# Legal Review Checklist for RankWiz AI

**Last Updated**: February 26, 2026

**Purpose**: Ensure all legal documents meet compliance requirements

---

## Pre-Review Preparation

### Document Organization
- [x] All documents created in `/legal/` directory
- [x] Each document is a standalone markdown file
- [x] README.md provides comprehensive overview
- [x] All documents formatted consistently
- [x] All documents include version and effective date

### Quality Checks
- [x] Total coverage: 1,660+ lines of substantive legal text
- [x] 5 core documents plus README
- [x] Consistent formatting and structure
- [x] Cross-references between documents
- [x] All [INSERT ...] placeholders identified for customization

---

## Legal Review Checklist

### 1. Terms of Service Review

#### Service Description
- [ ] Accurately describes RankWiz AI functionality
- [ ] Clearly explains BYOK (Bring Your Own Key) model
- [ ] Discloses that OpenAI is third-party, not RankWiz service
- [ ] Explains AI content is draft only, requires human review

#### BYOK OpenAI Responsibilities
- [ ] User owns API key ✓ (Section 3.1)
- [ ] User responsible for OpenAI charges ✓ (Section 3.1)
- [ ] User responsible for OpenAI ToS compliance ✓ (Section 3.1)
- [ ] User responsible for API key compromise ✓ (Section 3.2)
- [ ] RankWiz encrypts API key at rest ✓ (Section 3.1)
- [ ] User indemnifies RankWiz for OpenAI usage ✓ (Section 4.3)

#### Content Liability
- [ ] AI-generated content disclaimer clearly stated ✓ (Section 4.1)
- [ ] User responsible for reviewing content ✓ (Section 4.1)
- [ ] User responsible for accuracy/originality ✓ (Section 4.1)
- [ ] RankWiz not liable for AI-generated content ✓ (Section 4.2)
- [ ] User liable for plagiarism/copyright claims ✓ (Section 4.2)
- [ ] User indemnifies RankWiz for published content ✓ (Section 4.3)

#### WordPress Publishing
- [ ] User authorizes RankWiz to publish ✓ (Section 5.1)
- [ ] User can revoke access at any time ✓ (Section 5.2)
- [ ] User retains WordPress admin control ✓ (Section 5.2)
- [ ] Content goes live immediately ✓ (Section 5.3)
- [ ] Conflict management explained ✓ (Section 5.4)

#### Data Protection
- [ ] Encryption standards specified ✓ (Section 6.2)
- [ ] Data retention periods defined ✓ (Section 6.3)
- [ ] Soft delete (30 days) explained ✓ (Section 6.3)
- [ ] Third-party sharing disclosed ✓ (Section 6.4)
- [ ] No data selling stated ✓ (Section 6.4)

#### Liability Limitations
- [ ] AS-IS disclaimer ✓ (Section 7.1)
- [ ] No SLA for uptime ✓ (Section 8.1)
- [ ] Liability capped at amount paid ✓ (Section 7.2)
- [ ] Excluded damages enumerated ✓ (Section 7.2)
- [ ] Exceptions for IP infringement ✓ (Section 7.2)

#### Dispute Resolution
- [ ] Governing law specified ✓ (Section 13.1)
- [ ] Arbitration process explained ✓ (Section 13.2)
- [ ] Class action waiver included ✓ (Section 13.3)
- [ ] Dispute notification procedure ✓ (Section 13.2)

#### Prohibited Uses
- [ ] Spam generation ✓ (Section 2.3)
- [ ] Deceptive SEO practices ✓ (Section 2.3)
- [ ] Cloaking, doorways, link schemes ✓ (Section 2.3)
- [ ] Unauthorized account sharing ✓ (Section 2.3)
- [ ] Reverse engineering ✓ (Section 2.3)

#### Account Termination
- [ ] User termination process ✓ (Section 9.1)
- [ ] RankWiz termination grounds ✓ (Section 9.2)
- [ ] Data handling on termination ✓ (Section 9.3)
- [ ] 30-day soft delete explained ✓ (Section 9.3)

---

### 2. Privacy Policy Review

#### Data Collection
- [ ] Account data collection disclosed ✓ (Section 2.1)
- [ ] Site connection data disclosed ✓ (Section 2.1)
- [ ] GSC data collection disclosed ✓ (Section 2.1)
- [ ] WordPress content access disclosed ✓ (Section 2.1)
- [ ] Audit logs with IP disclosed ✓ (Section 2.1)
- [ ] API keys collection disclosed ✓ (Section 2.1)
- [ ] Automatic data collection disclosed ✓ (Section 2.2)
- [ ] Third-party data disclosed ✓ (Section 2.4)

