Privacy Policy
1. Privacy at a Glance
1.1 General Notes
This information gives you a quick overview of what happens to your personal data when you visit our website. Personal data is information by which you can be personally identified.
Who is responsible?
The data processing on this website is carried out by the website operator. You will find the contact details in the section “Controller” further below.
How do we collect your data?
- Directly: when you provide it to us (e.g. via forms).
- Automatically: by our IT systems when you visit the website (e.g. browser data, IP address).
What do we use your data for?
Part of the data is collected to ensure the smooth operation of the website. Other data may be used to analyze how visitors use the site.
What rights do you have with respect to your data?
You have the right to obtain information, correction, deletion, restriction, objection, data portability, as well as the right to lodge a complaint with a supervisory authority.
Analysis tools and third parties
When you visit our website, your browsing behavior may be analyzed using cookies and analytics tools. This is typically done anonymously. Details and objection options can be found in the following sections.
2. General Information and Mandatory Disclosures
2.1 Data protection
Protecting your personal data is important to us. We treat your data confidentially and in accordance with legal data protection regulations, especially the GDPR, and this Privacy Policy.
2.2 Controller
rankingCoach GmbH
c/o wework
Pilgrimstraße 6
50674 Cologne, Germany
Phone: +49 221 828 298 34
Email: support@rankingcoach.com
2.3 Purposes and legal bases of processing
We process personal data for providing our website, communication, analytics, and fulfillment of contracts. Legal bases are Art. 6(1)(a), (b), and (f) GDPR.
2.4 Recipients and transfer to third countries
Data may be passed on to external service providers. A list of subcontractors is available in our directory. Transfers to third countries occur only on the basis of suitable safeguards (e.g. EU Standard Contractual Clauses or EU‑US Data Privacy Framework).
2.5 Storage duration
Data is stored only for as long as it is needed for the respective purpose or for as long as statutory retention periods apply.
2.6 Your rights
You have the following rights at any time with respect to your personal data:
- Access (Art. 15 GDPR) — to the data we process
- Rectification (Art. 16 GDPR) — of incorrect or incomplete data
- Deletion (Art. 17 GDPR) — insofar as no retention obligations conflict
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR) — particularly against direct advertising
- Withdrawal of consent (Art. 7(3) GDPR) with effect for the future
- Right to complain to a competent data protection supervisory authority (Art. 77 GDPR)
2.7 Supervisory authority
You can find a list of data protection supervisory authorities here:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
2.8 Obligation to provide data
Providing personal data is voluntary. However, for contract conclusion (e.g. payment processing) certain information is required.
2.9 Encryption and payment transactions
All data transfers on our website — including enquiries via forms as well as payment data — are made exclusively via encrypted SSL/TLS connections. Thus your data is protected from unauthorized access by third parties.
2.10 Objection to promotional emails
We hereby expressly object to the use by third parties of contact details published under the legal notice obligation for sending unsolicited advertising and information materials. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.
3. Data Protection Officer
Statutory data protection officer
We have appointed the following Data Protection Officer:
Colin Simbach
TÜV Informationstechnik GmbH
TÜV NORD Group
Langemarckstraße 20
45141 Essen, Germany
Phone: +49 201 8999 461
Email: privacyguard@tuvit.de
4. Data Collection on Our Website
Cookies and Consent Management
Our website uses cookies. Cookies are small text files stored on your device.
Technically necessary cookies
Certain cookies are technically required for the operation of our website. These cookies are not subject to consent. The legal basis is § 25(2) TTDSG and Art. 6(1)(f) GDPR (legitimate interest in the error‑free provision of our services).
Analysis and marketing cookies
All other cookies not technically necessary (e.g. for analytics, statistics, or marketing) are used only with your explicit consent. The legal basis is § 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR. Consent can be revoked at any time via the settings in the cookie banner.
