Privacy Policy

Knut Nickol — rankmio.com  ·  Anne-Frank-Straße 7, 64807 Dieburg  ·  Last updated: April 2026

This privacy policy informs you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) about the processing of your personal data on the platform rankmio.com. Please read it carefully.

Note on processing of website content: Websites (URLs) entered or analyzed by users may contain content that includes personal data of third parties (e.g., names, contact details, or author information). This data is processed exclusively on behalf of the user and for the purpose of technical analysis. No content evaluation or use for other purposes takes place.

Note: Individual features (e.g., Google My Business) can be deactivated by the platform operator via feature flags. In that case the corresponding privacy sections are hidden, as no data processing takes place. This policy always reflects the features that are actually active.

Contents

1. Data Controller
2. Collected Data & Purposes
3. External Service Providers
4. Retention Periods & Deletion
5. Your Rights (Art. 15–22)
6. Cookies & Sessions
7. Technical Security
8. Data Transfers to Third Countries
9. Contact
10. Changes

1. Data Controller (Art. 13(1)(a) GDPR)

The party responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) and the BDSG (German Federal Data Protection Act) is:

Knut Nickol
Anne-Frank-Straße 7, 64807 Dieburg
Email: kontakt@rankmio.de
Web: https://rankmio.com

There is no legal obligation to appoint a Data Protection Officer (Section 38 BDSG). For data protection inquiries, please contact the data controller listed above directly.


1b. Role under GDPR (Data Controller / Data Processor)

Rankmio is the data controller within the meaning of Art. 4(7) GDPR for the processing of your master data, access data, and usage data (e.g., registration, login, subscription management).

Insofar as we process personal data in the course of your use of our platform on behalf of our users (e.g., when analyzing website content, using AI features, or retrieving Google Search Console data), we act as a data processor pursuant to Art. 28 GDPR. The respective user remains the data controller for the data they provide.

Data Processing Agreement (DPA)

If you process personal data of third parties using our platform, we are obligated to offer you a DPA pursuant to Art. 28 GDPR. You can conclude the DPA directly in your user profile with a single click and download it as a PDF.


2. Collected Data, Processing Purposes, and Legal Bases

We process personal data only to the extent necessary to provide our services or where you have given us your consent.

Balancing of Interests (Art. 6(1)(f) GDPR): Where we process data on the basis of a legitimate interest, this interest lies in the secure, stable, and efficient provision of our platform as well as in the prevention of misuse. We have verified that your interests, fundamental rights, and freedoms do not override our legitimate interest.

Automated Evaluations (Art. 22 GDPR): Our platform generates automated evaluations of websites (e.g., SEO scores, visibility indices, AI visibility scores). These evaluations serve exclusively for technical analysis and do not constitute legally binding decisions. Automated decision-making within the meaning of Art. 22 GDPR with legal effect does not take place.

Scoring methodology: Scores are calculated based on publicly available website data (page speed, meta tags, content structure, mobile-friendliness, security headers, etc.) using rule-based algorithms and, where applicable, AI-assisted text analysis. No personal data of the website operator flows into the score calculation. The weighting of individual factors is regularly reviewed and may be adjusted.

AI-generated recommendations: Action plans and optimization suggestions generated by AI serve exclusively as non-binding recommendations. They do not constitute automated decisions with legal or similarly significant effect. The user always decides independently whether and how to implement suggestions.

2.1 Registration and Login

When creating a user account, we process the following data:

  • First name and last name
  • Email address (also serves as the login name)
  • Password — stored exclusively as a cryptographic one-way hash (bcrypt, cost factor 12); the plaintext password is never known to the provider
  • IP address at registration and login (for abuse detection and rate limiting)
  • Session cookie for authentication (see Section 6)

Purpose: Creation and management of the user account, authentication, communication regarding technical or contractual matters.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.2 Usage Data

With each page view, technical access data is collected:

  • IP address of the accessing device — automatically anonymized after 30 days at the latest and can no longer be attributed to a person thereafter
  • Page views, timestamps, browser and operating system used
  • Session data via a technically necessary session cookie

Purpose: Ensuring technical operation, detecting abuse and attacks (rate limiting), troubleshooting.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

2.3 Projects and Domains

To provide the analysis features, we process project-related data:

  • Project name and associated domain (URL)
  • Project settings (e.g., conversion rate, average order value)
  • Google Search Console property (if GSC connection is active, see Section 2.6)

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.4 Website Analysis

To provide SEO analysis features, we process:

