Privacy Policy

Last updated: April 18, 2026

1. Data Controller

The controller of personal data processed through the Aeranko service is Aeranko AB (org. nr [XXXXXX-XXXX]), [Registered address, Sweden]. Privacy enquiries: privacy@aeranko.com. We do not currently have a mandatory Data Protection Officer under GDPR Art. 37 but privacy@aeranko.com reaches a designated privacy contact.

2. Categories of Personal Data

  • Account: name, email, company name, hashed password, tier and billing metadata.
  • Payment: managed by Stripe; we receive only the subscription status, last-four digits and country of the card.
  • Service data: domains, keywords, competitors and AEO configuration you submit.
  • Telemetry (Ship): crawler hits on your own sites, user-agent, request path, status code, referrer. No end-user identifiers are sent from Ship.
  • Usage data: pages visited, feature interactions, IP address at sign-in, browser and device metadata.
  • Communications: email replies, support tickets and survey answers you send us.

3. Purposes and Legal Bases (GDPR Art. 6)

  • Providing the Service, managing your account, running audits: performance of contract (Art. 6(1)(b)).
  • Billing and tax compliance: legal obligation (Art. 6(1)(c)) and performance of contract.
  • Fraud prevention, security, product improvement and aggregated benchmarking: legitimate interest (Art. 6(1)(f)). We balance this against your rights and you can object at any time.
  • Marketing email to existing customers about similar services: legitimate interest plus soft opt-in per Marknadsföringslagen (2008:486) 19-21 §§; unsubscribe link in every message.
  • Analytics cookies, newsletter sign-up and any marketing to non-customers: consent (Art. 6(1)(a)), withdrawable at any time.

4. Sub-processors and Sharing

We do not sell personal data. We share it only with vetted sub-processors under a written agreement:

  • Google Cloud Platform (hosting, europe-north1 region for application data; US for some administrative services) — GDPR Art. 46 SCCs.
  • Supabase (managed Postgres, EU region).
  • Stripe (billing; EU/US) — SCCs and EU-US Data Privacy Framework.
  • Resend (transactional email; US) — SCCs.
  • OpenAI and Anthropic (AI analysis; US) — SCCs and DPF where applicable.
  • Google Cloud Tasks and Cloud Scheduler (job queue; EU/US) — SCCs.
  • Sentry (error monitoring; EU region).

An up-to-date sub-processor list is available on request at privacy@aeranko.com. Material changes to the list will be notified at least 30 days in advance to customers that have signed a Data Processing Agreement.

5. International Transfers

Some of our sub-processors are located in the United States. When data is transferred outside the EEA we rely on the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) and, where available, the EU-US Data Privacy Framework. On request we provide the applicable Transfer Impact Assessment summary.

6. AI Analysis and Automated Decision-Making

Running an audit sends the domain and keywords you supply to third-party AI providers (OpenAI, Anthropic) to generate visibility estimates. We do not send your name, email or billing information to these providers. Outputs are model-generated estimates and do not by themselves produce legal or similarly significant effects on natural persons within the meaning of GDPR Art. 22.

7. Retention

  • Account data: retained while your account is active; deleted within 30 days of account deletion.
  • Billing records: retained for 7 years after the last transaction, as required by Bokföringslagen (1999:1078).
  • Free-audit inputs (no account): retained 12 months, then deleted.
  • Ship telemetry (crawler events): 90 days on Starter, 180 days on Growth, unlimited on Dominator.
  • Email logs and bounces: 24 months.
  • Anonymised aggregate benchmarks: retained indefinitely; cannot be linked back to an identified person.

8. Your Rights under GDPR

You have the right to:

  • access your personal data (Art. 15);
  • request rectification of inaccurate data (Art. 16);
  • request erasure of your data (Art. 17);
  • restrict or object to processing based on legitimate interests (Art. 18, 21);
  • receive your data in a portable format (Art. 20);
  • withdraw consent at any time without affecting lawfulness of prior processing (Art. 7(3)).

To exercise these rights, email privacy@aeranko.com. We respond within one month and may extend by two months for complex requests, in which case we will inform you. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), Box 8114, 104 20 Stockholm, imy.se, or with your local supervisory authority.

9. Security and Breach Notification

We protect personal data with TLS in transit, AES-256-GCM at rest for secrets, role-based access controls, audit logging and least-privilege production access. Our infrastructure runs on Google Cloud Platform (europe-north1) with ISO 27001, SOC 2 Type II and ISO 27701 certifications at the provider level. Payment data never touches our servers; Stripe handles it end-to-end.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority without undue delay and, where feasible, within 72 hours in accordance with GDPR Art. 33, and we will notify affected data subjects where required by Art. 34.

10. Cookies

We use strictly necessary cookies for authentication and session management. Analytics cookies are set only after you consent via the cookie banner. See our Cookie Policy for the full list and retention periods. You can withdraw consent at any time from the cookie preferences link in the footer.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it promptly.

12. Changes to this Policy

We may update this Policy. Material changes will be announced by email to active account holders at least 30 days before they take effect. The current version is always accessible at aeranko.com/privacy.

13. Contact

Privacy enquiries: privacy@aeranko.com
Legal: legal@aeranko.com