1. Scope and controller
This policy applies to Rankly websites, applications, APIs, reports, support, and related services operated by Cyberhusk. It covers account users, invited members, trial users, subscribers, website visitors, and people whose business contact details a customer submits for report delivery or support.
Customers are responsible for deciding whether they are authorized to submit client websites, prompts, report recipients, Search Console data, and other third-party information. For that customer-directed data, the customer may act as controller and Rankly processes the data to provide the service.
2. Information we collect
We collect account and workspace information such as name, email, verification status, role, organization name, authentication method, session and device details, IP address, security events, and notification preferences. Stripe and PayPal provide billing status, plan, customer and subscription identifiers, payment outcomes, and period dates; Rankly does not store full card or bank credentials.
- Project domains, brand names, markets, website crawl results, sitemap and robots findings, uptime and SSL checks.
- Keywords, SE Ranking metrics, Search Console clicks, impressions, CTR and average position, Google rank results and ranking URLs.
- Prompts, AI answers, citations, mentions, visibility aggregates, opportunities, content briefs, reports, and scheduled recipients.
- Team invitations, support tickets, attachment-safe metadata, administrative logs, job attempts, provider usage, error and delivery events.
- Marketing-site requests, cookies required for sessions and security, and limited diagnostics through Sentry when configured.
3. How information is obtained
Information comes directly from users, invited teammates, connected Google Search Console accounts, crawled public websites, and service providers used for measurement and billing. DataForSEO may supply domain-ranking keyword candidates when Search Console is unavailable. SE Ranking supplies keyword metrics. Bright Data supplies Google SERP and AI-result evidence. OpenRouter supports enrichment, prompt generation, classification, sentiment, and opportunity analysis.
4. Purposes and legal bases
We process information to create and secure accounts, verify email, provide subscriptions, enforce limits, run measurement and monitoring jobs, generate reports, deliver notifications, support customers, prevent abuse, reconcile billing, keep backups, diagnose failures, and meet legal obligations.
Depending on location and context, processing relies on performance of a contract, legitimate interests in operating and protecting Rankly, consent for optional Google Search Console access or non-essential communications, and compliance with legal obligations. Search Console access can be disconnected at any time.
5. Service providers and disclosures
Rankly discloses only the information reasonably necessary for providers to perform their role. Current provider categories include Google for identity and Search Console, DataForSEO for keyword discovery, SE Ranking for keyword metrics, Bright Data for rank and AI-result collection, OpenRouter for server-owned intelligence, Stripe and PayPal for billing, Resend for transactional email, Cloudflare Turnstile for abuse prevention, Sentry for error monitoring, and infrastructure, database, backup, and uptime-monitoring vendors.
We may also disclose information to professional advisers, authorities, or counterparties when required by law, needed to protect rights and safety, or involved in a legitimate business transaction with appropriate safeguards. We do not sell personal information or let customers supply provider API keys through Rankly.
6. Cookies and authentication
Rankly uses secure, HTTP-only session cookies and anti-forgery controls needed to authenticate users and protect mutations. OAuth state, PKCE verifiers, reset tokens, verification tokens, and invitation tokens are short-lived, single-use, or stored as hashes or encrypted secret references. Turnstile may process device and request signals to distinguish people from abusive automation.
7. Retention
Detailed tracking history is retained for 13 months. Raw provider payloads are retained for 90 days. Durable monthly and weekly aggregates remain while the account is active. Authentication, webhook, billing, support, and security records are retained as needed for the account relationship, fraud prevention, accounting, disputes, and legal obligations.
Canceled or unpaid workspaces may remain read-only for 30 days. A workspace-owner deletion request enters a 30-day recovery window before permanent deletion. Encrypted backups rotate on a limited schedule, so deleted information may persist temporarily in protected backup media until rotation, without being restored except for disaster recovery or legal necessity.
8. Security
Rankly uses encrypted server-managed OAuth secrets, restricted production environment files, role and workspace authorization, signed billing and provider callbacks, same-origin and CSRF controls, durable throttling, session revocation, structured logs without secrets, encrypted backups, and service health monitoring. Provider credentials are not returned to browsers or included in customer job payloads.
No security program eliminates all risk. Users should choose strong unique passwords, protect Google and billing accounts, review active sessions, limit team roles, and notify support promptly about suspected compromise.
9. International processing
Rankly and its providers may process information in countries other than the user's country. Where required, transfers rely on contractual safeguards, adequacy decisions, provider data-protection terms, or another lawful mechanism. Provider availability and data location can vary by market.
10. Your choices and rights
Users can manage profile details, email, password, devices, sessions, notification preferences, team access, Search Console connections, and report sharing from the application. Workspace owners can download a structured workspace export and schedule account deletion. Billing and essential account-security emails cannot be disabled.
- Depending on applicable law, individuals may request access, correction, deletion, restriction, portability, or objection, and may withdraw consent without affecting earlier lawful processing.
- Requests must be verified to protect the account and may be limited where another person's rights, legal retention, fraud prevention, or customer-controller instructions apply.
- People may complain to their local data-protection authority. We encourage contacting support first so the request can be investigated.
11. Children and sensitive information
Rankly is a business service and is not directed to children. Do not submit children's information, government identifiers, payment credentials, health information, or other sensitive personal information in prompts, tickets, reports, or project content unless it is lawful and strictly necessary for an authorized business purpose.
12. Policy updates
We may update this policy when the product, providers, retention practices, or legal requirements change. The effective date will be updated and material changes will be communicated where required. Earlier versions may be requested from support when available.