Privacy Policy
Last updated: 12 June 2026
This policy explains what personal data RankNibbler collects, why, who we share it with, and the rights you have over it. It covers both the free on-page tools you can use without signing in and the RankNibbler account (workspaces, site scans, the API and related features).
1. Who we are
RankNibbler ("RankNibbler", "we", "us") provides on-page SEO analysis tools and site-scan services at www.ranknibbler.com. We are based in the United Kingdom and serve users around the world. We are the data controller for the personal data described in this policy, except where we act as a processor on your behalf (see our Data Processing Agreement).
We aim to comply with the data protection laws that apply to you, including the UK GDPR and the Data Protection Act 2018, the EU GDPR, and other applicable laws such as the California Consumer Privacy Act (CCPA/CPRA). Where a specific law gives you additional rights, those rights also apply.
If you have any questions about this policy or how we handle your data, get in touch via our contact form.
2. Information we collect
a. Using the free tools (no account needed)
When you analyse a URL with our free tools, we fetch that page and record the request in our logs. Each log entry includes:
- The URL and domain you submitted for analysis;
- Your IP address, the time of the request, and whether it succeeded;
- For requests to our public API, the API endpoint and the API key used.
We keep these logs to operate the service, prevent abuse, debug problems and understand demand. (This corrects an earlier version of this policy that said we did not store the URLs you analyse — we do.)
b. Creating and using an account
- Account details: your email address, an optional display name, and — if you register with a password — a password, which we store securely and never in plain text.
- Social sign-in: if you sign in with a supported social login provider, we receive your provider account ID, email and name from that provider. We do not store your social-login password or access tokens.
- Workspace & team: your organisation/workspace name and optional website, the team members you invite, and their roles and permissions.
- Sessions: when you sign in we create a session and record the IP address and browser user-agent associated with it, to keep your account secure.
c. Site scans and analysis results
When you run a site scan or single-page audit through your account we store:
- The start URL, site and scan configuration you chose, and which account/workspace and user ran it;
- The audit results for each crawled page — including the page URL, title, meta description, headings, meta tags, structured-data (schema) markup, on-page metrics, scores, internal links and anchor text. We store this derived analysis, not a copy of the raw HTML of the pages we crawl;
- Scheduled and recurring scans, and competitor domains and comparison results you generate (which may include AI-generated analysis).
d. API keys
If you create an API key, we store it in a secured form (not the key itself), a short non-secret prefix to help you identify it, an optional contact email, and its usage tier and limits.
e. Messages you send us
- Contact form: your name, email, message, and IP address.
- Reviews: your rating, optional name and email, comment, and IP address.
- Support tickets: the subject, category and messages you send from within the app (linked to your account).
f. Cookies and analytics
We use a strictly-necessary cookie to keep you signed in. With your consent, we also use a third-party analytics service for anonymised, aggregate usage statistics. Analytics cookies are only set if you accept them on the cookie banner, and you can reject or clear them at any time. See our Cookie Policy for the full list.
g. Connected accounts (Google Search Console & Google Analytics)
RankNibbler offers optional integrations that let you connect your own Google Search Console and Google Analytics (GA4) accounts. The connection is entirely optional and is started by you, by authorising RankNibbler through Google's OAuth consent screen. We request read-only access, and we use the data we retrieve solely to display your own Search Console performance and Analytics reporting data inside your RankNibbler account. We store the resulting metrics and the OAuth tokens needed to keep the connection working securely. You can disconnect at any time from within the app, and you can also revoke RankNibbler's access from your Google account settings. Our use of information received from Google APIs complies with the Google API Services User Data Policy, including its Limited Use requirements.