  • URLs entered by you, which are transmitted to external APIs for analysis (Google PageSpeed Insights API)
  • PageSpeed results: performance, SEO, accessibility, and best practices scores (mobile and desktop), Core Web Vitals (LCP, FCP, TBT, CLS, SI, TTI, TTFB), page weight, optimization potentials
  • Crawler data: title tag, meta description, H1-H6 headings, HTTP status, redirect chain, final URL, robots.txt status, Schema.org markup
  • Calculated visibility index of the website
  • AI-generated recommendations (optional, on request — technical metrics are transmitted to the OpenAI API; no personal user data such as name or email address is transmitted, see note in Section 3)

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.5 Subpage Analysis

The subpage analysis enables targeted examination of individual pages of a website for performance, SEO, and technical aspects:

  • The full URL of the subpage to be analyzed
  • PageSpeed results (mobile & desktop): performance, SEO, accessibility, and best practices scores, Core Web Vitals, optimization potentials
  • Crawler data: title tag, meta description, H1-H6 headings, HTTP status, redirect chain, final URL, robots.txt status
  • Calculated visibility index of the subpage
  • Optional AI analysis: technical metrics are transmitted to the OpenAI API (no personal user data, see note in Section 3)

Results are stored in the database and automatically deleted after 90 days. Upon account or project deletion, all data is removed immediately.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.6 Keyword Hub and Google Search Console (optional)

Only when you actively establish the Google Search Console connection (via Google OAuth 2.0) do we process:

  • OAuth credentials for the Google connection — stored encrypted with AES-256-CBC
  • Google Search Console property (your assigned website address)
  • Aggregated search query data: search term (query), page URL, clicks, impressions, CTR, average position — these are exclusively anonymized, Google-aggregated metrics without any reference to individual searchers
  • Daily metrics (clicks, impressions, avg. position) for the last 90 days for trend graphs and trend detection (rising/falling badges)
  • Cannibalization detection: automatic identification of queries ranking on multiple pages

Keyword enrichment (optional): If you use the DataForSEO enrichment, keywords are transmitted to the DataForSEO API to supplement search volume, competition, and CPC data (see Section 3.5). No personal user data is transmitted.

You can disconnect the GSC connection at any time under Google Search Console → Disconnect, after which all OAuth tokens are immediately and irrevocably deleted. Already synchronized search query data is automatically deleted after 90 days or immediately removed upon account deletion.
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (performance of contract for the GSC analysis feature).

2.7 Opportunity Analysis and AI Action Plan

After each GSC data retrieval, Rankmio automatically calculates traffic potentials for your keywords. The aggregated GSC search query data (Section 2.6) is evaluated locally. No transmission to external services takes place.

AI action plan (optional): On request, the following data is transmitted to the OpenAI API — no personal user data (see Section 3):

  • Your project domain
  • Top 10 keywords from the opportunity analysis with: search term, avg. position, expected traffic gain (incl. confidence interval), confidence score, intent type, and automatically generated recommendation
  • Conversion rate and avg. order value (if provided, purely numeric)

CTR snippet optimization (optional): On request, keyword, domain, avg. position, CTR values, and intent type are transmitted to the OpenAI API. Results are not stored server-side (browser only).

Content brief (optional): On request, keyword, domain, avg. position, impressions, and intent type are transmitted to the OpenAI API. Results are not stored server-side (browser only).
Legal basis: Art. 6(1)(a) GDPR (consent through active triggering of the respective AI feature, e.g., clicking "Start analysis") and Art. 6(1)(b) GDPR (performance of contract).

2.8 Competitor Analysis

The competitor analysis area offers several features:

a) Quick comparison: Comparison of your website with a competitor URL based on publicly available data (PageSpeed, visibility, technical metrics). The competitor URL is transmitted to the Google PageSpeed Insights API.

b) Deep analysis: On request, up to 3 competitor domains are crawled (up to 50-100 pages per domain). For each crawled page, page title, H1-H6 headings, cleaned text excerpt (max. 300 characters), HTTP status, and URL path are captured. Technical page data is transmitted to the OpenAI API for comparative analysis. No personal user data is transmitted (see Section 3). A maximum of one deep analysis is retained per project.

c) Battle: Direct SEO and AI comparison between your website and a competitor URL with focus keyword and optional location. Crawled page data is transmitted to the OpenAI API. Max. 10 battles per user.

d) Sitemap monitor: Regular monitoring of competitor sitemaps for changes (new/removed pages). Only publicly accessible sitemap.xml files are retrieved.

None of the competitor features transmit personal user data to external services (see Section 3).
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest).

