Powering AI Search with Rankad.ai

Preamble

This Data Deletion Policy describes the rights of users, customers, and other data subjects ("you," "your") to request the permanent deletion of personal data processed by Rankad AB ("Rankad," "we," "us," "our"), and the procedures Rankad follows to fulfil such requests. This Policy forms part of our Privacy Policy and is binding on Rankad as data controller.

1. Right to Erasure

You have the right to request the permanent erasure of your personal data held by Rankad. This right arises under Article 17 of the General Data Protection Regulation (EU) 2016/679 (GDPR) as applicable in Sweden, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) where applicable, and any other applicable data protection or privacy legislation.

Upon receiving and verifying a valid deletion request, Rankad will permanently erase all personal data associated with your account within 30 calendar days, subject to the exceptions set out in Section 3.

2. Scope of Deletion

Upon confirmation of a valid deletion request, Rankad will permanently delete the following categories of personal data: your account credentials and profile information; all brand configurations, scan histories, and AI-visibility reports associated with your account; all integration tokens and OAuth credentials including those for Google Search Console, Google Analytics, Shopify, Framer, and any other connected services; all usage logs, analytics, and behavioural data attributable to your account; all scheduled-report configurations, email-delivery settings, and collaboration data; and all API keys and developer credentials issued to your account.

3. Lawful Retention Exceptions

Rankad will retain data beyond a deletion request only to the extent, and for the minimum duration, strictly required by applicable law or by a legitimate overriding legal interest. This includes financial and transactional records required for tax and accounting compliance, retained for the period mandated under Swedish accounting legislation (Bokföringslagen 1999:1078) and applicable EU regulations, currently seven years; data required to establish, exercise, or defend legal claims where an active dispute or litigation hold exists, retained for the duration of such proceedings and any applicable limitation period; and aggregated, fully anonymised statistical data that cannot reasonably be re-linked to you, which falls outside the definition of personal data under Article 4(1) GDPR.

All data retained under this Section is stored in isolated, access-controlled environments, is subject to strict internal access restrictions, and is never used for marketing, profiling, or product development purposes.

4. Deletion Timelines and Backup Purge

Live databases: personal data will be permanently deleted within 30 calendar days of the verified deletion request. Encrypted backup systems: personal data will be purged within 90 calendar days of the verified deletion request. Sub-processor notification: deletion instructions will be transmitted to all relevant sub-processors within 5 business days of the verified deletion request.

During the backup retention window, backed-up data is technically inaccessible to all internal personnel and systems and is maintained solely for disaster recovery purposes.

5. Third-Party Sub-Processors

Rankad engages third-party sub-processors including Supabase and Cloudflare to process personal data on its behalf. Rankad contractually requires, through data processing agreements compliant with Article 28 GDPR, that all relevant sub-processors delete personal data within 30 days of receiving Rankad's deletion instruction. Rankad transmits such instructions within 5 business days of a verified deletion request. Rankad remains responsible under applicable law for ensuring sub-processor compliance.

6. Account Deletion and Standalone Data Requests

Deleting your Rankad account constitutes an automatic data deletion request and triggers the deletion process described in this Policy. You may also submit a standalone data deletion request for specific data categories without closing your account. To submit a request, email [email protected].

7. Identity Verification

To protect against unauthorised deletion requests, Rankad requires verification of your identity before processing any deletion request. Verification is completed by sending a confirmation link or code to the email address registered with your account. Rankad will not process deletion requests that cannot be verified by this method. If you no longer have access to your registered email address, please contact us at [email protected] to discuss alternative verification options.

8. Confirmation and Audit Records

Upon completion of a deletion request, Rankad will send a written confirmation to your registered email address. For audit and legal compliance purposes, Rankad maintains a deletion log containing only a pseudonymous hashed reference to the request, the date the request was received, and the date deletion was completed. The deletion log contains no personal data and is kept separately from all other data systems.

9. Limitation of Liability

Rankad's obligations under this Policy are limited to personal data within its reasonable control. Rankad is not liable for the failure of any third-party sub-processor to comply with a deletion instruction where Rankad has transmitted such instruction in accordance with Section 5 and has taken reasonable steps to enforce the sub-processor's contractual obligations. Nothing in this Policy limits or excludes any liability that cannot be excluded under applicable law.

10. Changes to This Policy

Rankad reserves the right to amend this Policy at any time. Material changes will be communicated to registered users by email or via a prominent notice on the Rankad platform at least 14 days before taking effect. Continued use of the Rankad platform following notification constitutes acceptance of the revised Policy.

11. Contact and Supervisory Authority

To exercise your right to erasure or for any questions regarding this Policy:

Email: [email protected] Data Controller: Rankad AB, Sweden Supervisory Authority: Integritetsskyddsmyndigheten (IMY), imy.se

You have the right to lodge a complaint with IMY at any time if you believe Rankad has not handled your personal data in accordance with applicable law.