Privacy Policy

Last updated: 22 April 2026

1. Data Controller

The controller responsible for the processing of personal data within the meaning of Article 4(7) GDPR is:

RankWay Jan Kilian Kolonnenstraße 8 10827 Berlin Germany

Email: support@rankway.io Website: https://rankway.io

VAT ID (§ 27a UStG): DE359761278

Additional provider information is available in our Imprint.

2. Scope

This Privacy Policy applies to the website rankway.io (marketing site) and the application app.rankway.io ("RankWay", the "Service"), which provides a SaaS platform for SEO automation.

3. General Principles

We process personal data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications and Digital Services Data Protection Act (TDDDG). Personal data means any information relating to an identified or identifiable natural person (Article 4(1) GDPR).

4. Data Processed When Visiting the Website (rankway.io)

4.1 Server Logs

When you access our website, our hosting provider automatically collects the following data transmitted by your browser:

  • IP address (truncated/anonymised where possible)

  • Date and time of access

  • Requested URL and amount of data transferred

  • Referrer URL

  • Browser type and version, operating system

Purpose: Ensuring stable operation, security of our systems, detection of abuse. Legal basis: Article 6(1)(f) GDPR (legitimate interest). Storage duration: A maximum of 30 days, unless security-relevant events require longer retention.

4.2 Cookies and Similar Technologies

We use cookies and comparable technologies only to the extent permitted under Section 25 TDDDG.

Strictly necessary cookies (e.g. session cookies for login, consent storage, security tokens) are used on the basis of Section 25(2)(2) TDDDG without requiring consent. The legal basis for any associated processing of personal data is Article 6(1)(b) and (f) GDPR.

Consent-based cookies and technologies (analytics, marketing, third-party trackers) are only set after you have provided explicit consent in accordance with Section 25(1) TDDDG and Article 6(1)(a) GDPR. You provide consent through our cookie banner. You may withdraw your consent at any time with effect for the future via the "Cookie settings" link in the footer.

We currently use only strictly necessary cookies, in particular session cookies for login and language preference storage. These are required for the operation of the application and do not require separate consent.

If we use analytics or marketing cookies in the future, they will be listed here in detail and activated only with your explicit consent via a cookie banner.

5. Registration, Login and Use of the Service (app.rankway.io)

5.1 Account Registration

A user account is required to use RankWay. During registration, we process:

  • Email address

  • Password (stored as a hash)

  • Name (optional)

  • Language and locale preference

Legal basis: Article 6(1)(b) GDPR (performance of a contract).

5.2 Login with Google

You may alternatively sign in with a Google account ("Sign in with Google"). Google will transmit your name, email address and a unique user ID to us. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details about Google's processing: https://policies.google.com/privacy.

Legal basis: Article 6(1)(a) GDPR (consent by using the Google login button) and Article 6(1)(b) GDPR (performance of a contract).

5.3 Data Processed During Service Use

During your use of RankWay, we process the data you enter and generate, in particular:

  • Website URLs you want analysed

  • Keywords, competitors, content plans

  • Generated content, article drafts, branding information

  • Connected integrations (CMS credentials stored encrypted, Google Business Profile)

  • Chat histories with the AI assistant "Ranky"

  • Usage events needed for providing the Service (e.g. onboarding status)

Legal basis: Article 6(1)(b) GDPR (performance of a contract). Storage duration: For the duration of the contractual relationship. After termination, data is deleted within 30 days unless statutory retention obligations apply (in particular Section 257 HGB and Section 147 AO — 6 or 10 years for accounting records).

5.4 Billing and Payments (Stripe)

Payments are processed by Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. We never receive complete payment details — your card information is submitted directly to Stripe and processed there. We only receive billing metadata such as payment status, invoice ID and partial card information (e.g. the last four digits).

Stripe's US parent company, Stripe, Inc., may receive access as part of intra-group processing. Stripe, Inc. is certified under the EU-U.S. Data Privacy Framework.

Legal basis: Article 6(1)(b) GDPR (performance of a contract). Further information: https://stripe.com/privacy

6. Service Providers and Data Processors

To provide RankWay, we use external service providers. Where legally required, we have concluded data processing agreements in accordance with Article 28 GDPR.

6.1 Hosting and Infrastructure

Service Provider Location Purpose Transfer basis Vercel Vercel Inc. USA Hosting of the app and marketing site EU-U.S. DPF certified + SCCs Supabase Supabase, Inc. USA (provider); data hosted in EU (Frankfurt) Database, authentication, file storage SCCs, EU region configured Sentry Functional Software, Inc. EU (Germany, de.sentry.io) Error monitoring: exception stacks, URL of the error, browser/device info, potentially IP address no third-country transfer required for stored data

6.2 AI and Data Processing Services

Service Provider Location Purpose Transfer basis Anthropic Claude Anthropic, PBC USA AI-powered content analysis, chat assistant, text generation EU-U.S. DPF certified + SCCs DataForSEO DataForSEO LLC USA SEO data (SERP, keywords, backlinks, on-page, rankings) SCCs Tavily Tavily AI USA Web and Reddit research SCCs

6.3 Communication and Marketing

Service Provider Location Purpose Transfer basis Resend Resend, Inc. USA Transactional emails (confirmations, password resets, notifications) SCCs Google OAuth Google Ireland Limited Ireland Google account login, optional Google Business Profile integration no third-country transfer required

6.4 Payments

See Section 5.4 (Stripe).

Regarding content transmitted to AI services: We only send content needed for the requested function (e.g. the website text to be analysed, the prompts you enter). According to Anthropic's documentation, content submitted via the API is not used to train their models. However, Anthropic retains API inputs and outputs for up to 30 days for abuse detection and trust & safety review, after which the data is automatically deleted. For details see https://www.anthropic.com/legal/privacy.