2.9 GEO Module — AI Visibility Analysis (optional)

The GEO module (Generative Engine Optimization) offers several AI-powered analysis features for optimizing your website for AI search engines. AI visibility data (e.g., citability score, entity coverage, AI visibility comparison) is calculated locally based on publicly available website data — no personal user data is transmitted to AI services (see Section 3). The following data is processed:

  • AI Visibility Audit: Your domain is crawled. For each page, URL, title, H1, text excerpt, HTTP status, Schema.org data, and freshness signals (Last-Modified, dateModified) are captured. Technical page data is transmitted to the OpenAI API for evaluating topic coverage and AI suitability.
  • Link analysis: Internal linking structure is analyzed locally — no external data transmission.
  • Citability check: Page text is transmitted to the OpenAI API to assess AI citability using a multi-level checklist. Results are not persistently stored.
  • Entity gap analysis: Own entities and up to 3 competitor URLs are crawled and transmitted to the OpenAI API. Results are not persistently stored.
  • Schema.org generator: Page data (URL, title, H1, text excerpt) is transmitted to the OpenAI API — generated JSON-LD is stored in the database.
  • AI Citation Tracking: Keywords are transmitted to the DataForSEO API to check for Google AI Overview citations. Results are stored in the database and deleted after 90 days.

The domain's robots.txt is analyzed to check AI crawler access. Max. 5 audits per project; older ones are automatically deleted. All GEO data is cleaned up after 90 days at the latest.
Legal basis: Art. 6(1)(a) GDPR (consent through active triggering of the respective GEO feature) and Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest).

2.10 Sitemap Hub (optional)

On request, you can run an AI-powered sitemap analysis for a project:

  • Your domain is crawled internally (internal pages only)
  • Per URL: HTTP status, page title (max. 80 chars), H1 (max. 80 chars), cleaned text excerpt (max. 300 chars), SHA1 hash of the text excerpt
  • Existing sitemap.xml (URL list and lastmod data) — read only

AI processing: Technical page data (URL path, title, H1, text excerpt) is sent in batches to the OpenAI API (GPT-4o-mini). The AI rates each URL as valuable or low-quality. An AI audit summary is also generated. No personal user data is transmitted (see Section 3).

Max. one analysis per project. All sitemap data is deleted after 90 days. Upon account or project deletion, all data is removed immediately.
Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interest).

2.11 robots.txt Tool (optional)

The following data is processed:

  • Editor: robots.txt content is stored as a version history (technical configuration data without personal reference)
  • Monitoring: If monitoring is enabled, your domain is regularly checked (cron every 30 minutes) for changes. Stored: domain URL, check interval, timestamp, SHA256 hash
  • AI analysis (optional): robots.txt content is sent to the OpenAI API for evaluation and rule generation — no personal user data (see Section 3)

You are notified of detected changes. All robots.txt data is deleted upon project or account deletion.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

2.12 Content Optimizer & Page Analysis (optional)

On request, you can have existing texts or URLs analyzed and optimized:

  • The full URL (URL mode) or entered text (text mode)
  • Crawled page data: title, meta description, H1-H6 headings, word count, Schema.org markup, images (alt attributes and count only)
  • Structured page text for citation analysis (headings, paragraphs, lists)
  • Optional target keyword

AI processing: Technical page data is sent to the OpenAI API. The AI generates SEO optimization suggestions (title, meta description, heading structure, content strategy) and a citability rating based on a 12-point checklist. An optional HTML optimization suggestion may be generated. No personal user data is transmitted (see Section 3).

Results are stored in the database and automatically deleted after 90 days. Upon account or project deletion, all data is removed immediately.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

2.13 AI Answer Simulation (optional)

On request, you can simulate how AI systems (e.g., ChatGPT, Google AI) would cite your website content. Requests are sent to the OpenAI API or Claude API (Anthropic) depending on configuration. Only domain-related data (URLs, keywords, page titles, text excerpts) is transmitted — no personal user data.

  • Full URL of the page
  • Crawled page data: title, H1-H6 headings, text excerpt, Schema.org markup, word count
  • A user question (entered or auto-generated)
  • Optional: city and/or region for local relevance

Real web search: Via the OpenAI Responses API, a live web search may be performed. The user question is sent to the API, which independently searches the web and cites sources (URLs, titles). Citation URLs are compared locally with your URL.

Automatic question generation: Optionally, 5 relevant questions are generated from title and H1 (OpenAI API, no personal data).

