Privacy Policy

Last updated: 2 April 2026

This Privacy Policy explains how Baseline Rank ("we", "us", "our"), a sole trader based in the United Kingdom, collects, uses, and protects your personal data when you use the Baseline Rank API ("Service"). We are committed to handling your data in accordance with the UK GDPR and the Data Protection Act 2018.

1. Data We Collect

When you subscribe to or use the Service, we collect:

• Email address — provided at checkout, used to deliver your API key and send service communications
• Organisation name — provided at checkout, used to identify your account
• Payment information — handled entirely by Stripe; we never see or store your card details
• API usage logs — endpoint path, HTTP method, response status, response time, and IP address, logged on each API request
• Website analytics — page views and referrer data collected via self-hosted Umami (privacy-friendly, no cookies, no cross-site tracking)

2. How We Use Your Data

• To provision and deliver your API key
• To process payments and manage your subscription
• To enforce rate limits and detect abuse
• To send transactional emails (key delivery, billing receipts)
• To monitor service health and performance

We do not use your data for advertising, profiling, or any purpose beyond operating the Service.

3. Legal Basis for Processing

• Contract — processing your email and org name is necessary to fulfil our subscription agreement with you
• Legitimate interests — usage logging for rate limiting, security, and service reliability
• Legal obligation — retaining transaction records as required by UK law

4. Third Parties We Share Data With

• Stripe — payment processing. Stripe acts as an independent data controller. See Stripe's Privacy Policy.
• Resend — transactional email delivery. Your email address is passed to Resend solely to send service emails.
• Hetzner — our VPS provider hosts all data on servers in the EU (Germany).

We do not sell your data to any third party.

5. Data Retention

• Account data (email, org name) — retained for the duration of your subscription plus 12 months, then deleted
• API usage logs — retained for 90 days, then purged
• Payment records — retained for 7 years as required by UK tax law

6. Data Security

Your API key is stored as a one-way SHA-256 hash — we cannot recover the raw key. All data is stored on a private Hetzner VPS with restricted access. All connections are encrypted in transit via HTTPS (TLS).

7. Your Rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (subject to legal retention obligations)
• Restriction — ask us to limit how we process your data
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies

The Baseline Rank website does not use cookies for tracking or advertising. Our analytics tool (Umami) is cookieless and does not track you across sites.

9. Changes to This Policy

We may update this policy from time to time. We will notify active subscribers by email before material changes take effect. The latest version is always available at baselinerank.com/privacy.html.

10. Contact and Complaints

For any privacy-related queries, contact us at [email protected].

If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.