#### Processing Purposes
- [ ] Service provision ✓ (Section 3.1)
- [ ] Communication ✓ (Section 3.2)
- [ ] Service improvement ✓ (Section 3.3)
- [ ] Legal/security ✓ (Section 3.4)
- [ ] Legitimate interest ✓ (Section 3.5)

#### Legal Basis (GDPR)
- [ ] Service provision = contract ✓ (Section 4)
- [ ] Payment = contract + legitimate interest ✓ (Section 4)
- [ ] Security = legitimate interest + legal obligation ✓ (Section 4)
- [ ] Marketing = consent (opt-in) ✓ (Section 4)
- [ ] Analytics = legitimate interest ✓ (Section 4)

#### Third-Party Sharing
- [ ] Google (GSC) with OAuth tokens ✓ (Section 5.1)
- [ ] OpenAI with content + API key ✓ (Section 5.1)
- [ ] WordPress with content via REST API ✓ (Section 5.1)
- [ ] Stripe with payment data ✓ (Section 5.1)
- [ ] Hosting provider with all data ✓ (Section 5.1)
- [ ] Email service provider ✓ (Section 5.1)
- [ ] Analytics provider ✓ (Section 5.1)
- [ ] All via data processing agreements ✓ (Section 5.1)
- [ ] No data selling stated ✓ (Section 5.4)

#### Encryption & Security
- [ ] AES-256-CBC at rest ✓ (Section 6.1)
- [ ] TLS in transit ✓ (Section 6.2)
- [ ] Database encryption ✓ (Section 6.2)
- [ ] Security measures listed ✓ (Section 6.3)
- [ ] Security limitations disclosed ✓ (Section 6.4)

#### Data Retention
- [ ] GSC metrics: 90 days rolling ✓ (Section 7.1)
- [ ] WordPress snapshots: life of account ✓ (Section 7.1)
- [ ] Analysis data: life of account ✓ (Section 7.1)
- [ ] Audit logs: 30-90 days ✓ (Section 7.1)
- [ ] Stripe records: 7 years ✓ (Section 7.1)
- [ ] Soft delete: 30 days ✓ (Section 7.1)
- [ ] Deletions on termination ✓ (Section 7.2)

#### Data Subject Rights (GDPR)
- [ ] Right of access ✓ (Section 8.1)
- [ ] Right to rectification ✓ (Section 8.1)
- [ ] Right to erasure ✓ (Section 8.1)
- [ ] Right to restrict ✓ (Section 8.1)
- [ ] Right to portability ✓ (Section 8.1)
- [ ] Right to object ✓ (Section 8.1)
- [ ] Right to lodge complaint with DPA ✓ (Section 8.1)

#### Data Subject Rights (CCPA)
- [ ] Right to know ✓ (Section 8.1)
- [ ] Right to delete ✓ (Section 8.1)
- [ ] Right to opt-out ✓ (Section 8.1)
- [ ] Right to correct ✓ (Section 8.1)
- [ ] Right to limit use of sensitive PI ✓ (Section 8.1)
- [ ] Non-discrimination ✓ (Section 8.1)

#### Request Procedures
- [ ] Request submission method ✓ (Section 8.2)
- [ ] GDPR timeline (30 days, 60-day extension) ✓ (Section 8.3)
- [ ] CCPA timeline (45 days, 45-day extension) ✓ (Section 8.3)
- [ ] Exemptions explained ✓ (Section 8.4)
- [ ] Identity verification ✓ (Section 8.2)

#### International Transfers
- [ ] Data storage locations disclosed ✓ (Section 9.1)
- [ ] SCCs for non-adequate countries ✓ (Section 9.2)
- [ ] Supplementary safeguards ✓ (Section 9.2)
- [ ] User recourse ✓ (Section 9.3)

#### Cookies & Tracking
- [ ] Session cookies ✓ (Section 10.1)
- [ ] Authentication tokens ✓ (Section 10.1)
- [ ] Preference cookies ✓ (Section 10.1)
- [ ] Analytics cookies ✓ (Section 10.1)
- [ ] Third-party tracking disclosed ✓ (Section 10.2)
- [ ] Opt-out methods provided ✓ (Section 10.2)
- [ ] DNT signals respected ✓ (Section 10.3)

#### Breach Notification
- [ ] 72-hour notification (GDPR) ✓ (Section 12.1)
- [ ] Notification content ✓ (Section 12.1)
- [ ] Individual notification if high risk ✓ (Section 12.1)

