Privacy Policy

Do you have any questions about data protection?
Contact us at: office@leadrealizer.com. We will be happy to help you.

Leadrealizer Solutions GmbH – RankRealizer Website and Application

Effective: March 2026


1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit our website or use our application. Personal data is any data that can be used to personally identify you. For detailed information on data protection, please refer to the sections below.

Who Is Responsible?

Data processing on this website and in the application is carried out by Leadrealizer Solutions GmbH. Contact details can be found in Section 2 and in our legal notice (Imprint).

How Do We Collect Your Data?

Your data is collected when you provide it to us (e.g., during registration, in contact forms). Other data is collected automatically or with your consent by our IT systems (e.g., technical data such as browser, operating system, or access time).

What Are Your Rights?

You have the right to access, rectify, delete, and restrict the processing of your data at any time. You can revoke consent and object to processing based on legitimate interests. Details can be found in Section 13.


2. Data Controller and Contact Information

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

Leadrealizer Solutions GmbH
Industriestraße 170
50999 Cologne
Germany

Commercial Register: HRB 120020, Cologne District Court
VAT ID: DE400181258

Represented by Managing Directors: Thorsten Rolf Orendi, Moussa Bdeir, Christian Wilhelm Roth (Each managing director has sole power of representation.)

Phone: +49 (0) 221 7726660
Email: office@leadrealizer.com

Digital Services Act (DSA) Contact Point:
Email: office@leadrealizer.com
Communication may be conducted in German and English.


3. Data Protection Officer

A Data Protection Officer has not currently been appointed. Should an appointment become necessary under Art. 37 GDPR or § 38 BDSG (German Federal Data Protection Act), we will promptly appoint one and publish the contact details here.

For data protection inquiries, please contact: privacy@rankrealizer.com or write to the postal address above with the note “Data Protection.”


4. Scope

This privacy policy applies to the processing of personal data in connection with:

  • the website at www.rankrealizer.com (hosted on Webflow),
  • the RankRealizer application (web application, backend hosted on Bubble.io),
  • all related services, features, and communication channels.

Legal Basis | Scope
Art. 6(1)(a) GDPR (Consent) | Cookies and tracking, marketing, certain analytics tools
Art. 6(1)(b) GDPR (Performance of Contract) | User account, app functionality, payment processing, contact inquiries
Art. 6(1)(c) GDPR (Legal Obligation) | Tax retention obligations, statutory archiving
Art. 6(1)(f) GDPR (Legitimate Interest) | Web analytics (where consent is not required), IT security, website operation

6. General Notes

Note on Data Transfers to the USA

Our website and application use tools from companies based in the USA. When these tools are active, your personal data may be transferred to US servers. Where the respective company is certified under the EU-US Data Privacy Framework (DPF), this provides an adequate level of data protection. For companies not certified under the DPF, we use Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and additional technical and organizational measures.

SSL/TLS Encryption

This website and application use SSL/TLS encryption for security purposes. An encrypted connection is indicated by “https://” in the browser address bar and the lock icon.

Many data processing operations require your explicit consent. You may withdraw your consent at any time with effect for the future. The lawfulness of data processing carried out before the withdrawal remains unaffected.

Right to Object (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS.

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING FOR SUCH MARKETING PURPOSES; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING.


7. Hosting, CDN, and Infrastructure

7.1 Webflow (Website Hosting)

Our website is hosted by Webflow, Inc. (USA). When you visit the website, personal data (IP address, access data, meta and communication data) is processed on Webflow’s servers.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in secure, efficient delivery).

We have concluded a Data Processing Agreement with Webflow.

Privacy Policy: https://webflow.com/legal/privacy

7.2 Bubble.io (App Backend)

Our application backend is hosted by Bubble Group, Inc. (USA). All data processed in the app is stored on Bubble.io servers in the USA.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

We have concluded a Data Processing Agreement with Bubble.io. Data transfers to the USA are based on the EU-US Data Privacy Framework and/or Standard Contractual Clauses.

