PRIVACY POLICY
Last Updated: June 18, 2026. Effective immediately.
1. Introduction & Controller Identity
Welcome to SageRank. The SageRank platform ("SageRank", "we", "us", or "our"), operated as a digital asset of AURATEKK, is dedicated to protecting the privacy, security, and integrity of the personal data we process. This Privacy Policy details how we collect, use, store, share, and protect your Personal Data when you interact with our websites located at sagerank.io, app.sagerank.io, and our backend service endpoints.
For the purposes of the General Data Protection Regulation (GDPR) and other applicable global data protection frameworks, the data controller is AURATEKK. If you have any inquiries regarding data protection, you may reach our Data Protection Officer at dpo@sagerank.io or our general privacy inbox at privacy@sagerank.io.
2. Global Compliance Framework Registry
We process data under different legal bases depending on the jurisdiction and context of data collection. Below is the mapping of our processing activities to the applicable international legal standards:
| Jurisdiction | Applicable Legislation | Legal Basis / Core Compliance Mapping |
|---|---|---|
| European Union / EEA | GDPR (Regulation 2016/679) | Necessity for contract performance (Art. 6(1)(b)), compliance with legal obligations (Art. 6(1)(c)), and legitimate interests in platform protection (Art. 6(1)(f)). |
| United Kingdom (UK) | UK GDPR / Data Protection Act 2018 | Identical bases to EU GDPR. Cross-border transfers follow UK-specific safeguards (UK IDTA). |
| United Arab Emirates (UAE) | Federal Decree-Law No. 45 of 2021 (PDPL) | Explicit consent (Art. 5) or performance of contractual obligations (Art. 6). Data residency and transfers comply with Art. 22. |
| India | DPDP Act, 2023 | Processing is based on specific, unambiguous, and revocable consent accompanied by a detailed consent notice, or for specified legitimate uses. |
| United States (US) | CCPA / CPRA / FTC Act | Consumer disclosures: No sale/sharing of personal data for cross-context behavioral advertising. Consistent rights granted to all states. |
| Australia | Privacy Act 1988 | Adherence to Australian Privacy Principles (APPs), including clear notice of data usage and overseas recipient disclosures. |
| Canada | PIPEDA / CASL / Quebec Law 25 | Meaningful consent protocols, explicit email marketing opt-ins, and designated privacy representative disclosures. |
| Saudi Arabia | PDPL (Royal Decree No. M/147) | Adherence to Saudi PDPL regulations including sensitive data restrictions, explicit consent frameworks, and controller registrations. |
| GCC Countries | General E-Commerce & Consumer Laws | Transparent pricing and clear data retention schedules mapped for Gulf regional compliance. |
3. Data We Collect and Process
SageRank collects only the data necessary to provide our digital authority and vulnerability diagnostics tools. We collect the following categories of data:
- Account Credentials: Email addresses and passwords. Passwords are secured at rest using Bcrypt cryptographic hashing with a cost factor of 12, ensuring cleartext credentials are never stored.
- Multi-Factor Authentication (MFA): If enabled, we generate and store a secure TOTP Secret Key linked to your account context.
- Payment Metadata: To manage recurring plans ($79 SAGE Pro and $199 SAGE Sentinel), we store the Stripe Customer ID, Stripe Subscription ID, and/or equivalent Paddle Transaction and Subscription IDs. We do not store raw card numbers; these are handled directly by payment gateways under PCI-DSS compliance.
- OAuth Tokens (Layer 3): Authorized tokens for Youtube, Meta, LinkedIn, X, and TikTok to fetch brand visibility footprints. All OAuth tokens are **encrypted at rest using AES-256-CBC encryption** with unique initialization vectors derived from environment secrets.
- Domain Diagnostics & Scan Logs: Target URLs, DNS verification TXT records, and JSON audit files containing HTML tags, schemas, and open port summaries scanned during container execution.
- Technical Telemetry: IP addresses, browser User-Agent strings, and operator activity logs collected to safeguard the platform against DDoS and SSRF attacks.
4. How We Collect Data
We collect personal and technical data through three primary avenues:
- Directly from You: Information provided during registration, profile setup, account configurations, support tickets, and checkout processes.
- Automatically: Device telemetry, server connection logs, cookie identifiers, and request headers logged as you browse our dashboard.
