Privacy Policy

Last updated: 6/20/2026

Who we are

RankPro (the "Service") is operated by RankPro ("RankPro", "we", "us"). For the personal data you provide to us directly through the Service, RankPro acts as the data controller.

What we collect and why

  • Account data (name, email, hashed password / auth provider ID) — to create and secure your account. Legal basis: performance of our contract with you.
  • Business profile data you enter (business name, location, services, hours) — to run features you've enabled. Legal basis: contract.
  • Google Business Profile data you authorize us to access (profile fields, posts, reviews, insights) and an encrypted OAuth refresh token — to publish posts and replies you approve. Legal basis: contract + your consent at the OAuth screen.
  • Customer / lead data you upload (names, phone numbers, messages) — to deliver missed-call SMS, follow-ups and lead capture on your behalf. Legal basis: contract (you are controller of this data; we process it as your processor).
  • Usage and device data (IP address, browser, pages viewed, feature events, error logs) — to operate, secure and improve the Service. Legal basis: legitimate interests.
  • Support messages you send us — to answer your questions. Legal basis: legitimate interests.

Payment data (card details, billing address) is collected directly by Paddle at checkout. We do not see or store your full card details.

Google user data

When you connect Google Business Profile, we request the business.manage, openid, and email scopes. We use that access only to read your profile, posts, reviews, and insights, and to publish posts or review replies you've explicitly approved. We store the minimum data needed in an encrypted database, and we encrypt your OAuth refresh token at rest. We do not access Gmail, Drive, Calendar, or any other Google product.

RankPro's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it to train generalized AI models, and do not let humans read it except with your explicit consent or for security/debugging.

Full integration details — scopes, features, retention, and revocation — live on our Google Business Profile integration page.

Who we share data with

We share personal data only with the categories of recipients below, and only to the extent needed:

  • Paddle — our Merchant of Record, for sale of the product, subscription management, payments, tax compliance, invoicing, and handling refunds.
  • Supabase — database, authentication, and file storage hosting.
  • Google — Business Profile API, when you connect your listing.
  • Twilio — SMS delivery for missed-call texts and follow-ups.
  • Lovable AI Gateway and underlying model providers (e.g. Google, OpenAI) — to generate AI drafts you review.
  • Professional advisers (legal, accounting) where needed.
  • Authorities where required by law.

We do not sell your personal data and do not share it for cross-context behavioural advertising.

Data retention

We keep personal data only as long as we need it for the purposes above: account data for the life of your account plus up to 12 months after deletion (for backups and legal/accounting records); GBP-derived data is queued for deletion within 30 days of disconnecting Google or deleting your account; usage logs are kept up to 13 months. After these periods data is deleted or irreversibly anonymised.

Security

We apply appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS) and at rest for sensitive fields (such as OAuth refresh tokens), role-based access controls, and audit logging.

International transfers

Our hosting providers and subprocessors may process data outside your country, including in the United States and the EU. Where required, transfers are protected by appropriate safeguards (such as Standard Contractual Clauses or adequacy decisions).

Your rights & data deletion

Depending on where you live, you have rights to access, correct, delete, restrict, port or object to our processing of your personal data, and to withdraw consent at any time. You can also lodge a complaint with your local data protection authority. We will respond to verified requests within the timeframes required by applicable law (typically within one month under GDPR).

You can disconnect Google at any time from Dashboard → Google Business Profile → Disconnect. This revokes our refresh token immediately and queues GBP-derived data for deletion within 30 days. You can also revoke access directly at myaccount.google.com/permissions. To delete your entire account and all associated data, use Dashboard → Settings → Delete account or contact us.

Cookies

We use essential cookies needed to keep you logged in and to secure the Service, plus a small amount of first-party analytics to understand product usage. We do not use advertising cookies.

Contact

For questions, data requests, or to report a security issue, contact support@rankpro.io.