7.3 Cloudflare (CDN and Security)

We use Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) as a Content Delivery Network (CDN) and for DDoS protection.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable delivery).

We have concluded a Data Processing Agreement with Cloudflare.

Privacy Policy: https://www.cloudflare.com/privacypolicy/

7.4 Server Log Files

The hosting provider automatically collects and stores information in server log files:

  • Browser type and version
  • Operating system
  • Referrer URL
  • Hostname of the accessing computer
  • Time of server request
  • IP address

This data is not combined with other data sources and is deleted after 30 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technically error-free delivery and security).


8. Data Processing on the Website

8.1 Contact Form

When you submit inquiries via our contact form, your form data and contact details are stored for the purpose of processing the inquiry and for follow-up questions.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures / performance of contract) or Art. 6(1)(f) GDPR (legitimate interest in effective processing).

Retention: Until you request deletion, withdraw consent, or the storage purpose ceases. Statutory retention periods remain unaffected.

8.2 Inquiries by Email or Phone

When you contact us by email or phone, your inquiry and all associated personal data are stored for processing purposes.

Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

8.3 Google Web Fonts

We use Google Web Fonts for consistent font display. When other Google services are used, a connection to Google servers may be established, potentially capturing your IP address.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest).


9. Data Processing in the Application

9.1 User Registration and Account Management

During registration we collect:

  • First name and last name
  • Email address
  • Password (stored encrypted)
  • Company name
  • Company website / domain

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Retention: Duration of the user relationship + 12 months after account deletion.

9.2 Google Search Console Integration

The App integrates with Google Search Console (Google Ireland Limited / Google LLC) via OAuth 2.0 authorization. When a user connects their Google Search Console account, the following data is accessed and processed:

  • Search performance data (impressions, clicks, average position, click-through rate)
  • Keyword/query data associated with the user’s website
  • Page-level performance data
  • Device and country breakdowns

Access to the Google Search Console account is limited to read-only data retrieval within the scope approved by the user during the OAuth consent flow. The user can revoke access at any time via the App settings or directly through their Google Account permissions.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Google API Services – User Data Disclosure

RankRealizer’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

1. Data Accessed from Google APIs:

When a user connects their Google account, the App accesses the following Google user data:

  • Google Search Console API: Search analytics data (queries, pages, impressions, clicks, position, CTR), index coverage data, and sitemap information associated with the user’s verified website properties

The App only requests the minimum scopes necessary to provide its functionality. Users are informed of the specific permissions requested during the OAuth consent flow and can review them before granting access.

2. How Google User Data Is Used:

Google user data accessed through the App is used exclusively for the following purposes:

  • Analytics Dashboard: To display search performance metrics, keyword rankings, and traffic trends within the RankRealizer application
  • Content Strategy: To identify keyword opportunities, content gaps, and content decay based on Search Console performance data
  • AI-Assisted Content Generation: To inform AI-generated content recommendations based on actual search performance data
  • Reporting: To generate performance reports for the user

Google user data is not used for:

  • Serving advertisements or ad targeting
  • Training general-purpose AI/ML models unrelated to the user’s own account
  • Selling, renting, or leasing to third parties
  • Any purpose unrelated to the core functionality described above

3. How Google User Data Is Shared:

Google user data may be shared with the following categories of third parties, solely to provide the Services:

  • AI Processing Providers (Anthropic / OpenAI): Search performance data may be transmitted to AI APIs to generate content recommendations and keyword strategies. Processing is governed by Data Processing Agreements with these providers. Data is processed in real-time and is not retained by these providers beyond the processing request.
  • Backend Infrastructure (Bubble.io): Google user data is stored on our backend infrastructure to provide the Services.
  • Backend Automation (N8N): Google user data may be processed within automated workflows to deliver App features (e.g., content decay detection, scheduled reports).

