# Privacy Policy

Last Updated: February 26, 2026

## 1. Introduction

RankWiz AI ("Company," "we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, web application, API, WordPress plugin, and related services (collectively, the "Service").

Please read this Privacy Policy carefully. If you do not agree with our practices, do not use the Service.

This Privacy Policy applies to:
- Individuals who create accounts and use RankWiz AI ("Users")
- Individuals whose personal data is processed by RankWiz AI as a result of User activity (e.g., WordPress site editors, content viewers)

## 2. Information We Collect

### 2.1 Information You Provide Directly

**Account Registration:**
- Name
- Email address
- Password (hashed, not stored in plaintext)
- Organization/company name (optional)
- Phone number (optional)

**Profile and Settings:**
- Profile picture
- Billing address (if subscription active)
- Notification preferences
- Language and timezone preferences

**Site Connections:**
- WordPress site URLs and domain names
- Site names and descriptions
- Google Search Console property verification tokens (OAuth tokens)
- WordPress HMAC authentication secrets

**API Keys and Credentials:**
- OpenAI API key (encrypted at rest)
- Any other third-party API credentials you provide

**Content and Metadata:**
- WordPress posts, pages, and custom post types (title, URL, content, media, metadata)
- Custom instructions or prompts for AI-generated content
- Analysis parameters and preferences

**Support Communications:**
- Emails, support tickets, and chat messages when you contact our support team
- Attachments or files you upload with support requests
- Feedback, feature requests, and surveys

### 2.2 Information Collected Automatically

**Usage and Activity Data:**
- Pages visited, features accessed, actions taken within the Service
- Analysis runs, content generation requests, publishing events
- Search queries and filters applied
- Time spent in the Service, session duration, and navigation paths

**Device and Browser Information:**
- Device type, operating system, and browser type/version
- Internet Protocol (IP) address
- Browser language and timezone
- Unique device identifiers or mobile advertising identifiers

**Cookies and Tracking Technologies:**
- Session cookies (to maintain login state and session security)
- Authentication tokens (to verify you are logged in)
- Preferences cookies (to remember your settings)
- We use [INSERT ANALYTICS TOOL] for analytics; see Section 2.3

### 2.3 Third-Party Data Collection

**Google Analytics** (if enabled):
- Tracks website traffic, user behavior, and engagement metrics
- Processes personal data per Google's privacy policy
- You can opt out via the Google Analytics opt-out browser extension

**[INSERT OTHER THIRD-PARTY SERVICES]**:
- [DESCRIBE TRACKING OR ANALYTICS SERVICES]
- [DESCRIBE DATA FLOWS]

**OAuth Providers** (if social login enabled):
- If you authorize login via Google, GitHub, or similar, those providers process your account information per their privacy policies

### 2.4 Information from Third Parties

**Google Search Console:**
- When you authorize RankWiz AI via OAuth, we receive and store:
  - Your verified GSC properties and site metrics
  - Search performance data (impressions, clicks, position, CTR, devices, countries, queries)
  - Query and page-level analytics

**WordPress Sites:**
- When you connect your WordPress site via the HMAC plugin, we access and store:
  - All published posts, pages, and custom post types
  - Post metadata (author, publish date, categories, tags, featured image)
  - WordPress user and site configuration (for operational purposes only)

**Stripe** (if billing enabled):
- Billing name, email, address, and card information (tokenized; Stripe retains the actual card data)
- Billing and subscription events

**OpenAI:**
- When you generate content, OpenAI may retain usage metadata per their privacy policy; we do not process their responses for additional data collection

## 3. How We Use Your Information

### 3.1 Service Provision

We use your information to:
- Create and manage your account
- Authenticate your identity and authorize access to your sites and data
- Sync and display Google Search Console metrics
- Read and display WordPress content inventory
- Generate SEO recommendations and analysis
- Generate AI-powered content drafts
- Facilitate content publishing to your WordPress site
- Track analysis history and ROI metrics
- Maintain content snapshots and version history

### 3.2 Communication

We use your email address to:
- Send transactional emails (welcome, password reset, subscription confirmation, billing receipts)
- Notify you of service changes, maintenance, or outages
- Respond to support requests
- Send scheduled email digests or calendar reminders (if enabled)
- Announce new features or product updates
- Send marketing emails (with an unsubscribe option in every email)

You can manage communication preferences in your account settings.

