1 Who we are
TamRank is a WordPress SEO plugin built and operated by Kloeth Digital B.V., a company registered in the Netherlands. This privacy policy explains how we collect, use, and protect your data when you use our plugin and website.
| Company | Kloeth Digital B.V. |
| KvK number | 42106998 |
| Location | The Netherlands |
| [email protected] |
Kloeth Digital B.V. is the controller for the processing described in this policy. We do not publish a street address; you can identify the company through its registration with the Dutch Chamber of Commerce (KvK 42106998), and you can reach us for any privacy question or request by email at [email protected]. We answer privacy requests through that address.
When we are the controller, and when we are the processor
For your account, licence, billing and support data, and for the way our own website is used, we are the controller: we decide why and how that data is processed.
When you use the AI features or the Google Search Console integration, TamRank processes content and data from your WordPress site, which may include personal data of your own visitors or customers. For that processing we act as a processor on your instructions, and you are the controller. If you need a data processing agreement under Article 28 GDPR for that relationship, email [email protected] and we will provide one.
2 What we collect
Information you provide
When you create an account, purchase a license, or contact us, we collect:
- Name and email address
- Billing details (name, country, company name, VAT number if applicable)
- Your website URL (for license activation)
- Support messages and correspondence
Information collected automatically
When you visit our website, we may collect:
- IP address
- Browser type and version
- Pages visited and time spent
- Referring website
See section 10 for exactly which cookies and analytics our website uses, and how you control them.
3 How we use your data
We use your data for the following purposes:
- Providing and maintaining the TamRank plugin and services
- Processing purchases and managing your subscription
- Validating your license key
- Sending transactional emails (purchase confirmation, renewal reminders, support replies)
- Improving the plugin based on aggregated, anonymized usage patterns
- Understanding how our website is used and measuring our marketing, where you have given consent (see section 10)
- Responding to support requests
- Sending product updates and newsletters (only with your explicit consent)
Legal bases
Under Article 6 GDPR we must have a legal basis for every purpose. These are ours:
| Providing the plugin and services, validating your licence, managing your account, processing purchases and subscriptions, sending transactional emails, and answering support requests | Performance of a contract (Article 6(1)(b)) |
| Keeping invoices and financial records | Legal obligation (Article 6(1)(c)) — Dutch tax law requires a seven-year retention period |
| Cookieless measurement of our website before you make a cookie choice; preventing fraud and abuse; keeping our service secure; improving the plugin using aggregated, anonymised usage patterns | Legitimate interest (Article 6(1)(f)) — our interest in running a secure service and understanding at a basic level how our website and plugin perform. We have weighed this against your privacy and limited the data accordingly |
| Analytics, marketing and preference cookies; marketing emails and newsletters; AI features that send your content to an external provider | Consent (Article 6(1)(a)) — you can withdraw it at any time |
Where we rely on legitimate interest, you can object to the processing at any time (see section 13). Where we rely on consent, withdrawing it does not affect processing that already took place.
We never sell your personal data to third parties.
4 Data the plugin sends
The TamRank plugin communicates with our servers for specific features. Here is exactly what is sent and when:
License validation
When you activate your PRO license, the plugin sends your domain name and license key to our server to verify your subscription. This happens on activation and periodically to confirm your license status.
PageSpeed scans
When you run a PageSpeed analysis, your page URL is sent to the Google PageSpeed Insights API through our server. The results are cached temporarily to reduce repeated API calls.
Update checks
The plugin checks for updates through the standard WordPress update system. This sends your WordPress version and plugin version to our server.
5 Google Search Console and Analytics integration
TamRank offers two optional Google integrations: Google Search Console and Google Analytics 4. This section describes how we access, use, store, and protect the data from each. Both reuse a single Google sign-in.
What we request access to
When you connect Google Search Console, TamRank requests the following permissions (OAuth scopes):
- Search Console read access: to retrieve your search performance data (clicks, impressions, average position, CTR) and view your verified properties
- Search Console management: to allow property selection within the plugin
- Indexing API access: to submit URLs for indexing and check indexing status on your behalf
How we use your Google data
Your Google Search Console data is used exclusively to:
- Display search performance metrics inside the TamRank plugin on your WordPress dashboard
- Show per-page keyword data and position tracking
- Compare performance between time periods
- Submit indexing requests to Google on your behalf
- Check the indexing status of your pages
How we store and protect your Google data
- Your Google authentication tokens are encrypted using AES-256 encryption and stored on our secured servers
- Search performance data is cached temporarily (up to 6 hours) to reduce API calls. Cache is cleared automatically when you switch properties or disconnect
- We do not store historical copies of your Search Console data beyond the temporary cache
- All communication with Google APIs and between the plugin and our servers happens over HTTPS
How we share your Google data
We do not share, sell, or transfer your Google Search Console data to any third party. Your data is only used to provide the Search Console features within the TamRank plugin. No human at TamRank accesses your Google data unless you explicitly request support help and grant permission.
