§§ trust · legal

Privacy, plainly written.

We don't sell your data, don't share it with ad networks, and keep only what we need to run the product. This page is the long version — specific numbers included.

Last updated · April 17, 2026

§ 01Who we are#

AIRRNK is an AI visibility platform operated by MATO Ltd., a company registered in Israel. Throughout this policy, “we,” “us,” or “AIRRNK” refers to MATO Ltd. as the data controller of the personal data described below.

If you are in the European Economic Area, United Kingdom, or Switzerland, we act as the data controller for the personal data we process about you in connection with the AIRRNK product.

§ 02What we collect#

We keep three categories of data. Nothing else.

Account information
Your email address, workspace name, and — if you choose to provide it — a display name. We do not store passwords because we use magic-link sign-in.
Site data we scan
The public URLs you submit, their HTML responses, structured data we extract, and the prompts and responses generated when we query third-party AI platforms about your brand. We cache responses for up to 24 hours to reduce redundant traffic.
Usage analytics
Pages visited inside the AIRRNK dashboard, feature events (button clicks, scan completions), aggregated performance metrics, and technical metadata (browser, viewport size, coarse geolocation from IP — city-level, never GPS). Collected via PostHog.
Billing metadata
Plan, subscription status, invoice history, and a PayPal payer ID. We never see or store your card number, PayPal login, or bank details — those live with PayPal.

§ 03How we use it#

  • To run the service you signed up for — scans, reports, alerts, dashboards.
  • To contact you about your account (billing receipts, security notices, material changes to these terms).
  • To send product updates and a weekly digest, only if you opted in. You can unsubscribe at any time from any email we send you.
  • To debug errors, prevent abuse, and measure which features actually help customers.
  • To comply with legal obligations (tax records, lawful requests from authorities).

We do not train foundation models on your private scan data, sell your data to third parties, or use it for advertising profiling.

§ 04Legal bases (GDPR)#

For customers in the EU/UK, we rely on the following legal bases under Article 6(1) of the GDPR:

  • Contract — to provide the service you subscribed to.
  • Legitimate interests — to secure the product, prevent fraud, and improve features, balanced against your rights.
  • Consent — for the weekly digest and optional analytics cookies.
  • Legal obligation — where tax, accounting, or law-enforcement rules require us to keep or disclose data.

§ 05Sub-processors#

We use the following sub-processors. Each is bound by a data-processing agreement and, where applicable, Standard Contractual Clauses.

Supabase (US)
Primary database, auth store, object storage. SOC 2 Type 2. AES-256 at rest.
Cloudflare (US)
CDN, edge caching, DDoS protection, email routing. ISO 27001.
PayPal (US/EU)
Payment processing. PCI-DSS Level 1. We never see your card data.
Resend (US)
Transactional email (sign-in links, receipts, alerts).
PostHog (EU region)
Product analytics. We enable IP anonymization and disable session replay by default.
Anthropic / OpenAI
LLM providers used to generate report summaries. We send only the public site content you asked us to analyze — never your account information.

The current list lives at this URL. We'll give you at least 30 days' notice before adding a new sub-processor that materially changes how your data is handled.

§ 06Data retention#

Account records
Retained for 7 years after account closure to satisfy tax and accounting obligations in Israel.
Scan results
Retained for 2 years so you can see historical trends. You can delete any scan at any time from the dashboard; deletions propagate within 24 hours.
Product analytics
Retained for 90 days in raw form, then aggregated into non-identifiable metrics.
Email logs
Retained for 30 days to debug deliverability, then deleted.
Backups
Encrypted daily backups retained for 30 days, then overwritten.

§ 07Your rights#

You can exercise the following rights at any time, and we will respond within 72 hours:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — delete your account and all associated data (except what we must keep for tax or legal reasons).
  • Portability — export your scan history in JSON.
  • Object — restrict processing we base on legitimate interests.
  • Withdraw consent — at any time, without affecting past lawful use.
  • Complain — to the Israeli Privacy Protection Authority or your local EU supervisory authority.

Send us a message on /contact using the email address on your account. For CCPA requests from California residents, the same route handles your “right to know” and “right to delete” — we will never discriminate against you for exercising either.

§ 08Cookies#

We set four cookies. No ad trackers, no social pixels.

airank-session
First-party, HTTP-only. Keeps you signed in. Expires in 30 days.
airank-csrf
First-party. Guards against cross-site request forgery. Session-scoped.
ph_*
PostHog analytics cookie. IP-anonymized. Expires in 365 days. You can opt out via the cookie banner.
airank-theme
First-party. Remembers your theme preference (currently dark-only, but reserved for later).

§ 09International transfers#

Our core servers are in the EU (Supabase Frankfurt). When data is transferred outside the EEA — typically to US sub-processors — we rely on the European Commission's Standard Contractual Clauses (2021) and, where relevant, the EU-US Data Privacy Framework. We apply supplementary measures: encryption in transit and at rest, pseudonymization where feasible, and contractual limits on sub-processor access.

§ 10Security#

TLS 1.3 in transit, AES-256 at rest, magic-link authentication, role-based access control, and audit logs on every admin action. Full program details on our Security page.

§ 11Children#

AIRRNK is a B2B product not directed to anyone under 16. We do not knowingly collect data from children. If you believe a child has given us personal data, send us a note on /contact and we will delete it within 72 hours.

§ 12Changes to this policy#

We'll email active customers at least 30 days before any material change takes effect. Typographic or clarifying edits are noted here with an updated date.

§ 13Contact us#

Privacy questions, rights requests, or complaints — send a message on /contact. We aim to reply within 72 hours, in practice usually faster.

MATO Ltd., registered in Israel.

Document version 2026.04Last updated April 17, 2026