#### Children's Privacy
- [ ] Not intended for under 16 ✓ (Section 11)
- [ ] Data deletion commitment ✓ (Section 11)
- [ ] Parent/guardian contact ✓ (Section 11)

---

### 3. Data Processing Agreement Review

#### Scope & Applicability
- [ ] Processor/controller relationship clear ✓ (Section 2)
- [ ] Applies to GDPR jurisdictions ✓ (Section 1)
- [ ] Processing activities enumerated ✓ (Section 2.1)
- [ ] Data categories listed ✓ (Section 2.2)
- [ ] Data subject categories listed ✓ (Section 2.3)

#### Processing Instructions
- [ ] Process only per instructions ✓ (Section 4.1)
- [ ] Exception for legal obligations ✓ (Section 4.1)
- [ ] Notification of legal demands ✓ (Section 4.1)
- [ ] No independent use ✓ (Section 4.1)

#### Confidentiality
- [ ] Personnel bound by confidentiality ✓ (Section 4.2)
- [ ] Access controls in place ✓ (Section 4.2)
- [ ] Off-boarding procedures ✓ (Section 4.2)

#### Sub-Processors
- [ ] Sub-processor list provided ✓ (Section 5.1)
- [ ] 30-day change notification ✓ (Section 5.2)
- [ ] Right to object to changes ✓ (Section 5.2)
- [ ] Termination right if concerns ✓ (Section 5.2)
- [ ] Written sub-processor agreements ✓ (Section 5.3)
- [ ] Processor remains liable ✓ (Section 5.3)

#### Data Subject Rights Assistance
- [ ] Access assistance ✓ (Section 6.1)
- [ ] Deletion assistance ✓ (Section 6.1)
- [ ] Portability assistance ✓ (Section 6.1)
- [ ] Restriction assistance ✓ (Section 6.1)
- [ ] Response timeline (5-15 days) ✓ (Section 6.2)

#### Security Measures
- [ ] Encryption in transit (TLS) ✓ (Section 7.1)
- [ ] Encryption at rest (AES-256) ✓ (Section 7.1)
- [ ] Access control (RBAC) ✓ (Section 7.1)
- [ ] MFA for admins ✓ (Section 7.1)
- [ ] Audit logging ✓ (Section 7.1)
- [ ] Intrusion detection ✓ (Section 7.1)
- [ ] Vulnerability management ✓ (Section 7.1)
- [ ] Business continuity ✓ (Section 7.1)
- [ ] Personnel security ✓ (Section 7.1)

#### Security Certifications
- [ ] SOC 2 Type II ✓ (Section 7.2)
- [ ] ISO 27001 ✓ (Section 7.2)
- [ ] Audit sharing ✓ (Section 9.2)

#### Breach Notification
- [ ] 24-hour notification to customer ✓ (Section 8.1)
- [ ] Breach investigation details ✓ (Section 8.1)
- [ ] Customer notification requirements ✓ (Section 8.2)
- [ ] Law enforcement cooperation ✓ (Section 8.1)

#### Audit Rights
- [ ] Audit information request ✓ (Section 9.1)
- [ ] On-site audit right ✓ (Section 9.1)
- [ ] Third-party auditor right ✓ (Section 9.1)
- [ ] SOC 2 satisfies audit requirement ✓ (Section 9.2)
- [ ] Annual audit commitment ✓ (Section 9.3)
- [ ] Cost allocation ✓ (Section 9.4)

#### Data Deletion
- [ ] 30-day soft delete ✓ (Section 10.1)
- [ ] Permanent deletion after 30 days ✓ (Section 10.1)
- [ ] Legal retention exceptions ✓ (Section 10.1)
- [ ] Deletion certification ✓ (Section 10.2)
- [ ] Data portability option ✓ (Section 10.3)

#### International Transfers
- [ ] SCCs for non-adequate countries ✓ (Section 11.1)
- [ ] UK addendum if applicable ✓ (Section 11.1)
- [ ] Supplementary safeguards ✓ (Section 11.2)
- [ ] Data minimization ✓ (Section 11.2)
- [ ] Transfer Impact Assessment available ✓ (Section 11.3)
- [ ] Transfer suspension provisions ✓ (Section 11.4)

---

### 4. Acceptable Use Policy Review

#### Permitted Uses
- [ ] SEO analysis permitted ✓ (Section 2)
- [ ] Content optimization permitted ✓ (Section 2)
- [ ] AI-assisted content creation permitted ✓ (Section 2)
- [ ] Content publishing permitted ✓ (Section 2)
- [ ] Performance tracking permitted ✓ (Section 2)

