
GDPR Compliance

Last updated: November 13, 2025

This page outlines how Rank++ complies with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), United Kingdom, and Switzerland.

1. Our Commitment to GDPR

Rank++ is committed to protecting the privacy and security of your personal data in accordance with GDPR requirements. We have implemented appropriate technical and organizational measures to ensure compliance.

This document supplements our Privacy Policy and provides specific information for individuals in the EEA, UK, and Switzerland.

2. Data Controller

Rank++ Inc. is the data controller for the personal data we process. This means we determine the purposes and means of processing your personal data.

Data Controller: Rank++ Inc.

Contact Email: dpo@rankplusplus.com

Data Protection Officer: Available at dpo@rankplusplus.com

3. Legal Basis for Processing

We process your personal data under the following legal bases:

3.1 Contractual Necessity

Processing necessary to provide our services to you, including:

  • Creating and managing your account
  • Processing payments and subscriptions
  • Delivering AI visibility analysis and reports
  • Providing customer support

3.2 Legitimate Interests

Processing necessary for our legitimate business interests, including:

  • Improving and developing our services
  • Detecting and preventing fraud and security threats
  • Understanding user behavior to enhance user experience
  • Internal business analytics and reporting

3.3 Consent

Processing based on your explicit consent for:

  • Marketing communications and newsletters
  • Optional analytics and tracking cookies
  • Personalized content and recommendations

3.4 Legal Obligation

Processing required to comply with legal obligations, such as tax reporting, anti-money laundering requirements, and responding to lawful requests from authorities.

4. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

4.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this in a commonly used electronic format within 30 days.

4.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. You can also update most information directly in your account settings.

4.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain the data. Note that:

  • Account data is deleted 90 days after account closure
  • Billing records are retained for 7 years for tax compliance
  • Anonymized data may be retained for analytics

4.4 Right to Restriction of Processing

You can request that we limit how we use your personal data in certain circumstances, such as while we verify data accuracy or investigate a complaint.

4.5 Right to Data Portability

You can request a machine-readable copy of your data to transfer to another service. We provide data export functionality in your account settings.

4.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

4.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.

4.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights. EU/EEA supervisory authorities can be found at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

5. How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email us: Send a request to dpo@rankplusplus.com with "GDPR Request" in the subject line
  2. Specify your request: Clearly state which right you want to exercise and what action you want us to take
  3. Verify your identity: We may ask for identification to prevent unauthorized access
  4. Receive response: We will respond within 30 days (may be extended to 60 days for complex requests)

There is no charge for exercising your rights unless your request is manifestly unfounded or excessive.

6. International Data Transfers

We are based in the United States. When you use our Service from the EEA, UK, or Switzerland, your data is transferred to and processed in the US.

We ensure adequate protection for international transfers through:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all processors handling EEA data
  • Adequacy Decisions: We rely on EU Commission adequacy decisions where available
  • Data Processing Agreements: All third-party processors sign DPAs with GDPR requirements
  • Additional Safeguards: Encryption, access controls, and regular security audits

7. Data Processing Activities

We maintain records of our data processing activities as required by GDPR:

| Processing Activity | Purpose | Legal Basis |
|---|---|---|
| Account Management | Provide access to the Service | Contract |
| Payment Processing | Handle subscriptions and billing | Contract |
| Website Analysis | Provide AI visibility insights | Contract |
| Analytics | Improve Service performance | Legitimate Interest |
| Marketing | Send newsletters and updates | Consent |
| Security Monitoring | Prevent fraud and abuse | Legitimate Interest |

8. Data Retention Periods

We retain personal data only as long as necessary for the purposes outlined:

| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 90 days | Service provision |
| Billing Records | 7 years | Tax compliance |
| Website Audit Data | Subscription + 6 months | Service provision |
| Analytics Data | 24 months (anonymized) | Service improvement |
| Marketing Data | Until consent withdrawn | Marketing purposes |
| Support Messages | 3 years | Quality assurance |

9. Data Recipients

We share your personal data only with trusted processors who have signed Data Processing Agreements:

| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | USA | SCCs, Privacy Shield |
| Vercel | Hosting infrastructure | USA, EU | SCCs, DPA |
| PostHog | Analytics | USA, EU | SCCs, DPA |
| Resend | Email delivery | USA | SCCs, DPA |

We do not sell personal data to third parties.

10. Automated Decision-Making

We use automated processing to:

  • Calculate AI visibility scores based on your website content
  • Generate optimization recommendations
  • Detect potential security threats or fraud

These automated decisions do not produce legal effects or significantly affect you. They are used to provide insights and recommendations that you can choose to implement or ignore.

You have the right to request human review of any automated decision and to express your point of view.

11. Data Protection by Design and Default

We implement data protection principles in our Service design:

  • Data Minimization: We collect only data necessary for our services
  • Purpose Limitation: Data is used only for stated purposes
  • Storage Limitation: Data is deleted when no longer needed
  • Privacy by Default: Most privacy-friendly settings are default
  • Encryption: Data is encrypted in transit and at rest
  • Access Controls: Strict role-based access to personal data
  • Pseudonymization: Data is anonymized where possible

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours
  • We will notify affected individuals without undue delay
  • Notification will include the nature of the breach, potential consequences, and mitigation measures
  • We maintain incident response procedures and conduct regular drills

13. Children's Data

Our Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we learn we have collected data from a child without parental consent, we will delete it promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at dpo@rankplusplus.com.

14. Marketing Communications

We will only send marketing communications if you have:

  • Explicitly opted in to receive them
  • Provided your email in the context of a sale (soft opt-in, where permitted)

Every marketing email includes an unsubscribe link. You can also manage preferences in your account settings or contact us at marketing@rankplusplus.com.

15. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for any processing activities that may result in high risk to your rights and freedoms. This includes:

  • New features involving personal data
  • Use of new technologies
  • Large-scale processing of sensitive data
  • Automated decision-making with significant effects

16. Contact Our Data Protection Officer

For any questions about GDPR compliance or to exercise your rights:

Data Protection Officer

dpo@rankplusplus.com

Privacy Inquiries

privacy@rankplusplus.com

Response Time

We respond to GDPR requests within 30 days (may be extended to 60 days for complex requests with notification).

This GDPR compliance document should be read in conjunction with our Privacy Policy and Cookie Policy.