Privacy Policy
This Privacy Policy explains how RustyRAG, Corp. ("RustyRAG", "we", "us") collects, uses, shares, and protects personal information. It applies to our website at rustyrag.ai, our API at api.rustyrag.ai, our dashboards, and any other product or service that links to this Policy (the "Service"). It does not apply to third-party websites or services that are not under our control.
1. Who we are
RustyRAG, Corp. is a Delaware corporation with offices at 131 Continental Drive, Suite 305, Newark, Delaware 19713, United States. We are the data controller for personal information processed about you in connection with our marketing, sales, billing, and account management activities. When we process Customer Content on your behalf as part of the Service, we act as a data processor or service provider, and you are the controller.
For any privacy question or request, contact us at ignas@rustyrag.ai.
2. Information we collect
2.1 Account and contact data
When you sign up, we collect your name, email address, company name, role, and credentials. We also collect billing details such as billing address and tax identifiers; payment card data is collected and stored directly by Stripe, not by us.
2.2 Customer Content
When you use the Service, you upload documents, files, queries, and metadata ("Customer Content"). Customer Content may contain personal information about you or third parties. You decide what to upload. We process Customer Content under your instructions as set out in our Terms of Service.
2.3 Usage and telemetry
We log API requests, response times, error codes, IP address, user agent, request size, and similar technical metadata. We use this to operate, secure, debug, and improve the Service.
2.4 Website and analytics data
Our marketing website uses Google Analytics. Google Analytics sets cookies and collects information about your visit, such as pages viewed, referrer, approximate location based on IP, device type, and time on page. We use this to understand traffic and improve the website. You can opt out by installing the Google Analytics Opt-out Browser Add-on.
2.5 Communications
When you contact us, we keep the message, your contact details, and any attachments so we can respond and maintain a record.
2.6 Google Workspace data (connectors)
If you connect a Google account through the Service (for example, the Google Drive or Gmail connector), you grant us read access to data in your Google account under the scopes you approve on Google's consent screen. The scopes we may request are:
- https://www.googleapis.com/auth/drive.readonly: read access to files and folders you select in Google Drive.
- https://www.googleapis.com/auth/gmail.readonly: read access to messages, labels, and attachments matching the search query you configure in Gmail.
- openid, email, profile: to identify which Google account is connected.
How we use Google data. We fetch the content of files or messages you have scoped, run text extraction, generate vector embeddings used to answer your queries, and store the embeddings along with a short text snippet for citation. We do not persist the original file bytes after extraction. We do not access any file or message outside the scope you configured.
Limited Use disclosure. RustyRAG's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, RustyRAG does not:
- Use Google user data to develop, improve, or train generalized or non-personalized AI or machine learning models.
- Transfer Google user data to third parties except as necessary to provide or improve user-facing features prominent in the requesting app's user interface, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's explicit prior consent.
- Use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- Allow humans to read Google user data, unless we have obtained your affirmative agreement to view specific messages or files, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized for internal operations and only in accordance with applicable privacy and other jurisdictional legal requirements.
Retention and deletion. Embeddings derived from Google data are retained while the connector is active and the underlying source file or message still exists. When you disconnect the connector, when you delete the target collection, or when the source item is deleted in Google, we remove the associated embeddings from our vector store. You can also request immediate deletion by contacting us at ignas@rustyrag.ai.
Revoking access. You can revoke RustyRAG's access at any time from your Google Account page at myaccount.google.com/permissions, or by disconnecting the connector inside RustyRAG. Revoking access in Google does not automatically delete embeddings already stored; disconnect the connector inside RustyRAG to remove them.
3. How we use information
We use the information we collect to:
- Operate, maintain, secure, and improve the Service.
- Process payments and manage your Subscription.
- Provide customer support, including investigating support requests you submit.
- Detect and prevent fraud, abuse, security incidents, and violations of our Terms.
- Send transactional messages (for example, billing receipts and service alerts) and, where allowed, product updates and marketing. You can opt out of marketing at any time.
- Comply with legal obligations.
No training on Customer Content. We do not use Customer Content to train or fine-tune our models or any third-party model. We do not share Customer Content with anyone except the Subprocessors listed in Section 6, and only to the extent needed to provide the Service.
No human review without consent. We do not access Customer Content for any reason other than automated processing to operate the Service. We only access Customer Content with your explicit consent (for example, when you ask us to investigate a support ticket), to comply with a valid legal request, or to address a security incident.
4. Legal bases (GDPR and UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
- Contract. To provide the Service you have requested and to take steps before entering into a contract.
- Legitimate interests. To secure the Service, prevent abuse, measure how our website performs, and grow our business, balanced against your rights.
- Legal obligation. To comply with tax, accounting, and other laws.
- Consent. Where required (for example, for non-essential cookies or marketing in certain jurisdictions). You can withdraw consent at any time.
5. Sharing of information
We share personal information only as follows:
- Subprocessors (Section 6) that help us operate the Service.
- Professional advisers such as our accountants and lawyers, under duties of confidentiality.
- Authorities when required by law, by a court order, or by a valid legal request, and only to the minimum extent required.
