1. Who we are
Rank Meter is operated from the United Kingdom. We act as a data controller for the personal data described in this policy. If you have any questions about how your data is handled, contact us at hello@rankmeter.co.uk.
2. The data we collect
We only collect data that is necessary to deliver the service.
- Free scan input — the business name and UK town you type into the search box, plus the IP address used to call our scan API.
- Account data (paid customers) — email address, hashed password, business name, billing details, the saved projects you create, and our service-task history for your account.
- Google Business Profile (optional) — if you choose to connect your GBP via Google's OAuth, we store a refresh token, the Google account email you used, and your Google account ID. We never see your Google password.
- Audit log — timestamps of significant actions on your account (sign-up, sign-in, password reset, plan changes, GBP connection) for security and dispute-resolution purposes.
- Cookies — a single HttpOnly session cookie after sign-in. See our cookie notice.
3. Why we collect it (lawful bases)
- Performance of a contract — to deliver the scans, reports, and SEO services you have signed up for.
- Legitimate interests — to keep the service secure, prevent abuse, and improve the product. You can object at any time.
- Consent — for optional integrations such as the Google Business Profile OAuth connection, which you can revoke at any time.
- Legal obligation — to retain financial records (invoices) for the period required by HMRC.
4. Who we share data with
We do not sell your data. We share it only with the processors below, each bound by a written data-processing agreement:
- Stripe — payment processing. Stripe holds your card data directly; we only receive a customer ID and subscription status.
- Resend — transactional email delivery (welcome, password reset, weekly digest).
- Google — Maps Places API, Geocoding, PageSpeed Insights, and (if you connect) the Business Profile API.
- Cloudflare — CAPTCHA verification on sign-up to block automated abuse.
- Our hosting provider — to run the application servers and database.
Some of these providers operate outside the UK. Where data is transferred outside the UK, we rely on the UK's adequacy decisions or Standard Contractual Clauses with appropriate supplementary measures.
5. How long we keep it
- Free-scan input — not stored beyond the scan response.
- Account & project data — kept while your account is active and for 30 days after closure, then deleted.
- Invoices & payment records — six years (HMRC requirement).
- Audit logs — twelve months from creation.
6. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure ("right to be forgotten");
- restrict or object to processing;
- request portability of the data you provided;
- withdraw consent for any processing based on consent;
- complain to the Information Commissioner's Office (ICO).
Email hello@rankmeter.co.uk with the subject line "GDPR request" and we will respond within 30 days.
7. Security
Passwords are hashed with bcrypt (cost 12). Session cookies are HttpOnly + SameSite=Lax + Secure in production. Sensitive Google OAuth tokens are stored encrypted at rest. We do not log card numbers or full tokens. If you suspect any account compromise, email hello@rankmeter.co.uk immediately.
8. Children
Rank Meter is a B2B service intended for UK business owners. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it.
9. Changes to this policy
If we make material changes we will email account holders at least 14 days before the change takes effect. The current version is always available at this URL with a "Last updated" date.
10. Contact
Questions, requests or complaints — email hello@rankmeter.co.uk.