Disconnecting and data deletion
You can disconnect Google Search Console at any time from the TamRank settings in your WordPress dashboard. When you disconnect:
- Your stored authentication tokens are permanently deleted from our servers
- All cached Search Console data is cleared immediately
- The OAuth access is revoked at Google, so TamRank can no longer access your account
You can also revoke access manually at any time by visiting your Google Account permissions page.
Google Analytics 4 (conversions)
TamRank PRO also offers an optional Google Analytics 4 (GA4) integration. It reuses the same Google sign-in as Search Console — one extra permission, no separate login — and shows which of your pages actually drive conversions.
- What we request access to: one additional read-only permission, the scope
https://www.googleapis.com/auth/analytics.readonly, to read your GA4 key events (conversions) aggregated per landing page via the Google Analytics Data API. TamRank never writes to or modifies your Google Analytics account. - How we use your Google Analytics data: to display the number of conversions per landing page inside Page Insights, next to your Search Console data, and to let you choose which key events count as a conversion. We read only aggregated per-landing-page counts, never user-level or session-level data.
- How we store and protect your Google Analytics data: the OAuth token is stored server-side on our secured servers in the EU, the same as the Search Console tokens; the WordPress plugin itself stores only the connection status, the selected GA4 property ID, and the selected key events, never the token. GA4 conversion data is cached temporarily (up to 6 hours) to reduce API calls, and is cleared when you switch property, change the key-event selection, or disconnect. All communication happens over HTTPS.
- How we share your Google Analytics data: we do not share, sell, or transfer it to any third party. It is used only to provide the conversion features within the TamRank plugin. No human at TamRank accesses it unless you explicitly request support and grant permission.
- Disconnecting and data deletion: you can disconnect Google Analytics at any time from the TamRank settings. When you disconnect, your stored Google Analytics token and selected property are permanently deleted from our servers and all cached GA4 data is cleared immediately. Because the Analytics permission is granted through the same Google sign-in as Search Console, disconnecting Analytics alone does not revoke your overall Google authorization; to revoke access entirely, disconnect Search Console or remove TamRank on your Google Account permissions page.
6 AI features and data processing
TamRank PRO includes AI-powered features that process content to generate suggestions. This section explains what data is involved.
Which AI providers we use
These features are powered by external large language model providers, not by models we host ourselves. We use Anthropic and OpenAI. Both are established in the United States, so using an AI feature involves a transfer of the content you submit outside the European Economic Area (see section 9). They act as sub-processors on our behalf under their data processing terms, and they are listed in the table in section 8.
How long the content is kept. We do not store the content you submit: it is processed and discarded. Our AI providers, however, may retain it for a short period, typically up to 30 days, to monitor for abuse and to keep their services secure, as set out in their data processing terms. We have not agreed a zero-retention arrangement with them, so we cannot tell you that nothing is retained anywhere in the chain. What we can tell you is that we keep nothing ourselves.
AI meta generation
When you generate AI meta titles or descriptions, the page title, a content excerpt, and your focus keyword are sent through our servers to the AI provider. The generated suggestions are returned to the plugin and we do not store the input data after processing.
Vision AI alt text
When you generate alt text for an image, the image URL is sent to the AI provider for analysis. We do not store or copy the image. Only the generated alt text is returned.
AI internal link suggestions
When you request link suggestions, the current page title and a content summary are sent to identify relevant linking opportunities across your site. We do not store this data after processing.
7 Payment processing
We use third-party payment processors to handle all transactions:
- Mollie (privacy policy) for iDEAL and Bancontact payments
- Stripe (privacy policy) for credit card and Apple Pay payments
Your payment details (card numbers, bank account details) are processed and stored entirely by these providers. We never see or store your full payment information. We only receive a transaction confirmation with the amount, payment method, and a reference ID.
Both Mollie and Stripe are PCI-DSS compliant and process data in accordance with GDPR.
