Last updated: 22 June 2026
This policy explains what personal data Ralf ("we", "us") collects when you use ralfhq.com and app.ralfhq.com, why, and your rights under UK GDPR.
Account data: your email address and password (stored as a secure hash), and if you sign in with Google, your Google account email. Billing data: handled by Stripe — we never see or store your card number; we store your subscription status and Stripe references. Service data: the website domains you add, crawl results for those sites, search and AI-visibility data about them, settings you configure, and (where you use outreach features) the business-contact details of recipients you choose to contact. Usage data: product analytics about how the Service is used, and standard server logs (IP address, browser type) for security.
To provide the Service you signed up for (contract); to bill you (contract / legal obligation); to secure the Service and prevent abuse (legitimate interest); to send service emails such as trial reminders, payment and product notifications (contract / legitimate interest). We don't send marketing email without consent, and we don't sell personal data.
We use a small set of processors to run the Service: Supabase (database and authentication, hosted in the EU), Vercel (web hosting), Stripe (payments), Instantly (delivery of outreach emails you configure), and AI/data providers used to generate the product's analysis — including OpenRouter (which routes to model providers such as OpenAI, Anthropic, Google and Perplexity) DataForSEO and Ahrefs (search and SEO data), and Resend (delivery of our service emails). Website data sent to AI providers relates to the sites you monitor, not your account identity. Some providers process data outside the UK/EEA under appropriate safeguards (standard contractual clauses). A full list of sub-processors and our processing terms are set out in our Data Processing Addendum.
If you connect Google Search Console or Google Analytics, Ralf requests read-only access (the webmasters.readonly and analytics.readonly scopes) to the properties for the websites you choose to connect. We use this data for a single purpose: to show you your own search-performance and traffic analytics inside Ralf, and to inform the SEO recommendations the product generates for those sites. OAuth access and refresh tokens are stored encrypted and are used only to retrieve that data on your behalf.
We do not sell Google user data, use it for advertising, or use it to train AI/ML models. We share it only with the infrastructure processors listed above as strictly necessary to operate the Service. You can disconnect at any time in Ralf (Settings → Integrations) or revoke access at myaccount.google.com/permissions; on disconnection we delete the stored Google tokens.
Ralf’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Account and service data is kept while your account is active. If you close your account, or it remains inactive after cancellation, we delete personal data within 90 days, except records we must keep for tax and accounting (kept up to 6 years). Aggregated, de-identified data may be retained.
Under UK GDPR you can request access to, correction of, deletion of, or a copy of your personal data, object to or restrict processing, and withdraw consent. Email hello@ralfhq.com and we'll respond within one month. You can also complain to the UK Information Commissioner's Office (ico.org.uk).
app.ralfhq.com uses essential cookies/local storage for login sessions. The marketing site uses privacy-respecting analytics without cross-site tracking.
We'll post updates here and notify account holders of material changes by email or in-app.
Data questions or requests: hello@ralfhq.com