Data and security
SimplyRank takes your data seriously. Here's what we do to protect it, and what you can expect from us.
For the legal version, see our Privacy Policy and Terms of Service.
What we store
Three categories:
| Category | Examples |
|---|---|
| Account data | Your email, name, organization name, sign-in activity |
| Configuration data | The brands, prompts, competitors, categories you've set up |
| Scan data | The AI responses we capture, mentions detected, citations parsed, position and sentiment scores |
We don't store your card details. Stripe handles payment data; we receive a customer ID and subscription status only.
Where it's stored
- Application database: Supabase (PostgreSQL), hosted on AWS.
- Hosting: Vercel (for the web application).
- Monitoring: Sentry (for error tracking).
- Billing: Stripe.
All providers are vetted, GDPR-compliant, and used under data processing agreements where required.
How it's protected
- Encryption in transit: All requests use HTTPS / TLS.
- Encryption at rest: Database and backups are encrypted by the cloud provider.
- Access controls: Tight, audited access to production systems.
- Row-level security: Multi-tenant isolation in the database — your data is logically partitioned and queries can't cross tenant boundaries.
- Authentication: Magic-link sign-in (no passwords to leak).
- Logging: Application and access logs are retained and reviewed for anomalies.
Multi-tenancy
SimplyRank is multi-tenant — many organizations share the same application. We enforce strict isolation at the database level using row-level security policies. Your queries only return your own data; another tenant cannot see your prompts, brands, or scan results.
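A minimal PostgreSQL illustration of the tenant isolation described above, added here as an example and not SimplyRank's actual schema or policies. The table, column, role and setting names (`scan_results`, `org_id`, `app_user`, `app.current_org_id`) are assumptions, and the rows are constructed sample data.

```sql
-- Hypothetical schema: every name below is an assumption for illustration.
CREATE TABLE scan_results (
    id       bigserial PRIMARY KEY,
    org_id   uuid NOT NULL,          -- owning tenant
    prompt   text NOT NULL,
    response text NOT NULL
);

-- Constructed sample rows for two tenants.
INSERT INTO scan_results (org_id, prompt, response) VALUES
  ('11111111-1111-1111-1111-111111111111', 'best crm tools', 'tenant A response'),
  ('22222222-2222-2222-2222-222222222222', 'best crm tools', 'tenant B response');

-- RLS is off by default. FORCE makes the policies apply to the table owner too.
ALTER TABLE scan_results ENABLE ROW LEVEL SECURITY;
ALTER TABLE scan_results FORCE ROW LEVEL SECURITY;

-- USING filters which rows can be read, updated or deleted.
-- WITH CHECK rejects writes that would create a row for another tenant.
-- An unset setting yields NULL, so the comparison matches no rows (fails closed).
CREATE POLICY tenant_isolation ON scan_results
    FOR ALL
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- The application connects as a role without SUPERUSER or BYPASSRLS,
-- since either attribute skips the policy entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON scan_results TO app_user;
GRANT USAGE ON SEQUENCE scan_results_id_seq TO app_user;

-- One request on behalf of tenant A. The setting is transaction-local,
-- so it cannot leak to the next request on a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);

-- No WHERE clause, yet only tenant A's row is visible.
SELECT prompt, response FROM scan_results;

-- Writing a row for tenant B fails with:
--   new row violates row-level security policy for table "scan_results"
INSERT INTO scan_results (org_id, prompt, response)
VALUES ('22222222-2222-2222-2222-222222222222', 'x', 'y');
ROLLBACK;
```

When reviewing a setup like this, confirm that every tenant-scoped table has RLS enabled and that the application's database role cannot bypass it.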
Data retention
How long we keep your data:
| Data type | Retention |
|---|---|
| Active scan history | Per your plan (7 days to 365 days, or unlimited on Agency Advanced) |
| Account data | While your account is active, plus 30 days after cancellation, then deleted unless legally required |
| Billing records | 7 years (per accounting requirements) |
| Logs | Up to 90 days |
When your active scan history exceeds the plan's retention window, the oldest data drops off automatically. To keep long-term history, export to CSV or upgrade to a longer-retention plan.
Data we don't use for AI training
To be clear: we do not train AI models on your data. Your scan results, prompts, and brand data are not used to train any model — ours, OpenAI's, Anthropic's, or anyone else's. The AI models we query are accessed via standard APIs that don't permit them to retain your input for training (per provider terms).
Security incidents
If we discover a security incident affecting your data, we will:
- Investigate immediately.
- Contain and remediate.
- Notify you within the timeframes required by applicable law (e.g. 72 hours under GDPR).
- Provide enough detail for you to assess your own obligations.
We hope to never need to send this kind of notice. We've designed the product to make it as unlikely as possible.
Compliance
- GDPR: We comply with GDPR for EEA / UK users. See Privacy and GDPR.
- CCPA: California residents have rights described in our Privacy Policy.
- SOC 2: We're working toward SOC 2 Type II certification. Some of the underlying providers we use (Supabase, Vercel, Stripe) have their own SOC 2 attestations.
For specific compliance questions, email [email protected].
What you can do to keep your data safe
A few things on your side:
- Magic-link discipline: Don't share magic links. They're single-use sign-in tokens — anyone with the link can sign in.
- Email security: Since sign-in goes through email, keeping your email account secure (strong password, MFA) is important.
- Team membership hygiene: Remove team members who leave the company.
- API key handling (Pro+): Treat API keys like passwords. Rotate if compromised.