Privacy Policy

GRankr (grankr.com) ("GRankr," "we," "us," or "our") provides generative engine analytics software as a service (the "Service"). This Privacy Policy explains how we collect, use, store, and protect information when you visit our website at grankr.com or use the Service.

We do not sell your personal information, rent it to third parties, or use it for cross-context behavioral advertising. We do not monetize your data.

This policy applies to visitors to our marketing site at grankr.com, users who create an account, and people invited to an organization on the Service. If you use GRankr (grankr.com) on behalf of a company, your organization admin may control certain settings; this policy describes how we handle data as the service provider.

We collect the following categories of information:

• Account information — email address, optional username, authentication identifiers, and session cookies needed to sign in (passwordless magic links via our authentication provider).
• Organization and team data — organization name, your role (owner, admin, or member), membership records, and invitation email addresses you or your admins send.
• Product and configuration data — brand names, website URLs, tracking prompts, which AI engines and models you select for tracking, subscription or plan requests, and aggregated visibility metrics generated by the Service.
• Tracking and AI outputs — when you run brand visibility tracking, we store results such as mention counts, rankings, frequency, excerpts or raw model output, and related metadata (for example, where a brand appeared in a response). To perform tracking, we send your prompts and brand-related inputs to third-party AI providers that we use to operate the Service, according to your organization's tracking settings.
• Technical and usage data — IP address, browser type, device information, pages viewed, and similar diagnostic data in server logs. We also use Google Analytics on our website and Service to understand aggregate usage (see Cookies and analytics below).

We do not intentionally collect sensitive personal information (such as health, biometric, or government ID data). Please do not submit such information through the Service.

We use collected information to:

• Provide, maintain, and improve the Service;
• Authenticate users and enforce access controls within organizations;
• Run brand visibility tracking and display analytics to you and your team;
• Process invitations, plan limits, and support requests;
• Monitor security, prevent abuse, and debug technical issues;
• Understand how the product is used (including via Google Analytics); and
• Comply with legal obligations and enforce our terms.

Our legal bases for processing (where applicable, e.g. GDPR) include performance of our contract with you, legitimate interests in operating and securing the Service, and your consent where required (such as for non-essential cookies or analytics, where local law requires it).

We use essential cookies and similar technologies to keep you signed in and to protect the Service. We also use Google Analytics to collect aggregated statistics about visits and feature usage (for example, pages viewed and general traffic patterns). Google may set its own cookies and process data according to Google's Privacy Policy. You can limit analytics cookies through your browser settings or tools such as the Google Analytics Opt-out Browser Add-on.

We do not sell or share your personal information for advertising or data-broker monetization. We disclose information only in these limited circumstances:

• Service providers — companies that help us run the Service under contract and only for our instructions (for example, cloud hosting, authentication, database, email delivery, and analytics). Our primary infrastructure provider is Supabase.
• AI providers — when you run tracking, we transmit relevant prompts and brand-related inputs to the AI providers we use to deliver the Service (such as OpenAI, Anthropic, Google, or Perplexity), based on your organization's tracking configuration. Those providers process data under their own terms and privacy policies. You do not provide API keys or LLM credentials to us.
• Within your organization — other members of your organization can access data according to their role and your workspace settings.
• Legal and safety — if required by law, court order, or to protect rights, safety, and security of users or the public.
• Business transfers — in connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations and notice where required by law.

We and our service providers may process and store information in the United States and other countries. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for cross-border transfers of personal data.

We retain personal information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Organization data is generally deleted when an organization or account is deleted, subject to backup retention periods and legal holds. Aggregated or de-identified analytics may be kept longer.

We use administrative, technical, and organizational measures designed to protect your information, including encryption in transit, access controls, and row-level security in our database. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

Depending on where you live, you may have rights to access, correct, delete, or export your personal information, object to or restrict certain processing, and withdraw consent where processing is consent-based. You can update your email and username in account settings. You may request account deletion by contacting us.

If you are in the European Economic Area, UK, or California, you may also have additional rights (including lodging a complaint with a supervisory authority or opting out of certain processing where applicable). We will not discriminate against you for exercising privacy rights.

The Service is not directed to children under 18 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it.

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the effective date. Material changes may be communicated by email or in-product notice where appropriate.

For privacy questions or requests, email contact@grankr.com.