Privacy Policy

Theme Press Pty Ltd is an Australian company operating under the trading name Ranki. We provide AI-powered SEO, content marketing, and digital marketing automation services to Australian small and medium-sized businesses through the platform at ranki.com.au and app.ranki.com.au.

Our registered address is Sydney, New South Wales, Australia. For all privacy matters, contact our Privacy Officer at privacy@ranki.com.au. We take privacy compliance seriously and have appointed a Privacy Officer responsible for overseeing our compliance with the Privacy Act 1988 (Cth) and the APPs.

2.1 Information You Provide Directly

• ▸Full name and business name
• ▸Email address - used for account access, service communications, billing notifications, and monthly performance reports
• ▸Business website URL and domain
• ▸Business niche/industry and geographic location (used exclusively for SEO targeting and content personalisation)
• ▸Phone number (optional; collected only during onboarding calls and not used for unsolicited contact)
• ▸WordPress application credentials (username and application password) - encrypted at rest using AES-256
• ▸Any other business information voluntarily provided during onboarding (e.g. target audience, competitors, unique selling points)

2.2 Third-Party Platform Credentials and Access Tokens

• ▸Google OAuth tokens - read-only access to Google Analytics 4 and Google Search Console data. We do not modify, write to, or delete any data in your Google properties.
• ▸WordPress application credentials - encrypted at rest, used exclusively to publish blog content and update SEO metadata. We never modify post body content you have written, or URL slugs.
• ▸Facebook and Instagram API access tokens - used solely to post content on your behalf
• ▸LinkedIn API tokens - used solely to post content on your behalf
• ▸YouTube API tokens - used to upload AI avatar videos to your connected channel

2.3 Website and SEO Data

• ▸SEO audit data from your website: page titles, meta descriptions, heading structure, internal links, HTTP status codes, word counts, and schema markup
• ▸Google Search Console data: keyword impressions, clicks, and average position
• ▸Google Analytics data: sessions, pageviews, and traffic source summaries
• ▸Keyword ranking data for your domain and specified competitor domains (publicly available data obtained via DataForSEO)
• ▸AI-generated content published to your WordPress site (stored for reporting, refresh, and audit purposes)

2.4 Payment Information

All payment processing is handled exclusively by Stripe, Inc., a PCI DSS Level 1 certified processor. Ranki does not collect, store, process, or have access to your credit card number, CVV, expiry date, or banking details at any time. We receive only a Stripe Customer ID and subscription status confirmation from Stripe.

2.5 Prospect Analysis Data

When our team analyses a prospective client's publicly available website data prior to a sales meeting or audit call, that data is stored internally for proposal preparation purposes only. It is not used for any other purpose and is not shared with third parties outside the delivery of our audit service.

2.6 Technical and Usage Data

• ▸Server log data: IP address, browser type, pages visited, HTTP response codes, and timestamps - retained for 90 days then automatically purged
• ▸Authentication events and session tokens
• ▸Application error logs (log entries are designed to exclude personal content; we periodically audit our logging to ensure compliance with this principle)

2.7 Cookies and Local Storage

See clause 10 for full details. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies on the client dashboard (app.ranki.com.au).

We collect and use personal information only for the following purposes (our "collection purposes"), all of which are directly related to the Ranki service or our legal obligations:

• ▸Providing and delivering the Ranki service, including AI content creation, publishing to your website, and posting to social platforms on your behalf
• ▸Keyword rank tracking, AI visibility monitoring, and generation of monthly SEO performance reports
• ▸Website SEO audits and automated technical optimisations
• ▸Billing, subscription management, payment processing, and invoicing through Stripe
• ▸Service communications including onboarding, progress updates, alerts, monthly reports, and invoices
• ▸Verifying your identity and authorisation to access the Ranki platform and connected accounts
• ▸Providing customer support and responding to your enquiries
• ▸Detecting, investigating, and preventing fraud, security incidents, and breaches of our Terms of Use
• ▸Complying with applicable Australian laws and regulations, including tax law, record-keeping obligations, and the Notifiable Data Breaches (NDB) scheme
• ▸Product improvement using only aggregated, de-identified, statistical data - we do not use your individual business content, client data, or personal information to train AI models

We will not use your personal information for any purpose that is incompatible with the collection purposes listed above without first obtaining your explicit written consent. We do not sell, rent, lease, trade, or disclose your personal information to any third party for commercial gain, advertising, or profiling purposes.