### 3.3 Service Improvement and Analytics

We use anonymized and aggregated data to:
- Understand how users interact with the Service
- Identify bugs, performance issues, and security vulnerabilities
- Improve features and user experience
- Calculate usage trends, benchmarks, and industry patterns
- Conduct A/B testing and feature experiments
- Generate reports on service performance

This analysis uses aggregated data that does not identify you personally.

### 3.4 Legal Compliance and Security

We process your information to:
- Comply with legal obligations (taxes, law enforcement requests, regulatory inquiries)
- Enforce our Terms of Service and other agreements
- Protect against fraud, abuse, and unauthorized access
- Maintain audit logs for security and accountability
- Respond to data subject access requests under GDPR, CCPA, or other privacy laws
- Establish, exercise, or defend legal claims

### 3.5 Legitimate Interests

We process your information for our legitimate interests in:
- Preventing fraud and abuse of the Service
- Debugging and improving security
- Providing customer support
- Marketing our Service (for non-EU users; EU users are opted out unless they consent)
- Maintaining business records and compliance documentation

## 4. Legal Basis for Processing (GDPR)

If you are located in the EU/EEA, we process your personal data under the following legal bases:

| Processing Activity | Legal Basis |
|---|---|
| Account creation, authentication, service provision | Performance of contract (Terms of Service) |
| Payment processing | Performance of contract + legitimate interest |
| Security, fraud prevention, abuse detection | Legitimate interest + legal obligation |
| Compliance with law enforcement, regulatory requests | Legal obligation |
| Service improvement, analytics, A/B testing | Legitimate interest |
| Email marketing (if opted in) | Consent |
| Automated decision-making (e.g., recommendation scoring) | Legitimate interest + performance of contract |

You have the right to object to processing based on legitimate interest (see Section 8.1: Your Privacy Rights).

## 5. Data Sharing and Disclosure

### 5.1 Third-Party Service Providers

We share your information with service providers who process data on our behalf under written data processing agreements:

| Service | Data Shared | Purpose |
|---|---|---|
| **Google** (GSC API calls) | Your OAuth tokens, site domain | Retrieve search performance metrics |
| **OpenAI** | Page content, keywords, metadata, your OpenAI key | Generate AI-powered content drafts |
| **WordPress** (Your site via REST API) | Post content, metadata, your HMAC secret | Publish/update content on your site |
| **Stripe** | Billing name, email, address, tokenized payment info | Process subscriptions and payments |
| **Hosting Provider** (e.g., AWS) | All account and operational data | Host servers, store databases, provide infrastructure |
| **Email Service Provider** (e.g., SendGrid, Mailgun) | Name, email, content of transactional/marketing emails | Deliver transactional and promotional emails |
| **Analytics Provider** (e.g., Plausible, Mixpanel) | Anonymized usage data, IP address, device info | Analyze user behavior and service performance |
| **Customer Support Platform** (e.g., Zendesk, Intercom) | Email, name, support tickets, attachment contents | Manage customer support requests |

All service providers are contractually obligated to process data only for the purposes we specify and to maintain appropriate security.

### 5.2 Legal Obligations and Law Enforcement

We may disclose your information if required by:
- Court orders, subpoenas, or warrants
- Law enforcement agencies investigating criminal activity
- Regulatory bodies (FTC, state AGs, SEC, etc.)
- Suspected violations of law or these Terms

When legally possible, we will notify you of such requests.

### 5.3 Business Transfers

If RankWiz AI is acquired, merged, or substantially reorganized, your information may be transferred as part of that transaction. We will notify you of any material change in how your data is processed.

### 5.4 We Do Not Sell Your Data

We do not sell, rent, trade, or otherwise monetize your personal data to advertisers, brokers, or other third parties.

## 6. Data Encryption and Security

### 6.1 Encryption at Rest

Sensitive credentials are encrypted using AES-256-CBC encryption (Laravel's `encrypted` cast):
- Google OAuth tokens (access and refresh tokens)
- WordPress HMAC secrets
- OpenAI API keys
- Audit log IP addresses (if configured)

All other data is stored in encrypted database tables using database-level encryption (e.g., AWS RDS encryption, encrypted MySQL storage).

### 6.2 Encryption in Transit

All data transmitted between your browser/device and our servers is encrypted using TLS/HTTPS (minimum TLS 1.2). Unencrypted HTTP connections are redirected to HTTPS.

