This policy covers rankalseo.com, the Rankal SEO Optimizer WordPress plugin, and the dashboard.rank.al SaaS platform — all operated by Baldiv OÜ (registered in Estonia, EU). Last updated: April 2026.
1. Data Controller
The data controller for all services described in this policy is:
Baldiv OÜ
Registry code: 17495709
Narva mnt 5, Kesklinna linnaosa
Tallinn, Harju maakond, 10117
Estonia, European Union
Email: [email protected]
As an Estonian-registered company, we are subject to the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.
2. What Data We Collect and Why
2.1 rankalseo.com (this website)
- Server access logs — IP address, browser type, pages visited, referring URL. Retained for 30 days. Legal basis: legitimate interests (security and abuse prevention).
- Contact form submissions — name, email, message content. Retained until your request is resolved. Legal basis: contract / pre-contractual steps.
2.2 dashboard.rank.al (SaaS platform)
- Account credentials — email address and bcrypt-hashed password (or Google OAuth token — we never store your Google password). Legal basis: contract performance.
- License and billing data — license key, associated WordPress site domain(s), Stripe customer ID, subscription plan, payment history. We do not store raw card numbers — Stripe handles PCI-DSS compliance. Legal basis: contract performance and legal obligation (EU accounting records).
- Support tickets — name, email, message content, site URL. Retained for 2 years or until account deletion. Legal basis: legitimate interests (providing support).
- Session data — encrypted session cookie (RANKAL_SESS) used to keep you logged in. Expires after 8 hours of inactivity. Legal basis: legitimate interests.
- Rate-limit logs — hashed IP address and request timestamp, used to prevent abuse. Retained for 15 minutes. Legal basis: legitimate interests (security).
2.3 Rankal SEO Optimizer WordPress plugin (on your site)
- License verification — your WordPress site domain and license key are sent to rank.al/api/license when activating or verifying a license. This is the only data your plugin sends to our servers. Legal basis: contract performance.
- SEO data — all SEO metadata (titles, descriptions, schema, redirects) is stored exclusively in your WordPress database. It is never sent to our servers.
- AI generation — when you use AI features, your post content is sent directly from your server to the AI provider you configure (Groq, OpenAI, Anthropic, or Google) using your own API key. Content does NOT pass through our servers. The AI provider's own privacy policy applies.
3. Legal Bases for Processing (GDPR Article 6)
- Contract performance (Art. 6(1)(b)) — processing your account, license, and billing data to provide the service you signed up for.
- Legal obligation (Art. 6(1)(c)) — retaining billing and transaction records for 7 years as required by Estonian accounting law.
- Legitimate interests (Art. 6(1)(f)) — server logs, rate limiting, security monitoring, and fraud prevention. We have assessed that these interests are not overridden by your interests or fundamental rights.
- Consent (Art. 6(1)(a)) — where applicable (e.g. marketing emails). You may withdraw consent at any time.
4. Cookies
We use only strictly necessary cookies:
- RANKAL_SESS — session authentication cookie on dashboard.rank.al. HttpOnly, Secure, SameSite=Lax. Expires after 8 hours of inactivity.
- csrf_token — CSRF protection token stored in the session. Not a tracking cookie.
We do not use advertising cookies, tracking pixels, Google Analytics, or any third-party analytics on rankalseo.com. Cookies that are strictly necessary to provide a service you have requested are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended; see also Recital 25).
5. Data Sharing and Third Parties
We do not sell your data. We do not use your data for advertising. We share data only with the following processors:
- Stripe Inc. (USA) — payment processing. Stripe is certified under the EU–US Data Privacy Framework (see Stripe's privacy policy).
- Your chosen AI provider (Groq / OpenAI / Anthropic / Google) — only when you use AI features with your own API key. Your content is sent directly from your server to that provider. We are not a processor in this flow.
- Abelo (hosting) — our server infrastructure provider based in Europe. Personal data is processed on servers located within the EU/EEA.
All data is processed and stored within the EU/EEA except where Stripe's US processing occurs under approved transfer mechanisms.
6. Data Retention
- Account data — retained while your account is active and for 90 days after a deletion request, then permanently deleted.
- Billing and license records — retained for 7 years from the transaction date (Estonian Accounting Act requirement).
- Support tickets — retained for 2 years, then deleted.
- Server access logs — deleted after 30 days.
- Rate-limit logs — deleted after 15 minutes.
- Session data — expires after 8 hours of inactivity.
7. Your Rights Under GDPR
As a data subject under GDPR (Articles 15–22), you have the following rights:
- Right of access (Art. 15) — request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18) — request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON/CSV).
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.
- Right not to be subject to automated decisions (Art. 22) — we do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
To exercise any of these rights, email [email protected] with the subject line "GDPR Request". We will respond within one month, as GDPR Article 12(3) requires; for complex or numerous requests this may be extended by up to two further months, in which case we will tell you within the first month.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee) or the supervisory authority in your EU member state of residence.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- All data transmitted over HTTPS/TLS
- Passwords stored as bcrypt hashes (cost factor 12) — never in plain text
- Sensitive configuration files stored outside the web root
- Session tokens are HttpOnly, Secure, and SameSite=Lax
- CSRF protection on all state-changing requests
- Rate limiting on authentication endpoints
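Two of the controls listed above (bcrypt with cost factor 12, and session cookies marked HttpOnly, Secure and SameSite=Lax) can be verified from the stored hash string and the Set-Cookie header alone. The following Python check is an added example, not code from Baldiv OÜ or the Rankal product, and assumes nothing about their implementation; it uses only the standard library, and the sample hash and headers are constructed (the hash is well-formed bcrypt but is not the hash of any real password).

```python
"""Audit a stored password hash and a Set-Cookie header against the
controls stated in the policy: bcrypt with cost factor 12, and a session
cookie sent with HttpOnly, Secure and SameSite=Lax, living at most 8 hours.

Added example; not code from Baldiv OÜ or the Rankal product.
"""
import re

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, a two-digit cost, then
# 22 salt characters and 31 hash characters in bcrypt's base64 alphabet.
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")

MIN_BCRYPT_COST = 12            # the cost factor stated in the policy
MAX_SESSION_SECONDS = 8 * 3600  # the 8-hour session lifetime stated in the policy


def bcrypt_cost(stored_hash: str) -> int:
    """Return the cost factor encoded in a bcrypt hash string.

    Raises ValueError if the string is not well-formed bcrypt, which is
    how a plaintext or unsalted MD5/SHA value in the password column
    would present itself to an auditor.
    """
    m = _BCRYPT_RE.match(stored_hash)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(2))


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased so comparisons are case-insensitive,
    as in browsers; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_violations(header: str) -> list:
    """Return the ways a Set-Cookie header falls short of the stated policy."""
    attrs = parse_set_cookie(header)["attrs"]
    problems = []
    if attrs.get("httponly") is not True:
        problems.append("missing HttpOnly")
    if attrs.get("secure") is not True:
        problems.append("missing Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > MAX_SESSION_SECONDS:
        problems.append("Max-Age exceeds 8 hours")
    return problems


def audit(stored_hash: str, set_cookie: str) -> list:
    """Run both checks; an empty list means the samples meet the policy."""
    problems = []
    try:
        cost = bcrypt_cost(stored_hash)
        if cost < MIN_BCRYPT_COST:
            problems.append(f"bcrypt cost {cost} below {MIN_BCRYPT_COST}")
    except ValueError as exc:
        problems.append(str(exc))
    problems.extend(cookie_violations(set_cookie))
    return problems


# Constructed samples: syntactically valid bcrypt strings that are not the
# hash of any real password, and made-up Set-Cookie headers.
GOOD_HASH = "$2b$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."
WEAK_HASH = "$2b$08$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."
GOOD_COOKIE = "RANKAL_SESS=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=28800"
WEAK_COOKIE = "RANKAL_SESS=abc123; Path=/; SameSite=None; Max-Age=604800"

if __name__ == "__main__":
    print(audit(GOOD_HASH, GOOD_COOKIE))  # []
    print(audit(WEAK_HASH, WEAK_COOKIE))
```

The cookie check reads only what the server sent, so it does not confirm that the 8-hour idle timeout is enforced server-side; the Max-Age test catches a cookie that would outlive the stated session length, but a session store that never expires entries would pass it.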
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of it and, where the risk is high, notify affected individuals without undue delay, as required by GDPR Articles 33 and 34.
9. Children
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time. When we make material changes we will notify registered users by email and update the "Last updated" date at the top of this page. We recommend checking this page periodically. Continued use of the service after the effective date of changes constitutes acceptance of the updated policy.
11. Contact and Data Protection
For any privacy-related questions, data subject requests, or concerns:
Baldiv OÜ
Narva mnt 5, Kesklinna linnaosa
Tallinn, Harju maakond, 10117
Estonia, EU
Registry: 17495709
Email: [email protected]
Supervisory authority: Estonian Data Protection Inspectorate (AKI) — Tatari 39, 10134 Tallinn, Estonia.