ThumbRank
DRAFT — not legal advice. This template is a starting point only. Have a licensed attorney review it before publishing or relying on it.

Privacy Policy

Last updated: June 13, 2026

1. Overview

This Privacy Policy explains how ThumbRank (“we”, “us”, or “our”) collects, uses, discloses, and protects information about you when you use the Service. We process the minimum data needed to operate the Service and we never sell personal information.

2. Information We Collect

2.1 Information you provide

  • Account email — to create and authenticate your account.
  • Billing information — handled entirely by Paddle; we receive only the last 4 digits of the card and the billing country.
  • Saved searches and preferences — anything you choose to save within the app.
  • Support messages — when you email us, we keep what you sent.

2.2 Information collected automatically

  • Server logs. IP address, user agent, request path, timestamp, and response status. Retained for 30 days for security and debugging.
  • Usage data. Aggregated counts of features used (e.g. searches per day) for product improvement. No profiling, no ad targeting.

2.3 Information from third parties

  • YouTube Data API v3. When you request video metadata, we query YouTube on your behalf. YouTube may log the request per its own privacy policy.
  • Paddle. We receive subscription status, plan, and renewal dates via webhooks.

3. Cookies and Local Storage

We use a small number of first-party cookies and localStorage items for authentication and to remember your preferences (e.g. billing-period toggle on the pricing page). We do not use third-party advertising cookies.

4. How We Use Your Information

We use the information we collect to:

  • Operate, maintain, and improve the Service.
  • Process subscriptions and prevent fraud.
  • Respond to support requests.
  • Send transactional emails (account confirmation, payment receipts, plan changes). We do not send marketing email unless you opt in.
  • Detect and prevent abuse or violations of our Terms.

5. Legal Bases (for EEA/UK users)

If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases under the GDPR:

  • Contract — to provide the Service you signed up for.
  • Legitimate interest — to keep the Service secure, prevent fraud, and improve the product.
  • Consent — for any non-essential cookies or optional communications.

6. How We Share Your Information

We do not sell your personal information. We share data only with:

  • Paddle — for payment processing and tax compliance.
  • Supabase — for database hosting and authentication. Data is stored in the United States.
  • Vercel — for application hosting and serverless compute. Data is stored in the United States.
  • Google (YouTube Data API) — for video-metadata lookups you trigger.
  • Law enforcement — if we receive a valid legal process. We will notify you before disclosing, unless legally prohibited from doing so.

7. International Data Transfers

ThumbRank is operated from Honduras with infrastructure in the United States. By using the Service, you understand that your information may be transferred to and processed in the United States and Honduras. We rely on standard-contractual-clauses-equivalent safeguards with our processors where required.

8. Data Retention

  • Account data. Kept while your account is active. Deleted within 30 days of account closure, except where retention is required for legal or tax purposes (typically 7 years for billing records).
  • Server logs. 30 days.
  • Support emails. Up to 24 months, then anonymized or deleted.

9. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data.
  • Object to or restrict processing.
  • Port your data to another service.
  • Withdraw consent at any time (without affecting prior processing).

To exercise any of these rights, email privacy@thumbrank.io. We respond within 30 days.

10. Children’s Privacy

The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

11. Security

We use industry-standard safeguards: HTTPS everywhere, hashed passwords (Supabase Auth), rate limiting on all public endpoints, and least-privilege access for our team. No system is 100% secure; if you discover a vulnerability, please report it to security@thumbrank.io.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date will reflect the most recent change. Material changes will be communicated by email or in-app notice.

13. Contact

Questions about privacy? Email privacy@thumbrank.io.