Privacy Policy

This Privacy Policy explains how Rankingeek Marketing Agency (“Rankingeek,” “we,” “us”) collects, uses, stores, and protects information in connection with AgencyOS (the “Service”), an AI-first agency-operations platform that helps digital marketing agencies manage client analytics, search performance, advertising, tag management, and shared assets across their portfolio.

This policy applies specifically to AgencyOS at https://client.rankingeek.com. Use of Rankingeek’s separate marketing-services business at rankingeek.com is governed by the Rankingeek Marketing Agency Privacy Policy.

1. Who this policy applies to

This policy covers (a) agency staff (“Workspace Users”) who sign in to AgencyOS to manage client work, and (b) agency administrators (“Admin Users”) who connect agency-wide Google accounts so the Service can access Google data on behalf of their organization.

2. Information we collect

2.1 Account information

When you sign in with Google we receive your name, email address, profile picture, and Google user ID via the openid, email, and profile scopes. We store this to identify your account, send service notifications, and display your profile inside the app.

2.2 Google user data accessed via OAuth

When you or your administrator authorizes AgencyOS to connect a Google account, the Service accesses only the data necessary for the features you have enabled. The specific scopes we request, the data they expose, and the in-product feature they power are listed in Section 4.

2.3 Operational data

We collect information you create inside AgencyOS (workspaces, client records, assigned accounts, settings) and standard log data (IP address, browser, timestamps, error traces) to operate and secure the Service.

3. Limited Use of Google user data

In particular:

• We use Google user data only to provide and improve user-facing features of AgencyOS that are visible to you in the product.
• We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
• We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
• We do not use Google user data to develop, improve, or train generalized or non-personalized AI/ML models. AI features inside AgencyOS operate on your data only to provide recommendations and outputs to you, and human review is required before any AI-generated output is published or acted upon.
• We do not allow humans to read Google user data unless we have your affirmative consent for specific items, it is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or for internal operations on data that has been aggregated and anonymized.

4. Google API scopes we request

AgencyOS requests the minimum scopes required to deliver each feature. Scopes are split between a per-user “Workspace” flow and an agency-wide “Admin” flow.

4.1 Workspace flow (per-user connection)

• openid, email, profile — sign-in and account identification.
• .../auth/analytics.readonly — read your Google Analytics 4 properties and reports so the Service can display traffic, engagement, and conversion metrics for the clients you manage.
• .../auth/webmasters.readonly — read your Google Search Console sites, queries, and performance reports for client search-performance dashboards.
• .../auth/adwords — read Google Ads campaign, ad-group, keyword, and performance data so the Service can display advertising performance for your clients.
• .../auth/drive.file — create and access only the files that AgencyOS itself creates or that you explicitly select for the Service. We never see other files in your Drive.

4.2 Admin flow (agency-wide connection by an authorized admin)

• openid, email, profile — identify the admin account.
• .../auth/analytics.readonly — agency-wide GA4 source for workspaces configured to inherit admin credentials.
• .../auth/webmasters.readonly — agency-wide Search Console access.
• .../auth/adwords — agency-wide Google Ads access, typically via a Manager (MCC) account.
• .../auth/tagmanager.readonly — read Google Tag Manager containers, tags, and triggers so admins can audit GTM configurations across client accounts.
• .../auth/drive.file — create and access only the files and folders the Service itself creates, plus any folder an admin explicitly selects through the Google Picker for shared client-report storage. We never list or access files outside that admin-selected folder.

5. How we use information

• To provide, operate, and improve the Service.
• To render dashboards, reports, and audits inside your account.
• To authenticate you and prevent fraud or abuse.
• To send service-related communications (security alerts, billing).
• To comply with legal obligations and enforce our Terms of Service.

We do not sell personal information. We do not use Google user data to train generalized AI/ML models. We do not use Google user data for advertising.

6. How we store and protect data

Google OAuth refresh and access tokens are encrypted at rest using a dedicated encryption key before being written to our database. Data is transmitted over TLS 1.2+ at all times. Access to production systems is limited to authorized engineering staff using least-privilege credentials and is logged.

We perform annual security reviews and follow the Google Cloud Application Security Assessment (CASA) framework where it applies to scopes we request.

7. Data retention and deletion

We retain Google user data only as long as needed to provide the Service. You may revoke AgencyOS’s access at any time from your Google Account permissions page. You can also disconnect a Google account from inside AgencyOS (Settings → Google Connections), which deletes the associated tokens and cached metadata within 24 hours.

You may request deletion of your entire AgencyOS account and all associated data by emailing contact@rankingeek.com. We will complete deletion within 30 days, subject to any legal retention obligations.

8. Sharing and third parties

We share data only with sub-processors that help us run the Service, under contracts that require equivalent privacy and security protections. Current categories include cloud hosting, database hosting, error monitoring, and email delivery. A current list is available on request from contact@rankingeek.com.

9. International transfers

AgencyOS may process data in countries other than the one in which you reside. Where required, we use Standard Contractual Clauses or equivalent safeguards to protect cross-border transfers.

10. Your rights

Depending on your location you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise these rights contact contact@rankingeek.com.

11. Children

AgencyOS is a B2B product not directed to children under 16. We do not knowingly collect data from children.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email and via an in-product notice at least 14 days before they take effect. The “Effective” date at the top of this page reflects the most recent revision.

13. Contact