Results are stored in the database (max. 10 per project, individually deletable) and automatically deleted after 90 days.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

2.14 Team Builder (optional)

When using the team feature, we process:

  • Team membership: assignment between team lead and members (user IDs, team name, invitation timestamp, status)
  • Email invitations: sent via our SMTP service (Strato) to the address provided by the lead
  • Project access: which members may access which projects (user ID, project ID, timestamp)
  • Credit pool: all credit deductions by a member are charged to the lead's balance. The transaction records which member triggered the action (triggered_by)
  • Lead/member roles: the lead manages branding, GSC/GMB tokens, and credits. Members automatically use the lead's OAuth connections — no separate tokens are created

The member only sees whether credits are available, not the lead's balance. Removing a member deletes their account and all associated data. Deactivated accounts are removed after 30 days.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

2.15 Credits and Paddle Payments

We process:

  • Current credit balance
  • Transaction history: timestamp, amount (credits), reason, reference ID, balance after transaction

Paddle payments: Paddle.com Market Ltd acts as Merchant of Record (MoR). On our side, we process only:

  • Paddle transaction IDs
  • Payment amount, currency, date, and status
  • Subscription status and duration for credit subscriptions

Sensitive payment data is never collected or stored by us.
Legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR.

2.16 Email Delivery

For emails (rank alerts, team invitations, password reset, system notifications) we use Strato SMTP (smtp.strato.de):

  • Recipient email address
  • Subject and content
  • Sender: noreply@rankmio.de

Email transport is encrypted (STARTTLS). Emails are not stored on our server after sending.
Legal basis: Art. 6(1)(b) GDPR.

2.18 Whitelabel Branding (optional)

Only when you set up the whitelabel feature:

  • Logo file (PNG or JPEG, max. 2 MB) — stored as Base64 encoded and encrypted in the database
  • Company name / footer text (max. 30 characters)
  • Address, city, and country (for PDF reports)
  • Display preference (whether your login name appears in PDFs)
  • Timestamp of consent as proof per Art. 7(1) GDPR

Purpose: Branding data is used exclusively for generating personalized PDF reports. Branding data is not shared with third parties, not publicly accessible, and not used for advertising.

Revocation: You can delete your branding data at any time under Profile → Branding → Deactivate and delete branding. Upon account deletion, all branding data is immediately removed.
Legal basis: Art. 6(1)(b) and Art. 6(1)(a) GDPR.

2.19 Free SEO Check (public, no registration)

You can perform a free SEO and AI visibility check without registration:

  • IP address: stored for rate limiting (max. 1 check per IP per day)
  • URL: the website to be analyzed
  • Analysis results: SEO score, AI visibility score, 16 individual checks, meta information

The free check works purely algorithmically — no data is sent to external AI services. Analysis uses the internal crawler and Google PageSpeed Insights API. Data is deleted after 30 days.
Legal basis: Art. 6(1)(f) GDPR.

2.20 Rank Alerts and Email Notifications

When rank alerts are enabled:

  • Keyword (search query), current and previous Google position
  • Configured thresholds and change timestamps
  • Email notifications for significant ranking changes (via Strato SMTP, see Section 2.16)

Evaluation is performed entirely locally. Upon account deletion, all rank alert data is irrevocably removed.
Legal basis: Art. 6(1)(b) GDPR.

2.21 Keyword Cluster AI and Featured Snippet Optimizer

When using these AI features, the following is sent to the OpenAI API:

  • Keywords (search queries) and their positions
  • Domain of the analyzed website
  • Impressions and click data (aggregated)

Keyword cluster results are stored in the session only (not persistent). Featured snippet results are also not stored server-side.
Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

2.22 Site Audit (Action Items)

The site audit aggregates findings from all analysis tools into a prioritized action list. Only already collected data from the respective modules (Sections 2.4-2.11) is summarized. No additional data collection or external transmission occurs.

Optional AI-generated summaries and recommendations may be requested (OpenAI API, technical findings only).
Legal basis: Art. 6(1)(b) GDPR.

2.23 Notification System

Rankmio has an internal notification system (e.g., ranking changes, robots.txt changes):

  • Notification type, title, and optional message text
  • Creation timestamp and read status
  • Optional link to the affected page within the platform

Info notifications are hidden after 15 minutes. Persistent notifications remain until marked as read. No transmission to external services occurs. Upon account deletion, all notifications are immediately removed.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

2.24 AI Provider Settings

You can configure which AI providers (e.g., Claude, ChatGPT, Gemini, Perplexity, Google AI Overview) are displayed as active. A JSON configuration is stored in your user profile.

No personal user data is transmitted to AI providers simply because a provider is enabled. Data transmission occurs only upon active use of an AI feature.
Legal basis: Art. 6(1)(b) GDPR.

