
GDPR Compliance for AI Visibility — Built EU-Native

Updated May 15, 2026 · 9 min read · Trust, RGPD, AI Act

Rankio is the only GEO platform built EU-native, hosted in France, and RGPD-compliant by design. Data residency is in the European Union. A signed DPA is available on every plan including Basic. Sub-processors are documented and EU-first. AI Act expectations are treated as best practice. For French and European brands — and especially regulated industries — this is the difference between a tool that procurement signs off on and one that gets blocked.

The short version: EU hosting (France primary, EU disaster recovery). Signed DPA on every plan. Transparent sub-processor list. Standard Contractual Clauses on any non-EU transfer. AI Act-ready. EUR pricing. Built and operated under European law. No data leaves the EU without explicit, documented contractual safeguards.

Why GDPR compliance matters for a GEO platform

A GEO platform sits between your marketing data and external AI models. It runs your queries through LLMs, parses the answers, stores citation history, and produces analytics. Every step touches data that — depending on what you input — can include identifiers, customer references, internal product context, and sometimes personal data. RGPD applies the moment any of that information is personal data of an EU data subject, regardless of where the platform is hosted.

For procurement at French and European companies, the practical question is not "does your platform comply" but "can you prove it, contractually, in less than two weeks of legal review." US-built tools usually answer this with a long negotiation, a non-EU sub-processor list, and a DPA addendum. Rankio answers it with a one-page DPA, an EU-first sub-processor map, and EUR pricing — all available before the demo.

The 7 RGPD principles, applied to Rankio

| RGPD principle | How Rankio applies it |
| --- | --- |
| Lawfulness, fairness, transparency | Each processing activity is documented in our public DPA with the lawful basis (contract performance for customer data, legitimate interest for security logs) |
| Purpose limitation | Customer prompts and brand keywords are processed only to compute Visibility Scores and competitor benchmarks — not for marketing, not for training models, not for resale |
| Data minimization | Rankio does not require or collect personal data of your customers — your prompts contain your brand and keyword, not your CRM. Where personal data appears in user-entered prompts, we recommend pseudonymization and document the recommendation |
| Accuracy | Visibility data is timestamped per measurement. Erroneous or outdated records can be corrected on request, and we publish methodology updates that affect historical scores |
| Storage limitation | Default retention is 24 months for citation history, with configurable shorter retention per workspace. Account deletion triggers full erasure within 30 days; exports are available earlier on request |
| Integrity & confidentiality | TLS 1.3 everywhere, AES-256 at rest, role-based access with audit logs, secrets in a dedicated vault, security incidents reported within 72 hours of detection |
| Accountability | A designated DPO (Data Protection Officer), this public compliance page, an updated record of processing activities, a tested incident response plan, and an annual third-party security review |

Where your data lives

Primary infrastructure: France (Paris region). Disaster recovery: a second EU member state. Backups: encrypted, EU-resident only. No production data is stored outside the EU.

Sub-processors are listed in the DPA with location, purpose, and the safeguard applied. Where the function can be served by an EU-based provider, we use it. Where the function requires a non-EU provider (typically LLM provider APIs that do not have EU-region endpoints), we apply Standard Contractual Clauses and a data-processing addendum that prohibits training on submitted data and limits retention.

When Rankio queries an LLM: the request contains the brand name and the keyword(s) you configured. We do not include customer identifiers, account data, or personal data of your end-users unless you explicitly put them in the prompt. We log the LLM's response and the citations it produced. That data is stored in EU infrastructure and bound by your account's retention setting.
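The page recommends pseudonymizing any personal data a user types into a prompt before it reaches an LLM. The following is an added illustration of that recommendation, not Rankio's own code: it replaces e-mail addresses and phone numbers in a prompt with keyed HMAC tokens, keeps the token-to-value mapping on the customer side (never in the LLM request), and re-identifies the model's answer afterwards. The key, the regexes and the sample prompt are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed example key. In a real deployment it lives in the secrets vault
# and is rotated; rotating it changes every token, which is the intended effect.
PSEUDO_KEY = b"example-key-rotate-me"

# One combined pattern so a single left-to-right pass finds each value once;
# e-mails are tried first so digits inside an address are not mistaken for a phone.
PII_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<phone>\+?\d[\d .-]{7,}\d)"
)


def pseudonym(value: str, kind: str, key: bytes = PSEUDO_KEY) -> str:
    """Deterministic, keyed token: same input and key -> same token,
    but the value cannot be recovered from the token without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:10]
    return f"<{kind}:{digest}>"


def pseudonymize_prompt(prompt: str, key: bytes = PSEUDO_KEY):
    """Return (safe_prompt, mapping). Only safe_prompt is sent to the LLM;
    mapping stays in EU-resident storage under the workspace retention setting."""
    mapping = {}

    def replace(match: re.Match) -> str:
        kind = match.lastgroup            # "email" or "phone"
        token = pseudonym(match.group(0), kind, key)
        mapping[token] = match.group(0)
        return token

    return PII_RE.sub(replace, prompt), mapping


def reidentify(text: str, mapping: dict) -> str:
    """Restore original values in an LLM answer that echoed the tokens."""
    for token, original in mapping.items():
        text = text.replace(token, original)
    return text


if __name__ == "__main__":
    # Constructed sample prompt containing two pieces of personal data
    sample = ("Which CRM do reviewers recommend for Acme? "
              "Contact jane.doe@example.com or +33 6 12 34 56 78.")
    safe, table = pseudonymize_prompt(sample)
    print(safe)      # brand and keyword survive, personal data is tokenized
    print(reidentify(safe, table) == sample)
```

The tokens are keyed rather than plain hashes so that a provider holding many prompts cannot rebuild the mapping by hashing guessed addresses; the mapping itself is the only way back and should be stored and erased on the same schedule as the citation history it belongs to.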

EU AI Act — our posture

Rankio is not a high-risk AI system under the AI Act classification. We do not deploy AI to make automated decisions about people; we do not score individuals; we do not affect access to essential services. The AI we operate measures brand visibility in third-party AI assistants and produces analytics.

That said, we treat AI Act transparency expectations as best practice. We document which AI models we use and for what. We publish the methodology behind Visibility Scores. We disclose when content is AI-generated in the platform. And we update our compliance posture as AI Act enforcement specifics evolve. The Trust section of our site records changes.

How Rankio compares on compliance

| Compliance dimension | Rankio | Typical US-built GEO platform |
| --- | --- | --- |
| Headquarters | France 🇫🇷 (EU) | USA |
| Production hosting | EU only (France primary) | USA primary, EU optional on enterprise tier |
| Pricing currency | EUR € | USD $ |
| DPA availability | Standard, on every plan including Basic | Often gated to mid-tier or enterprise; negotiation required |
| Sub-processor transparency | Public list with location and purpose | Generally available on request |
| Standard Contractual Clauses | Built into the DPA | Addendum, often negotiated |
| Le Chat (Mistral) coverage | Native ✅ | Usually not supported |
| French language support | FR-native UI, prompts, and content | EN only or machine-translated |
| Procurement-friendly for FR & EU regulated industries | Yes — designed for it | Usually requires significant legal addenda |

Certifications & trust commitments

  • Designated DPO reachable at dpo@rankio.studio
  • Signed DPA available on every plan — no gating to enterprise
  • Annual third-party security review — results summarised in the Trust section
  • SOC 2 Type II — in progress, target completion 2026
  • ISO 27001 — on roadmap for 2026-2027
  • 72-hour breach notification commitment as required by RGPD Article 33
  • Pseudonymization and encryption at rest and in transit (AES-256, TLS 1.3)
  • Public sub-processor list updated whenever a new sub-processor is added — customers notified before activation

Frequently asked questions

Entirely in the European Union. Primary infrastructure in France (Paris region), disaster recovery in another EU member state. No production data leaves the EU. EU-headquartered sub-processors where possible; Standard Contractual Clauses applied to any unavoidable non-EU transfer.

Yes — RGPD-native by design. Lawful basis documented, data subject rights honored via account or dpo@rankio.studio, retention minimized and configurable, breach notification meets the 72-hour requirement. DPA available on every plan.

The prompt contains your brand and keyword — not customer-identifiable data unless you put it there. The LLM response is captured, parsed for citations, and stored in EU infrastructure. Where the LLM provider is non-EU, we use the provider's enterprise contracts with addenda prohibiting training on submitted data.

Rankio is not a high-risk AI system, but we treat AI Act expectations as best practice. We document the AI models used and how, we publish methodology, and we disclose AI-generated content in the platform. We update our compliance posture as enforcement specifics evolve.

Yes. Available on every plan including Basic. Defines Rankio as processor and customer as controller, lists sub-processors with location and purpose, and includes Standard Contractual Clauses for non-EU transfers. Email dpo@rankio.studio.

Most major GEO platforms (Otterly, Peec, Profound, ZipTie, AthenaHQ) are US-built, US-hosted, and USD-priced. DPAs typically require negotiation. Rankio is EU-built, EU-hosted, EUR-priced, with a customer-friendly DPA on the lowest plan. For regulated industries this difference is material.

The compliant choice for European brands

Talk to us about your procurement requirements — DPA, sub-processor list, security review. We answer in days, not weeks.