Last updated: June 2025
This Data Processing Agreement (DPA) is between Rankpad (the data processor) and the customer (the data controller). It governs how Rankpad processes personal data on your behalf in connection with the Rankpad service.
This DPA forms part of our Terms and Conditions and applies where Rankpad processes personal data subject to the General Data Protection Regulation (GDPR) or similar applicable data protection laws.
Personal data means any information relating to an identified or identifiable natural person. Processing means any operation performed on personal data. Controller means the entity that determines the purposes and means of processing. Processor means the entity that processes data on behalf of the controller.
You, the customer, are the data controller. Rankpad is the data processor. Rankpad processes personal data only on your documented instructions and for the purpose of providing the service.
In the course of providing the Rankpad service, we may process the following categories of data on your behalf: account holder name and email address, brand and competitor names you configure, prompts and tracking inputs you provide, and usage data tied to your account.
We process data solely to provide, maintain, and improve the Rankpad service as described in our Terms and Conditions. We process data for as long as your account is active. Upon account termination, personal data is deleted within 90 days.
Rankpad implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These include encryption in transit and at rest, access controls, and regular security reviews.
Rankpad uses the following sub-processors to deliver the service:
Supabase — database and infrastructure. Stripe — payment processing. Vercel — hosting and deployment.
We ensure all sub-processors are bound by data protection obligations consistent with this DPA. We will notify you of any changes to our sub-processor list with reasonable advance notice.
Rankpad will assist you in responding to data subject requests, including requests for access, correction, deletion, or portability of personal data. Contact us at privacy@rankpad.app with any such requests and we will respond within 30 days.
Where personal data is transferred outside the European Economic Area, Rankpad ensures appropriate safeguards are in place in accordance with applicable data protection law, including standard contractual clauses where required.
In the event of a personal data breach, Rankpad will notify you without undue delay and no later than 72 hours after becoming aware of the breach, providing sufficient information for you to meet your own notification obligations.
You have the right to audit Rankpad's data processing activities or commission a third-party auditor, subject to reasonable notice and confidentiality obligations. We will cooperate with such audits.
For questions about this DPA or data processing, contact us at privacy@rankpad.app.