Privacy Policy
Last updated: May 2026. This is a working version pending final legal review. The most recent version applies and is always available on this page.
1. Who we are
This Privacy Policy describes how Searchpilot B.V., a private limited company under Dutch law (KvK 99806673, VAT NL869141314B01, registered office in Amsterdam), trading as “RankBird” (“RankBird”, “we”, “us”), collects and uses personal data. Our full statutory details are on our Company details page. We have not appointed a Data Protection Officer; for privacy questions, contact us at support@rankbird.com.
2. Scope
This policy applies to personal data we process as a controller: visitors to rankbird.com, people who contact us, and the contacts of our (prospective) clients. Where we process personal data in a client’s Shopify store on that client’s behalf via the RankBird platform, the client is the controller and we act as processor under our Data Processing Agreement — that processing is governed by the client’s own privacy policy and the DPA, not by this policy.
3. What we collect, why, and on what basis
- Website & contact form — name, email address, company, store URL and the content of your message; technical data such as IP address, user agent, timestamps and an anti-spam token (Cloudflare Turnstile). Purpose: responding to your request and securing the website. Basis: Art. 6(1)(b) GDPR (pre-contractual steps, for the form) and Art. 6(1)(f) GDPR (legitimate interest, for security and anti-spam).
- Client & prospect administration — name, role, business email, phone number, company, store URL, communication history, chosen plan. Purpose: onboarding, support, account and service management. Basis: Art. 6(1)(b) GDPR (performance of the contract) for clients; Art. 6(1)(f) GDPR (sales and relationship management) for prospects.
- Billing — name, company, billing address, VAT number, bank details, invoice and payment data. Purpose: billing and accounting. Basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(c) GDPR (legal obligation — tax records). The App plan is billed through Shopify Billing; Shopify is the merchant of record for those payments.
- Marketing communications (if you opt in) — name, email, company, interaction data. Purpose: product updates and newsletter. Basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest — existing business relationship, with an opt-out in every message).
- Server, application and security logs — IP address, user agent, request and response data, timestamps, error and event logs. Purpose: availability, debugging, security and incident handling. Basis: Art. 6(1)(f) GDPR (legitimate interest — security and continuity).
- Applicants (if you apply for a job) — the data in your application. Purpose: recruitment and selection. Basis: Art. 6(1)(b) and 6(1)(f) GDPR.
We do not ask for special categories of personal data and request that you do not send them via the contact form.
4. Cookies
rankbird.com uses only strictly necessary cookies by default; analytical or other non-essential cookies are placed solely with your consent via the cookie banner. Web fonts are self-hosted on rankbird.com, so loading a page makes no font request to a third party. Details and how to change your choice are in our Cookie Policy.
5. Who we share data with
We share personal data only with service providers (“sub-processors”) who process it on our behalf under a data processing agreement, with our professional advisers (for example our accountant) where needed, and with authorities where legally required. We do not sell personal data. The current list of sub-processors — with their location and the safeguard for any transfer — is on our Sub-processors page.
6. Transfers to third countries
Our database, file storage and transactional email run on infrastructure within the EEA (Amazon Web Services, Frankfurt — eu-central-1). Some sub-processors (such as Shopify, Cloudflare, Anthropic, Google) are based in the United States; for those transfers we rely on the EU-US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses (SCCs), with additional safeguards where appropriate.
7. How long we keep data
- Contact form messages: up to 24 months, unless a client relationship arises.
- Client administration: for the duration of the relationship plus 7 years for data linked to our accounts (tax retention obligation); prospect data with no follow-up: up to 24 months.
- Billing data: 7 years (tax law).
- Marketing: until you unsubscribe or withdraw consent, then promptly deleted (unsubscribe log up to 12 months).
- Logs: 30 to 90 days, unless longer is needed for an ongoing security investigation.
- Job applications: 4 weeks after the procedure ends, or up to 1 year with your consent.
8. Your rights
Under the GDPR you have the right to access your personal data, to rectification, to erasure, to restriction of processing, to data portability, and to object to processing based on our legitimate interest. Where processing is based on consent, you may withdraw it at any time (this does not affect processing carried out before withdrawal). To exercise a right, email support@rankbird.com; we may need to verify your identity and will respond within one month. You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
9. Automated decision-making and AI
We do not make decisions with legal or similarly significant effects on you based solely on automated processing. The RankBird platform uses third-party large language models to generate content drafts; that processing takes place on a client’s instruction within their workspace (see the Data Processing Agreement), API input is not used to train those models, and a human reviews and approves AI-generated content before publication.
10. Security
We take appropriate technical and organizational measures: TLS for all connections, encryption at rest for the database and file storage, least-privilege access with multi-factor authentication where available, anti-spam and DDoS protection, data processing agreements with sub-processors, and a data-breach procedure including notification to the Autoriteit Persoonsgegevens within 72 hours where required.
11. Children
The Service is intended for business use and is not directed at children. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time; material changes are communicated where appropriate (for example by email or an in-product notification) and the “last updated” date above is adjusted. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
Questions about this Privacy Policy or your personal data can be sent to support@rankbird.com. Our full company details are on our Company details page.