Consent Management Tool
We use Usercentrics to obtain and document your consents for storing certain cookies on your device or using certain technologies. The provider is Usercentrics GmbH, Sendlinger Straße, 80331 Munich, Germany. Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 7 GDPR.
Server log files
When you visit our website, our hosting provider automatically collects and stores information that your browser transmits in so‑called server log files. This includes:
- Browser type and version
- Operating system used
- Referrer URL
- Hostname of the accessing device
- Time of access
- IP address
This data is not merged with other data sources. The collection is for technical monitoring, security, and optimization. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation of the website).
Contact form
If you send us an inquiry via our contact form, we process your data to answer your inquiry and for any follow-up questions. No disclosure to third parties without your explicit consent. Legal basis: Art. 6(1)(a) GDPR (consent). You can revoke your consent at any time with future effect, e.g. by email. Storage duration: until your matter is resolved or you withdraw consent, provided that no statutory retention obligations prevent deletion.
Registration on our website
You may register on our website to use additional features. The data collected will be used exclusively to provide the features for which you have registered. Mandatory fields must be fully completed; otherwise registration is not possible. Purpose: user management, notifications of offer changes or technical updates. Legal basis: Art. 6(1)(a) GDPR (consent). Revocation: at any time by informal email. Storage duration: as long as your account is active. Legal retention obligations remain unaffected.
Registration via Facebook Connect
Alternatively, you can register via Facebook Connect. After clicking “Log in with Facebook,” you will be redirected to Facebook. With your consent, Facebook transmits certain profile data to us — including name, email address, profile or cover photo, gender, birthday, country, language, and your Facebook ID. We use this data solely to create and personalize your user account. Legal basis: your explicit consent under Art. 6(1)(a) GDPR. More information can be found in Facebook’s privacy policy and terms of use.
Registration via Google Connect
Alternatively, you can register via Google Connect. After clicking “Log in with Google,” you will be redirected to Google. With your consent, Google transmits certain profile data to us — such as name, email, profile picture, or language settings. We use these data only to create and personalize your user account. Legal basis: your explicit consent under Art. 6(1)(a) GDPR. More information is available in Google’s privacy policy and terms of use.
Data processing for customer and contractual data
We process personal data insofar as it is necessary for the establishment, performance, or termination of a contractual relationship. Examples: name, address, bank details, booked services, usage history. Legal basis: Art. 6(1)(b) GDPR (contract or pre‑contractual measures). Storage duration: after contract termination, subject to legal retention obligations.
Data transfer in orders of digital content
To fulfill the contract, it may be necessary to pass on your data to third parties — e.g. to payment service providers (banks, Stripe, PayPal, etc.). No further disclosure occurs unless you have explicitly consented. Legal basis: Art. 6(1)(b) GDPR.
5. Use of Subcontractors and Third Parties (Subprocessors) under Art. 28 GDPR
5.1 Principle
In the course of providing our services, we make use of carefully selected external service providers (“subcontractors” or “subprocessors”) under Art. 28 GDPR. They process personal data exclusively on our behalf and following our instructions, based on a data processing agreement (DPA) pursuant to Art. 28(3) GDPR.