Google user data is never shared with data brokers, advertising networks, or any party for purposes unrelated to providing the Services.

4. Data Storage and Protection:

Google user data is stored and protected as follows:

  • Encryption in Transit: All data transmission between the App, our servers, and Google APIs uses TLS 1.2 or higher encryption.
  • Encryption at Rest: Google user data stored on our servers is encrypted at rest.
  • Access Controls: Access to Google user data on our systems is restricted to authorized personnel and services on a need-to-know basis, using role-based access controls.
  • OAuth Token Security: Google OAuth tokens are stored encrypted and are never exposed to client-side code or third parties. Tokens are used exclusively by our backend to communicate with Google APIs on behalf of the user.
  • Infrastructure Security: Our backend infrastructure (Bubble.io) employs industry-standard security measures including firewalls, intrusion detection, and regular security updates.

5. Data Retention and Deletion:

  • Active Accounts: Google Search Console data is retained for the duration of the user’s active account to provide the Services. Users can disconnect their Google account at any time via the App settings or directly through their Google Account permissions, which immediately revokes the App’s access.
  • After Disconnection: When a user disconnects their Google account from the App, we cease accessing new data from Google APIs. Previously synced data is retained in the user’s RankRealizer account unless the user requests its deletion.
  • Account Deletion: Upon account deletion, all Google user data is deleted within 12 months, consistent with our general data retention policy (see Section 12). Backups containing Google user data are purged within 30 days of the deletion process completing.
  • Deletion Requests: Users may request deletion of their Google user data at any time by emailing privacy@rankrealizer.com or using the data deletion function in the App settings. We will process deletion requests within 30 days.

9.3 AI Processing (Claude API and OpenAI API)

We use the Claude API (Anthropic, PBC, USA) and the OpenAI API (OpenAI, L.L.C., USA) for AI-powered features:

  • SEO content generation (articles, outlines, meta descriptions)
  • Keyword research and strategy recommendations
  • Competitor analysis and content gap identification
  • Content optimization and quality scoring

User inputs, keyword data, and Search Console data may be transmitted to the respective API during AI processing. Processing is governed by our Data Processing Agreements with Anthropic and OpenAI.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest).

9.4 Backend Automation (N8N)

We use N8N for automated backend processes and workflow automation (e.g., keyword discovery workflows, competitor monitoring, content generation pipelines). Personal data may be processed within the purposes described in this privacy policy.

9.5 Customer Support and Feedback (Featurebase)

We use Featurebase for support, feedback, and feature requests. Name, email address, inquiry content, and interaction data are processed.

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

9.6 Payment Processing (Stripe)

Payment processing for subscriptions is handled by Stripe, Inc. (USA). Stripe processes payment data (credit card information, billing address) directly. We do not store credit card or bank details. We only receive information about payment status and billing data (subscription plan, billing cycle, invoice data).

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

We have concluded a Data Processing Agreement with Stripe.

Privacy Policy: https://stripe.com/privacy


10. Cookies and Tracking Technologies

10.1 General Information About Cookies

Our website uses cookies. Cookies are small text files stored on your device. They do not cause harm. Session cookies are automatically deleted after your visit; persistent cookies remain until you delete them or they expire.

Technically necessary cookies are stored on the basis of Art. 6(1)(f) GDPR. For all other cookies, we require your consent (Art. 6(1)(a) GDPR).

We use Cookiebot (Cybot A/S, Denmark) as our Consent Management Platform (CMP). On your first visit, you will be asked to set your cookie preferences. Cookiebot stores a cookie to assign your consent(s) or their withdrawal.

Data transmitted to Cookiebot: your consent(s), IP address (anonymized), browser/device information, time of visit.

Legal basis: Art. 6(1)(c) GDPR (legal obligation to obtain and document consent).

You can adjust your preferences at any time via the cookie banner or under [Cookie Settings].

