Privacy Policy

Last updated: 2026-04-25

This policy is a template starting point for an indie pre-launch service. It is not legal advice. If you operate Rankabl at scale, have a lawyer review it.

1. Overview

This Privacy Policy describes how Rankabl (“Rankabl,” “we,” “us”) collects, uses, and shares personal data when you use the service. For the contractual terms governing your use, see our Terms of Service.

2. What we collect

Account and profile data. When you sign up, our authentication provider Clerk processes your email address and any sign-in identifiers (such as a Google account ID if you use OAuth). We store a local user record linked to that Clerk identity, plus the optional profile fields you choose to add: username, display name, avatar image, bio, pronouns, first name, and last name.

Voting and ranking activity. Each vote you cast records the two items compared, which one you picked (or whether you skipped), the timestamp, and the milliseconds you took to decide. We also record items you exclude from your pair pool and lists you create or modify.

Anonymous identifier. If you use Rankabl without signing in, we set a secure HTTP-only cookie called rankabl_anon containing a random UUID. This cookie is your only identifier as an anonymous user; it is not linked to any other personal data unless you later create an account, at which point your anonymous votes are merged into your account.

IP addresses. When you submit a vote, we record a salted SHA-256 hash of your IP address (we do not store the raw IP). The hash lets us investigate coordinated abuse without retaining personally identifying network data.

Social graph. Following another user creates a follow record between your account and theirs, used to populate friend rankings, comparison views, and in-app notifications.

Notifications. We store records of in-app notifications generated by social events (new followers, friends ranking shared lists, friends creating lists) and which ones you have viewed.

Cookies. See Section 5 below.

3. How we use your data

We use the data described above to:
  • Run the service — present rankings, profiles, follower graphs, notifications, and search.
  • Compute and cache personal, friends, and global rankings.
  • Detect and prevent abuse, including bot voting, ranking manipulation, and spam.
  • Investigate incidents using IP-hash forensics (without storing raw IPs).
  • Improve the service through aggregate analysis of how features are used.
  • Communicate with you about the service when needed.
We may also derive aggregated and anonymized data from the above and use, share, or license that aggregated data commercially, as described in our Terms of Service. Aggregated and anonymized data does not identify you.

4. Service providers and third parties

Rankabl relies on the following processors to operate. They access your data only to provide their service to us and are bound by their own privacy commitments.
  • Clerk (authentication, account management, optional profile photo).
  • Neon (managed PostgreSQL database hosting in the US).
  • Upstash (Redis cache and rate limiting in the US).
  • Vercel (web hosting and edge runtime).
  • TMDB, Spotify, IGDB, and similar metadata providers — when you search for items, we proxy your search query to these services to return canonical metadata (titles, posters, cover art). We do not send these services your account information; they receive only the query text and standard request metadata such as IP, which they handle under their own privacy policies.
We do not sell your personal data. We may disclose data if required to comply with law, enforce our Terms, or protect the rights, safety, or property of Rankabl or others.

5. Cookies and similar technologies

We use a small number of cookies, all functional:
  • rankabl_anon — HTTP-only UUID identifying anonymous voters across sessions. One year expiry. Cleared on account merge.
  • Clerk session cookies — set and managed by Clerk to keep you signed in.
We do not currently use analytics or advertising cookies. If we add them in the future, we will update this policy and surface appropriate consent.

6. Data retention

We retain your account and profile data while your account is active. When you delete your account, we remove personal identifiers — email, profile fields, avatar, and internal identifiers linking back to you — within 30 days. Your votes and ranking contributions are retained in anonymized form so community rankings and aggregate signals remain stable; once anonymized, this data is no longer personal data.

Daily integrity counters (rate-limit hits, duplicate-vote attempts) are retained in our cache for up to 30 days, after which they expire automatically.

Backups created for disaster recovery may persist for up to 30 days after deletion before they roll off.

7. Your rights

Access, correction, deletion. You can view and edit much of your profile data through your account settings. You can delete your account at any time through the account settings; deletion follows the policy in Section 6. To make a request that you cannot complete in-product, email privacy@rankabl.com.

If you are in the EU, UK, EEA, or Switzerland (GDPR / UK GDPR). You also have the right to rectification, restriction of processing, data portability, and objection to processing. You may withdraw any consent you previously gave at any time. You have the right to lodge a complaint with your local data protection supervisory authority. The legal bases on which we process your data are: performance of a contract (operating the service), our legitimate interests (improving the service, preventing abuse), and your consent where applicable.

If you are a California resident (CCPA / CPRA). You have the right to know what personal data we collect about you, to request deletion or correction, to limit use of sensitive personal information, and to opt out of any “sale” or “sharing” of personal data. We do not sell or share personal data as those terms are defined under California law. Aggregated and anonymized data is not personal data.

We will not discriminate against you for exercising any of these rights.

8. International transfers

Rankabl is operated from the United States. Our infrastructure providers store data on servers located in the United States. If you access the service from outside the US, you understand that your data is transferred to and processed in the US, which may have different data protection laws than your country. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers from the EEA, UK, or Switzerland.

9. Children

Rankabl is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, please contact us and we will take appropriate steps to delete it.

10. Security

We use industry-standard practices to protect your data, including TLS for data in transit, hashed and salted IP addresses, HTTP-only cookies for session identifiers, rate limiting, and bot protection. No system is perfectly secure; we cannot guarantee absolute security.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the “Last updated” date and may surface a notice in-product. Your continued use of the service after changes take effect means you accept the updated policy.

12. Contact

For privacy questions or to exercise any rights described above, email privacy@rankabl.com. Until the rankabl.com domain is in place, write to cameronnolley@gmail.com.