8 Data sharing and sub-processors
We only share your data with third parties when necessary to provide our services:
| Mollie | Payment processing (iDEAL, Bancontact) |
| Stripe | Payment processing (credit card, Apple Pay) |
| Search Console API, PageSpeed API, Indexing API (only when you use these plugin features) | |
| Google Analytics 4 | GA4 Data API — reads your own key-event conversions per landing page, read-only, only when you connect the optional GA4 integration (see section 5) |
| Anthropic | AI features in TamRank PRO (meta generation, alt text, internal link suggestions). Only the content you submit when you use such a feature is processed, in the United States (see sections 6 and 9) |
| OpenAI | The same AI features in TamRank PRO. Only the content you submit when you use such a feature is processed, in the United States (see sections 6 and 9) |
| Cloudflare | Content delivery and security (WAF) for our website; processes traffic metadata such as IP address under Cloudflare's EU-inclusive Data Processing Addendum |
| Hosting provider | Server infrastructure for our API and website, within the EU |
| Brevo (Sendinblue GmbH / Brevo SAS) | Email delivery for transactional messages (purchase confirmations, renewal reminders, support replies) and, only with your explicit consent, product updates and newsletters. Data is processed within the EU under Brevo's Data Processing Agreement. You can withdraw newsletter consent at any time via the unsubscribe link in every marketing email. |
| Sentry | Error and crash monitoring for our API and website (EU region; no customer content, IP addresses, or other personal identifiers are sent) |
Sentry processes this data on our behalf under its Data Processing Addendum, hosted in the EU.
We do not sell, rent, or trade your personal data, and we never share your data with advertisers for their own purposes.
If we run paid advertising campaigns and you have accepted marketing cookies, we may share limited conversion and attribution data (such as a hashed identifier and the fact that a purchase happened) with the relevant advertising platform, for example Google Ads, solely to measure our own campaigns. We never do this without your marketing consent, and you can refuse or withdraw it at any time (see section 10). This attribution data comes solely from our own tamrank.com website marketing cookies and never includes any data obtained through the Google Search Console or Google Analytics integrations in the plugin.
9 Transfers outside the EU
Most of the processing described in this policy happens inside the European Union. Our server infrastructure, our error monitoring (Sentry) and our email delivery (Brevo) all run on EU infrastructure, and Mollie is established in the Netherlands.
Some of the sub-processors listed in section 8 are established in the United States. Using them means your personal data is transferred outside the European Economic Area:
| Stripe | Payment processing |
| Search Console, PageSpeed, Indexing and Google Analytics 4 APIs — the plugin integrations you connect (see section 5) | |
| Google Ads | Only if we run advertising campaigns and you have accepted marketing cookies; used for website conversion and attribution measurement only, never for data from the Search Console or Google Analytics integrations |
| Cloudflare | Content delivery and security for our website |
| Anthropic | AI features, when you choose to use them (see section 6) |
| OpenAI | AI features, when you choose to use them (see section 6) |
For all of these transfers we rely on the European Commission's Standard Contractual Clauses, as set out in each provider's data processing agreement, together with additional safeguards where these are needed. Stripe, Google, Cloudflare and OpenAI are in addition certified under the EU-U.S. Data Privacy Framework, which the European Commission has recognised as providing an adequate level of protection for personal data transferred to the United States; that certification comes on top of the contractual clauses rather than replacing them. Anthropic is not certified under that framework, so for Anthropic the Standard Contractual Clauses are the sole basis.
You have the right to know which safeguard applies to a specific transfer and to receive a copy of it. Email [email protected] and we will tell you which mechanism we rely on for that provider and how to obtain the relevant documentation.
10 Cookies and website tracking
This section is about our own website (tamrank.com and the customer portal). It does not describe the TamRank plugin: the plugin sets no cookies on your WordPress site or your visitors' browsers, and adds no analytics to your frontend (see sections 2 and 4).
Your choice comes first
When you first visit our website, a consent banner lets you choose which categories of cookies you allow. Everything except strictly necessary cookies stays switched off until you opt in. We use Google Consent Mode v2, which means that before you consent, analytics and advertising storage are set to "denied" by default. You can change or withdraw your choice at any time through the "Cookie preferences" link in the footer.
