Trust & Security
How we handle your data, what we collect, and where we are on our security roadmap.
Data we collect
RankSurf stores the minimum data required to provide the service:
- Domains & brand: Your website domain, brand name, aliases, and market region.
- Prompts: The search queries you configure for monitoring (“best project management tool for startups”, etc.).
- AI responses: Full text responses from ChatGPT, Perplexity, and Gemini for each prompt.
- User email: Your email address, used for login (Google OAuth or magic link) and transactional/notification emails.
- Billing info: Plan selection and subscription status. We never store your card number; payment processing is handled entirely by Polar.
- Competitors: Competitor names and domains you add or that are auto-detected from scans.
Full details are in our Privacy Policy.
How we use AI providers
RankSurf submits your prompts to three AI engines to measure your brand’s visibility. We also use AI internally for brand detection and improvement suggestions. We never send your email address or account identity to any AI provider.
| Provider | Use | Training on your data |
|---|---|---|
| OpenAI (GPT-4o mini) | Scan engine (ChatGPT visibility) | No — zero data retention via API |
| Google (Gemini 2.5 Flash) | Scan engine, brand detection, improvement synthesis | No — API usage, not training data |
| Perplexity (Sonar) | Scan engine (Perplexity visibility) | No — zero data retention via API |
GDPR compliance
RankSurf is GDPR-compliant. We process EU user data under contractual necessity (to deliver the service), consent (marketing emails, opt-in only), and legitimate interest (error monitoring and security).
EU/EEA users have the right to access, rectify, erase, and export their data. To exercise any of these rights:
- Email us at privacy@ranksurf.com
- We respond within 30 days.
- Data transfer mechanisms: we rely on Standard Contractual Clauses (SCCs) for processors in the US.
SOC 2
SOC 2 Type II certification is on our roadmap. We have not yet initiated a formal audit. In the meantime, we follow SOC 2-aligned controls: access control, encryption in transit and at rest, dependency monitoring, and structured incident response. We will update this page when an audit is underway. If you have a vendor security questionnaire, email security@ranksurf.com and we will respond directly.
Data residency
Application data is stored in Supabase-hosted PostgreSQL. The primary database region is the United States. Vercel edge infrastructure serves the application globally. Transactional emails are delivered via Resend (US-based). We do not currently offer EU-only data residency, though all international transfers rely on SCCs.
Subprocessors
We use the following third-party processors to operate RankSurf:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | United States |
| Vercel | Hosting & edge delivery | Global (US primary) |
| Resend | Transactional & lifecycle email | United States |
| Polar | Billing & payment processing (MoR) | European Union |
| Trigger.dev | Background job orchestration | United States |
| OpenAI | AI response generation (ChatGPT engine) | United States |
| Google (Gemini) | AI response generation & analysis | United States |
| Perplexity | AI response generation (Sonar engine) | United States |
| Sentry | Error monitoring | United States |
Security questions
For security reports, vendor questionnaires, or data-handling questions, email us at security@ranksurf.com. For privacy and GDPR requests: privacy@ranksurf.com.