We collect and process personal information on the following legal bases:

• ▸Performance of contract: processing necessary to deliver the Ranki service you have subscribed to
• ▸Legitimate interests: processing for security monitoring, fraud prevention, and aggregated product analytics, where these interests are not overridden by your privacy rights
• ▸Legal obligation: processing required to comply with Australian law (including tax and record-keeping obligations and the NDB scheme)
• ▸Consent: where we rely on your consent (e.g. for optional communications), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal

Where we rely on consent as the basis for processing, you may withdraw that consent at any time by contacting us at privacy@ranki.com.au. Withdrawal of consent may affect our ability to deliver parts of the service.

To deliver the Ranki service, we share limited personal information with the following sub-processors. We have contractual data processing obligations in place with each sub-processor requiring them to: (a) process data only for the purpose of providing services to us; (b) implement appropriate security measures; (c) not further sub-process without our approval; and (d) assist us in meeting our obligations under the Privacy Act 1988 (Cth).

• ▸Supabase Inc. (USA) - Postgres database and authentication. SOC 2 Type II certified. All data is encrypted at rest. Data is stored on servers located in the United States. Cross-border transfer is addressed in clause 6.
• ▸Stripe, Inc. (USA) - Payment processing. PCI DSS Level 1 certified. We share only your name, email address, and billing information required to create and manage a Stripe subscription. We do not share card details.
• ▸Anthropic, PBC (USA) - AI content generation via Claude API. Prompts include your business name, niche, location, and target keywords. Under Anthropic's API terms of service, API inputs are not used to train Anthropic's models.
• ▸HeyGen Inc. (USA) - AI avatar video generation. We share post titles and video scripts. No biometric data relating to you or your customers is shared.
• ▸ElevenLabs, Inc. (USA) - AI voice synthesis for video voiceovers. We share text scripts only.
• ▸DataForSEO LLC - Keyword research, ranking data, and website crawl data. We share your domain and target keyword list.
• ▸Resend Inc. (USA) - Transactional email delivery. We share recipient email addresses and email content (reports, invoices, notifications).
• ▸Pexels GmbH (Germany) - Stock image and video library. We share text search queries related to your content topics only. No personal information is shared beyond search queries.
• ▸Google LLC (USA) - Google Analytics 4, Google Search Console, and YouTube APIs. Data processing subject to Google's privacy policies and terms.
• ▸Meta Platforms Inc. (USA) - Facebook and Instagram API. Data processing subject to Meta's Data Policy.
• ▸Microsoft Corporation (USA) - LinkedIn API. Data processing subject to LinkedIn's Privacy Policy.
• ▸Railway Corporation (USA) - Backend infrastructure and compute hosting for our FastAPI server and scheduled pipelines.
• ▸Vercel Inc. (USA) - Frontend hosting and global CDN for the ranki.com.au and app.ranki.com.au websites.

We do not permit any sub-processor to use your personal information for their own commercial purposes, advertising, or profiling. Our list of active sub-processors is updated when material changes are made. You may request the current list at any time by emailing privacy@ranki.com.au.

The majority of our sub-processors are based in the United States. As a result, your personal information is transferred to, stored, and processed in the United States, which does not have a formal adequacy determination from the Australian Government.

Before transferring personal information internationally, we take the following steps to ensure it receives protection substantially similar to the APPs:

• ▸We select sub-processors that are certified under recognised frameworks (e.g. SOC 2 Type II, PCI DSS, ISO 27001) or that operate under binding corporate rules or Standard Contractual Clauses
• ▸We require sub-processors to contractually commit to data protection obligations equivalent to the APPs
• ▸We limit the scope of data shared with each sub-processor to the minimum necessary for service delivery
• ▸We review sub-processor compliance as part of our annual security review

By using the Ranki service, you consent to the transfer of your personal information to the sub-processors listed in clause 5 for the purposes described in this policy. If you do not consent to international transfer, you should not use the Ranki service, as it cannot be delivered without these transfers.