5.2 Categories of Subprocessors
We use subprocessors in the following areas:
- Hosting & infrastructure (cloud services, databases, CDN)
- Operation of our online marketing software (SEO, ads, listings)
- Customer support & communication
- Billing & payment processing
- Contract management with partners & end customers
- Website tracking & product improvement
- Cybersecurity measures
- Marketing activities (including testimonials)
- Employee & applicant management
- Newsletter distribution
- AI‑assisted processing
- Internal communication
- Data infrastructure & analytics platforms
5.3 Subprocessor Overview
| Provider / Subprocessor | Purpose / Area of Use | Data Types (fully listed) | Country / Third‑Country / Mechanism | Technical & Organizational Measures (TOMs) | Deletion Period | Privacy Link | Categories |
|---|---|---|---|---|---|---|---|
| Advantago GmbH & Co. KG | Digital Presence Management | Company name, company address, phone numbers, business email, opening hours, categories/sectors, logos/images, URLs/profile links, locations/geodata, if applicable contact person name & email | Germany (EU) | Authentication, access control | Upon client deregistration | | Operation of the online marketing software |
| Afi Technologies Inc. | E‑mail backup | Email contents, attachments, subject lines, sender/recipient/CC/BCC, message IDs, timestamps, routing headers (incl. possible IP), folders/labels, metadata | USA* / SCC | End‑to‑end encryption, backup rotation | Rolling backup | | Customer support & communication, cybersecurity measures |
| Amazon Web Services (AWS) | Hosting, Cloud Services | All data stored or processed in systems, including: name, address, email, phone number, user/customer IDs, IP addresses, login/access data, usage/server/app logs, location data, images/files, contract/order/invoice data, support/communication data, backups | USA* / Ireland / SCC, DPF | Encryption, access control, compliance certificates | 30 days after contract termination | | Operation of the online marketing software, data infrastructure & analytics platforms |
| Anthropic PBC | Generative AI (Claude) | Prompts/inputs (text), possibly contextual metadata (timestamp, request ID), generated outputs | USA* / SCC | API isolation, access control | No default storage | | AI‑assisted processing |
| Atlassian US, Inc. | Project management (Jira, Confluence) | Names, emails, user IDs, roles/permissions, project titles/content, tickets/comments/attachments, files, timestamps, activity/access logs, possibly IP, integration/webhook data | USA* / SCC | Access controls, encryption | Project completion + 90 days | | Customer support & communication, internal communication |
| Celonis Inc. (make.com) | Process automation | Workflow payloads from connected systems (depending on source): names, emails, phone numbers, addresses, customer/ticket/order IDs, form/webhook data, timestamps, possibly IP, metadata | USA* / SCC | Access restriction, TLS | Automation logs 30 days | | Customer support & communication, internal communication, data infrastructure |
| Configo LTD (Provesource) | Customer engagement tool | Page/event views, pseudonymous user/session IDs, cookies / local storage, URLs / referrer, click/scroll events, timestamps, possibly truncated IP, device/browser data, consent status | Israel* / SCC | Pseudonymization, consent-only | After project end | | Website tracking & product improvement |
| Docusign Inc. | Electronic signatures | Names, emails, signature / signing data, document contents, audit trail (timestamps, IP address, events), possibly 2FA data | USA* / DPF | Audit trail, authentication | At contract end + statutory period | | Contract management with partners & customers |
| Drooms GmbH | Secure data room | Documents/files, file contents/metadata, user master data (name, email), permissions/roles, access/activity logs, timestamps, possibly IP | Germany (EU) | Access control, encryption | After project end | | Contract management with partners & customers |
| ebuero AG | Inbound call center | Caller name, phone number, possibly email, inquiry/notes, possibly audio recordings, date/time, ticket/customer number, timestamp | Germany (EU) | GDPR training, access control | 5 years (archives law) | | Customer support & communication |
| ElevenLabs Inc. | Voice AI / speech synthesis | Text prompts, voice samples / speech uploads, generated audio files, user/project IDs, timestamps, possibly IP / metadata | USA* / SCC | Encryption, access control | Delete after use | | AI‑assisted processing |