- From Third Parties: Webhook events from Stripe and Paddle indicating billing success/cancellation, and profile credentials transmitted during Google OAuth sign-in.
5. How We Use Your Data
Your data is processed strictly for explicit, legitimate business operations:
- Providing Core Services: Executing scans, analyzing search visibility (SEO), generating Schema markup recommendations (AEO), and computing LLM visibility metrics (GEO).
- Running Security Matrix Containers: Provisioning disposable Docker containers to run tools like Nmap or Nuclei against verified domain targets.
- Automated Cron Routines: Running monitoring cycles every 5 minutes to inspect target headers, cache statuses, and SSL durations.
- Billing Administration: Processing recurring monthly subscriptions via Stripe and Paddle APIs.
- Platform Hardening: Monitoring logs for rate limits, command injection bypasses, or SSRF attempts.
6. Cookie Policy
We use session-based cookies and local storage tokens to manage your platform experience. We do not place third-party advertising or cross-site tracking cookies. The cookies we utilize are categorized as follows:
- Strictly Necessary: Session cookies for user authentication, CSRF security tokens, and dashboard state preservation. These are mandatory and cannot be turned off.
- Functional: Storing preferences such as light/dark mode selection and language settings.
The following table lists the primary cookies used by SageRank:
| Cookie Name | Purpose | Duration | Party |
|---|---|---|---|
__session |
Authenticates user session and token states. | Session / 30 Days | First Party |
__csrf_token |
Prevents Cross-Site Request Forgery attacks. | Session | First Party |
__theme_preference |
Stores dark/light layout state. | Persistent (1 Year) | First Party |
7. Third-Party Sub-Processors
To deliver our services, we transfer certain data categories to third-party sub-processors. All transfers are bound by strict Data Processing Agreements (DPAs) and security standards:
| Sub-Processor | Purpose | Data Transferred | Location | Privacy Policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing (direct billing) | Email, name, billing address, card metadata | USA | stripe.com/privacy |
| Paddle Payments Ltd. | Merchant of Record (billing and tax compliance) | Email, name, physical billing address, transaction details | UK / USA | paddle.com/privacy |
| Google LLC | OAuth 2.0 Identity Management | Email, name, profile avatar URL | USA | policies.google.com |
| Cloudflare, Inc. | Content delivery, DDoS shielding, DNS routing | IP address, request headers, browser telemetry | USA | cloudflare.com/privacy |
| Supabase, Inc. | Database hosting (PostgreSQL instance) | All account, profile, and scan diagnostic data | USA / EU | supabase.com/privacy |
| Docker, Inc. | Container registries for active scanning components | Technical telemetry logs (no personal data) | USA | docker.com/privacy |
8. International Data Transfers
Since SageRank serves a global client base, data collected in the EU, UK, UAE, or India may be transferred to and processed in the United States or other countries where our sub-processors host servers. To safeguard these transfers, we implement strict legal protections:
- EU Standard Contractual Clauses (SCCs): For transfers from the EU to countries without adequacy status, we rely on the 2021 European Commission SCCs.
- UK International Data Transfer Agreement (UK IDTA): For transfers originating in the UK, we deploy the UK IDTA Addendum alongside standard agreements.
- UAE and India Safeguards: Cross-border data transfers from the UAE and India comply with Article 22 of the UAE PDPL and the rules formulated under the India DPDP Act, 2023.
9. Your Rights by Jurisdiction
Regardless of your geographic location, you possess comprehensive control over your personal data. We grant the following rights in accordance with regional regulations:
- European Union & UK (GDPR): The right to access, rectify, delete, restrict, or port your personal data, as well as the right to object to processing and object to automated profiling. Reach our DPO at dpo@sagerank.io.
- California (CCPA/CPRA): The right to know what personal data is collected, delete personal data, correct inaccurate data, opt-out of the "sale" or "sharing" of personal data, and receive non-discriminatory service. Contact us at privacy@sagerank.io.
- India (DPDP Act 2023): The right to access your consent history, rectify or erase personal data, register a grievance with our Grievance Officer (grievance.officer@sagerank.io), and designate a nominee to exercise rights in the event of death or incapacity.
- United Arab Emirates (PDPL): The right to access, delete, rectify, or restrict processing of your personal data, and the right to object to automated decision-making. Contact us at dpo@sagerank.io.