Content published to your website and social media accounts is generated by artificial intelligence (Anthropic Claude and related tools). By using the Ranki service, you acknowledge and accept that:

• ▸AI-generated content is reviewed for quality and relevance but may contain factual inaccuracies, outdated information, hallucinated statistics, or errors of judgment. You retain sole responsibility for the accuracy and appropriateness of content published under your brand.
• ▸You must review published content promptly and notify us at hello@ranki.com.au of any required corrections, retractions, or removals. We will act on such requests within 2 business days.
• ▸Ranki makes no copyright claim over AI-generated content published to your platforms. You own the content published to your website and social channels, subject to the acknowledgement that AI-generated content may have limited copyright protectability under applicable law.
• ▸AI-generated content is for general marketing and SEO purposes only. It must not be construed or used as professional legal, medical, financial, engineering, psychological, or other regulated professional advice.
• ▸Content generated for your business uses your business name, location, niche, and target keywords as inputs to the AI model but does not incorporate your personal communications, private data, or customer data.
• ▸We do not use the content generated for your account to train any AI model, fine-tune any model, or improve AI outputs for any other client.

We implement a layered set of technical and organisational security measures designed to protect personal information against unauthorised access, disclosure, alteration, loss, and destruction, including:

• ▸AES-256 encryption for all credentials, API tokens, and sensitive business data stored at rest
• ▸TLS 1.3 encryption for all data in transit between your browser, our servers, and sub-processors
• ▸Row-level security (RLS) policies enforced at the database layer using Supabase - no client can access another client's data
• ▸All API credentials and secrets stored exclusively as environment variables in secure secrets management systems, never in source code, version control, or log files
• ▸Role-based access controls (RBAC) - only authorised Ranki personnel with a documented legitimate business need can access client data, on a need-to-know basis
• ▸Automated dependency auditing and vulnerability scanning for known CVEs
• ▸Regular internal security reviews and access audits

Despite implementing these measures, no system can guarantee absolute security. You acknowledge and agree that you provide personal information to us at your own risk. We are not responsible for security breaches caused by your own disclosure of credentials, your browser or device security, or third-party platforms outside our control.

We maintain a documented incident response procedure for data security incidents. In the event of a data breach that is likely to result in serious harm to affected individuals:

• ▸We will contain and assess the breach as rapidly as possible upon becoming aware of it
• ▸We will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act 1988 (Cth)) as soon as practicable, and no later than 30 days after becoming aware that a notifiable data breach has occurred
• ▸We will notify you of any breach affecting your account data as soon as practicable, including a description of the nature of the breach, the types of information involved, and the steps we have taken to contain it
• ▸We will take all reasonable steps to remediate the breach, prevent recurrence, and cooperate with any regulatory investigation by the OAIC

For breaches that are unlikely to result in serious harm, we will document the breach internally and may notify you at our discretion.

• ▸Account and business data: retained for the duration of your active subscription plus 7 years to meet Australian tax and record-keeping obligations under the Income Tax Assessment Act 1997 (Cth) and the Corporations Act 2001 (Cth).
• ▸Published content: retained while your subscription is active. Upon cancellation, you may request a full data export within 30 days of your cancellation date.
• ▸OAuth tokens (Google, Meta, LinkedIn, YouTube): deleted within 30 days of subscription cancellation or upon active token revocation by you, whichever is earlier.
• ▸WordPress credentials: deleted within 7 days of subscription cancellation.
• ▸Log and technical data: automatically purged after 90 days.
• ▸Prospect analysis data: retained for 12 months from the date of analysis, then permanently deleted.
• ▸Billing and transaction records: retained for 7 years in accordance with Australian tax law.
• ▸Data subject access request records and complaint records: retained for 5 years.

When personal information is no longer required for any of our collection purposes and no retention obligation applies, we will take reasonable steps to destroy or permanently de-identify it.