10.3 Google Analytics 4

We use Google Analytics 4 (Google Ireland Limited) for web analytics. GA4 uses technologies for user recognition (cookies, device fingerprinting). Information collected is generally transmitted to Google servers in the USA.

Data processed: pseudonymized usage data, page views, time on site, device/browser information, interaction data, IP address (anonymized).

Retention: Up to 14 months.

You can prevent data collection by Google Analytics by downloading the browser add-on: https://tools.google.com/dlpage/gaoptout

Legal basis: Art. 6(1)(a) GDPR (consent).

We have concluded a Data Processing Agreement with Google.

10.4 Google Tag Manager

We use Google Tag Manager (Google Ireland Limited) for website tag management. Google Tag Manager itself does not collect personal data but enables the integration of other tags that may collect data.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

10.5 Meta Pixel (Facebook Pixel)

We use the Meta Pixel (Meta Platforms Ireland Ltd.) for conversion measurement and retargeting for Facebook/Instagram advertising.

Data processed: page views, interaction data, device information.

You can deactivate remarketing in Facebook ad settings: https://www.facebook.com/ads/preferences/

Legal basis: Art. 6(1)(a) GDPR (consent).

Privacy Policy: https://www.facebook.com/privacy/policy/

10.6 LinkedIn Insight Tag

We use the LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company) for conversion tracking and retargeting for LinkedIn advertising.

Data processed: page views, professional profile information (aggregated), device information.

Legal basis: Art. 6(1)(a) GDPR (consent).

Privacy Policy: https://www.linkedin.com/legal/privacy-policy

We use Google Ads Conversion Tracking (Google Ireland Limited) to measure the effectiveness of Google Ads campaigns. A cookie is set when you click on a Google ad.

Data processed: IP address, user behavior, browser information, conversion data.

Legal basis: Art. 6(1)(a) GDPR (consent).

10.8 Hotjar / Microsoft Clarity

We use Hotjar (Hotjar Ltd, Malta) and/or Microsoft Clarity for UX analysis (heatmaps, session recordings, conversion funnels).

Data processed: anonymized click, scroll, and interaction data, device information, time spent.

You can deactivate Hotjar at: https://www.hotjar.com/opt-out

Legal basis: Art. 6(1)(a) GDPR (consent).

We have concluded a Data Processing Agreement with Hotjar.


11. International Data Transfers

Service Provider | Location | Purpose | Transfer Mechanism
Bubble.io | USA | App backend | DPF / SCCs
Cloudflare | USA | CDN, security | DPF / SCCs
Google (Analytics, Ads, GTM, Search Console) | USA (via Ireland) | Analytics, marketing, SEO data | DPF
Meta Platforms | USA (via Ireland) | Marketing, retargeting | DPF
LinkedIn | USA (via Ireland) | Marketing, retargeting | DPF
Anthropic (Claude API) | USA | AI content generation | SCCs
OpenAI (GPT API) | USA | AI content generation | DPF / SCCs
Stripe | USA | Payment processing | DPF / SCCs
Hotjar | Malta/EU | UX analysis | EU internal
Microsoft (Clarity) | USA | UX analysis | DPF / SCCs
Cookiebot (Cybot) | Denmark/EU | Consent management | EU internal
Featurebase | Varies | Support, feedback | SCCs

DPF = EU-US Data Privacy Framework; SCCs = Standard Contractual Clauses (Art. 46(2)(c) GDPR)

We have concluded Data Processing Agreements with all processors pursuant to Art. 28 GDPR.


12. Data Retention and Deletion

Data Category | Retention Period
User account data | Duration of user relationship + 12 months after account deletion
Google Search Console data | Duration of active connection; deleted upon disconnection request or account deletion
Generated content (articles, outlines) | Duration of user relationship + 12 months after account deletion
Payment and billing data | 10 years (German statutory retention: § 147 AO, § 257 HGB)
Server log files | 30 days
Cookie consent data | 12 months
Support/feedback data | Duration of user relationship + 12 months

13. Rights of Data Subjects

13.1 Your Rights Under GDPR

Right of Access (Art. 15 GDPR): Information about stored data, processing purposes, recipients, and retention periods.