#### Prohibited Uses — Spam
- [ ] Low-quality content prohibited ✓ (Section 3.1)
- [ ] Keyword stuffing prohibited ✓ (Section 3.1)
- [ ] Content farms prohibited ✓ (Section 3.1)
- [ ] Autoblogging prohibited ✓ (Section 3.1)
- [ ] Scraped content prohibited ✓ (Section 3.1)

#### Prohibited Uses — Deceptive SEO
- [ ] Cloaking prohibited ✓ (Section 3.2)
- [ ] Doorway pages prohibited ✓ (Section 3.2)
- [ ] Link schemes prohibited ✓ (Section 3.2)
- [ ] Hacked content prohibited ✓ (Section 3.2)
- [ ] Negative SEO prohibited ✓ (Section 3.2)

#### Prohibited Uses — Illegal Content
- [ ] Illegal content prohibited ✓ (Section 3.3)
- [ ] Hate speech prohibited ✓ (Section 3.3)
- [ ] Harassment prohibited ✓ (Section 3.3)
- [ ] Child exploitation prohibited ✓ (Section 3.3)
- [ ] Self-harm content prohibited ✓ (Section 3.3)
- [ ] Misinformation prohibited ✓ (Section 3.3)
- [ ] Copyright infringement prohibited ✓ (Section 3.3)
- [ ] Privacy violation prohibited ✓ (Section 3.3)
- [ ] Malware/phishing prohibited ✓ (Section 3.3)

#### Prohibited Uses — Misrepresentation
- [ ] Impersonation prohibited ✓ (Section 3.4)
- [ ] Misleading authorship prohibited ✓ (Section 3.4)
- [ ] False endorsements prohibited ✓ (Section 3.4)
- [ ] Misleading health claims prohibited ✓ (Section 3.4)
- [ ] Misleading financial advice prohibited ✓ (Section 3.4)
- [ ] Misleading product claims prohibited ✓ (Section 3.4)

#### Prohibited Uses — Service Abuse
- [ ] Account sharing prohibited ✓ (Section 3.5)
- [ ] Credential harvesting prohibited ✓ (Section 3.5)
- [ ] API abuse prohibited ✓ (Section 3.5)
- [ ] System access prohibited ✓ (Section 3.5)
- [ ] Reverse engineering prohibited ✓ (Section 3.5)
- [ ] Vulnerability testing prohibited ✓ (Section 3.5)
- [ ] DDoS attacks prohibited ✓ (Section 3.5)
- [ ] Bot networks prohibited ✓ (Section 3.5)

#### Prohibited Uses — OpenAI BYOK
- [ ] Unauthorized API keys prohibited ✓ (Section 3.6)
- [ ] OpenAI policy violations prohibited ✓ (Section 3.6)
- [ ] Fraudulent account use prohibited ✓ (Section 3.6)
- [ ] Key compromise reporting required ✓ (Section 3.6)

#### Content Review Responsibility
- [ ] User responsible for review ✓ (Section 4.1)
- [ ] User responsible for fact-checking ✓ (Section 4.1)
- [ ] User responsible for plagiarism detection ✓ (Section 4.1)
- [ ] Publication checklist provided ✓ (Section 4.3)

#### Monitoring & Enforcement
- [ ] Automated monitoring disclosed ✓ (Section 6.1)
- [ ] Manual review disclosed ✓ (Section 6.1)
- [ ] Third-party reports handled ✓ (Section 6.1)
- [ ] Investigation process explained ✓ (Section 6.2)
- [ ] Notification before action ✓ (Section 6.2)
- [ ] Opportunity to respond ✓ (Section 6.2)

#### Enforcement Actions
- [ ] Progressive enforcement ✓ (Section 6.3)
- [ ] Immediate termination for severe violations ✓ (Section 6.3)
- [ ] Appeal right (30 days) ✓ (Section 6.5)
- [ ] Appeal process explained ✓ (Section 6.5)

---

## Customization Checklist

### Required Customizations

#### Terms of Service
- [ ] `[YOUR STATE/JURISDICTION]` — Governing law (Section 13.1)
- [ ] `[ARBITRATION RULES]` — JAMS, AAA, etc. (Section 13.2)
- [ ] `[JURISDICTION]` — Arbitration location (Section 13.2)
- [ ] `[DATE TO BE SET]` — Effective date
- [ ] Company email addresses: legal@rankwiz.ai, support@rankwiz.ai

