Trust & Security
How we handle your data, what we collect, and where we are on our security roadmap.
Data we collect
RankSurf stores the minimum data required to provide the service:
- Domains & brandYour website domain, brand name, aliases, and market region.
- PromptsThe search queries you configure for monitoring (“best project management tool for startups”, etc.).
- AI responsesFull text responses from ChatGPT, Perplexity, and Gemini for each prompt.
- User emailYour email address, used for login (Google OAuth or magic link) and transactional/notification emails.
- Billing infoPlan selection and subscription status. We never store your card number — payment processing is handled entirely by Polar.
- CompetitorsCompetitor names and domains you add or that are auto-detected from scans.
Full details are in our Privacy Policy.
How we use AI providers
RankSurf submits your prompts to three AI engines to measure your brand’s visibility. We also use AI internally for brand detection and improvement suggestions. We never send your email address or account identity to any AI provider.
| Provider | Use | Training & retention |
|---|---|---|
| OpenAI (GPT-4o mini) | Scan engine (ChatGPT visibility) | Not used for training. Retained up to 30 days for abuse monitoring, then deleted. |
| Google (Gemini 2.5 Flash) | Scan engine, brand detection, improvement synthesis | Not used for training (paid API tier). Search-grounding queries may be stored by Google for up to 30 days. |
| Perplexity (Sonar) | Scan engine (Perplexity visibility) | Not used for training. Zero data retention by default. |
GDPR compliance
RankSurf is built to comply with the GDPR. We process EU user data under contractual necessity (to deliver the service), consent (marketing emails, opt-in only), and legitimate interest (error monitoring and security).
EU/EEA users have the right to access, rectify, erase, and export their data. To exercise any of these rights:
- Email us at hello@ranksurf.com
- We respond within 30 days.
- Data transfer mechanisms: we rely on Standard Contractual Clauses (SCCs) for processors in the US.
SOC 2
SOC 2 Type II certification is on our roadmap. We have not yet initiated a formal audit. In the meantime, we follow SOC 2-aligned controls: access control, encryption in transit and at rest, dependency monitoring, and structured incident response. We will update this page when an audit is underway. If you have a vendor security questionnaire, email hello@ranksurf.com and we will respond directly.
Data residency
Application data is stored in Supabase-hosted PostgreSQL. The primary database region is the United States. Vercel edge infrastructure serves the application globally. Transactional emails are delivered via Resend (US-based). We do not currently offer EU-only data residency, though all international transfers rely on SCCs.
Subprocessors
We use the following third-party processors to operate RankSurf:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | United States |
| Vercel | Hosting & edge delivery | Global (US primary) |
| Resend | Transactional & lifecycle email | United States |
| Polar | Billing & payment processing (MoR) | European Union |
| Trigger.dev | Background job orchestration | United States |
| OpenAI | AI response generation (ChatGPT engine) | United States |
| Google (Gemini) | AI response generation & analysis | United States |
| Perplexity | AI response generation (Sonar engine) | United States |
| Sentry | Error monitoring | United States |
| PostHog | Product analytics (consent-gated) | European Union |
Security questions
For security reports, vendor questionnaires, data-handling questions, or privacy and GDPR data-subject requests, email hello@ranksurf.com.