3. How we use your data and our legal bases
Where the UK or EU GDPR applies, we rely on the following legal bases (equivalent principles apply under other data protection laws):
| Purpose | Legal basis |
|---|---|
| Providing the tools, your account, scans, the API and support | Performance of a contract |
| Logging requests, securing accounts, preventing abuse and fraud, and maintaining the service | Legitimate interests |
| Sending service emails (verification, password reset, invites, scan-complete notifications) | Performance of a contract / legitimate interests |
| Analytics cookies and marketing measurement | Consent |
| Responding to contact-form, review and support messages | Legitimate interests / consent |
| Complying with our legal obligations | Legal obligation |
4. URLs and page content you analyse
When you analyse a URL or run a scan, we fetch the target page to analyse it. We fetch most pages directly from our own servers. Where a site blocks automated requests, we may route the fetch through a third-party fetching service which retrieves the page on our behalf. Some optional features send the target URL or the extracted page data to third parties — for example a performance-data service and a third-party AI service (to generate plain-English summaries and reports). These are shared only to deliver the feature you requested.
5. Who we share data with (sub-processors)
We do not sell your personal data. We share it only with the categories of service providers below, who process it on our behalf under contract:
| Category of provider | Purpose | Data shared |
|---|---|---|
| Cloud hosting & database | Running the service and storing data | All stored data |
| Content-delivery & security network | Delivering and protecting the site | Visitor IP addresses and traffic |
| Page-fetching service | Fetching pages that block direct requests | The target URL being analysed |
| Performance-data service | Performance data for analysed pages | The target URL |
| Analytics service | Optional, consent-based website analytics | Visitor IP, page views, analytics identifiers |
| AI service | Optional AI summaries and reports | Audit data for the analysed page |
| Email delivery service | Sending account and notification emails | Recipient email address and message content |
| Icon / favicon services | Displaying site icons in your dashboard | The hostname of the site shown |
| Social sign-in providers | Optional social login | Your provider ID, email and name |
| Connected analytics & search-data providers (where you connect them) | Importing your own Google Search Console and Google Analytics data at your request | Your Google account authorisation and the metrics you ask us to import |
A current list of the specific providers we use is available to business customers on request via our contact form. Our Data Processing Agreement sets out how we process personal data on your behalf.
6. International transfers
RankNibbler operates globally. Our core hosting and database are located in the United Kingdom, but because we and our providers operate internationally, your data may be processed in the United Kingdom, the European Union, the United States and other countries. Wherever data is transferred across borders, we rely on appropriate safeguards — such as adequacy decisions, the UK International Data Transfer Agreement / Addendum, or Standard Contractual Clauses — so that it remains protected.
7. Data retention
- Account data is kept for as long as your account is open, and deleted (or anonymised) after you close it, unless we must keep it to meet a legal obligation.
- Scan and audit data is kept so you can revisit your history. You can delete individual scans at any time from your dashboard, which permanently removes the scan and its page data. We may also apply an automatic retention period to older scans.
- Request and API logs are retained to operate and secure the service.
- Contact, review and support messages are kept while we deal with your query and for a reasonable period afterwards.
If you would like your data deleted sooner, get in touch via our contact form.
8. How we protect your data
We use encryption in transit, never store passwords or secret keys in plain text, and apply access controls and other appropriate technical and organisational measures to protect your data. No system is perfectly secure, but we work to protect your information against unauthorised access, loss or misuse.
9. Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
- Access the personal data we hold about you;
- Have inaccurate data corrected;
- Have your data erased ("right to be forgotten" / right to delete);
- Restrict or object to certain processing;
- Receive your data in a portable format;
- Withdraw consent (e.g. for analytics) at any time;
- Not be discriminated against for exercising your rights.
We do not sell your personal data. If you are a California resident, you have the right to know, delete, and opt out of any "sale" or "sharing" of personal information under the CCPA/CPRA — and because we don't sell or share it in that sense, there is nothing to opt out of.
To exercise any of these rights, use our contact form. You also have the right to complain to your local data protection authority — for example the UK Information Commissioner's Office (ICO) at ico.org.uk, or the relevant supervisory authority in your country.
10. Children
RankNibbler is not intended for children. We do not knowingly collect personal data from anyone under 16 (or the minimum age required in your country).
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the latest version. Significant changes will be notified through the service where appropriate.
12. Contact
Questions about this policy or your data? Use our contact form.