
Privacy Policy

Knut Nickol — rankmio.com  ·  Anne-Frank-Straße 7, 64807 Dieburg  ·  Last updated: April 2026

This privacy policy informs you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) about the processing of your personal data on the platform rankmio.com. Please read it carefully.

Note on processing of website content: Websites (URLs) entered or analyzed by users may contain content that includes personal data of third parties (e.g., names, contact details, or author information). This data is processed exclusively on behalf of the user and for the purpose of technical analysis. No content evaluation or use for other purposes takes place.

Note: Individual features can be activated or deactivated by the platform operator. Corresponding privacy sections appear or are hidden accordingly, as no data processing takes place for inactive features. The current version always reflects the actually active features.

No tracking. No marketing cookies.

Rankmio uses only technically necessary cookies (login session, CSRF protection, Cloudflare security). No Google Analytics, no Facebook Pixel, no Hotjar, no tracking whatsoever. Because these cookies are strictly necessary for the service you request, your consent is not required (§25(2) No. 2 TDDDG, formerly TTDSG); the associated processing is based on Art. 6(1)(f) GDPR.

Contents

1. Data Controller
2. Collected Data & Purposes
3. External Service Providers
4. Retention Periods & Deletion
5. Your Rights (Art. 15–22)
6. Cookies & Sessions
7. Technical Security
8. Data Transfers to Third Countries
9. Contact
10. Changes

1. Data Controller (Art. 13(1)(a) GDPR)

The party responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) and the BDSG (German Federal Data Protection Act) is:

Knut Nickol
Anne-Frank-Straße 7, 64807 Dieburg
Email: [email protected]
Web: https://rankmio.com

There is no legal obligation to appoint a Data Protection Officer (Section 38 BDSG). For data protection inquiries, please contact the data controller listed above directly.


1b. Role under GDPR (Data Controller / Data Processor)

Rankmio is the data controller within the meaning of Art. 4(7) GDPR for the processing of your master data, access data, and usage data (e.g., registration, login, subscription management).

Insofar as we process personal data in the course of your use of our platform on behalf of our users (e.g., when analyzing website content, using AI features, or retrieving Google Search Console data), we act as a data processor pursuant to Art. 28 GDPR. The respective user remains the data controller for the data they provide.

Data Processing Agreement (DPA)

If you process personal data of third parties using our platform, we are obligated to offer you a DPA pursuant to Art. 28 GDPR. You can conclude the DPA directly in your user profile with a single click and download it as a PDF.


2. Collected Data, Processing Purposes, and Legal Bases

We process personal data only to the extent necessary to provide our services or where you have given us your consent.

Balancing of Interests (Art. 6(1)(f) GDPR): Where we process data on the basis of a legitimate interest, this interest lies in the secure, stable, and efficient provision of our platform as well as in the prevention of misuse. We have verified that your interests, fundamental rights, and freedoms do not override our legitimate interest.

Automated Evaluations (Art. 22 GDPR): Our platform generates automated evaluations of websites (e.g., SEO scores, visibility indices, AI visibility scores). These evaluations serve exclusively for technical analysis and do not constitute legally binding decisions. Automated decision-making within the meaning of Art. 22 GDPR with legal effect does not take place.

Scoring methodology: Scores are calculated based on publicly available website data (page speed, meta tags, content structure, mobile-friendliness, security headers, etc.) using rule-based algorithms and, where applicable, AI-assisted text analysis. No personal data of the website operator flows into the score calculation. The weighting of individual factors is regularly reviewed and may be adjusted.

AI-generated recommendations: Action plans and optimization suggestions generated by AI serve exclusively as non-binding recommendations. They do not constitute automated decisions with legal or similarly significant effect. The user always decides independently whether and how to implement suggestions.

2.1 Registration and Login

When creating a user account, we process the following data:

  • First name and last name
  • Email address (also serves as the login name)
  • Password — stored exclusively as a cryptographic one-way hash (bcrypt, cost factor 12); the plaintext password is never stored and cannot be recovered from the hash
  • IP address at registration and login (for abuse detection and rate limiting)
  • Session cookie for authentication (see Section 6)

Purpose: Creation and management of the user account, authentication, communication regarding technical or contractual matters.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.2 Usage Data

With each page view, technical access data is collected:

  • IP address of the accessing device — automatically anonymized after 30 days at the latest and can no longer be attributed to a person thereafter
  • Page views, timestamps, browser and operating system used
  • Session data via a technically necessary session cookie

Purpose: Ensuring technical operation, detecting abuse and attacks (rate limiting), troubleshooting.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
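The 30-day IP anonymization described above can be implemented as a retention pass over the access log. The following is an added illustration, not Rankmio's code: it assumes log rows are dicts with an `ip` string and a `ts` timestamp, and it truncates IPv4 addresses to their /24 and IPv6 addresses to their /48 prefix (both widths are assumptions; the page only states that addresses are anonymized after 30 days). Truncation rather than deletion keeps coarse network-level statistics usable while removing the device-identifying host part.

```python
"""Retention pass that anonymizes IP addresses in access-log rows after 30 days.

Added example, not Rankmio's code. Rows are assumed to be dicts with an 'ip'
string and a timezone-aware 'ts' datetime; the /24 and /48 truncation widths
are assumptions made for this illustration.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)


def anonymize_ip(ip: str) -> str:
    """Zero the host part of an address.

    IPv4 keeps the /24 prefix, IPv6 the /48 prefix, so the result names a
    network, not a single device, and can no longer be attributed to a person.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_expired(rows: list[dict], now: datetime) -> list[dict]:
    """Return a copy of the rows in which every row at least RETENTION old has
    its IP replaced by the truncated form and is flagged; newer rows are kept
    unchanged so they remain usable for rate limiting and abuse detection."""
    out = []
    for row in rows:
        if now - row["ts"] >= RETENTION:
            row = {**row, "ip": anonymize_ip(row["ip"]), "anonymized": True}
        out.append(row)
    return out


if __name__ == "__main__":
    # Constructed sample rows (RFC 5737 / RFC 3849 documentation addresses).
    now = datetime(2026, 4, 30, 2, 0, tzinfo=timezone.utc)
    sample = [
        {"ip": "203.0.113.77", "ts": now - timedelta(days=40), "path": "/login"},
        {"ip": "2001:db8:abcd:1234::1", "ts": now - timedelta(days=31), "path": "/"},
        {"ip": "198.51.100.9", "ts": now - timedelta(days=5), "path": "/projects"},
    ]
    for r in anonymize_expired(sample, now):
        print(r["ip"], r.get("anonymized", False))
```

Run as the daily cleanup job (the page lists one at 02:00); because the pass is idempotent, re-running it over already-truncated rows changes nothing.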

2.3 Projects and Domains

To provide the analysis features, we process project-related data:

  • Project name and associated domain (URL)
  • Project settings (e.g., conversion rate, average order value)
  • Google Search Console property (if GSC connection is active, see Section 2.6)

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.4 Website Analysis

To provide SEO analysis features, we process:

  • URLs entered by you, which are transmitted to external APIs for analysis (Google PageSpeed Insights API)
  • PageSpeed results: performance, SEO, accessibility, and best practices scores (mobile and desktop), Core Web Vitals and Lighthouse lab metrics (LCP, FCP, TBT, CLS, SI, TTI, TTFB), page weight, optimization potentials
  • Crawler data: title tag, meta description, H1-H6 headings, HTTP status, redirect chain, final URL, robots.txt status, Schema.org markup
  • Calculated visibility index of the website
  • AI-generated recommendations (optional, on request — technical metrics are transmitted to the OpenAI API; no personal user data such as name or email address is transmitted, see note in Section 3)

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.5 Subpage Analysis

The subpage analysis enables targeted examination of individual pages of a website for performance, SEO, and technical aspects:

  • The full URL of the subpage to be analyzed
  • PageSpeed results (mobile & desktop): performance, SEO, accessibility, and best practices scores, Core Web Vitals, optimization potentials
  • Crawler data: title tag, meta description, H1-H6 headings, HTTP status, redirect chain, final URL, robots.txt status
  • Calculated visibility index of the subpage
  • Optional AI analysis: technical metrics are transmitted to the OpenAI API (no personal user data, see note in Section 3)

Results are stored in the database and automatically deleted after 90 days. Upon account or project deletion, all data is removed immediately.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.6 Keyword Hub and Google Search Console (optional)

Only when you actively establish the Google Search Console connection (via Google OAuth 2.0) do we process:

  • OAuth credentials for the Google connection — stored encrypted with AES-256-CBC
  • Google Search Console property (your assigned website address)
  • Aggregated search query data: search term (query), page URL, clicks, impressions, CTR, average position — these are exclusively anonymized, Google-aggregated metrics without any reference to individual searchers
  • Daily metrics (clicks, impressions, avg. position) for the last 90 days for trend graphs and trend detection (rising/falling badges)
  • Cannibalization detection: automatic identification of queries ranking on multiple pages

Keyword enrichment (optional): If you use the DataForSEO enrichment, keywords are transmitted to the DataForSEO API to supplement search volume, competition, and CPC data (see Section 3.5). No personal user data is transmitted.

You can disconnect the GSC connection at any time under Google Search Console → Disconnect, after which all OAuth tokens are immediately and irrevocably deleted. Already synchronized search query data is automatically deleted after 90 days or immediately removed upon account deletion.
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (performance of contract for the GSC analysis feature).

2.7 Opportunity Analysis and AI Action Plan

After each GSC data retrieval, Rankmio automatically calculates traffic potentials for your keywords. The aggregated GSC search query data (Section 2.6) is evaluated locally. No transmission to external services takes place.

AI action plan (optional): On request, the following data is transmitted to the OpenAI API — no personal user data (see Section 3):

  • Your project domain
  • Top 10 keywords from the opportunity analysis with: search term, avg. position, expected traffic gain (incl. confidence interval), confidence score, intent type, and automatically generated recommendation
  • Conversion rate and avg. order value (if provided, purely numeric)

Content brief (optional): On request, keyword, domain, avg. position, impressions, and intent type are transmitted to the OpenAI API. Results are not stored server-side (browser only).
Legal basis: Art. 6(1)(a) GDPR (consent through active triggering of the respective AI feature, e.g., clicking "Start analysis") and Art. 6(1)(b) GDPR (performance of contract).

2.8 Competitor Analysis

The competitor analysis area offers several features:

a) Quick comparison: Comparison of your website with a competitor URL based on publicly available data (PageSpeed, visibility, technical metrics). The competitor URL is transmitted to the Google PageSpeed Insights API.

b) Deep analysis: On request, up to 3 competitor domains are crawled, 50 to 100 pages per domain. For each crawled page, page title, H1-H6 headings, cleaned text excerpt (max. 300 characters), HTTP status, and URL path are captured. Technical page data is transmitted to the OpenAI API for comparative analysis. No personal user data is transmitted (see Section 3). A maximum of one deep analysis is retained per project.

c) Battle: Direct SEO and AI comparison between your website and a competitor URL with focus keyword and optional location. Crawled page data is transmitted to the OpenAI API. Max. 10 battles per user.

d) Sitemap monitor: Regular monitoring of competitor sitemaps for changes (new/removed pages). Only publicly accessible sitemap.xml files are retrieved.

None of the competitor features transmit personal user data to external services (see Section 3).
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest).

2.9 GEO Module — AI Visibility Analysis (optional)

The GEO module (Generative Engine Optimization) offers several AI-powered analysis features for optimizing your website for AI search engines. AI visibility data (e.g., citability score, entity coverage, AI visibility comparison) is calculated locally based on publicly available website data — no personal user data is transmitted to AI services (see Section 3). The following data is processed:

  • AI Visibility Audit: Your domain is crawled. For each page, URL, title, H1, text excerpt, HTTP status, Schema.org data, and freshness signals (Last-Modified, dateModified) are captured. Technical page data is transmitted to the OpenAI API for evaluating topic coverage and AI suitability.
  • Link analysis: Internal linking structure is analyzed locally — no external data transmission.
  • Citability check: Page text is transmitted to the OpenAI API to assess AI citability using a multi-level checklist. Results are not persistently stored.
  • Entity gap analysis: Own entities and up to 3 competitor URLs are crawled and transmitted to the OpenAI API. Results are not persistently stored.
  • Schema.org generator: Page data (URL, title, H1, text excerpt) is transmitted to the OpenAI API — generated JSON-LD is stored in the database.
  • AI Citation Tracking: Keywords are transmitted to the DataForSEO API to check for Google AI Overview citations. Results are stored in the database and deleted after 90 days.

The domain's robots.txt is analyzed to check AI crawler access. Max. 5 audits per project; older ones are automatically deleted. All GEO data is cleaned up after 90 days at the latest.
Legal basis: Art. 6(1)(a) GDPR (consent through active triggering of the respective GEO feature) and Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest).

2.10 Sitemap Hub (optional)

On request, you can run an AI-powered sitemap analysis for a project:

  • Your domain is crawled internally (internal pages only)
  • Per URL: HTTP status, page title (max. 80 chars), H1 (max. 80 chars), cleaned text excerpt (max. 300 chars), SHA1 hash of the text excerpt
  • Existing sitemap.xml (URL list and lastmod data) — read only

AI processing: Technical page data (URL path, title, H1, text excerpt) is sent in batches to the OpenAI API (GPT-4o-mini). The AI rates each URL as valuable or low-quality. An AI audit summary is also generated. No personal user data is transmitted (see Section 3).

Max. one analysis per project. All sitemap data is deleted after 90 days. Upon account or project deletion, all data is removed immediately.
Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interest).

2.11 robots.txt Tool (optional)

The following data is processed:

  • Editor: robots.txt content is stored as a version history (technical configuration data without personal reference)
  • Monitoring: If monitoring is enabled, your domain's robots.txt is regularly fetched (cron every 30 minutes) and compared with the previous version. Stored: domain URL, check interval, timestamp of the last check, SHA-256 hash of the file content
  • AI analysis (optional): robots.txt content is sent to the OpenAI API for evaluation and rule generation — no personal user data (see Section 3)

You are notified of detected changes. All robots.txt data is deleted upon project or account deletion.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.
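Hash-based change detection of the kind the monitoring feature describes needs only a stored fingerprint per domain, not a copy of every fetched file. The block below is an added example, not Rankmio's code: the HTTP fetch is left to the caller (the body is passed in as bytes, so the example runs offline), the state record mirrors the fields the page lists (domain URL, interval, timestamp, hash), and the line-ending normalization and rule diff are additions that show what a practitioner would want beyond a bare hash compare. The diff matters for alerting: a newly added `Disallow: /` blocks every crawler and should stand out from a cosmetic edit.

```python
"""SHA-256 change detection for a monitored robots.txt, with a rule-level diff.

Added example, not Rankmio's code. The fetch is supplied by the caller as
bytes; the state dict fields (url, interval_minutes, last_checked, sha256)
follow the fields the policy lists for the monitoring feature.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone


def fingerprint(body: bytes) -> str:
    """SHA-256 over the file content with CRLF normalized to LF.

    A server that rewrites line endings does not change rule semantics, so
    normalizing first avoids a false 'changed' notification.
    """
    return hashlib.sha256(body.replace(b"\r\n", b"\n")).hexdigest()


def rules(body: bytes) -> set[str]:
    """Directive lines (User-agent, Allow, Disallow, Sitemap, ...) stripped of
    comments and surrounding whitespace; used to explain what changed."""
    out = set()
    for raw in body.decode("utf-8", errors="replace").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.add(line)
    return out


def check(state: dict, body: bytes, previous_body: bytes | None, now: datetime) -> tuple[dict, dict | None]:
    """Compare a freshly fetched robots.txt with the stored fingerprint.

    Returns the updated state and, when a change was detected, a report with
    the added and removed directives. The first check only records a baseline.
    """
    new_hash = fingerprint(body)
    old_hash = state.get("sha256")
    new_state = {**state, "sha256": new_hash, "last_checked": now}
    if old_hash is None or old_hash == new_hash:
        return new_state, None
    old_rules = rules(previous_body) if previous_body is not None else set()
    new_rules = rules(body)
    report = {
        "url": state["url"],
        "added": sorted(new_rules - old_rules),
        "removed": sorted(old_rules - new_rules),
        # A bare 'Disallow: /' shuts out every crawler and deserves a louder alert.
        "blocks_all": "Disallow: /" in new_rules and "Disallow: /" not in old_rules,
    }
    return new_state, report


if __name__ == "__main__":
    # Constructed sample contents for a fictional domain.
    v1 = b"User-agent: *\nDisallow: /admin/\nSitemap: https://example.com/sitemap.xml\n"
    v2 = v1.replace(b"\n", b"\r\n")                     # same rules, CRLF endings
    v3 = b"User-agent: *\nDisallow: /\n# lockdown\n"      # blocks everything
    now = datetime.now(timezone.utc)
    state = {"url": "https://example.com/robots.txt", "interval_minutes": 30}
    state, report = check(state, v1, None, now)
    print("baseline recorded, report:", report)
    state, report = check(state, v2, v1, now)
    print("CRLF rewrite, report:", report)
    state, report = check(state, v3, v2, now)
    print("lockdown, report:", report)
```

Keeping the previous body is optional; without it the monitor can still report that the file changed, it just cannot say which directives moved.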

2.12 Content Optimizer & Page Analysis (optional)

On request, you can have existing texts or URLs analyzed and optimized:

  • The full URL (URL mode) or entered text (text mode)
  • Crawled page data: title, meta description, H1-H6 headings, word count, Schema.org markup, images (alt attributes and count only)
  • Structured page text for citation analysis (headings, paragraphs, lists)
  • Optional target keyword

AI processing: Technical page data is sent to the OpenAI API. The AI generates SEO optimization suggestions (title, meta description, heading structure, content strategy) and a citability rating based on a 12-point checklist. An optional HTML optimization suggestion may be generated. No personal user data is transmitted (see Section 3).

Results are stored in the database and automatically deleted after 90 days. Upon account or project deletion, all data is removed immediately.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

2.13 AI Answer Simulation (optional)

On request, you can simulate how AI systems (e.g., ChatGPT, Google AI) would cite your website content. Requests are sent to the OpenAI API or Claude API (Anthropic) depending on configuration. Only domain-related data (URLs, keywords, page titles, text excerpts) is transmitted — no personal user data.

  • Full URL of the page
  • Crawled page data: title, H1-H6 headings, text excerpt, Schema.org markup, word count
  • A user question (entered or auto-generated)
  • Optional: city and/or region for local relevance

Real web search: Via the OpenAI Responses API, a live web search may be performed. The user question is sent to the API, which independently searches the web and cites sources (URLs, titles). Citation URLs are compared locally with your URL.

Automatic question generation: Optionally, 5 relevant questions are generated from title and H1 (OpenAI API, no personal data).

Results are stored in the database (max. 10 per project, individually deletable) and automatically deleted after 90 days.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

2.14 Team Builder (optional)

When using the team feature, we process:

  • Team membership: assignment between team lead and members (user IDs, team name, invitation timestamp, status)
  • Email invitations: sent via our SMTP service (Strato) to the address provided by the lead
  • Project access: which members may access which projects (user ID, project ID, timestamp)
  • Credit pool: all credit deductions by a member are charged to the lead's balance. The transaction records which member triggered the action (triggered_by)
  • Lead/member roles: the lead manages branding, GSC tokens, and credits. Members automatically use the lead's OAuth connections — no separate tokens are created

The member only sees whether credits are available, not the lead's balance. Removing a member deletes their account and all associated data. Deactivated accounts are removed after 30 days.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

2.15 Credits and Paddle Payments

We process:

  • Current credit balance
  • Transaction history: timestamp, amount (credits), reason, reference ID, balance after transaction

Paddle payments: Paddle.com Market Ltd acts as Merchant of Record (MoR). On our side, we process only:

  • Paddle transaction IDs
  • Payment amount, currency, date, and status
  • Subscription status and duration for credit subscriptions

Card and bank details are entered directly with Paddle and are never collected or stored by us.
Legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR.

2.16 Email Delivery

For emails (rank alerts, team invitations, password reset, system notifications) we use Strato SMTP (smtp.strato.de).

Email transport is encrypted in transit (STARTTLS). Emails are not stored on our server after sending.
Legal basis: Art. 6(1)(b) GDPR.

2.18 Whitelabel Branding (optional)

Only when you set up the whitelabel feature:

  • Logo file (PNG or JPEG, max. 2 MB) — stored Base64-encoded and encrypted in the database
  • Company name / footer text (max. 30 characters)
  • Address, city, and country (for PDF reports)
  • Display preference (whether your login name appears in PDFs)
  • Timestamp of consent as proof per Art. 7(1) GDPR

Purpose: Branding data is used exclusively for generating personalized PDF reports. Branding data is not shared with third parties, not publicly accessible, and not used for advertising.

Revocation: You can delete your branding data at any time under Profile → Branding → Deactivate and delete branding. Upon account deletion, all branding data is immediately removed.
Legal basis: Art. 6(1)(b) and Art. 6(1)(a) GDPR.

2.19 Free SEO Check (public, no registration)

You can perform a free SEO and AI visibility check without registration:

  • IP address: stored for rate limiting (max. 1 check per IP per day)
  • URL: the website to be analyzed
  • Analysis results: SEO score, AI visibility score, 16 individual checks, meta information

The free check works purely algorithmically — no data is sent to external AI services. Analysis uses the internal crawler and Google PageSpeed Insights API. Data is deleted after 30 days.
Legal basis: Art. 6(1)(f) GDPR.

2.20 Rank Alerts and Email Notifications

When rank alerts are enabled:

  • Keyword (search query), current and previous Google position
  • Configured thresholds and change timestamps
  • Email notifications for significant ranking changes (via Strato SMTP, see Section 2.16)

Evaluation is performed entirely locally. Upon account deletion, all rank alert data is irrevocably removed.
Legal basis: Art. 6(1)(b) GDPR.

2.21 Keyword Cluster AI and Featured Snippet Optimizer

When using these AI features, the following is sent to the OpenAI API:

  • Keywords (search queries) and their positions
  • Domain of the analyzed website
  • Impressions and click data (aggregated)

Keyword cluster results are stored in the session only (not persistent). Featured snippet results are also not stored server-side.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

2.22 Site Audit (Action Items)

The site audit aggregates findings from all analysis tools into a prioritized action list. Only already collected data from the respective modules (Sections 2.4-2.11) is summarized. No additional data collection or external transmission occurs.

Optional AI-generated summaries and recommendations may be requested (OpenAI API, technical findings only).
Legal basis: Art. 6(1)(b) GDPR.

2.23 Notification System

Rankmio has an internal notification system (e.g., ranking changes, robots.txt changes):

  • Notification type, title, and optional message text
  • Creation timestamp and read status
  • Optional link to the affected page within the platform

Info notifications are hidden after 15 minutes. Persistent notifications remain until marked as read. No transmission to external services occurs. Upon account deletion, all notifications are immediately removed.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

2.24 AI Provider Settings

You can configure which AI providers (e.g., Claude, ChatGPT, Gemini, Perplexity, Google AI Overview) are displayed as active. A JSON configuration is stored in your user profile.

No personal user data is transmitted to AI providers simply because a provider is enabled. Data transmission occurs only upon active use of an AI feature.
Legal basis: Art. 6(1)(b) GDPR.

2.25 Asynchronous Processing (Background Jobs)

Some features are processed asynchronously. Temporarily stored:

  • Job type, status (running / complete / failed), input data, and result reference
  • Randomly generated security token
  • User and project assignment

Temporary job data is automatically deleted after 1 hour. No external transmission of job metadata.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

2.26 AI Assistant (Chat Agent)

Rankmio provides an AI-powered chat assistant that interprets your SEO and GEO analysis data:

  • Chat messages: your questions and AI-generated answers
  • Context data: project ID, selected page URL, existing analysis data (loaded from the database, not re-collected)
  • Briefing data: automatically compiled summary of your current SEO/GEO findings

Data transmission: Chat messages and context data are sent to the OpenAI API (model gpt-4o-mini). No personal data (name, email) is transmitted — only technical analysis data and your question.

Storage: Chat history is encrypted and automatically deleted after 90 days. Max. 20 messages per conversation are sent as context. Each session stores title, creation time, and last access. Individual sessions and messages can be deleted by the user at any time.
Legal basis: Art. 6(1)(a) and Art. 6(1)(b) GDPR.

2.27 Voice Input (Voice-to-Text)

The AI assistant optionally offers voice input:

  • Audio recording: temporary recording via browser microphone (only after actively pressing the mic button)
  • Transcribed text: the speech recognition result

Data transmission: Audio data is sent to the OpenAI Whisper API for transcription. This involves transfer to the USA (see Section 8).

Storage: The audio recording is deleted immediately after transcription and is never permanently stored on our server. Only the transcribed text remains as a chat message.
Legal basis: Art. 6(1)(a) GDPR.

2.28 Website Crawling & Headless Browser

For technical SEO analysis, Rankmio crawls user-registered websites:

  • HTML content: source code of crawled URLs
  • HTTP headers: status codes, redirects, content type
  • Performance data: load times, page weight
  • Structured data: meta tags, headings, internal links

Technology: For websites with enhanced protection (e.g., Cloudflare), a server-side headless browser (Puppeteer) is used. Both user-registered domains and publicly accessible competitor websites (Section 2.8) may be crawled.

Storage: Extracted analysis data is stored and subject to the regular retention period (180 days, see Section 4). Raw HTML content is discarded after data extraction.
Legal basis: Art. 6(1)(b) GDPR.

2.29 Semantic Content Search (Embeddings)

For context-based AI assistant search, website content is converted to numerical vectors (embeddings):

  • Input: text segments from crawled content (no personal user data, see Section 3)
  • Output: numerical vectors (1,536 dimensions) representing semantic meaning

Data transmission: Text segments are sent to the OpenAI Embeddings API. No personal user data is transmitted (see Section 3).

Storage: Vectors are stored in a vector database and completely removed upon account deletion. Vectors are not a readable representation of the text and cannot be directly converted back into the original wording.
Legal basis: Art. 6(1)(b) GDPR.

2.30 Feature Usage Log

For abuse prevention, credit billing, and rate limiting:

  • Feature identifier: internal name of the used function (e.g., "SEO analysis", "keyword search")
  • IP address: for rate limiting and abuse detection
  • User ID and project ID
  • Timestamp
  • Credit cost

Usage logs are automatically deleted after 90 days. Upon account deletion, all entries are immediately removed. No external transmission.
Legal basis: Art. 6(1)(f) and Art. 6(1)(b) GDPR.

2.31 Automated Background Processing (Cron Jobs)

Regular automated processes include:

  • GSC data synchronization
  • robots.txt monitoring (every 30 minutes)
  • Data cleanup (daily at 02:00)
  • Stale job cleanup (every 15 minutes)
  • Embedding synchronization
  • API health checks

All cron executions are logged internally (start, end, status, summary). These logs contain no personal user data and serve operational monitoring only.
Legal basis: Art. 6(1)(f) and Art. 6(1)(b) GDPR.

2.32 Personal Notes and Tasks

You can create notes and tasks (todos) within your projects:

  • Title, description, and status (open / completed)
  • Assignment to a project and optionally to a URL
  • Creation and update timestamps

Data is stored locally in the database only and not transmitted externally. Deleted upon project or account deletion.
Legal basis: Art. 6(1)(b) GDPR.

2.33 Keyword Tracking (manual)

In addition to GSC-imported keywords, you can manually create keywords and track their SERP position:

  • Keyword (search term), target URL, current and historical Google position
  • Search volume and competition data (via DataForSEO enrichment, Section 3.5)
  • Project assignment and timestamp

Deleted upon project or account deletion.
Legal basis: Art. 6(1)(b) GDPR.

2.34 Content Studio (optional)

The Content Studio enables AI-supported content creation based on your brand documents. The following data is processed:

  • Document uploads: PDF, DOCX, or TXT files that you actively upload. Files are stored on our server (Hetzner, Frankfurt). Text content is extracted, split into segments, and converted into numerical vectors (embeddings) via the OpenAI Embeddings API
  • URL imports: Public URLs that you provide are crawled (CrawlerService), text content is extracted and embedded analogously to document uploads
  • Content Briefs: Topic, keywords, and persona data are sent to the OpenAI API for brief generation. The brief is enriched with brand context retrieved via vector search from your uploaded documents
  • Persona generation: Your uploaded brand documents are analyzed via the OpenAI API to identify buyer personas (target audience profiles)
  • Content generation: The content brief, brand context, and selected persona are sent to the OpenAI API to generate article drafts
  • Citability check: Generated text is analyzed both locally (algorithmic checks) and via the OpenAI API (AI-based evaluation)
  • Own API key: Users can optionally store their own OpenAI API key. The key is encrypted with AES-256-CBC and stored on our server. When using your own key, content is processed directly through your personal OpenAI account. The key is stored exclusively server-side and is not shared with third parties
  • AI text optimization: Selected text is sent to the OpenAI API for optimization (5 modes: SEO, readability, shorten, expand, citability). HTML formatting is included
  • Content gap analysis: Matching editor text against competitor data happens locally in the browser. AI paragraph generation sends the gap topic to the OpenAI API
  • Keyword extraction from editor: When no URL is available, editor text is sent to the server for keyword analysis (no external API, local processing)

Data transmission: Only extracted text content is sent to the OpenAI API. No personal user data (name, email, IP address), no file metadata (file name, creation date, author), and no original files are transmitted. OpenAI does not use API data for model training (no-training endpoint). When using your own API key, data is transmitted directly through your personal OpenAI account; OpenAI's own privacy policy applies additionally.

Storage: Uploaded documents are stored on the Hetzner server in Frankfurt. Embeddings are stored in the PostgreSQL vector database (pgvector). Generated content (briefs, personas, articles) is stored in the database. All data is completely removed upon project or account deletion.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) GDPR (consent through active use of AI generation features).

2.35 Visibility Index (optional)

The Visibility Index calculates a composite score (0-100) for your own or external websites. The following data is processed:

  • Own website: Keyword rankings and traffic data from your Google Search Console connection (Section 2.6) are used locally. No additional external API calls are made. This scan is free of charge
  • External websites: The domain is transmitted to the DataForSEO API (Section 3.5) to retrieve ranked keyword data (keyword, position, search volume, estimated traffic value). No personal user data is transmitted
  • AI citability check (optional): A URL is transmitted to the OpenAI API for a citability assessment. No personal user data is transmitted (see note in Section 3)

Scan results (score breakdown, keyword data, traffic estimates) are stored in the database per project and user. Historical scans are retained for progress tracking. All data is removed upon account or project deletion.
Legal basis: Art. 6(1)(b) GDPR (contract performance).

2.36 User Feedback Form

Logged-in users can send feedback to the team via a discreet form (sidebar link). The following data is processed:

  • Category (bug, feature wish, praise, question, other) and free-text message (5–5000 characters)
  • The user's account name and email address are automatically included so we can reply if needed
  • User-ID for internal attribution
  • Timestamp of submission

The feedback is sent by email to the operator's inbox via Strato SMTP (Section 2.16). No transfer to external AI providers takes place, and the feedback is not stored in our database.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR (legitimate interest in product improvement).

Purpose limitation: We process your personal data exclusively for the purposes stated in this section. No processing for other purposes takes place (Art. 5(1)(b) GDPR).


3. External Service Providers and Processors

Your personal data is shared with third parties only as described below. No data is shared for advertising purposes. In no case are user identifiers (name, email, IP address) transmitted to the following AI service providers. All AI requests use no-training API endpoints — submitted data is not used to train the providers' models.

Processor note (Art. 28 GDPR): We have concluded Data Processing Agreements (DPAs) with all listed external service providers.

Note on "no personal data": When we state that "no personal data" is transmitted, this refers to user identifiers. Publicly available website content may occasionally contain third-party personal data (e.g., author names in URLs). Such data originates from public sources and is processed exclusively for technical analysis.

3.1 Google (PageSpeed API, OAuth 2.0, Search Console, Gemini)

a) PageSpeed Insights API: URLs are transmitted for performance analysis. No personal user data is shared.

b) Google OAuth 2.0: Only when you actively connect a Google service. Only necessary permissions are requested.

c) Google Search Console API: Retrieval of search query data.

  • Recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Privacy: policies.google.com/privacy
  • Transfer: USA/EU; EU-US Data Privacy Framework + SCC

Legal basis: Art. 6(1)(b) GDPR.

3.1b Google Gemini (independent AI provider)

Used as an independent AI provider for analysis features. Gemini operates independently from Google Search and OAuth services.

Affected features: AI answer simulation (Section 2.13), GEO module (Section 2.9), Content Optimizer (Section 2.12), Competitor Analysis (Section 2.8) — only when Gemini is configured as active provider.

Transmitted data: Technical page data only (URLs, titles, headings, text excerpts, Schema.org markup), SEO metrics, keywords, domain names. No personal user data is transmitted.

  • Recipient: Google Ireland Limited
  • Privacy: ai.google.dev/terms
  • Transfer: USA/EU; EU-US Data Privacy Framework + SCC
  • Gemini API does not use inputs for model training by default

Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

3.2 OpenAI (GPT-4o-mini, Responses API)

Used for numerous AI features. No personal data is transmitted. Only:

  • Technical page data
  • SEO metrics
  • Keywords and domain names
  • Industry names
  • robots.txt content

Affected features: AI recommendations, action plans, content briefs, sitemap hub, keyword clusters, snippet optimizer, GEO module, content optimizer, AI answer simulation, competitor analysis, robots.txt analysis, industry rating.

  • Recipient: OpenAI, Inc., San Francisco, CA 94110, USA
  • Privacy: openai.com/privacy
  • Transfer: USA; SCC per Art. 46(2)(c) GDPR
  • OpenAI does not use API inputs for training by default

Note on OpenAI log retention (as of April 2026): In the US litigation The New York Times Co. v. OpenAI, a US federal court in May 2025 issued a preliminary injunction requiring OpenAI to retain all "output log data" (entered prompts and generated responses) until further notice — even when EU customers request deletion under GDPR. These logs are outside the operator's control. The chat histories and analyses stored in our database continue to be deleted after 90 days (see Section 4); however, control over OpenAI's logs lies exclusively with OpenAI itself, in accordance with their privacy policy. We recommend refraining from using AI features for highly sensitive content or using your own OpenAI API key (with your own data settings).

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

3.3 Anthropic (Claude)

Used for selected AI features (competitor insights, GEO module, sitemap audit, AI answer simulation). Only technical page data is transmitted — identical to OpenAI data categories. No personal data is transmitted.

  • Recipient: Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA
  • Privacy: anthropic.com/privacy
  • Transfer: USA; SCC
  • Anthropic does not use API inputs for training by default

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

3.4 Perplexity (AI with web search)

Used for selected AI features (AI answer simulation, research). Only technical page data and search queries are transmitted.

Web search note: Unlike other AI providers, Perplexity independently performs web searches to include current information. The submitted query (e.g., domain name, keyword) is used for internet searches. Rankmio has no control over which external sources Perplexity retrieves.

Affected features: AI answer simulation (Section 2.13), GEO module (Section 2.9), Content Optimizer (Section 2.12) — only when Perplexity is active.

  • Recipient: Perplexity AI, Inc., San Francisco, CA, USA
  • Privacy: perplexity.ai/privacy
  • Transfer: USA; SCC

Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

3.5 DataForSEO

Used for two features:

a) Keyword enrichment: keywords are transmitted to retrieve search volume, competition, and CPC data. No personal user data is transmitted.

b) AI Citation Tracking: keywords are transmitted to check for Google AI Overview citations. Location (Germany) and language (German) are sent as parameters. Results are stored in the database and deleted after 90 days.

Legal basis: Art. 6(1)(b) GDPR.

3.5b Wikidata / Wikipedia (sameAs Schema Enrichment)

When generating Schema.org markup (in the Schema Generator and Content Studio), Rankmio automatically enriches the JSON-LD with sameAs references to Wikidata and Wikipedia. This is one of the strongest signals for AI search engines to disambiguate entities correctly.

  • Transmitted data: entity name + short context string (e.g., page topic) for the matching query — no personal user data
  • Caching: 30-day file cache to minimize API calls
  • Recipient: Wikimedia Foundation, Inc., San Francisco, CA, USA
  • Privacy: meta.wikimedia.org/wiki/Privacy_policy
  • Wikidata is a publicly accessible knowledge graph; queries are anonymous and not linked to user identities.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in semantic-web optimization).

3.6 Paddle (Payment Processing)

Paddle.com Market Ltd acts as Merchant of Record.

  • Recipient: Paddle.com Market Ltd, London EC1V 8BT, UK
  • Privacy: paddle.com/legal/privacy
  • Transfer: UK; EU adequacy decision per Art. 45 GDPR

Legal basis: Art. 6(1)(b) GDPR.

3.6b Cloudflare (Turnstile Captcha)

On the registration form (/register), Rankmio uses Cloudflare Turnstile as a privacy-friendly captcha to protect against automated bot registrations.

  • Transmitted data: Visitor IP address, browser fingerprint signals (TLS, headers, JS environment), challenge token. No tracking cookies are set; Turnstile uses ephemeral session signals.
  • Recipient: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA
  • Privacy: cloudflare.com/privacypolicy
  • Transfer: USA; EU-US Data Privacy Framework (Cloudflare is DPF-certified) + Standard Contractual Clauses
  • Turnstile is loaded only on the registration page and not on logged-in pages.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in spam/bot prevention). A data processing agreement pursuant to Art. 28 GDPR is in place with Cloudflare.

3.7 Hetzner (Hosting)

All data is stored and processed exclusively in Germany. No third-country transfer.
Legal basis: Art. 6(1)(b) GDPR with Art. 28 GDPR.

3.8 Strato (Email SMTP)

Email transport is encrypted (STARTTLS). All data remains in Germany.
Legal basis: Art. 6(1)(f) GDPR with Art. 28 GDPR.

3.9 Changes to Sub-Processors

Notification and objection right: If we add or replace a sub-processor listed in this section, we will inform affected users in advance by email or in-app notification at least 30 days before the change takes effect.

You have the right to object to the change within the 30-day notice period. If we cannot resolve your objection reasonably, you may terminate the contract extraordinarily with immediate effect and request deletion of all your data.

This procedure ensures that your rights under Art. 28(2) and (4) GDPR regarding sub-processor changes are fully safeguarded.


4. Data Storage and Retention Periods

We store personal data only as long as necessary for the respective processing purpose or as required by law. Automatic data cleanup runs daily (02:00).

Data Category | Retention Period | Deletion Trigger
User account (profile data) | Until account deletion by user | Active deletion in profile
IP addresses (access log) | Anonymized after 30 days | Automatic via cron
Analysis results (website, subpages, AI recommendations) | 90 days | Automatic via cron
GSC search queries and daily values | 90 days | Automatic via cron or account deletion
Opportunity scores (traffic potentials) | 90 days | Automatic via cron or account deletion
GEO audit results | 90 days, max. 5 audits per project | Automatic via cron or project/account deletion
AI Citation Tracking results | 90 days | Automatic via cron or account deletion
Content optimizer results | 90 days | Automatic via cron or project/account deletion
AI answer simulations | 90 days, max. 10 per project | Automatic via cron or project/account deletion
Sitemap analysis results | 90 days, max. 1 per project | Automatic via cron or project/account deletion
Competitor deep analysis | 90 days, max. 1 per project | Automatic via cron or project/account deletion
Competitor battle results | Max. 10 per user | Automatic (FIFO on overflow) or account deletion
Cached API data | 30 days | Automatic via cron
Free SEO check (IP, URL, scores) | 30 days | Automatic via cron
OAuth tokens (GSC) | Until disconnected | Manual or account deletion
Rank alert data | Until account deletion | Manual or account deletion
robots.txt versions and monitoring | Until project or account deletion | Manual or project/account deletion
Team memberships | Until removal or account deletion | Manual (lead removes member) or account deletion
Credit transactions (history) | Until account deletion | Account deletion; tax records: 10 years
Payment receipts (Paddle transaction log) | 90 days operational, then legal retention | Tax retention: 10 years
Branding data (logo, company name, address) | Until active deletion | Manual (Profile → Deactivate branding) or account deletion
AI action plan text | Until account deletion | Overwritten on recreation; removed on account deletion
Content briefs, keyword clusters | No server-side storage | Browser session only
Background job data (temporary) | Max. 1 hour | Automatic deletion
Notifications | Info: 15 min; persistent: until read | Automatic or manual; immediately on account deletion
Session cookie | Until browser session ends | Automatic on browser close
Chat agent history | 90 days | Automatic deletion; immediately on account deletion
Voice input (audio) | No storage | Deleted immediately after transcription
Website crawl data | 180 days | Automatic deletion; immediately on account deletion
Crawled page content | 180 days | Automatic deletion; immediately on account deletion
Internal link structure | Until next analysis or project deletion | Overwritten on re-analysis; immediately on account deletion
Sitemap URLs (crawl results) | 90 days, max. 1 crawl per project | Automatic via cron or project/account deletion
Keyword tracking data (manual) | Until project or account deletion | Manual or project/account deletion
Feature usage log | 90 days | Automatic via cron or account deletion
Personal notes and tasks | Until project or account deletion | Manual or project/account deletion
Subscription status (Paddle) | Until account deletion | Account deletion; tax data: 10 years
Cron job logs (operations monitoring) | 30 days | Automatic via cron
Embeddings (vectors) | Until account deletion | Completely removed on account deletion

Retention explanation: The different periods arise from processing purposes: 90 days for analysis results (sufficient for trends), 30 days for IP addresses and caches (abuse prevention), 180 days for crawl data (long-term change analysis), 10 years for tax-relevant records (legal requirement per § 147 AO). Data without a fixed period is retained until actively deleted by the user.

After retention periods expire, data is automatically deleted or irreversibly anonymized.


5. Your Rights as a Data Subject (Art. 15-22 GDPR)

5.1 Right of Access (Art. 15 GDPR)

You have the right to request information about your stored personal data at any time.

5.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction or completion of your data. You can edit your profile data directly under Profile.

5.3 Right to Erasure (Art. 17 GDPR)

You have the right to deletion ("right to be forgotten"). You can delete your account and all associated data under Profile → Delete account.

5.4 Right to Restriction (Art. 18 GDPR)

You can request that processing of your data be restricted.

5.5 Right to Data Portability (Art. 20 GDPR)

You can export all your stored data as a JSON file under Profile → Export data.

5.6 Right to Object (Art. 21 GDPR)

Your Right to Object

You have the right to object at any time to the processing of your personal data based on Art. 6(1)(f) GDPR (legitimate interest), for reasons arising from your particular situation.

In the event of a justified objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests (Art. 21(1) sentence 2 GDPR).

Send your objection to: [email protected]

5.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You may withdraw consent at any time with future effect — in your profile settings, by not using the respective feature, or by email.

5.8 Right to Complain (Art. 77 GDPR)

The competent supervisory authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden
Tel: +49 611 1408-0
Email: [email protected]
Web: datenschutz.hessen.de

5.9 Data Breach Notification (Art. 33, 34 GDPR)

In case of a data breach:

  • Notification to the supervisory authority within 72 hours (Art. 33)
  • Notification to affected persons if high risk (Art. 34)
  • Documentation of every breach

Contact us at [email protected] if you suspect a breach.


6. Cookies and Session Management

We use only technically necessary cookies. No tracking, analytics, or marketing cookies are used.

6.1 Cookies Used

Cookie Name | Type | Purpose | Duration
rankmio_session | Session cookie | Authentication and session management (HttpOnly, SameSite=Lax) | Until browser session ends

Since only technically necessary cookies are used, no cookie consent banner is required.
Legal basis: Art. 6(1)(f) GDPR with § 25(2)(2) TTDSG.


7. Technical and Organizational Measures (TOMs)

Per Art. 32 GDPR:

  • Transport encryption: HTTPS/TLS (TLS 1.2/1.3)
  • Password security: bcrypt (cost factor 12)
  • Encryption of sensitive data: AES-256-CBC
  • SQL injection protection: PDO Prepared Statements
  • CSRF protection: cryptographic tokens
  • Rate limiting: IP-based
  • IP anonymization: after 30 days
  • Automatic data deletion: daily cron job
  • Firewall: only necessary services (HTTP/HTTPS) are permitted
  • Access controls: role-based (Visitor, Basis, Pro, Admin, Credits)
  • Webhook verification: HMAC signature verification
  • Server location: Nuremberg, Germany (Hetzner)
  • Access restriction: need-to-know principle
  • Secure storage of credentials: API keys and other secrets are kept exclusively in encrypted form and are not accessible via the web
  • Intrusion prevention & brute-force protection: Automatic blocking of suspicious IP addresses on repeated failed login or probe attempts
  • Audit logging: Security-relevant events are logged and retained for review in case of suspicion (Art. 32(1)(d) GDPR — regular review)
  • Bot/captcha protection: Privacy-friendly captcha protection on the registration page against automated mass sign-ups (see Section 3.6b)
  • Multi-layer backup strategy: Daily automated backups across multiple layers, including encrypted offsite backup in a separate data center for rapid availability restoration (Art. 32(1)(c) GDPR)
  • Email authenticity: SPF, DKIM, and DMARC are fully configured for the domains used to prevent phishing under our sender address

8. Data Transfers to Third Countries (Art. 44 ff. GDPR)

For some of the services we use, data is transferred to countries outside the EU/EEA (particularly the USA). We ensure that these transfers are based on appropriate safeguards:

Recipient | Country | Guarantee per Art. 46 GDPR
Google LLC (PageSpeed API, OAuth, Search Console) | USA/EU | EU-US Data Privacy Framework + SCC
Google Gemini (AI provider) | USA/EU | EU-US Data Privacy Framework + SCC
OpenAI, Inc. (GPT-4o-mini, Responses API) | USA | Standard Contractual Clauses (SCC)
Anthropic, PBC (Claude) | USA | Standard Contractual Clauses (SCC)
Perplexity AI, Inc. | USA | Standard Contractual Clauses (SCC)
DataForSEO, Inc. | USA/Ukraine | Standard Contractual Clauses (SCC)
Cloudflare, Inc. (Turnstile Captcha) | USA | EU-US Data Privacy Framework + SCC
Wikidata / Wikimedia Foundation (sameAs lookup) | USA | Public knowledge graph API; no personal data transmitted
Paddle.com Market Ltd | UK | UK adequacy decision (Art. 45 GDPR)
Hetzner Online GmbH (Hosting) | Germany | No third-country transfer — data remains in the EU
STRATO AG (Email SMTP) | Germany | No third-country transfer — data remains in the EU

Note on the Schrems II ruling (CJEU, Case C-311/18) and current legal status: The EU-US Data Privacy Framework took effect with the EU Commission's adequacy decision of 10 July 2023. In September 2025, the General Court of the European Union (EU, Case T-553/23) dismissed an action against the DPF and confirmed the protection level as "essentially equivalent" to the EU level. A renewed challenge (in particular by NOYB) is possible; we monitor the situation continuously. Despite these safeguards, a residual risk remains that US authorities could access transferred data based on US law (particularly FISA Section 702, Executive Order 12333). We have implemented appropriate safeguards and conducted a risk assessment (Transfer Impact Assessment). The risk is rated as low, since no user identifiers (name, email, IP address) are transmitted to the listed US service providers — only technical website analysis data without direct personal reference.

Supplementary protective measures: data minimization (only data necessary for the analysis purpose), pseudonymization (no user identifiers in API requests), transport encryption (TLS 1.2/1.3), contractual assurances from providers (no use of API inputs for model training).

Upon request, we will gladly provide information about the specific safeguard mechanisms and our risk assessment.


9. Contact for Privacy Matters

For questions about data protection, to exercise your rights, or for any other privacy-related concerns, please contact:

Knut Nickol
Anne-Frank-Strasse 7, 64807 Dieburg, Germany
Email: [email protected]

We generally respond to inquiries within 30 days. For complex or multiple requests, this period may be extended by a further two months (Art. 12(3) GDPR). To clearly identify your request, please provide your registered email address.


10. Changes to This Privacy Policy

We reserve the right to update this privacy policy when our services change or new legal requirements arise. The current version is always available at rankmio.com/privacy. We will notify registered users of material changes by email.

Last updated: April 2026