2.25 Asynchronous Processing (Background Jobs)

Some features are processed asynchronously. Temporarily stored:

  • Job type, status (running / complete / failed), input data, and result reference
  • Randomly generated security token
  • User and project assignment

Temporary job data is automatically deleted after 1 hour. No external transmission of job metadata.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

2.26 AI Assistant (Chat Agent)

Rankmio provides an AI-powered chat assistant that interprets your SEO and GEO analysis data:

  • Chat messages: your questions and AI-generated answers
  • Context data: project ID, selected page URL, existing analysis data (loaded from the database, not re-collected)
  • Briefing data: automatically compiled summary of your current SEO/GEO findings

Data transmission: Chat messages and context data are sent to the OpenAI API (model gpt-4o-mini). No personal data (name, email) is transmitted — only technical analysis data and your question.

Storage: Chat history is encrypted and automatically deleted after 90 days. Max. 20 messages per conversation are sent as context. Each session stores title, creation time, and last access. Individual sessions and messages can be deleted by the user at any time.
Legal basis: Art. 6(1)(a) and Art. 6(1)(b) GDPR.

2.27 Voice Input (Voice-to-Text)

The AI assistant optionally offers voice input:

  • Audio recording: temporary recording via browser microphone (only after actively pressing the mic button)
  • Transcribed text: the speech recognition result

Data transmission: Audio data is sent to the OpenAI Whisper API for transcription. This involves transfer to the USA (see Section 8).

Storage: The audio recording is deleted immediately after transcription and is never permanently stored on our server. Only the transcribed text remains as a chat message.
Legal basis: Art. 6(1)(a) GDPR.

2.28 Website Crawling & Headless Browser

For technical SEO analysis, Rankmio crawls user-registered websites:

  • HTML content: source code of crawled URLs
  • HTTP headers: status codes, redirects, content type
  • Performance data: load times, page weight
  • Structured data: meta tags, headings, internal links

Technology: For websites with enhanced protection (e.g., Cloudflare), a server-side headless browser (Puppeteer) is used. Both user-registered domains and publicly accessible competitor websites (Section 2.8) may be crawled.

Storage: Extracted analysis data is stored and subject to the regular retention period (180 days, see Section 4). Raw HTML content is discarded after data extraction.
Legal basis: Art. 6(1)(b) GDPR.

2.29 Semantic Content Search (Embeddings)

For context-based AI assistant search, website content is converted to numerical vectors (embeddings):

  • Input: text segments from crawled content (no personal user data, see Section 3)
  • Output: numerical vectors (1,536 dimensions) representing semantic meaning

Data transmission: Text segments are sent to the OpenAI Embeddings API. No personal user data is transmitted (see Section 3).

Storage: Vectors are stored in a vector database and completely removed upon account deletion. Vectors cannot be reversed into readable text.
Legal basis: Art. 6(1)(b) GDPR.

2.30 Feature Usage Log

For abuse prevention, credit billing, and rate limiting:

  • Feature identifier: internal name of the used function (e.g., "SEO analysis", "keyword search")
  • IP address: for rate limiting and abuse detection
  • User ID and project ID
  • Timestamp
  • Credit cost

Usage logs are automatically deleted after 90 days. Upon account deletion, all entries are immediately removed. No external transmission.
Legal basis: Art. 6(1)(f) and Art. 6(1)(b) GDPR.

2.31 Automated Background Processing (Cron Jobs)

Regular automated processes include:

  • GSC data synchronization
  • robots.txt monitoring (every 30 minutes)
  • Data cleanup (daily at 02:00)
  • Stale job cleanup (every 15 minutes)
  • Embedding synchronization
  • API health checks

All cron executions are logged internally (start, end, status, summary). These logs contain no personal user data and serve operational monitoring only.
Legal basis: Art. 6(1)(f) and Art. 6(1)(b) GDPR.

2.32 Personal Notes and Tasks

You can create notes and tasks (todos) within your projects:

  • Title, description, and status (open / completed)
  • Assignment to a project and optionally to a URL
  • Creation and update timestamps

Data is stored locally in the database only and not transmitted externally. Deleted upon project or account deletion.
Legal basis: Art. 6(1)(b) GDPR.

2.33 Keyword Tracking (manual)

In addition to GSC-imported keywords, you can manually create keywords and track their SERP position:

  • Keyword (search term), target URL, current and historical Google position
  • Search volume and competition data (via DataForSEO enrichment, Section 3.5)
  • Project assignment and timestamp

Deleted upon project or account deletion.
Legal basis: Art. 6(1)(b) GDPR.

Purpose limitation: We process your personal data exclusively for the purposes stated in this section. No processing for other purposes takes place (Art. 5(1)(b) GDPR).


3. External Service Providers and Processors

Your personal data is shared with third parties only as described below. No data is shared for advertising purposes. In no case are user identifiers (name, email, IP address) transmitted to the following AI service providers. All AI requests use no-training API endpoints — submitted data is not used to train the providers' models.

Processor note (Art. 28 GDPR): We have concluded Data Processing Agreements (DPAs) with all listed external service providers.

