide at least 30 days' notice via email to the address associated with your account.
  • Update the "Effective Date" at the top of this page.
  • Post the revised policy on our website.

Your continued use of the Service after the effective date of the revised policy constitutes acceptance. If you do not agree to the changes, you should stop using the Service and request account deletion.


14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Email: privacy@ranksurf.com

If you are in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.