Last updated: 14.06.2026
RankUp OÜ (“RankUp”, “we”, “us”) is the company responsible for your personal data when you use our website (rankup.so) and platform (app.rankup.so) (the “Service”). We are a private limited company registered in Estonia under registry code 17066724, with our registered address at Vase tn 7, Kesklinna linnaosa, Tallinn, Harju maakond, 10125, Estonia.
For any privacy question or to exercise your rights, contact us at support@rankup.so.
It helps to understand the distinction up front, because it determines whose data we are talking about:
For data about you as our user and customer — your account, your billing, how you use the Service — RankUp is the controller: we decide why and how it is processed, and this Privacy Policy governs it.
For personal data contained within the content and connected services you bring to the platform — for example, personal data inside the material you upload to your Knowledge Base, the pages we ingest from your website, or the analytics of your connected accounts — RankUp acts as a processor on your behalf. We handle that data on your instructions to provide the Service. The terms governing that processing are set out in our Data Processing Agreement, which supplements this Policy.
Account and authentication data. RankUp is passwordless — we never collect or store account passwords. When you sign up with Google, we receive your name, email address, and profile photo from your Google profile, and we store OAuth tokens that let us call Google APIs on your behalf. When you sign up with an email magic link, we collect only your email address until you choose to provide more. We also store account metadata such as your credit balances and your notification and approval preferences.
Onboarding and brand data. To set up the Service we collect the website URL you want to create content for, your brand name, your target language and location, your site/business type, your target audience, and any brand assets you upload (such as a logo, icon, or colours).
Billing data. Payments are processed by Stripe. We never receive or store your card details. Our own records hold only Stripe customer and subscription identifiers and plan details (tier, amount, currency, billing period); your billing name, address, and invoices are held by Stripe.
Usage and product data. Through our analytics provider (PostHog), our marketing-site analytics provider (Microsoft Clarity), and our error-monitoring provider (Sentry), we collect data about how the Service is used: pages and features used, clicks and interactions, performance data, device and browser information, error and crash logs, and session recordings (replays of on-screen interactions, in which sensitive inputs such as passwords, card numbers, and API keys are masked). This data is tied to your logged-in account where you are signed in. We also record which AI agents were run and the associated cost events. How we treat the cookies and similar technologies involved differs between our marketing website and our application — see section 6 and our Cookie Policy.
Content you submit to us. When you contact support, submit feedback, or interact with our changelog, that content and your contact details are processed by our customer-engagement provider (Featurebase) on our behalf. If you book a consultation call, the call may be recorded and transcribed via our meeting-notes provider (Fireflies); you are notified of the recording at the start of the call.
Content you create or connect. This includes the material you upload to your Knowledge Base, content ingested from your connected website, and the content generated for you by the Service. This content may contain personal data about third parties depending on what you include; we process it on your behalf as described in section 2 and our Data Processing Agreement.
Separately from the data above, you may connect third-party services to RankUp. When you do, we store the credentials you provide (see Security, section 9) and access only the data you authorize, for the purpose of providing the relevant feature. You can disconnect any integration at any time.
Google Search Console (read-only): we read your search-performance data — top queries and pages, clicks, impressions, click-through rate, and position — for the property you select. We cannot modify your Search Console and cannot access any other Google service.
Connected analytics (PostHog “bring-your-own”): where you connect your own analytics project, we store your API key and project ID and import the site-analytics data you authorize.
Content management systems (such as WordPress, WooCommerce, Storyblok): we store the access credentials or tokens for your site and read and write content on your behalf, as you direct.
RankUp’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically: the data we access from Google Search Console is used only to provide and improve the Service’s features for you; it is not sold; it is not used for advertising; and it is not transferred to others except as necessary to provide the Service, to comply with applicable law, or as part of a merger or acquisition.
Under the GDPR we must have a lawful basis for each purpose. They are:
To provide the Service — create and authenticate your account, run the platform, deliver the features you select, and send you sign-in and transactional/notification emails (via Resend): performance of our contract with you.
To take payment and keep financial records: performance of our contract for billing, and compliance with a legal obligation for the accounting records we must retain.
To analyze and improve the Service — product analytics, error monitoring, security, and deriving aggregated insights about what content performs well: our legitimate interests in operating, securing, and improving the Service. On our marketing website, cookie-based analytics load only with your consent; in the signed-in application we rely on legitimate interests with an opt-out. Section 6 and our Cookie Policy explain how each surface works.
To send product communications — changelog and product-update emails (via Featurebase): our legitimate interests in keeping customers informed about the Service. You can opt out of these at any time.
To record consultation calls (via Fireflies): your consent, given when you proceed with a recorded call.
We do not currently send marketing or newsletter emails. If we introduce them, we will rely on consent where required.