Note on "no personal data": When we state that "no personal data" is transmitted, this refers to user identifiers. Publicly available website content may occasionally contain third-party personal data (e.g., author names in URLs). Such data originates from public sources and is processed exclusively for technical analysis.

3.1 Google (PageSpeed API, OAuth 2.0, Search Console, Gemini)

a) PageSpeed Insights API: URLs are transmitted for performance analysis. No personal user data is shared.

b) Google OAuth 2.0: Only when you actively connect a Google service. Only necessary permissions are requested.

c) Google Search Console API: Retrieval of search query data.

  • Recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Privacy: policies.google.com/privacy
  • Transfer: USA/EU; EU-US Data Privacy Framework + SCC

Legal basis: Art. 6(1)(b) GDPR.

3.1b Google Gemini (independent AI provider)

Used as an independent AI provider for analysis features. Gemini operates independently from Google Search and OAuth services.

Affected features: AI answer simulation (Section 2.13), GEO module (Section 2.9), Content Optimizer (Section 2.12), Competitor Analysis (Section 2.8) — only when Gemini is configured as active provider.

Transmitted data: Technical page data only (URLs, titles, headings, text excerpts, Schema.org markup), SEO metrics, keywords, domain names. No personal user data is transmitted.

  • Recipient: Google Ireland Limited
  • Privacy: ai.google.dev/terms
  • Transfer: USA/EU; EU-US Data Privacy Framework + SCC
  • Gemini API does not use inputs for model training by default

Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

3.2 OpenAI (GPT-4o-mini, Responses API)

Used for numerous AI features. No personal data is transmitted. Only:

  • Technical page data
  • SEO metrics
  • Keywords and domain names
  • Industry names
  • robots.txt content

Affected features: AI recommendations, action plans, CTR optimization, content briefs, sitemap hub, keyword clusters, snippet optimizer, GEO module, content optimizer, AI answer simulation, competitor analysis, robots.txt analysis, industry rating.

  • Recipient: OpenAI, Inc., San Francisco, CA 94110, USA
  • Privacy: openai.com/privacy
  • Transfer: USA; SCC per Art. 46(2)(c) GDPR
  • OpenAI does not use API inputs for training by default

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

3.3 Anthropic (Claude)

Used for selected AI features (competitor insights, GEO module, sitemap audit, AI answer simulation). Only technical page data is transmitted — identical to OpenAI data categories. No personal data is transmitted.

  • Recipient: Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA
  • Privacy: anthropic.com/privacy
  • Transfer: USA; SCC
  • Anthropic does not use API inputs for training by default

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

3.4 Perplexity (AI with web search)

Used for selected AI features (AI answer simulation, research). Only technical page data and search queries are transmitted.

Web search note: Unlike other AI providers, Perplexity independently performs web searches to include current information. The submitted query (e.g., domain name, keyword) is used for internet searches. Rankmio has no control over which external sources Perplexity retrieves.

Affected features: AI answer simulation (Section 2.13), GEO module (Section 2.9), Content Optimizer (Section 2.12) — only when Perplexity is active.

  • Recipient: Perplexity AI, Inc., San Francisco, CA, USA
  • Privacy: perplexity.ai/privacy
  • Transfer: USA; SCC

Legal basis: Art. 6(1)(a), Art. 6(1)(b), Art. 6(1)(f) GDPR.

3.5 DataForSEO

Used for two features:

a) Keyword enrichment: keywords are transmitted to retrieve search volume, competition, and CPC data. No personal user data is transmitted.

b) AI Citation Tracking: keywords are transmitted to check for Google AI Overview citations. Location (Germany) and language (German) are sent as parameters. Results are stored in the database and deleted after 90 days.

Legal basis: Art. 6(1)(b) GDPR.

3.6 Paddle (Payment Processing)

Paddle.com Market Ltd acts as Merchant of Record.

  • Recipient: Paddle.com Market Ltd, London EC1V 8BT, UK
  • Privacy: paddle.com/legal/privacy
  • Transfer: UK; EU adequacy decision per Art. 45 GDPR

Legal basis: Art. 6(1)(b) GDPR.

3.7 Hetzner (Hosting)

All data is stored and processed exclusively in Germany. No third-country transfer.

Legal basis: Art. 6(1)(b) GDPR with Art. 28 GDPR.

3.8 Strato (Email SMTP)

Email transport is encrypted (STARTTLS). All data remains in Germany.

Legal basis: Art. 6(1)(f) GDPR with Art. 28 GDPR.

3.9 Changes to Sub-Processors

Notification and objection right: If we add or replace a sub-processor listed in this section, we will inform affected users in advance by email or in-app notification at least 30 days before the change takes effect.

