Privacy Policy

This Privacy Policy explains how Rankrush Limited ("RankRush", "we", "us", or "our") collects, uses, shares, and protects information when you use the RankRush platform at rankrush.ai (the "Service"). By using the Service, you agree to the practices described here.

1. Data controller

The data controller for personal data processed through the Service is Rankrush Limited (Companies House no. 11997028), registered at Kemp House, 152 City Road, London, United Kingdom, EC1V 2NX. You can reach us at privacy@rankrush.ai.

2. Information we collect

2.1 Account information

When you create an account, we collect your email address, a hashed password, account creation timestamp, and authentication metadata (last sign-in time, IP address, user agent). Authentication is handled by Supabase Auth.

2.2 Business profile information

To deliver visibility scans and audits, we collect business profile data you provide: business name, website URL, industry, target keywords, brand description, target audience, and similar onboarding inputs. You may create multiple business profiles per account.

2.3 Usage and product data

We log actions you take inside the Service (scan runs, node verifications, keyword additions, audit executions) for the purposes of usage limits, billing, debugging, and product improvement. This includes timestamps, action type, profile context, and result counts.

2.4 AI query and audit data

For each visibility scan, we store the keyword queried, the LLM that responded, whether your brand was visible, the position, the raw model response, the URLs the model cited, and the brands that appeared. This data is what powers your visibility dashboards.

2.5 Google Search Console data (optional)

If you connect a Google Search Console property, we receive — through Google's OAuth flow — read access to your search query data, page performance, and property metadata. We cache this data to power keyword analysis. You can disconnect at any time from your settings; cached data is deleted on request.

2.6 Reddit / Community Engagement data (optional, Buzz module)

If you use the Buzz module and connect a Reddit account, we store OAuth tokens encrypted at rest and the content of any posts or comments you draft, schedule, or publish through the Service. We also store third-party content discovered through public web searches conducted on your behalf (Reddit threads, community discussions) in order to surface engagement opportunities.

2.7 Billing data

Payments are processed by Stripe. We do not store full card numbers on our servers. We retain a Stripe customer ID, subscription status, plan tier, and invoice metadata required to operate billing.

2.8 Cookies and similar technologies

We use strictly necessary cookies and local storage to keep you logged in, remember your active business profile, and preserve UI preferences. We do not currently use third-party advertising or cross-site tracking cookies.

3. How we use your information

We use the data we collect to: (a) operate, maintain, and improve the Service; (b) execute the visibility scans, audits, and engagement workflows you initiate; (c) authenticate you and protect your account; (d) process subscriptions and invoices; (e) communicate service-related notices; (f) prevent abuse, fraud, and violations of our Terms; and (g) comply with legal obligations.

Legal bases (EU/UK GDPR): performance of a contract (to provide the Service), legitimate interests (security, product improvement, fraud prevention), consent (for optional integrations such as Google Search Console and Reddit), and legal obligation (tax, accounting).

4. Third-party processors and sub-processors

To operate the Service, we share specific data with the following third parties acting as processors or sub-processors. Each receives only the minimum data needed for its function.

4.1 Infrastructure

• Supabase — managed PostgreSQL database, authentication, edge function runtime, and file storage. Hosts substantially all customer data.
• Hetzner — VPS infrastructure hosting the marketing site at rankrush.ai and the dashboard application at app.rankrush.ai.

4.2 AI / LLM providers (used to execute visibility scans, audits, and content generation)

• OpenAI — receives your business name, target keywords, and audit prompts to generate visibility query responses, brand-name resolution, and content suggestions.
• Anthropic — receives the same category of inputs to generate AI visibility responses via Claude models with web search.
• Google (Gemini API) — receives the same category of inputs to generate visibility responses with Google Search grounding, audit verification, and Buzz strategy generation.
• Perplexity — receives keywords and queries to generate visibility responses via Sonar models.

We use API endpoints that are configured, where available, to exclude submitted prompts from being used to train the providers' models. We do not transmit your account credentials, payment details, or Reddit OAuth tokens to LLM providers.

4.3 Payments

• Stripe — processes all payments, stores card details on its compliant infrastructure, and provides invoice management.

4.4 Optional integrations (only if you enable them)

• Google Search Console — read access to your verified property data via OAuth.
• Reddit — OAuth-based posting and account linkage for the Buzz module.
• Firecrawl — web search API used to discover public Reddit and community discussions relevant to your brand.

4.5 We do not sell your data

We do not sell, rent, or trade personal information to third parties for advertising or marketing purposes.

5. International data transfers

Several of our processors (notably the LLM providers, Stripe, and Supabase) operate or transit data through the United States and other jurisdictions. Where personal data of EU/UK residents is transferred outside the EEA/UK, we rely on Standard Contractual Clauses or equivalent safeguards offered by the processor.

6. Data retention

We retain account data for as long as your account is active. Visibility scan history, audit history, and usage logs are retained for the lifetime of the account so that you can analyze trends. When you delete your account, we delete or anonymize personal data within 30 days, subject to legal retention obligations (e.g., tax records, fraud prevention).

7. Your rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; correct inaccurate data; delete your data; restrict or object to processing; receive your data in a portable format; and withdraw consent for optional integrations. To exercise any of these rights, contact us at privacy@rankrush.ai. EU/UK residents may also lodge a complaint with their local supervisory authority. California residents have equivalent rights under the CCPA/CPRA.

8. Security

We use row-level security on our database, encrypted-at-rest storage, encrypted-in-transit communication (HTTPS), and least-privilege access controls. Reddit OAuth tokens and similar credentials are stored encrypted. No system is perfectly secure, and we cannot guarantee absolute security.

9. Children

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

10. Changes to this Policy

We may update this Privacy Policy as the Service evolves. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you by email or in-product notice.

11. Contact

Questions or requests: privacy@rankrush.ai.