#### Privacy Policy
- [ ] `[INSERT ANALYTICS TOOL]` — Which service (Section 2.3)
- [ ] `[INSERT OTHER THIRD-PARTY SERVICES]` — Services used (Section 2.3)
- [ ] `[INSERT CUSTOM DOMAIN]` — For white-label (if applicable)
- [ ] `[DATE TO BE SET]` — Effective date
- [ ] Company email: privacy@rankwiz.ai, dpo@rankwiz.ai (if applicable)
- [ ] Company mailing address
- [ ] DPA reference (if applicable)
- [ ] Data processing locations

#### Data Processing Agreement
- [ ] `[INSERT PRIMARY DATA CENTER LOCATION]` — AWS region, etc. (Section 5.1)
- [ ] `[INSERT BACKUP LOCATION]` — Disaster recovery region (Section 5.1)
- [ ] `[INSERT HOSTING PROVIDER]` — Cloud provider name (Section 5.1)
- [ ] `[INSERT LOCATIONS]` — Email/analytics provider locations (Section 5.1)
- [ ] `[INSERT JURISDICTION]` — Governing law (Section 16.2)
- [ ] `[DATE TO BE SET]` — Effective date
- [ ] Verify all sub-processors listed correctly

#### Acceptable Use Policy
- [ ] Review enforcement team contacts: abuse@rankwiz.ai, support@rankwiz.ai
- [ ] Verify appeal timeline (currently 30 days)
- [ ] Confirm suspension durations (currently 7–90 days)
- [ ] `[DATE TO BE SET]` — Effective date

### Optional Customizations

- [ ] Add jurisdiction-specific sections (GDPR, CCPA variants)
- [ ] Add industry-specific restrictions (healthcare, finance, gambling)
- [ ] Add referral/partner program terms (if applicable)
- [ ] Add API-specific terms (if offering API)
- [ ] Add white-label/reseller terms (if supporting partners)
- [ ] Add SLA commitment (currently "best effort")
- [ ] Add uptime/performance guarantees
- [ ] Add specific security standard requirements beyond SOC 2 Type II

---

## Compliance Verification

### GDPR (EU/EEA)
- [x] Data controller/processor relationship established
- [x] Legal basis for processing documented
- [x] Data subject rights procedures defined
- [x] Data subject rights timelines (30 days)
- [x] Breach notification (72 hours)
- [x] SCCs for non-adequate country transfers
- [x] Security measures documented
- [x] DPA cooperation procedures
- [x] Audit rights established
- [x] Data deletion on termination

### CCPA/CPRA (California)
- [x] Right to know procedure defined
- [x] Right to delete procedure defined
- [x] Right to opt-out procedures defined
- [x] Right to correct procedure defined
- [x] Right to limit sensitive PI defined
- [x] Non-discrimination statement included
- [x] Privacy notice provided
- [x] CCPA/CPRA timeline (45 days + 45-day extension)
- [x] Opt-in for marketing (for CA consumers)

### LGPD (Brazil)
- [x] Legal basis for processing identified
- [x] Data subject rights covered
- [x] Breach notification procedure
- [x] DPIA cooperation (if required)

### PIPEDA (Canada)
- [x] Consent-based framework acknowledged
- [x] Data subject rights procedures
- [x] Accountability principles

### Other Jurisdictions
- [x] PDPA (Singapore) — data protection principles
- [x] Privacy Act (Australia) — notifiable breaches
- [x] UK GDPR — post-Brexit compliance

---

## Final Legal Review Sign-Off

### Document Review Status
- [ ] Terms of Service reviewed
- [ ] Privacy Policy reviewed
- [ ] Data Processing Agreement reviewed
- [ ] Acceptable Use Policy reviewed
- [ ] README reviewed

### Approval Status
- [ ] Terms of Service approved for use
- [ ] Privacy Policy approved for use
- [ ] Data Processing Agreement approved for use
- [ ] Acceptable Use Policy approved for use

### Sign-Off
- [ ] General Counsel approval
- [ ] Compliance approval
- [ ] Privacy Officer approval (if applicable)
- [ ] Security Officer approval (if applicable)
- [ ] Executive approval

**Reviewed By**: _________________________ **Date**: ____________

**Approved By**: _________________________ **Date**: ____________

---

## Post-Review Action Items

1. **Customization** — Fill in all [INSERT ...] placeholders
2. **Localization** — Create jurisdiction-specific variants if needed
3. **Integration** — Publish documents on website and in product
4. **Training** — Brief support/legal team on policy terms
5. **Monitoring** — Set calendar reminders for annual policy reviews
6. **Updates** — Track regulatory changes and update as needed