### 6.3 Security Measures

We implement:
- Firewalls and intrusion detection
- Rate limiting and DDoS protection
- Web application firewalls (WAF)
- Regular security audits and penetration testing
- Code scanning for vulnerabilities (SAST/DAST)
- Dependency scanning for vulnerable libraries
- Database activity monitoring and query logging
- Restricted access to production systems (least privilege)
- Audit logging of sensitive operations
- Multi-factor authentication for admin accounts

### 6.4 Security Limitations

While we implement industry-standard security, no system is completely secure. Risks include:
- Zero-day vulnerabilities in third-party software
- Insider threats or compromised employee accounts
- Physical attacks on data centers
- Sophisticated social engineering

You are responsible for:
- Protecting your password (strong, unique, never shared)
- Enabling multi-factor authentication on your account
- Monitoring for unauthorized access to your account
- Revoking API keys that are compromised or no longer needed
- Reporting security incidents to security@rankwiz.ai

## 7. Data Retention

### 7.1 Retention Schedule

| Data Category | Retention Period | Rationale |
|---|---|---|
| Account information (name, email, password hash) | Life of account + 30 days post-termination | Account operations; allows account recovery after accidental deletion |
| Google Search Console metrics | Configurable, default 90 days rolling | Rolling retention; older data auto-deleted to limit storage |
| WordPress content snapshots | Life of account | Version history and rollback capability |
| Analysis runs, findings, recommendations | Life of account | Ongoing analysis and ROI tracking |
| AI-generated drafts | Life of account or until manually deleted | User ability to reference or restore generated content |
| Audit logs | Daily pruning, default 30–90 days | Security and accountability; older logs auto-purged |
| Email communications (support tickets) | 1 year | Support history and dispute resolution |
| Stripe billing records | 7 years | Tax and accounting compliance |
| Soft-deleted sites and associated data | 30 days | Accidental deletion recovery; then permanent purge |

### 7.2 Data Deletion on Account Termination

When you terminate your account:
1. Your account is marked as soft-deleted
2. You lose access to the Service
3. Data remains in our database for 30 days (allowing account recovery)
4. After 30 days, all data associated with your account is permanently purged
5. Legal retention obligations may result in preservation of audit logs or transaction records

**Exception:** If your account is subject to a litigation hold or regulatory investigation, data may be retained longer per legal requirements.

### 7.3 User Deletion Rights

You can request deletion of specific data categories:
- Delete individual posts or analysis runs from within the Service
- Request a full account deletion (will trigger the 30-day soft-delete period)
- Request specific data deletion via data subject request (see Section 8)

## 8. Data Subject Requests (GDPR, CCPA, Other Privacy Laws)

### 8.1 Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

**EU/EEA (GDPR):**
- **Right of access**: Request a copy of all personal data we hold about you
- **Right to rectification**: Correct inaccurate or incomplete data
- **Right to erasure** ("right to be forgotten"): Request deletion of your data (with exceptions)
- **Right to restrict processing**: Limit how we use your data pending dispute resolution
- **Right to data portability**: Request your data in a structured, machine-readable format
- **Right to object**: Object to processing based on legitimate interest (e.g., marketing)
- **Right to lodge a complaint**: File a complaint with your data protection authority (DPA)

**California (CCPA/CPRA):**
- **Right to know**: Receive a copy of the categories and pieces of personal information we've collected
- **Right to delete**: Request deletion of personal information we've collected (with exceptions)
- **Right to opt-out**: Opt out of the sale or sharing of your personal information (we don't sell, but you can opt out of certain data uses)
- **Right to correct**: Request correction of inaccurate personal information
- **Right to limit use of sensitive personal information**: Limit our use of sensitive PI to necessary business purposes
- **Right to non-discrimination**: We will not discriminate against you for exercising these rights

**Other jurisdictions:**
- Check your local privacy laws for applicable rights (LGPD, PIPEDA, PDPA, Privacy Act, etc.)

### 8.2 How to Submit a Request

To exercise your rights, submit a request to privacy@rankwiz.ai with:
- Your name and email address
- The specific right you're exercising (access, deletion, portability, etc.)
- Description of the data or scope of the request
- Proof of identity (we may request verification to prevent unauthorized requests)

### 8.3 Response Timeline

We will respond to your request within:
- **GDPR**: 30 days (extendable by 60 days for complex requests); we will notify you of any extension
- **CCPA/CPRA**: 45 calendar days (extendable by 45 days with notice)
- **Other regulations**: Per applicable law

If we cannot fulfill your request (in whole or part), we will explain the legal basis for refusal.