| etracker GmbH | Web analytics, push notifications | IP address (truncated), cookie/client ID, device/browser data (user agent), page views, events, referrer, campaign parameters (UTM), geolocation (derived), timestamp, opt‑in/opt‑out | Germany (EU) | GDPR‑compliant, consent-based | 6 months | | Website tracking & product improvement |
| FullStory Inc. | Session recording & usage analytics | Session IDs, mouse/scroll/click events, page views, form interactions (masked), device/browser data, screen resolution, truncated IP address, timestamps, referrer / UTM, possibly console errors | USA* / SCC | Anonymization, opt-out | 30 days | | Website tracking & product improvement |
| GoCardless Ltd. | SEPA direct debit | Name, email, IBAN, mandate reference, address, customer/account IDs, transaction/payment dates, status, timestamp | UK* / SCC | Access control, mandate management | At mandate termination | | Billing & payment processing |
| Google LLC / Ireland Ltd. | Analytics, Ads, Maps, Webfonts, YouTube | IP address, cookie / client ID, device/browser data, page views / events, referrer / UTM, campaign/conversion data, location (derived / Maps), video views, font requests, timestamps, opt‑in/opt‑out, possibly hashed emails (Audience Match) | Ireland / USA* / DPF | IP anonymization, opt-outs | Default: 14 months | | Website tracking & product improvement, marketing activities, newsletter distribution |
| Hetzner Online GmbH | Hosting (Germany) | All data stored/processed in systems, including: name, address, email, phone number, customer/user IDs, IP address, server / access / application logs, images/files, contract/order/invoice data, support/communication data, backups | Germany (EU) | ISO 27001, TLS, access restrictions | 30 days after contract end | | Operation of the online marketing software |
| HubSpot Inc. | CRM & Marketing Automation | Names, emails, phone numbers, company/position, address (if given), interaction data (opens/clicks), website activity (tracking, if consent), form submissions / leads, notes, support tickets, consent status, IP address, UTM/campaign, timestamps | USA* / Ireland / DPF | Double opt-in, access controls | Deletion of customer or 5 years | | Customer support & communication, marketing activities, newsletter distribution |
| Intercom Inc. | Customer communication | Names, email, chat / message contents, attachments, page view/events, IP address, device/browser data, derived location, user IDs, tags/segments, timestamps | USA* / Ireland / DPF | Pseudonymization, encryption | 90 days after conversation end | | Customer support & communication |
| Meta Platforms (Facebook) | Social plugins, ads, pixel | IP address, cookie / pixel IDs, page view / event data (PageView, AddToCart, Purchase etc.), referrer / UTM, campaign / conversion data, device/browser data, possibly hashed emails (custom audiences), timestamps | Ireland / USA* / DPF | Opt-out tools, pseudonymization | Until withdrawal | | Website tracking & product improvement, marketing activities |
| Notion Labs, Inc. | Internal collaboration & wiki | Names, emails, user IDs, workspace/teams, page/database content, comments, attachments/files, permissions, activity/access logs, timestamps, possibly IP | USA* / SCC | Access restriction, encryption, logging | After account deletion | | Internal communication |
| OpenAI OpCo, LLC | AI platform – text generation | Prompts/inputs (text), if used file uploads, outputs / generation, technical metadata (timestamps, request / organization ID) | USA* / DPF | API isolation, optional non‑storage | No long-term storage | | AI‑assisted processing |
| PayPal (Europe) S.à.r.l. | Payment processing | Account holder name, email, billing/delivery address, transaction amount / currency, transaction / customer IDs, payment status, possibly IBAN/BIC, card token, risk assessment data, timestamp, possibly IP / device fingerprints | Luxembourg (EU) | PCI-DSS, encryption | 10 years (statutory) | | Billing & payment processing |
| rankingCoach SRL | Software development & testing | Source code / artifacts, test data (possibly pseudonymized personal / customer data), logs / error reports, screenshots, timestamps, internal user IDs | Romania (EU) | Access rights, VPN | After project end | | Operation of the online marketing software |
| Review.io | Customer reviews | Name, email, order/reference (if verified), review text, rating stars, images, timestamp, possibly IP, profile / public status | UK* / Germany (EU) | Voluntary submission, opt-out | Entry remains if requested | | Marketing activities |