- Australia, Canada & Saudi Arabia: Access, correct, or withdraw consent for data processing. Escalations for Canada can be made under PIPEDA rules, and Australian inquiries can be addressed to the Office of the Australian Information Commissioner (OAIC).
10. Do Not Sell / Do Not Share My Personal Information
SageRank does not engage in the sale of personal information to third parties, nor do we share your personal data for cross-context behavioral advertising. Because we do not sell or share data, we do not provide a "Do Not Sell" opt-out toggle. You may request confirmation of this practice or verify your data records by contacting privacy@sagerank.io.
11. Automated Decision-Making & Profiling
Our optimization engines utilize automated calculations to evaluate domain search engine metrics (SEO), response attributes (AEO), and LLM citation statuses (GEO). These diagnostic scoring systems do not produce any legal effects or significantly affect users in a similar manner under GDPR Article 22. All scores are informational recommendations for site optimization. Users may request manual, human review of their scores by contacting support.
12. Children's Privacy (COPPA)
SageRank does not knowingly collect or maintain personal information from children under the age of 13 in the United States, or under 16 in the EU and UK. If we discover that a child under these ages has registered an account, we will purge their data from our active databases within 48 hours. If you are a parent or guardian who believes a child has registered an account, please contact us at privacy@sagerank.io.
13. Marketing Communications
We send occasional marketing updates to users who have opted in. In compliance with the U.S. CAN-SPAM Act and Canada's Anti-Spam Legislation (CASL), you may opt-out of marketing emails at any time by clicking the "Unsubscribe" link in the email footer. You will continue to receive transactional, operational, and billing-related emails (such as payment receipts and security alerts) necessary for subscription administration.
14. Data Breach Notification
In the event of a security incident resulting in an unauthorized breach of personal data, SageRank complies with global notification timelines. We will notify the appropriate supervisory authority (such as the Irish DPC or UK ICO) within 72 hours of becoming aware of the breach (GDPR Article 33). If the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify the impacted users directly without undue delay (GDPR Article 34).
15. Technical Safeguards
To align with ISO/IEC 27001 cybersecurity frameworks, we implement a multi-layered security matrix:
- Transient Modular Isolation (TMI): Active network scanning containers run in isolated environments separated from our database layers.
- SSRF Blocklists: Crawlers check target DNS resolutions to block private subnets (RFC 1918) and loopbacks.
- Input Sanitization Whitelist: All domain inputs are filtered through character Whitelists.
- Encryption: Data is encrypted in transit using TLS 1.3 and at rest using AES-256 protocols.
16. Data Retention Schedule
We retain your personal data only as long as necessary to fulfill the purposes of processing or comply with legal requirements:
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Account Credentials | Duration of active account lifecycle. Deleted 48 hours after account closure request. | Contract Performance (GDPR Art. 6(1)(b)) |
| Billing & Tax Metadata | 7 Years (as required under tax and corporate reporting laws). | Legal Obligation (GDPR Art. 6(1)(c)) |
| OAuth Tokens | Retained until revoked by user or until account deletion. | Consent (GDPR Art. 6(1)(a)) |
| Telemetry Logs | 90 Days (regularly purged or anonymized). | Legitimate Interest (GDPR Art. 6(1)(f)) |
17. California Shine the Light
Under California Civil Code Section 1798.83 (the "Shine the Light" law), California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain from us once a calendar year details about the customer information we shared, if any, with other businesses for their own direct marketing uses. SageRank does not share personal data with third parties for their direct marketing purposes.
18. Contact, DPO & Grievance Officers
For inquiries, complaints, or exercising data rights, please contact our compliance desk:
- General Privacy Inbox: privacy@sagerank.io
- Data Protection Officer (EU/UAE): dpo@sagerank.io
- India Grievance Officer: grievance.officer@sagerank.io
- General Legal Escalations: legal@sagerank.io
- Registered Office: AURATEKK, [AURATEKK REGISTERED ADDRESS]
19. Changes to This Policy
We reserve the right to revise this Privacy Policy. If we make material updates, we will notify you at least thirty (30) days prior to the effective date via email and in-app banners. Your continued use of the platform after the 30-day notice period constitutes acceptance of the modified Privacy Policy.