### 8.4 Exemptions and Exceptions

We may refuse or delay a request if:
- Necessary to defend legal claims or comply with legal obligations
- Disclosure would violate another individual's privacy rights
- Data is subject to attorney-client privilege or litigation hold
- You cannot be properly identified
- The request is manifestly unfounded or excessive

## 9. International Data Transfers

### 9.1 Where Data Is Stored

RankWiz AI stores data primarily in [INSERT DATA CENTER LOCATION(S), E.G., "AWS US-EAST-1 AND EU-CENTRAL-1"]. By using the Service, you consent to the transfer of your data to these locations.

### 9.2 Transfers from EU/EEA

If you are located in the EU/EEA, we ensure appropriate safeguards for transfers outside the EEA:
- **Adequacy decisions**: For transfers to countries with EU adequacy decisions (e.g., Canada post Bill C-27)
- **Standard Contractual Clauses (SCCs)**: For transfers to other countries, we execute SCCs (2021 EU version) with data processors and sub-processors
- **Supplementary measures**: We implement technical, organizational, and contractual measures to address transfer risks

If transfers to certain countries are restricted due to regulatory developments (e.g., Schrems II), we will notify you and adjust our data processing.

### 9.3 Your Recourse

If you believe our data transfer mechanisms are inadequate, you may:
- Contact us at privacy@rankwiz.ai
- File a complaint with your data protection authority (DPA)

## 10. Cookies and Tracking Technologies

### 10.1 Types of Cookies We Use

| Cookie Type | Purpose | Duration | Opt-Out |
|---|---|---|---|
| **Session cookies** | Maintain login state, prevent CSRF attacks | Session (browser close) | Not recommended; breaks functionality |
| **Authentication tokens** | Verify you are logged in across page navigations | 30 days or until logout | Logging out clears token |
| **Preference cookies** | Remember your settings (dark mode, language, etc.) | 1 year | Clear browser cookies; resets to defaults |
| **Analytics cookies** | Track page views, user journey, event data | Per analytics provider (typically 1–2 years) | See Section 10.2 |

### 10.2 Third-Party Tracking

We use [INSERT ANALYTICS PROVIDER, E.G., "PLAUSIBLE, MIXPANEL, GOOGLE ANALYTICS"] to track user behavior. These providers may:
- Set cookies or identifiers on your browser
- Collect IP address, device info, and pages visited
- Transfer data internationally

You can opt out via:
- Their opt-out mechanisms (see their privacy policy)
- Browser privacy tools (DNT header; note: not all sites honor this)
- Disabling cookies in your browser settings (may degrade Service functionality)

### 10.3 Do Not Track (DNT)

We respect browser DNT signals, but note that many websites do not. We will honor DNT headers if you enable them in your browser settings.

## 11. Children's Privacy

RankWiz AI is not intended for children under 16 (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware a child has provided personal data, we will delete it promptly.

Parents or guardians concerned about their child's data may contact privacy@rankwiz.ai.

## 12. Data Breach Notification

### 12.1 Our Commitment

If we experience a confirmed personal data breach, we will:

1. **Investigate promptly**: Determine the scope, nature, and individuals affected
2. **Notify you and regulators**: Within 72 hours of discovering the breach (GDPR), notify:
   - Affected individuals (if high risk)
   - Supervisory authorities (GDPR)
   - Other regulators as required by law
3. **Provide transparency**: Explain what data was breached, what measures we're taking, and how you can protect yourself
4. **Preserve evidence**: Cooperate with law enforcement and regulators

### 12.2 What Constitutes a Breach

A breach is a confirmed incident where unauthorized individuals access, disclose, or alter personal data (e.g., hacking, employee theft, lost device, misconfiguration).

Data exfiltration that was immediately detected and remedied before exposure may not require notification if risk to individuals is low.

## 13. Policy Updates

We may update this Privacy Policy at any time. Material changes will be communicated via:
- Email notification to your registered address
- Banner on our website
- In-app notification

Non-material changes (e.g., clarifications, contact updates) take effect immediately. Material changes require 30 days' notice before taking effect.

Your continued use after the effective date constitutes acceptance. If you do not accept changes, you may terminate your account.

## 14. Contact Us

For privacy questions, data subject requests, or concerns:

**Privacy Team:**
Email: privacy@rankwiz.ai

**Data Protection Officer** (if applicable):
Email: dpo@rankwiz.ai

**Mailing Address:**
[INSERT COMPANY ADDRESS]

**Regulatory Complaints:**
- **EU/EEA**: Your country's data protection authority (DPA)
- **California**: California Privacy Protection Agency (CPPA)
- **Other**: Your state or country's privacy regulator

---

**Version 1.0** | Effective Date: [DATE TO BE SET]