Strictly necessary (always on)
These are required for the website to work and cannot be switched off:
- Session cookie: keeps you logged in while browsing the website
- WooCommerce cookies: remember your cart contents and checkout progress
- CSRF token: protects form submissions against cross-site request forgery
- Consent cookies (
tamrank_consent,tamrank_consent_marketing): remember the cookie choices you made, so we can honour them
Analytics (only with your consent)
If you accept analytics cookies, we measure how the website is used so we can improve it. This uses first-party analytics collected through our own endpoint (edge.tamrank.com). We do not currently use Google Analytics 4; if we add it, it will run under Google Consent Mode v2 and only after you accept analytics cookies. We minimise personal data: IP addresses and email addresses are stored only as a one-way hash, never in the clear.
Before you make a cookie choice, we do not place cookies and we store nothing on your device. We do still measure individual page views, using a short-lived pseudonymous identifier derived from a hash that rotates every day, so the same visitor cannot be recognised from one day to the next. This is pseudonymous personal data rather than anonymous data, and we rely on our legitimate interest in understanding how our website performs (see section 3). You can object to it at any time (see section 13).
Marketing (only with your consent)
If you accept marketing cookies, we can measure the effectiveness of any advertising campaigns we run and attribute sign-ups and purchases to them. This is what allows the limited attribution data described in section 8 to be shared with an advertising platform. If you do not accept marketing cookies, none of this happens.
Preferences (only with your consent)
If you accept preference cookies, we remember choices you make so we can personalise your experience.
Server-side records
Independently of cookies, we also record essential business events on our own servers, such as a completed purchase or a payment, because we need them to run the service and meet legal obligations (for example tax and accounting). These records are kept to what is necessary and are covered by the retention periods in section 11.
11 Data retention
We keep your data only as long as necessary:
| Account data | As long as your account is active, plus 30 days after deletion |
| Purchase records | 7 years (Dutch tax law requirement) |
| Support conversations | 2 years after last activity |
| License validation logs | 90 days |
| GSC cached data | Maximum 6 hours, deleted on disconnect |
| GSC auth tokens | Until you disconnect, then permanently deleted |
| GA4 cached data | Maximum 6 hours, deleted on disconnect |
| AI processing data | Not stored by us: processed in memory and discarded. Our AI providers (Anthropic, OpenAI) may retain it for a short period, typically up to 30 days, for abuse and security monitoring under their data processing terms (see section 6) |
| Server logs | 30 days |
| Marketing contact data (Brevo) | Kept until you unsubscribe or request deletion; suppressed contacts are retained only to honour your opt-out |
| Website analytics data | Pseudonymized (hashed identifiers). Our own first-party analytics database is kept for up to 36 months, so we can compare year-on-year trends and improve the product over the longer term. If we enable Google Analytics 4 in the future, its event data would be kept for 14 months, the retention limit Google applies to the free version. |
| Consent records | Up to 3 years, as proof of the cookie consent you gave |
When you delete your account, we remove all personal data within 30 days, except purchase records which we are legally required to keep for 7 years.
12 Security
We protect your data with the following measures:
- All data transmitted between the plugin, our servers, and third-party APIs uses HTTPS/TLS encryption
- Sensitive credentials (such as Google OAuth tokens) are encrypted at rest using AES-256
- Access to our servers is restricted and protected with key-based authentication
- Payment data is handled exclusively by PCI-DSS compliant providers (Mollie and Stripe)
- We regularly update our server software and dependencies to patch known vulnerabilities
No system is 100% secure. If a personal data breach occurs, we will report it to the Dutch Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (Article 33 GDPR). If the breach is likely to result in a high risk to you, we will also inform you directly, without undue delay (Article 34 GDPR).
13 Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: ask us to correct inaccurate or incomplete data
- Deletion: ask us to delete your personal data
- Restriction: ask us to limit how we process your data
- Portability: request your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Withdraw consent: withdraw consent for marketing emails, and for analytics or marketing cookies (via "Cookie preferences" in the footer), at any time
To exercise any of these rights, email us at [email protected]. We respond within one month. If your request is complex, or if you have made a number of requests, we may extend that by up to two further months, and we will tell you within the first month if we do (Article 12(3) GDPR).
We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you, including profiling of that kind (Article 22 GDPR).
If you believe we are not handling your data correctly, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
14 Children's privacy
TamRank is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
15 Changes to this policy
We may update this privacy policy to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you by email or through a notice on our website. The "last updated" date at the top always shows the most recent version.
16 Contact
Questions about your privacy or this policy? We're happy to help.