The Service uses cookies and similar technologies, including for the product analytics and session recording described above. We treat them differently on each surface. On our marketing website (rankup.so), we set analytics and session-recording cookies only after you consent through our cookie banner; if you decline, we set none of these and collect only anonymous, cookieless usage measurement. Embedded content — such as videos and our booking calendar — and the advertising pixels it loads are not controlled by the banner: they load only if you choose to interact with that content, and may then set their own cookies. In our application (app.rankup.so), we run product analytics and session recording under our legitimate interests, and you can opt out at any time via “Manage Cookies” in the account menu. Details of the specific cookies, their purposes, and how to manage your choices are set out in our Cookie Policy.
We share personal data with the service providers that help us run RankUp. Each is bound by contract to protect it and process it only on our instructions. Our current providers are:
| Provider | Purpose | Region | Transfer safeguard |
|---|---|---|---|
| Supabase (AWS) | Primary database | EU (Frankfurt) | In-EU |
| Vercel | App hosting / compute | EU (Frankfurt) | In-EU |
| AWS (S3, Lambda) | File storage and backend jobs | EU (Stockholm) | In-EU |
| AI model providers — AWS Bedrock, Microsoft Azure OpenAI, Google, OpenAI, Anthropic, Perplexity, xAI, OpenRouter | Processing content submitted to AI features; the specific provider used may vary by feature and routing configuration | EU and US / global | SCCs for US/global |
| Stripe | Payments | US / global | SCCs |
| Sign-in (OAuth) and Search Console integration | US / global | SCCs | |
| Google Workspace | Support email | US / global | SCCs |
| PostHog | Product analytics | US | SCCs |
| Sentry | Error monitoring | US / global | SCCs |
| Microsoft Clarity | Marketing-site analytics, session recording, and heatmaps | US / global | SCCs |
| Resend | Sign-in and transactional emails | US | SCCs |
| Fireflies | Consultation-call recording and transcription | US | SCCs |
| Featurebase | Support/messaging, feedback, changelog, and related emails | EU (EEA) | In-EU; limited ancillary transfers under SCCs |
We may also disclose personal data where required by law, to enforce our agreements, or in connection with a merger or acquisition.
Your account data and content are stored and processed in the European Union: our database and application infrastructure are hosted in Frankfurt, Germany, and our file storage in Stockholm, Sweden. Content you submit to AI-powered features is processed by the AI model providers listed above, which may be located in the EU or the United States. A limited number of our other providers operate in the United States or are globally distributed. Where personal data is transferred outside the European Economic Area, that transfer is protected by appropriate safeguards, in particular the European Commission’s Standard Contractual Clauses.
Retention. We keep different categories of data for different periods:
Your account data, brand assets, and preferences, and your Knowledge Base, ingested content, and generated content, are retained for the life of your account — including while your account is dormant after a cancellation, so that you can resume where you left off if you resubscribe — and are deleted when you close your account or request deletion. Connected-service credentials are kept until you disconnect the service or delete your account. AI agent usage and cost events are kept for the life of the account. Google Search Console data is kept while the connection is active and is overwritten as it refreshes.
Telemetry is kept on fixed periods: product analytics for 12 months, session recordings for 30 days, and error logs (Sentry) for 90 days. Transient runtime logs on our hosting platform are short-lived per the provider’s defaults and are not separately stored by us.
Consultation-call transcripts are kept for 12 months. Support correspondence is kept for 24 months. Feedback and feature requests are kept while relevant to product development.
Billing records are kept for 7 years to meet our obligations under Estonian accounting law. Because this is a legal obligation, these records are retained even if you request deletion of your other data.
Security. We host data in the European Union (Frankfurt for our database and application, Stockholm for file storage). Data is transmitted over encrypted connections (TLS) and our databases are encrypted at rest. Sensitive third-party integration credentials are additionally protected with application-level encryption. Access to personal data requires authentication and is restricted to a small number of authorized team members under confidentiality obligations. We rely on established infrastructure providers (AWS, Supabase, Vercel) that operate their own security programs.
Under the GDPR you have the right to: access the personal data we hold about you; have inaccurate data corrected; have your data erased; restrict or object to certain processing; receive your data in a portable format; and, where we rely on consent, withdraw that consent at any time (without affecting processing already carried out). Withdrawing consent to a consultation-call recording, or opting out of product-update emails, will not affect your use of the Service.
To exercise any of these rights, email support@rankup.so. We will respond within the timeframes required by law.
Data provided to us by our customers. If your personal data was provided to us by one of our customers — for example, because your details appear in content they uploaded or in a site they connected — RankUp acts as a processor for that data, and the customer is the controller. We will refer your request to that customer and assist them in responding, as required by law.
Automated decision-making. We do not use your personal data to make decisions about you solely by automated means that produce legal or similarly significant effects on you.
You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee); you may also complain to the authority in your country of residence.
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us personal data, contact support@rankup.so and we will delete it.
We may update this Policy from time to time. When we make material changes, we will update the date above and, where appropriate, notify you. Your continued use of the Service after an update takes effect means the updated Policy applies to you.
For any question about this Policy or your personal data, contact RankUp OÜ at support@rankup.so, or by post at Vase tn 7, Kesklinna linnaosa, Tallinn, Harju maakond, 10125, Estonia.
