Public document

Privacy Policy

This page explains how OverRank collects, uses, protects and stores the data necessary for the operation of the service.

Last update: May 28, 2026

OverRank is an AI, SEO and web performance visibility audit service. Analyses may include data from public websites and, where you allow it, connected Google accounts.

Data we collect

  • Account data: email address, display name, optional avatar and information necessary for authentication.
  • Audit data: URLs analyzed, audit results, technical metrics, reports generated, and history associated with the account.
  • Connected Google data: when you connect Google Search Console, Google Analytics 4, or Google Business Profile, OverRank uses authorized access to read only the properties, sites, locations, performance metrics, queries, pages, countries, devices, accounts, listings, and signals needed for the requested reports. Access tokens are stored encrypted server-side.
  • Technical data: application logs, IP address, user-agent, security events, errors and usage metrics necessary for the operation of the service.

Google access requested and minimization

  • Google sign-in: the openid, email, and profile scopes are used only to authenticate you, link your Google Account to your OverRank account, and retrieve your email address, Google identifier, display name, and optional avatar.
  • Google Search Console: the https://www.googleapis.com/auth/webmasters.readonly scope is used only to read the Search Console properties you choose, URLs, queries, clicks, impressions, CTR, positions, countries, devices, and sitemaps needed for SEO audits.
  • Google Analytics 4: the https://www.googleapis.com/auth/analytics.readonly scope is used only to read selected GA4 accounts/properties and landing-page metrics needed for the report: sessions, users, engagement, bounce, key events, and revenue if your property exposes them.
  • Google Business Profile: the https://www.googleapis.com/auth/business.manage scope is required by the Google Business Profile APIs used by OverRank. We use it to read the accounts and locations you manage, their names, addresses, phone numbers, websites, categories, and verification states, and to prepare Local features you activate. No post or reply is sent to Google without an explicit action from you.

Why we use this data

  • Create and secure your user account.
  • Launch AI, SEO and web performance visibility audits, produce reports and keep the history viewable in the application.
  • Show personalized recommendations and improve the quality of analyses.
  • Prevent abuse, diagnose incidents, maintain security and measure service reliability.
  • Send you service-related notifications, such as an audit follow-up or an explicitly requested alert.

Data from public pages

  • For public page analytics, we may process URLs, titles, descriptions, page structures, structured data, metrics, scores, SERP positions, and limited snippets necessary for diagnostic proof.
  • We do not seek to collect personal data from third party sites. If public personal data incidentally appears in an analyzed page, it must be limited to what is strictly necessary for the report or ignored.
  • Protected pages, member areas, tunnels, private forms, payment pages and URLs containing sensitive tokens or parameters are refused or excluded from analysis.

Technical cache of sitemaps

  • Sitemaps can be read on-demand to help the user choose a target page. A short technical cache can be used to avoid requesting the same site several times during a search.
  • This cache is not intended to create a durable base for the URLs of a third-party site. It is used to improve performance, reduce network load and limit repeated requests.
  • The results kept in the account history relate to the audits and plans requested by the user: scores, findings, recommendations, URLs analyzed and limited technical evidence.

Storage and retention period

  • Account data, projects, audited URLs, reports and preferences are stored in PostgreSQL. Job queues, short caches, locks and progress events are stored in Redis.
  • Google OAuth tokens required for Search Console, Google Analytics 4, and Google Business Profile are encrypted server-side. They are never exposed in frontend code.
  • Session cookies are HttpOnly browser cookies. They are only used to maintain the session and protect calls through the BFF.
  • Application logs exclude passwords, API keys, raw tokens and secret content. Technical logs are retained to diagnose incidents and prevent abuse.

Hosting and location

  • The service's main infrastructure is hosted on Railway. The frontend, API and worker services are configured on servers located in the Netherlands.

Sharing and subprocessors

  • We do not sell your personal data.
  • We do not sell Google user data, rent it, disclose it to data brokers or information resellers, use it for targeted advertising, retargeting, creditworthiness, lending, or train generalized AI or ML models with it.
  • We do not transmit your user account information, passwords, session cookies, OAuth tokens or integration keys to analysis providers.
  • Analysis processing may rely on technical providers or external APIs with only the data needed for the requested report: domain, URL, public signals, performance metrics or data from a connected account when you have authorized it.
  • We share, transfer, or disclose Google user data only to the third parties needed to provide, secure, or improve the user-requested features.
  • These third parties are limited to OverRank infrastructure and operations subprocessors: Railway for hosting and running the service, the PostgreSQL/Redis databases in the application environment, and the transactional email provider configured for the service (Brevo in production when enabled, or an equivalent SMTP provider).
  • When AI enrichment is enabled for a report, limited excerpts and aggregated metrics from Search Console or Analytics may be sent to the configured AI provider (Mistral AI or Anthropic) solely to generate the recommendations for the requested report. Raw Google OAuth tokens are never sent to these providers.
  • If you export or share a report containing Google data, the recipient is chosen by you. OverRank does not automatically publish your Google data to third parties.
  • When you connect a Google service, access is used in accordance with the permissions granted by your Google account and only to produce the requested analyses. You can revoke this access from the app or from your Google account.

Retention

  • Account data is retained as long as the account remains active.
  • Reports, histories and audit data are retained to allow you to monitor the progress of your sites, unless deleted upon request or deleted from the application when available.
  • Technical and security logs are retained for a limited period of time, commensurate with diagnostic, security and compliance needs.

Security

  • We apply reasonable security measures: encryption of sensitive secrets, access control, separation of environments, logging of important events and limitation of internal access.
  • Server keys, OAuth tokens, passwords, session cookies and integration secrets are never exposed in frontend code.
  • No online service can guarantee absolute security. In the event of a significant incident, we will take the necessary measures to limit the impact and inform affected users when required.

Your rights

  • Depending on your situation and the applicable regulations, you can request access, rectification, deletion, limitation or export of your personal data.
  • You can also remove Google access from the app or from your Google account.
  • To exercise your rights, contact us at contact@stuandco.com. We may request additional information to verify your identity before processing the request.

Contact

For any questions about this policy or your data, write to contact@stuandco.com.

Also see our conditions of use and our public analysis policy.