- Successors in a merger, acquisition, financing, or sale of assets, subject to the same protections described here.
We do not sell personal information or Customer Content. We do not share personal information for cross-context behavioral advertising.
6. Subprocessors
We use the following Subprocessors to provide the Service. Each is bound by a written agreement that obligates them to protect personal information consistent with this Policy.
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, billing, tax | United States |
| Google LLC (Google Analytics) | Website analytics | United States |
| Google LLC (Drive API, Gmail API) | Source data when you enable the Google Drive or Gmail connector. Data flows from Google to RustyRAG under the OAuth scopes you approve. | United States |
| Cerebras Systems, Inc. | LLM inference | United States |
| Groq, Inc. | LLM inference | United States |
| TensorDock, Inc. | Compute and hosting | United States |
| Microsoft Azure (Blob Storage) | Object storage for Customer Content | United States |
Milvus (vector database) and Jina AI components (embeddings and reranker) run on infrastructure we manage at our hosting provider and are not external subprocessors. We will give at least 30 days' notice before adding a new Subprocessor that processes Customer Content. Customers on paid plans may object in writing within that period.
7. International data transfers
We are based in the United States. Our Subprocessors are also located in the United States. If you are in the European Economic Area, the United Kingdom, Switzerland, or Brazil, your personal information may be transferred to and processed in the United States.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where relevant) and equivalent mechanisms approved by competent authorities. For transfers under Brazilian law (LGPD), we rely on Article 33 mechanisms including specific contractual clauses and your consent where required.
8. Data retention
We keep personal information only for as long as needed to provide the Service and to comply with legal, accounting, or reporting requirements. Specifically:
- Account data: kept for the duration of your Account and up to 7 years after closure for tax and accounting purposes.
- Customer Content: kept while your Account is active. After you delete an item, or after Account closure, we keep Customer Content for a 30-day grace period during which you can recover it. After that grace period we permanently delete Customer Content from production systems within 30 additional days; encrypted backups purge on a rolling 90-day cycle.
- Logs and telemetry: kept up to 12 months, then deleted or aggregated.
- Marketing data: kept until you unsubscribe or for 3 years after your last interaction, whichever is sooner.
9. Security
We use administrative, physical, and technical safeguards to protect personal information, including:
- TLS encryption in transit and AES-256 encryption at rest.
- Tenant isolation: each customer's indexes and Customer Content are logically separated and access-controlled.
- Least-privilege access controls for employees, with role-based permissions and logged administrative access.
- Secret management for API keys and credentials; rotation on a regular schedule.
- Continuous monitoring, vulnerability scanning, and a documented incident response process.
No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and any required authority without undue delay, consistent with applicable law.
10. Your rights
10.1 EEA, UK, and Switzerland (GDPR)
You have the right to:
- Access the personal information we hold about you and receive a copy in a portable format.
- Correct inaccurate or incomplete information.
- Delete personal information (right to erasure), subject to legal retention obligations.
- Restrict or object to certain processing.
- Withdraw consent at any time where we rely on consent.
- Lodge a complaint with your local data protection authority. We are happy to help if you contact us first.
10.2 California (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, use, disclose, and share; to request deletion; to correct inaccurate information; to opt out of "sale" or "sharing" (we do neither); and to limit the use of sensitive personal information. We do not discriminate against you for exercising these rights.
Categories of personal information we have collected over the past 12 months: identifiers (name, email, IP), commercial information (subscription and payment records), internet activity (log and analytics data), and inferences drawn from the above to operate the Service.
10.3 Brazil (LGPD)
If you are in Brazil, you have the rights set out in Article 18 of Law No. 13.709/2018, including confirmation of processing, access, correction, anonymization or deletion of unnecessary or excessive data, portability, information about sharing, and revocation of consent. To exercise these rights, contact ignas@rustyrag.ai.
10.4 How to exercise your rights
Send a request to ignas@rustyrag.ai from the email address associated with your Account. We will verify your identity and respond within the period required by applicable law (generally 30 days). You may designate an authorized agent to make a request on your behalf consistent with applicable law.
11. Cookies and similar technologies
Our website uses cookies and similar technologies, including:
- Essential cookies required to operate the website and keep you signed in.
- Analytics cookies set by Google Analytics to measure traffic and improve the website.
You can control cookies through your browser settings. Blocking essential cookies may break parts of the website.
12. Children
The Service is intended for business users aged 18 and over. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, contact us at ignas@rustyrag.ai and we will delete it.
13. Automated decision-making
We do not use personal information to make decisions that produce legal or similarly significant effects about you without human involvement. Output generated by the Service is intended to be reviewed by a human before consequential decisions are made.
14. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will give at least 30 days' notice by email or in-product notice. The "Effective date" at the top of this page shows the most recent revision.
15. Contact
RustyRAG, Corp.
131 Continental Drive, Suite 305
Newark, Delaware 19713, United States
ignas@rustyrag.ai
For EEA and UK users: if we appoint an Article 27 representative (GDPR) or UK representative, we will publish their contact details here.