Legal

Privacy Policy

Last updated February 12, 2026

RankPilot AI ("we", "us") respects your privacy. This policy explains what we collect, why, and your choices.

1. Data we collect

  • Account data — email, display name, password hash (or Google profile picture if you use Google sign-in).
  • Workspace data — domains, descriptions, content plans, blog drafts, audit results, keywords, backlinks, social channel credentials (encrypted at rest), schedules.
  • Usage data — feature events, API calls, approximate token counts (used to operate the platform and prevent abuse).
  • Technical data — IP address, browser, device type, log timestamps.

2. How we use it

  • To operate, secure and improve the service.
  • To run AI features you trigger (analyses, drafts, image generation, LLM visibility checks).
  • To send transactional emails (security alerts, schedule run failures, account changes).
  • To detect and prevent abuse / fraud.

3. AI processing

When you use AI features, your prompts and project context are forwarded to our AI providers (currently OpenAI and Google) via the Emergent Universal LLM Key. We never sell your data to AI vendors and we don't use your content to train models. Provider terms apply: see OpenAI and Google's API privacy commitments.

3a. Google OAuth integrations (Search Console, Analytics, Google Ads)

RankPilot AI integrates with Google Search Console, Google Analytics 4, and Google Ads through Google OAuth 2.0. When you connect your Google account, we request the following OAuth scopes only after your explicit consent:

  • https://www.googleapis.com/auth/webmasters.readonly — read your verified site properties, indexing status and Search Console performance queries (clicks, impressions, position) to generate audits and identify underperforming queries.
  • https://www.googleapis.com/auth/analytics.readonly — read Google Analytics 4 traffic and engagement metrics to populate your dashboard and content-performance reports.
  • https://www.googleapis.com/auth/adwords — read your Google Ads accounts, campaigns, ad groups, keywords and search-terms reports, and create / update campaigns, ad groups, Responsive Search Ads (RSAs), keywords and negative keywords only when you explicitly click "Push campaign live" inside our dashboard.

How we store Google OAuth tokens. Refresh tokens and access tokens are encrypted at rest in our database (per-user, isolated). Tokens are transmitted only over TLS. We never expose tokens in client-side code, browser storage, or API responses. You can revoke our access at any time from Google Account → Third-party apps or from your Integrations page — revoking immediately deletes the stored refresh token from our database.

Use of Google user data. Data obtained via Google APIs is used solely to provide the features you requested (SEO audits, blog generation, Google Ads campaign generation, performance reporting). We do not transfer this data to third parties except sub-processors strictly necessary to operate the service, we do not use it for advertising, and we do not use it to train AI models. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google Ads API specifics. When you authorize Google Ads, RankPilot AI reads campaign and search-term performance from your account, and — only when you click the explicit "Push campaign live" button — creates campaigns, ad groups, RSAs, keywords and negative keyword lists in your own Google Ads account via the Google Ads API. We never access other advertisers' accounts. We do not store financial / billing data from Google Ads.

4. Sharing

We do not sell your data. We share it only with:

  • Sub-processors needed to run the service (cloud hosting, AI model providers, email delivery, payment processing).
  • Authorities when legally compelled.
  • An acquirer in the event of a merger / acquisition (you'll be notified beforehand).

5. Storage & security

Data lives in MongoDB databases on secure cloud infrastructure. Passwords are hashed with bcrypt. Social-channel tokens are masked in API responses and never logged in plaintext. Connections use TLS in transit.

6. Your rights

7. Cookies

We use essential cookies only: access_token, refresh_token, and session_token (for Google sign-in). All are httpOnly and used solely to keep you logged in. We do not run third-party advertising trackers.

8. Children

RankPilot AI is not directed at children under 16. If you believe we hold data on a minor, contact us and we'll erase it.

9. Changes

We'll post material changes here and email account holders at least 14 days before they take effect.

10. Contact

Questions? support@myrankpilotai.com

Data Controller: Oz Tech Hub
Registered address: 17 Selma Walk, Donnybrook, VIC 3064, Australia
Phone: +61 413 227 784
Trading as: RankPilot AI (https://myrankpilotai.com)