You have the right to object to the change within the 30-day notice period. If we cannot resolve your objection reasonably, you may terminate the contract extraordinarily with immediate effect and request deletion of all your data.

This procedure ensures that your rights under Art. 28(2) and (4) GDPR regarding sub-processor changes are fully safeguarded.


4. Data Storage and Retention Periods

We store personal data only as long as necessary for the respective processing purpose or as required by law. Automatic data cleanup runs daily (02:00).

Data Category | Retention Period | Deletion Trigger
--- | --- | ---
User account (profile data) | Until account deletion by user | Active deletion in profile
IP addresses (access log) | Anonymized after 30 days | Automatic via cron
Analysis results (website, subpages, AI recommendations) | 90 days | Automatic via cron
GSC search queries and daily values | 90 days | Automatic via cron or account deletion
Opportunity scores (traffic potentials) | 90 days | Automatic via cron or account deletion
GEO audit results | 90 days, max. 5 audits per project | Automatic via cron or project/account deletion
AI Citation Tracking results | 90 days | Automatic via cron or account deletion
Content optimizer results | 90 days | Automatic via cron or project/account deletion
AI answer simulations | 90 days, max. 10 per project | Automatic via cron or project/account deletion
Sitemap analysis results | 90 days, max. 1 per project | Automatic via cron or project/account deletion
Competitor deep analysis | 90 days, max. 1 per project | Automatic via cron or project/account deletion
Competitor battle results | Max. 10 per user | Automatic (FIFO on overflow) or account deletion
Cached API data | 30 days | Automatic via cron
Free SEO check (IP, URL, scores) | 30 days | Automatic via cron
OAuth tokens (GSC) | Until disconnected | Manual or account deletion
Rank alert data | Until account deletion | Manual or account deletion
robots.txt versions and monitoring | Until project or account deletion | Manual or project/account deletion
Team memberships | Until removal or account deletion | Manual (lead removes member) or account deletion
Credit transactions (history) | Until account deletion | Account deletion; tax records: 10 years
Payment receipts (Paddle transaction log) | 90 days operational, then legal retention | Tax retention: 10 years
Branding data (logo, company name, address) | Until active deletion | Manual (Profile → Deactivate branding) or account deletion
AI action plan text | Until account deletion | Overwritten on recreation; removed on account deletion
CTR snippets, content briefs, keyword clusters | No server-side storage | Browser session only
Background job data (temporary) | Max. 1 hour | Automatic deletion
Notifications | Info: 15 min; persistent: until read | Automatic or manual; immediately on account deletion
Session cookie | Until browser session ends | Automatic on browser close
Chat agent history | 90 days | Automatic deletion; immediately on account deletion
Voice input (audio) | No storage | Deleted immediately after transcription
Website crawl data | 180 days | Automatic deletion; immediately on account deletion
Crawled page content | 180 days | Automatic deletion; immediately on account deletion
Internal link structure | Until next analysis or project deletion | Overwritten on re-analysis; immediately on account deletion
Sitemap URLs (crawl results) | 90 days, max. 1 crawl per project | Automatic via cron or project/account deletion
Keyword tracking data (manual) | Until project or account deletion | Manual or project/account deletion
Feature usage log | 90 days | Automatic via cron or account deletion
Personal notes and tasks | Until project or account deletion | Manual or project/account deletion
Subscription status (Paddle) | Until account deletion | Account deletion; tax data: 10 years
Cron job logs (operations monitoring) | 30 days | Automatic via cron
Embeddings (vectors) | Until account deletion | Completely removed on account deletion

Retention explanation: The different periods arise from processing purposes: 90 days for analysis results (sufficient for trends), 30 days for IP addresses and caches (abuse prevention), 180 days for crawl data (long-term change analysis), 10 years for tax-relevant records (legal requirement per § 147 AO). Data without a fixed period is retained until actively deleted by the user.

After retention periods expire, data is automatically deleted or irreversibly anonymized.


5. Your Rights as a Data Subject (Art. 15–22 GDPR)

5.1 Right of Access (Art. 15 GDPR)

You have the right to request information about your stored personal data at any time.

5.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction or completion of your data. You can edit your profile data directly under Profile.

5.3 Right to Erasure (Art. 17 GDPR)

You have the right to deletion ("right to be forgotten"). You can delete your account and all associated data under Profile → Delete account.

5.4 Right to Restriction (Art. 18 GDPR)

You can request that processing of your data be restricted.

5.5 Right to Data Portability (Art. 20 GDPR)

You can export all your stored data as a JSON file under Profile → Export data.

5.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data based on Art. 6(1)(f) GDPR (legitimate interest), for reasons arising from your particular situation.