Right to Rectification (Art. 16 GDPR): Correction of inaccurate or completion of incomplete data.

Right to Erasure (Art. 17 GDPR): Deletion of your data, provided no statutory retention obligations apply.

Right to Restriction (Art. 18 GDPR): Restriction of processing, e.g., when contesting accuracy.

Right to Data Portability (Art. 20 GDPR): Provision of your data in a structured, machine-readable format.

Right to Object (Art. 21 GDPR): Objection to processing based on legitimate interests.

Right to Withdraw Consent (Art. 7(3) GDPR): Withdrawal of consent with effect for the future.

Right to Lodge a Complaint (Art. 77 GDPR): Complaint with a supervisory authority. The authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf, Germany
https://www.ldi.nrw.de

13.2 Exercising Your Rights

  • Email: privacy@rankrealizer.com
  • Post: Leadrealizer Solutions GmbH, Data Protection, Industriestraße 170, 50999 Cologne, Germany

We will respond within 30 days (extendable to 90 days for complex requests).


14. Additional Rights for California Residents (CCPA/CPRA)

Residents of California have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

14.1 Categories of Personal Information Collected

We may collect the following categories of personal information:

  • Identifiers: Name, email address, IP address, account name
  • Internet Activity: Browsing history, search history, information regarding interactions with our website/app
  • Commercial Information: Subscription records, purchasing history
  • Geolocation Data: Approximate location derived from IP address

14.2 Your CCPA Rights

Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.

Right to Delete: You can request the deletion of your personal information, subject to certain exceptions.

Right to Correct: You can request the correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing: We do not “sell” your personal information in the traditional sense. To the extent that sharing data for cross-context behavioral advertising (e.g., via tracking pixels) constitutes a “sale” or “sharing” under the CCPA, you have the right to opt out. You can exercise this right via our cookie consent banner.

Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

14.3 How to Exercise Your CCPA Rights

Submit a verifiable consumer request by emailing us at: privacy@rankrealizer.com

We will verify your identity before processing your request. We will respond within 45 days (extendable to 90 days with notice).


15. Additional Rights for UK Residents

For residents of the United Kingdom, the provisions of the UK GDPR and the Data Protection Act 2018 apply. Your rights are substantially the same as those described in Section 13 under the GDPR.

Supervisory authority: Information Commissioner’s Office (ICO), https://ico.org.uk


16. Additional Rights for Swiss Residents

For residents of Switzerland, the provisions of the revised Swiss Federal Act on Data Protection (revFADP/revDSG) apply. Your rights are substantially the same as those described in Section 13, supplemented by specific provisions of the revFADP.

Supervisory authority: Federal Data Protection and Information Commissioner (FDPIC), https://www.edoeb.admin.ch


17. Data Security

We implement appropriate technical and organizational measures:

  • Encrypted data transmission (TLS 1.2+)
  • Encrypted storage of sensitive data
  • Access control and authorization management
  • Regular security reviews
  • Backup and recovery procedures
  • Employee training in data protection

We note that data transmission over the internet may have security gaps. Complete protection against third-party access is not possible.


18. Minors

Our services are intended for businesses and business customers (B2B) and are not intended for use by persons under 16 years of age. We do not knowingly collect personal data from minors.


19. Objection to Advertising Emails

The use of contact data published as part of the legal notice obligation for sending unsolicited advertising and information materials is hereby objected to. We expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as spam emails.


20. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements, technical developments, or changes to our services. The current version is always available on our website and in the application. Registered users will be notified by email of material changes.


Last updated: March 2026

Leadrealizer Solutions GmbH – Industriestraße 170, 50999 Cologne, Germany