GDPR Compliance

Last updated: November 03, 2025

RankVault is fully compliant with the General Data Protection Regulation (GDPR). This page provides detailed information about how we process your personal data.

1. GDPR Fundamentals

The GDPR (Regulation 2016/679) is an EU regulation protecting personal data and privacy. It applies to all organizations processing data of EU residents, regardless of company location.

2. Data Controller

NUTRIGEN SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ

ul. Tadeusza Kościuszki 25/5, 50-011 Wrocław, Poland

NIP: 8971881125

REGON: 386589960

KRS: 0000851334

Email: [email protected]

Website: https://rankvault.io

3. Scope of Data Processing

  • Identification Data: Name, surname, email address
  • Authentication Data: Google OAuth tokens, encrypted passwords
  • Search Console Data: Website performance metrics from Google Search Console API
  • Billing Data: Processed via Lemon Squeezy (we don't store payment card details)
  • Technical Data: IP address, browser info, session data

4. Legal Basis for Processing (Art. 6 GDPR)

  • Contract Performance (Art. 6.1.b): To provide the RankVault services you subscribed to
  • Legitimate Interest (Art. 6.1.f): Service improvement, fraud prevention, security
  • Consent (Art. 6.1.a): Marketing communications (you can withdraw consent anytime)
  • Legal Obligation (Art. 6.1.c): Tax and accounting requirements

5. Your Rights Under GDPR

  • Right to Access (Art. 15): Request information about data we process and obtain a copy
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): Limit processing of your data in specific circumstances
  • Right to Data Portability (Art. 20): Receive your data in a machine-readable format (CSV/JSON)
  • Right to Object (Art. 21): Object to processing based on legitimate interest or marketing
  • Right to Withdraw Consent (Art. 7.3): Revoke consent for data processing at any time
  • Right to Lodge a Complaint (Art. 77): File a complaint with your national supervisory authority

To exercise these rights, email us at [email protected]. We will respond within 30 days.

6. Data Retention Period

  • Active Subscription: Data stored for the duration of your subscription
  • After Cancellation: 30-day grace period, then permanent deletion
  • Billing Data: Retained for 7 years (tax/legal obligations)
  • Backups: Automatically deleted within 90 days

7. Data Transfers Outside EEA

Some data may be transferred to countries outside the European Economic Area:

  • Google (USA): Google Search Console API - covered by Standard Contractual Clauses (SCC)
  • Lemon Squeezy (USA): Payment processing - GDPR-compliant data processing agreement
  • Cloud Providers: EU-based data centers with GDPR guarantees

All transfers use appropriate safeguards (SCC, adequacy decisions, or binding corporate rules).

8. Technical & Organizational Measures

Technical Measures:

  • Encryption: SSL/TLS encryption, AES-256 for stored data
  • Access Control: Role-based access, two-factor authentication (2FA)
  • Monitoring: Intrusion detection, security logs
  • Backups: Regular encrypted backups

Organizational Measures:

  • Staff Training: GDPR awareness and security training
  • Confidentiality Agreements: All staff sign NDAs
  • Data Processing Agreements: With all third-party processors
  • Incident Response Plan: Procedures for data breach notification

9. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR). If the breach poses a high risk to your rights, we will also notify you directly (Art. 34 GDPR).

10. Contact & Data Protection Officer

For GDPR-related questions or to exercise your rights:

Email: [email protected]

Address: NUTRIGEN Sp. z o.o., ul. Tadeusza Kościuszki 25/5, 50-011 Wrocław, Poland

Supervisory Authority in Poland: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland
