Legal
Privacy Policy
Effective: May 26, 2026
1. Who We Are
RigRAG ("we", "us", "our") is a RAG-as-a-Service platform that provides semantic memory for AI agents. This policy explains how we collect, use, store, and protect personal data when you create an account, use our dashboard, or access our API.
2. Information We Collect
- Account data — email address and authentication metadata managed by Supabase.
- Documents & content — text extracted from files you upload to your memory spaces. This content is stored in our Supabase database and is used solely to power your RAG queries.
- Chunks & embeddings — uploaded documents are split into chunks and converted into vector embeddings for semantic search. Both chunks and embedding vectors are stored as service data associated with your account.
- Search queries — queries sent through the API or dashboard for retrieval purposes. Queries are not stored beyond the scope of processing your request.
- Billing data — payment information is processed by Stripe. We store only your Stripe customer ID, subscription tier, and invoice references; no raw card data ever touches our servers.
- Usage & credit data — credit consumption, API key activity, and space metadata to operate the service and enforce plan limits.
- Deletion records — when an account is deleted, we keep a minimal pseudonymous record (hashed account and request fingerprints, deletion time, billing tier, and aggregate usage counts) for security, fraud prevention, and legal compliance.
3. How RAG Processing Works
When you upload documents, we extract text, split it into chunks, generate vector embeddings via a third-party provider, and store the resulting chunks and metadata in our database. Embeddings are dense numerical vectors used for semantic search; they are derived from your content and treated as protected service data.
When you perform a search query, your query text is embedded and matched against stored vectors. Matching chunks are returned to you or your AI agent.
When answer generation is enabled, retrieved chunks and your query are sent to the selected AI model provider to produce a response.
4. Subprocessors & Third-Party Providers
We use the following subprocessors to deliver the service. Each provider's own data-processing terms apply to content sent to them.
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Auth, database, storage & backend infrastructure | Account data, documents, chunks, embeddings, metadata |
| Stripe | Billing and payments | Billing, customer, and subscription data |
| OpenRouter | Embeddings (default) and optional answer generation | Text chunks, queries, and retrieved context |
| Cohere | Optional reranking (when enabled for a space) | Query text and candidate chunks |
| Email provider | Transactional emails (account, billing events) | Email address and message metadata |
Only the text required to generate an embedding or response is transmitted to each provider. We do not send unnecessary personal data to any third party.
5. How We Use Your Data
- Provide, operate, and improve the RigRAG service.
- Process documents and return search results to you or your AI agents.
- Track credit usage and enforce plan limits.
- Send transactional emails (account, billing events) — never marketing without explicit consent.
- Detect and investigate abuse or violations of our Terms of Service.
We do not sell, rent, or share your data with third parties for advertising purposes.
No AI training: We do not use your documents, chunks, embeddings, queries, or retrieved context to train our own AI models or any third-party AI models.
6. Sensitive & Special Category Data
The Service is not intended for processing special categories of personal data (as defined under GDPR Article 9), highly sensitive personal data, children's data, payment card data, government identifiers, or regulated health information, unless you have a separate written agreement with us and have ensured you have the necessary legal basis for such processing.
7. Legal Basis for Processing (GDPR)
Where the General Data Protection Regulation (GDPR) applies, we process personal data on the following legal bases per Article 6:
| Purpose | Data | Legal basis |
|---|---|---|
| Account creation & login | Email, auth metadata | Contract, Art. 6(1)(b) |
| Providing RAG search & answer generation | Uploaded content, chunks, embeddings, queries | Contract, Art. 6(1)(b) |
| Billing & subscription management | Stripe customer ID, subscription tier, invoices | Contract + legal obligation, Art. 6(1)(b)/(c) |
| Abuse prevention & security | API activity, deletion fingerprints, logs | Legitimate interest, Art. 6(1)(f) |
| Transactional emails | Email address | Contract / legitimate interest, Art. 6(1)(b)/(f) |
8. Data Controller & Processor Roles
For account data, billing, security, and general service administration, RigRAG acts as the data controller.
For documents, chunks, embeddings, and queries uploaded or submitted by customers for processing through the Service, RigRAG generally acts as a data processor on behalf of the customer, unless otherwise required by law.
Business customers who require a Data Processing Agreement (DPA) under GDPR Article 28 can contact us at privacy@rigrag.com.
9. International Data Transfers
Some of our subprocessors (including Supabase, Stripe, OpenRouter, and Cohere) may process data outside the European Economic Area (EEA). Where such transfers occur, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent safeguards provided by our service providers. This is particularly relevant for AI providers, as document chunks and queries may contain personal data.
10. API Keys
API keys you generate are hashed before storage — we cannot recover the plaintext value. Keys grant access to your spaces on your behalf; treat them like passwords. You can revoke keys at any time from your account settings.
11. Data Retention
| Data | Retention |
|---|---|
| Documents, chunks, embeddings, space configurations | Until deleted by you or on account closure; purged within 30 days |
| Search queries | Not stored beyond the scope of processing your request |
| Billing records | As required by applicable tax and accounting law (retained by Stripe per financial regulations) |
| API activity & security logs | Up to 90 days |
| Pseudonymous deletion records | Up to 2 years for security, anti-abuse, and legal compliance |
| Backups | Rotated and deleted within 30 days |
12. Security
All data is encrypted in transit (TLS) and at rest. Access to production data is limited to authorised personnel. Row-Level Security policies in Supabase ensure that users can only access their own data.
13. Your Rights
Under the GDPR and other applicable privacy laws, you may have the following rights regarding your personal data:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data (right to be forgotten).
- Restriction — request that we restrict processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any right, contact us at privacy@rigrag.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
14. Cookies & Analytics
We use only strictly necessary session cookies for authentication (managed by Supabase). We do not run third-party analytics or advertising trackers.
15. Changes to This Policy
We may update this policy as the service evolves. Material changes will be communicated via email or an in-app notice at least 14 days before taking effect. Continued use of RigRAG after the effective date constitutes acceptance of the revised policy.
16. Contact
Questions, requests, or DPA inquiries? Reach us at privacy@rigrag.com.