Under the Privacy Act 1988 (Cth) and the APPs, you have the following rights regarding your personal information:

• ▸Access (APP 12): Request a copy of the personal information we hold about you. We will provide access in a reasonable format within 30 days, unless an exception applies under the APPs (e.g. where access would unreasonably impact another person's privacy or would be unlawful).
• ▸Correction (APP 13): Request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. If we refuse to correct, we will provide written reasons and information on how to complain to the OAIC.
• ▸Deletion: Request deletion of your personal information, subject to our legal retention obligations and legitimate business interests. We will advise you if we cannot delete information and the reason why.
• ▸Withdrawal of consent: Withdraw consent to any processing based on consent at any time. This does not affect the lawfulness of processing conducted before the withdrawal. Withdrawal may prevent us from delivering parts of the service.
• ▸Opt-out of direct marketing: Opt out of non-essential marketing communications at any time by using the unsubscribe link in any marketing email or by emailing privacy@ranki.com.au. Note: service communications (invoices, reports, alerts) are not marketing communications and cannot be opted out of while your subscription is active.
• ▸Complaint: Lodge a complaint about our handling of your personal information with us in the first instance. If unsatisfied with our response, lodge a complaint with the OAIC.

To exercise any of these rights, email privacy@ranki.com.au with sufficient information to verify your identity and describe your request. We will acknowledge your request within 5 business days and provide a substantive response within 30 days. If additional time is required, we will notify you and provide an estimated completion date. We do not charge a fee for access requests, correction requests, or complaints.

The Ranki platform uses automated systems to perform functions including keyword analysis, content scheduling, SEO scoring, and AI visibility reporting. These automated processes do not make decisions about you as an individual in a way that produces legal effects concerning you or significantly affects you personally. The service operates on your business data for business marketing purposes. No profiling of individuals for credit, insurance, or other regulated decisions is performed.

Our platform uses the following cookies and local storage mechanisms:

• ▸Strictly necessary cookies: Supabase session tokens required for authentication and maintaining your logged-in state. These cannot be disabled without preventing access to the dashboard.
• ▸Preference storage: Theme settings (dark/light mode preference) stored in browser localStorage. This is not a cookie and does not track you across sites.

We do not use third-party advertising cookies, retargeting pixels, cross-site tracking cookies, or behavioural profiling cookies on the client dashboard (app.ranki.com.au). The marketing website (ranki.com.au) may use anonymised analytics (e.g. page view counts) to understand site performance; these do not identify you individually.

The Ranki service is designed exclusively for business use by persons aged 18 years and over. We do not knowingly collect personal information from minors under the age of 18. If we become aware that a person under 18 has provided personal information without verifiable parental or guardian consent, we will promptly delete that information and terminate the associated account. If you believe a minor has provided us with personal information, please contact us immediately at privacy@ranki.com.au.

The Ranki platform and our communications may contain links to third-party websites, platforms, and resources (including Google, Meta, LinkedIn, and Stripe). These third-party sites have their own privacy policies and are not governed by this policy. We are not responsible for the privacy practices or content of any third-party site. We encourage you to review the privacy policy of any third-party site you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• ▸Notify you by email to your registered address at least 14 days before the change takes effect
• ▸Update the effective date at the top of this page
• ▸Where required by law (e.g. where we intend to use your information in a materially different way), seek your renewed consent before processing

Continued use of the Ranki service after the effective date of any update constitutes acceptance of the revised Privacy Policy. If you do not accept the changes, you may cancel your subscription before the effective date and request deletion of your personal information.

For any privacy-related enquiry, access request, correction request, or complaint:

If you are not satisfied with our response to a complaint, or believe we have not handled your personal information in accordance with the APPs, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• ▸Website: www.oaic.gov.au/privacy/privacy-complaints
• ▸Phone: 1300 363 992
• ▸Post: GPO Box 5218, Sydney NSW 2001

We encourage you to contact us first before lodging a complaint with the OAIC, as we may be able to resolve the issue more quickly. We take all privacy complaints seriously and commit to investigating and responding to each complaint fairly and promptly.