6.5 Notice on Data Transfers to the United States

Several of the service providers listed above are based in the United States. On 10 July 2023, the European Commission adopted the adequacy decision on the EU-U.S. Data Privacy Framework (DPF), confirming that an essentially equivalent level of data protection is ensured for US companies certified under the DPF. On 3 September 2025, the General Court of the European Union confirmed this adequacy decision (Case T-553/23). An appeal before the Court of Justice of the European Union (Case C-703/25 P) is currently pending.

In addition to the DPF, we rely on EU Standard Contractual Clauses in accordance with Article 46(2)(c) GDPR for transfers to the United States. Despite these measures, a residual risk remains, in particular that US security authorities may access transferred data under certain legal grounds (e.g. FISA 702, Executive Order 12333). We inform you of this risk transparently.

7. AI Assistant "Ranky" and AI-Powered Features

RankWay uses Large Language Models (Claude by Anthropic) for:

  • Analysis of your website and generation of a branding context

  • Keyword suggestions and competitor analysis

  • Content planning and article generation

  • The "Ranky" chat assistant with onboarding and support functions

  • Measuring AI visibility across ChatGPT, Claude, Gemini and Perplexity

The prompts you enter and the content of your connected website are transmitted to Anthropic for this purpose and processed there to respond to your request. Chat histories with Ranky are stored in our database to maintain conversational context across sessions.

We do not carry out automated decision-making within the meaning of Article 22 GDPR. Content generated by the AI is a suggestion — you decide freely whether and how to use it.

Legal basis: Article 6(1)(b) GDPR (performance of a contract).

8. Integrations with Third-Party Systems

Where you connect RankWay with your own external systems (e.g. WordPress, Shopify, Google Search Console, Google Business Profile), we process the credentials and API tokens needed for the integration. Credentials are stored encrypted. You can disconnect integrations at any time in the settings.

Legal basis: Article 6(1)(b) GDPR (performance of a contract).

8.1 Google Business Profile

If you connect your Google Business Profile to RankWay, we process your company's profile data and publicly available customer reviews. Personal data of third parties contained in reviews is processed solely for display in the dashboard and for analysis of rating distribution; no transfer to other parties takes place.

9. Processing for Business Customers (Data Processing Relationship)

If you use RankWay in a business context and process personal data of your own customers or website visitors through our features (e.g. via the lead funnel or lead magnet features), you are the controller under Article 4(7) GDPR for that data. RankWay acts as a processor under Article 28 GDPR in such cases.

For this situation we provide a Data Processing Agreement (DPA), which can be concluded by contacting us at support@rankway.io. You may not process personal data of third parties via RankWay without a concluded DPA.

10. Contact and Support

If you contact us by email (support@rankway.io) or via a contact/support form, we process the information you provide in order to respond to your request.

Legal basis: Article 6(1)(b) GDPR where the request relates to a contract, otherwise Article 6(1)(f) GDPR (legitimate interest in handling the request). Storage duration: Until your request is resolved, then up to three years for documentation purposes.

11. Newsletters and Product Emails

After registration, we send emails related to onboarding and the product (e.g. welcome series, product updates). Transactional emails (e.g. password resets, payment confirmations) are sent on the basis of Article 6(1)(b) GDPR.

We only send marketing newsletters after obtaining your explicit consent (double opt-in). Legal basis: Article 6(1)(a) GDPR. You may unsubscribe at any time via the unsubscribe link in every email or by sending a message to support@rankway.io.

12. Your Rights

You have the following rights regarding your personal data:

  • Access to the data stored about you (Article 15 GDPR)

  • Rectification of inaccurate data (Article 16 GDPR)

  • Erasure of your data (Article 17 GDPR), subject to statutory retention obligations

  • Restriction of processing (Article 18 GDPR)

  • Data portability (Article 20 GDPR)

  • Objection to processing based on Article 6(1)(f) GDPR (Article 21 GDPR)

  • Withdrawal of consent given with effect for the future (Article 7(3) GDPR)

Objection to Direct Marketing

You have the right to object at any time to the processing of your personal data for direct marketing purposes (Article 21(2) GDPR). Following your objection, we will no longer process your data for these purposes. An informal message to support@rankway.io or a click on the unsubscribe link in any marketing email is sufficient.

To exercise your rights, an informal message to support@rankway.io is sufficient.

Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR), in particular in the Member State of your residence, place of work or the place of the alleged infringement.

The supervisory authority responsible for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit Alt-Moabit 59–61 10555 Berlin, Germany Phone: +49 30 13889-0 Email: mailbox@datenschutz-berlin.de Website: https://www.datenschutz-berlin.de

13. Data Security

We implement technical and organisational measures in accordance with Article 32 GDPR to protect your data against loss, manipulation and unauthorised access, including in particular:

  • TLS encryption for all connections to our services

  • Encryption at rest for sensitive credentials (e.g. CMS tokens)

  • Row-level security (RLS) at the database level to isolate tenants

  • Role and permission model for our staff

  • Regular backups and monitoring

14. Storage Duration and Deletion

Personal data is stored only as long as necessary for the purposes described or as required by statutory retention obligations. After termination of your account, active user data is deleted within 30 days. Invoicing and accounting data is retained for up to 10 years in accordance with Section 257 HGB and Section 147 AO.

15. No Obligation to Provide Data

Providing your personal data is neither legally nor contractually required. However, without the data necessary for concluding and performing the contract, we cannot enter into a contract with you.

16. Changes to This Privacy Policy

We reserve the right to adjust this Privacy Policy to reflect changes in legal requirements or in our services. The current version is always available at https://rankway.io/privacy. We will notify you of material changes by email or within the app.