Privacy Policy.

As an Estonian-registered company we are subject to the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act. We are your data controller for all services described below.

baldiv.com (this website)

• Server access logs — IP address, browser, pages visited. Retained 30 days.
• Contact form submissions — name, email, message. Retained until resolved.

dashboard.rank.al (SaaS platform)

• Account credentials — email address and bcrypt-hashed password, or Google OAuth token.
• License and billing data — license key, WordPress site domain, Stripe customer ID, subscription plan. No raw card numbers stored.
• Support tickets — name, email, message content, site URL.
• Session data — encrypted session cookie (RANKAL_SESS). Expires after 8 hours.

RankAl SEO WordPress plugin

• License verification — your WordPress domain and license key are sent to rank.al/api/license on activation. That's the only data sent to our servers.
• AI generation — post content is sent directly from your server to the AI provider you configure using your own API key. Does not pass through our servers.

• Contract performance (Art. 6(1)(b)) — processing your account, license, and billing data to provide the service.
• Legal obligation (Art. 6(1)(c)) — retaining billing records for 7 years per Estonian accounting law.
• Legitimate interests (Art. 6(1)(f)) — server logs, rate limiting, security monitoring. These do not override your rights.
• Consent (Art. 6(1)(a)) — where applicable (e.g. marketing emails). Withdrawable at any time.

We use only strictly necessary cookies — no advertising cookies, no tracking pixels, no Google Analytics.

• RANKAL_SESS — session auth cookie on dashboard.rank.al. HttpOnly, Secure, SameSite=Lax. Expires after 8h inactivity.
• csrf_token — CSRF protection. Not a tracking cookie.

Strictly necessary cookies do not require consent under ePrivacy Directive Recital 25.

We do not sell your data. We do not use your data for advertising. We share only with:

• Stripe Inc. — payment processing. Certified under EU–US Data Privacy Framework.
• Your chosen AI provider (Groq / OpenAI / Anthropic / Google) — only when you use AI features with your own API key. We are not a processor in this flow.
• Abelo — server infrastructure within the EU/EEA.

All data is processed and stored within the EU/EEA except where Stripe's US processing occurs under approved transfer mechanisms.

• Account data — retained while active + 90 days after deletion request.
• Billing records — 7 years (Estonian Accounting Act).
• Support tickets — 2 years.
• Server logs — 30 days.
• Session data — expires after 8 hours of inactivity.

• Access (Art. 15) — request a copy of all personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate data.
• Erasure (Art. 17) — request deletion, subject to legal retention obligations.
• Restriction (Art. 18) — restrict processing in certain circumstances.
• Portability (Art. 20) — receive your data in JSON/CSV format.
• Object (Art. 21) — object to processing based on legitimate interests.
• Withdraw consent — where consent was the basis, withdraw at any time.

• All data transmitted over HTTPS/TLS.
• Passwords stored as bcrypt hashes (cost factor 12).
• Sensitive config files stored outside the web root.
• Session tokens HttpOnly, Secure, SameSite=Lax.
• CSRF protection on all state-changing requests.
• Rate limiting on authentication endpoints.

In the event of a breach likely to risk your rights, we notify the Estonian DPA within 72 hours and affected individuals without undue delay (GDPR Arts. 33–34).

Our services are not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, email [email protected] and we will delete it promptly.

We may update this policy. Material changes will be notified by email and by updating the date at the top of this page.