| Salesforce (Tableau) | BI & data analytics | Aggregated / derived metrics, dimensions (customer/user IDs, possibly name/email), revenue / usage metrics, UTM/campaign, timestamps, possibly location | USA* / Germany (EU) | Access restriction, audits | After analysis purpose ends | | Data infrastructure & analytics platforms |
| Satismeter s.r.o. | NPS feedback | Email, name, user/customer ID, NPS score, free-text responses, timestamp, possibly device/browser data, possibly IP | Czech Republic (EU) | Anonymous processing, GDPR-compliant | After survey ends | | Website tracking & product improvement |
| Sentry, Inc. | Application error and performance monitoring | Technical error and performance data, stack traces, error messages, application events, project/organization identifiers, timestamps, browser and device information, operating system, application version, IP address (possibly truncated or anonymized), requested URL, selected HTTP headers, session identifiers | United States* / SCC, DPF | Encryption in transit and at rest, role-based access control, configurable pseudonymization/anonymization, project-level isolation, audit logs | According to customer configuration (configurable retention) | https://sentry.io/privacy/ | Technical infrastructure, application monitoring, product security & stability |
| Sparkpost (Message Systems) | Mail server / newsletter | Recipient name, email, subject, email content / templates, send status, opens / clicks, IP address, user agent, timestamp, bounces / spam reports | USA* / SCC | SPF / DKIM, TLS, opt-in | Until unsubscription | | Newsletter distribution |
| Stitch Inc. (Talend) | ETL / data integration | Depending on connected source: names, emails, addresses, customer/user/contract/order IDs, invoicing/payment data (tokenized), usage/log data, tracking/analytics data, timestamps | USA* / SCC | Data minimization, TLS | After integration deletion | | Data infrastructure & analytics platforms |
| Stripe Payments Europe Ltd. | Credit card payments | Name, email, billing address, card data (token, last 4 digits, expiry), customer/payment/subscription IDs, transaction amounts/status, risk assessment data, timestamp, possibly IP / device | Ireland (EU) / USA* / DPF | PCI-DSS, tokenization, access control | 10 years (statutory) | | Billing & payment processing |
| Zapier Inc. | Web integration / automation | Workflow payloads / webhooks (depending on source): names, emails, phone numbers, addresses, ticket/order/customer IDs, form/event data, content/attachments (if transferred), timestamps, possibly IP, metadata | USA* / DPF | Access control, HMAC signature | Automatically after use | | Customer support & communication, internal communication, data infrastructure |
| Zuora Inc. | Subscription management, billing | Customer master data (name, email, address), contract/subscription data, invoices, payment history, customer/invoice IDs, possibly payment token (via PSP), tax numbers, timestamps | USA* / SCC | Access control, TLS | Subscription end + 2 years archiving | | Billing & payment processing |
| Zoom Video Communications Inc. | Videoconferencing | Participant names/emails, meeting IDs/invitations, audio/video/screen share data (possibly recordings), chat messages during meeting, timestamps, possibly IP / device / network data | USA* / DPF | Meeting passwords, moderator control | 30 days after meeting | | Customer support & communication, internal communication |
*Data transfers to third countries (USA, UK, Israel) are based on Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.
5.4 Technical and Organizational Measures (TOMs)
All subprocessors are contractually obligated to implement appropriate technical and organizational measures pursuant to Art. 32 GDPR. This includes, in particular:
- Access controls (entry cards, 2FA)
- Encryption of data transmissions (TLS)
- Data minimization & pseudonymization
- Backups & redundancies
- Logging & auditing
- Staff training
5.5 Data transfer to third country
Some of our subprocessors are located outside the European Union (EU) or European Economic Area (EEA), particularly in the USA, Israel, and the UK. In using these services, personal data may be transferred to those third countries. Please note that a level of data protection comparable to that in the EU may not be guaranteed there. To ensure an adequate level of protection, we have concluded the Standard Contractual Clauses (SCCs) adopted by the European Commission with all relevant providers. These oblige the providers to process our users’ data in accordance with GDPR standards. In addition, where possible, we apply technical and organizational safeguards (e.g. encryption, minimizing the transmitted data) to best protect your data.