In the event of a justified objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests (Art. 21(1) sentence 2 GDPR).

Send your objection to: kontakt@rankmio.de

5.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You may withdraw consent at any time with future effect — in your profile settings, by not using the respective feature, or by email.

5.8 Right to Complain (Art. 77 GDPR)

The competent supervisory authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden
Tel: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
Web: datenschutz.hessen.de

5.9 Data Breach Notification (Art. 33, 34 GDPR)

In case of a data breach:

  • Notification to the supervisory authority within 72 hours (Art. 33)
  • Notification to affected persons if high risk (Art. 34)
  • Documentation of every breach

Contact us at kontakt@rankmio.de if you suspect a breach.


6. Cookies and Session Management

We use only technically necessary cookies. No tracking, analytics, or marketing cookies are used.

6.1 Cookies Used

Cookie Name | Type | Purpose | Duration
--- | --- | --- | ---
rankmio_session | Session cookie | Authentication and session management (HttpOnly, SameSite=Lax) | Until browser session ends

Since only technically necessary cookies are used, no cookie consent banner is required.
Legal basis: Art. 6(1)(f) GDPR with § 25(2)(2) TTDSG.


7. Technical and Organizational Measures (TOMs)

Per Art. 32 GDPR:

  • Transport encryption: HTTPS/TLS (TLS 1.2/1.3)
  • Password security: bcrypt (cost factor 12)
  • Encryption of sensitive data: AES-256-CBC
  • SQL injection protection: PDO Prepared Statements
  • CSRF protection: cryptographic tokens
  • Rate limiting: IP-based
  • IP anonymization: after 30 days
  • Automatic data deletion: daily cron job
  • Firewall: only necessary services (HTTP/HTTPS) are permitted
  • Access controls: role-based (Visitor, Basis, Pro, Admin, Credits)
  • Webhook verification: HMAC signature verification
  • Server location: Nuremberg, Germany (Hetzner)
  • Access restriction: need-to-know principle

8. Data Transfers to Third Countries (Art. 44 ff. GDPR)

For some of the services we use, data is transferred to countries outside the EU/EEA (particularly the USA). We ensure that these transfers are based on appropriate safeguards:

Recipient | Country | Guarantee per Art. 46 GDPR
--- | --- | ---
Google LLC (PageSpeed API, OAuth, Search Console) | USA/EU | EU-US Data Privacy Framework + SCC
Google Gemini (AI provider) | USA/EU | EU-US Data Privacy Framework + SCC
OpenAI, Inc. (GPT-4o-mini, Responses API) | USA | Standard Contractual Clauses (SCC)
Anthropic, PBC (Claude) | USA | Standard Contractual Clauses (SCC)
Perplexity AI, Inc. | USA | Standard Contractual Clauses (SCC)
DataForSEO, Inc. | USA/Ukraine | Standard Contractual Clauses (SCC)
Paddle.com Market Ltd | UK | UK adequacy decision (Art. 45 GDPR)
Hetzner Online GmbH (Hosting) | Germany | No third-country transfer; data remains in the EU
STRATO AG (Email SMTP) | Germany | No third-country transfer; data remains in the EU

Note on the Schrems II ruling (CJEU, Case C-311/18): Despite the conclusion of Standard Contractual Clauses (SCC) and — in the case of Google — certification under the EU-US Data Privacy Framework, a residual risk remains that US authorities could access transferred data based on US law (particularly FISA Section 702, Executive Order 12333). We have implemented appropriate safeguards and conducted a risk assessment (Transfer Impact Assessment). The risk is rated as low, since no user identifiers (name, email, IP address) are transmitted to the listed US service providers — only technical website analysis data without direct personal reference.

Supplementary protective measures: data minimization (only data necessary for the analysis purpose), pseudonymization (no user identifiers in API requests), transport encryption (TLS 1.2/1.3), contractual assurances from providers (no use of API inputs for model training).

Upon request, we will gladly provide information about the specific safeguard mechanisms and our risk assessment.


9. Contact for Privacy Matters

For questions about data protection, to exercise your rights, or for any other privacy-related concerns, please contact:

Knut Nickol
Anne-Frank-Strasse 7, 64807 Dieburg, Germany
Email: kontakt@rankmio.de

We generally respond to inquiries within 30 days. For complex or multiple requests, this period may be extended by a further two months (Art. 12(3) GDPR). To clearly identify your request, please provide your registered email address.


10. Changes to This Privacy Policy

We reserve the right to update this privacy policy when our services change or new legal requirements arise. The current version is always available at rankmio.com/privacy. We will notify registered users of material changes by email.

Last updated: April 2026