Privacy Policy
Last updated: May 2026. This is a working draft pending final legal review. The most recent version always applies and is available on this page.
1. Who we are
This Privacy Policy describes how Searchpilot B.V., a private limited company incorporated in the Netherlands (KvK 99806673, VAT NL869141314B01, registered office in Amsterdam), trading as "RankBird" ("RankBird", "we", "us"), collects and uses personal data. Our full statutory details are on /pages/legal. We have not appointed a Data Protection Officer; for any privacy question contact support@rankbird.com.
2. Scope
This policy covers personal data we process as controller: visitors to rankbird.com, people who contact us, and the contact persons of our (prospective) customers. Where we process personal data inside a customer's Shopify store on the customer's behalf through the RankBird platform, the customer is the controller and we act as processor under our Data Processing Addendum — that processing is governed by the customer's own privacy notice and the DPA, not this policy.
3. What we collect, why, and on what legal basis
- Website & contact form — name, email, company, store URL and the content of your message; technical data such as IP address, user-agent, timestamps and an anti-spam token (Cloudflare Turnstile). Purpose: answering your request and site security. Legal basis: art. 6(1)(b) GDPR (steps prior to a contract, for the form) and art. 6(1)(f) GDPR (legitimate interest, for security and anti-spam).
- Customer & prospect administration — name, role, business email, phone, company, store URL, communication history, chosen plan. Purpose: onboarding, support, account and service management. Legal basis: art. 6(1)(b) GDPR (performance of the contract) for customers; art. 6(1)(f) GDPR (sales and relationship management) for prospects.
- Billing — name, company, billing address, VAT number, bank details, invoice and payment data. Purpose: invoicing and accounting. Legal basis: art. 6(1)(b) GDPR (contract) and art. 6(1)(c) GDPR (legal obligation — tax administration). The App Plan is billed via Shopify Billing; Shopify is the merchant of record for those charges.
- Marketing communication (if you sign up) — name, email, company, engagement data. Purpose: product updates and newsletters. Legal basis: art. 6(1)(a) GDPR (consent) or art. 6(1)(f) GDPR (legitimate interest — existing B2B relationship, with an opt-out in every message).
- Server, application and security logs — IP address, user-agent, request and response data, timestamps, error and event logs. Purpose: availability, debugging, security and incident handling. Legal basis: art. 6(1)(f) GDPR (legitimate interest — security and continuity).
- Job applicants (if you apply) — the data contained in your application. Purpose: recruitment. Legal basis: art. 6(1)(b) and 6(1)(f) GDPR.
We do not seek special categories of personal data, and we ask you not to send such data via the contact form.
4. Cookies
rankbird.com uses only strictly necessary cookies by default; analytics or other non-essential cookies are set only with your consent via the cookie banner. Web fonts are self-hosted, so no font request is made to a third party on page load. Details and how to change your choice are in our Cookie Policy.
5. Who we share data with
We share personal data only with service providers ("sub-processors") that process it on our behalf under a data processing agreement, with our professional advisers (e.g. our accountant) where necessary, and with authorities where legally required. We do not sell personal data. The current list of sub-processors — with their location and the safeguard for any transfer — is published on /pages/sub-processors.
6. International transfers
Our database, file storage and transactional email run on infrastructure located within the EEA (Amazon Web Services, Frankfurt — eu-central-1). Some sub-processors (e.g. Shopify, Cloudflare, Anthropic, Google) are located in the United States; for those transfers we rely on the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses, with additional safeguards where appropriate.
7. How long we keep data
- Contact-form messages: up to 24 months, unless a customer relationship arises.
- Customer administration: for the duration of the relationship plus 7 years for data tied to our accounts (Dutch tax-retention obligation); prospect data without follow-up: up to 24 months.
- Billing records: 7 years (Dutch tax law).
- Marketing: until you unsubscribe or withdraw consent, then deleted promptly (unsubscribe log kept up to 12 months).
- Logs: 30 to 90 days, unless needed longer for an ongoing security investigation.
- Job applications: 4 weeks after the procedure ends, or up to 1 year with your consent.
8. Your rights
Under the GDPR you have the right to access your personal data, to rectification, to erasure, to restriction of processing, to data portability, and to object to processing based on our legitimate interests. Where processing is based on consent, you may withdraw it at any time (this does not affect processing carried out before withdrawal). To exercise a right, email support@rankbird.com; we may need to verify your identity and will respond within one month. You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
9. Automated decision-making and AI
We do not take decisions producing legal or similarly significant effects about you based solely on automated processing. The RankBird platform uses third-party large language models to generate content drafts; that processing takes place on a customer's instruction within their workspace (see the DPA), API inputs are not used to train those models, and a human reviews and approves AI-generated content before publication.
10. Security
We apply appropriate technical and organisational measures: TLS for all connections, encryption at rest for the database and file storage, least-privilege access with multi-factor authentication where available, anti-spam and DDoS protection, data-processing agreements with sub-processors, and a personal-data-breach procedure including notification to the Autoriteit Persoonsgegevens within 72 hours where required.
11. Children
The Service is intended for businesses and is not directed at children. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time; material changes will be communicated where appropriate (for example by email or an in-product notice) and the "last updated" date above will change. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
Questions about this Privacy Policy or about your personal data can be sent to support@rankbird.com. Our full company details are on /pages/legal.