Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account information - when you register, we collect your name, email address, and password (stored as a bcrypt hash - we never store plaintext passwords). If you sign up via an OAuth provider (Google, GitHub, or Microsoft), we receive your name and email from the provider.
• Organization information - organization name and billing contact details.
• Payment information - when you upgrade to a paid plan, payment details (credit card number, billing address) are collected and processed directly by Stripe, our payment processor. We do not store your full credit card number. We receive and store your Stripe customer ID and subscription status.
• Corpus configuration - source URLs, crawl policies, search policies, ranking configurations, and connector settings you provide when creating and managing corpora.
• API keys - we store a SHA-256 hash of each API key and a masked prefix for display. We do not store the full plaintext key after initial creation.
• Team member information - when you invite members to your organization, we collect their email addresses and assigned roles.
• Support communications - if you contact us for support, we collect the content of your messages and any information you choose to provide.

1.2 Information We Collect Automatically

• Usage data - we track metered usage counters for billing purposes: search queries, pages crawled, documents fetched, and storage consumed. These are aggregated per organization and billing period.
• Crawl and indexing data - crawl job metadata (status, timing, page counts, error types), source health indicators, and document metadata (URLs, titles, content types, content hashes). This data is necessary to operate the crawling and indexing pipeline.
• Access logs - we log API requests including timestamps, HTTP method, endpoint path, response status codes, and the authenticated organization. We do not log request bodies or search query content in access logs.
• Session data - when you use the dashboard, we issue a JWT session token containing your user ID, organization ID, and role. Sessions expire after 30 days.
• Device and browser information - we collect standard HTTP headers (user agent, IP address, referrer) for security monitoring and abuse prevention. We do not use this information for tracking or advertising.

1.3 Analytics

We use PostHog analytics to understand website usage patterns. This includes pages visited, time on pages, referring websites, general geographic location, device type, and browser information. You can opt out using the "Do Not Sell or Share My Personal Information" link in our footer.

1.4 Information We Do Not Collect

• We do not use cookies for advertising or cross-site tracking.
• We do not collect biometric data.
• We do not use third-party analytics or advertising trackers on the dashboard.
• We do not read, analyze, or use the content of your search queries or indexed documents for any purpose other than delivering the Service to you.

2. How We Use Your Information

2.1 Providing the Service

• Authenticating you and resolving your organization context
• Crawling the web sources you specify, extracting content, and building searchable indexes
• Serving search queries, document fetches, and change feeds
• Delivering webhook notifications to your registered endpoints
• Providing access to Curated Corpora in the Catalog

2.2 Billing and Account Management

• Tracking metered usage for billing
• Processing payments through Stripe
• Enforcing plan limits
• Sending invoices and payment-related notifications

2.3 Communications

• Sending transactional emails: email verification, password resets, team invitations, invoice receipts, and payment failure notices
• Sending service-related notices (e.g., plan changes, scheduled maintenance, Terms updates)
• We do not send marketing emails unless you explicitly opt in

2.4 Security and Abuse Prevention

• Detecting and preventing unauthorized access, fraud, and abuse
• Monitoring for unusual API usage patterns or crawl behavior
• Enforcing rate limits and crawl defense mechanisms
• Investigating security incidents

2.5 Service Improvement

We analyze aggregated, anonymized usage patterns (e.g., query volume distribution, crawl throughput, feature adoption) to improve performance and reliability. We do not use your indexed content, source lists, search queries, or corpus configurations for model training, benchmarking, or any purpose beyond delivering the Service.

3. How We Store and Protect Your Information

3.1 Infrastructure

The Service runs on cloud infrastructure (AWS). Data is stored in PostgreSQL (account information, organization settings, corpus configurations, API key hashes, billing records, team memberships), DynamoDB (indexed documents, document versions, change events, crawl task state), and S3 (shard backups and document snapshots, encrypted at rest).

3.2 Encryption

• Data in transit is encrypted via TLS (HTTPS for all API and dashboard traffic)
• Data at rest is encrypted using cloud-provider managed encryption (AWS)
• Passwords are hashed with bcrypt
• API keys are hashed with SHA-256
• Connector secrets (API tokens for third-party services you configure) are encrypted at rest

3.3 Access Controls

Your organization's data is isolated from other organizations at the application and database level. Every API request is scoped to the authenticated organization. Internal access to production systems is restricted to authorized personnel, requires multi-factor authentication, and is logged.

3.4 Security Practices

• Inter-service communication is authenticated via HMAC-SHA256 signed tokens
• Webhook deliveries are signed with HMAC-SHA256 so you can verify their authenticity
• API key scoping allows you to restrict keys to specific corpora and operations
• We conduct periodic security reviews of our codebase and infrastructure

4. Data Sharing

We do not sell, rent, or trade your personal information.

We share information only in the following circumstances:

4.1 Service Providers

These providers process data solely on our behalf and are contractually bound to protect it.

4.2 Catalog

If you publish a corpus to the Catalog, its title, description, category, tags, and aggregate statistics become visible to other users. The indexed content is accessible to subscribers via search and document fetch. You control what you publish and can unpublish at any time.

4.3 Organization Members

All members of your organization can see and access your organization's corpora, usage data, and API keys (subject to role-based access controls). Admins can see all team members and billing information.

4.4 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request. We will notify you of such requests unless prohibited by law or court order.

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email or dashboard notice before your information becomes subject to a different privacy policy.

5. Data Retention

After the retention period, data is permanently deleted.

6. Your Rights and Choices

6.1 Access and Portability

You can access your account information, organization settings, and corpus configurations through the dashboard and API at any time. You can export your corpus data (documents, search results, change events) via the API.

6.2 Correction

You can update your name, email, and password through the dashboard account settings. Organization admins can update the organization name.

6.3 Deletion

You can delete individual corpora at any time. Corpus deletion permanently removes all associated documents, index data, and change events. You can delete your account through the dashboard. Account deletion permanently removes your personal information, all organizations you own, and your memberships in other organizations.

6.4 Communication Preferences

Transactional emails (verification, password resets, invoices, security alerts) cannot be opted out of while your account is active, as they are necessary to operate the Service. You may opt out of any non-essential communications.

6.5 Additional Rights for EEA, UK, and California Residents

If you are located in the European Economic Area (EEA), United Kingdom (UK), or California, you may have additional rights under GDPR, UK GDPR, or CCPA, including:

• Right to Know - request disclosure of categories and specific pieces of personal information collected
• Right to Delete - request deletion of your personal information (with certain exceptions)
• Right to Correct - request correction of inaccurate personal information
• Right to Opt-Out - opt-out of the "sale" or "sharing" of personal information (we do not sell personal information)
• Right to restriction - request that we restrict processing of your data in certain circumstances
• Right to object - object to processing based on legitimate interests
• Right to lodge a complaint - file a complaint with your local data protection authority
• Right to non-discrimination (CCPA) - we will not discriminate against you for exercising your privacy rights

To exercise any of these rights, use our Privacy Rights Request Form or contact us at privacy@rlvnce.com.

6.6 Do Not Track

We honor "Do Not Track" preferences. You can opt out of analytics tracking by clicking the "Do Not Sell or Share My Personal Information" link in our website footer.

7. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. We rely on standard contractual clauses and other lawful transfer mechanisms where required by applicable data protection laws.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly. If you believe a child has provided us with personal information, contact us at privacy@rlvnce.com.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the dashboard at least 30 days before they take effect. The "Effective date" at the top of this document indicates when the current version became effective.

10. Contact

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: