Privacy Policy | Rulestack

1. Introduction & Identity

Rulestack ("we," "us," or "our") is a context management platform for AI tools. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, MCP API, and related services (collectively, the "Service").

Contact Information:
Email: privacy@rulestack.co
For data protection inquiries, contact our Data Protection Officer at dpo@rulestack.co

2. Data Collection

We collect the following categories of information:

Account Data

Email address (required for account creation)
Name (optional)
Organization/workspace name
Profile preferences

Usage Data

IP address and approximate location
Browser type and version
Device information
Feature usage logs and timestamps
Pages visited and actions taken

Content Data

Guidelines, rules, and context configurations you create
Uploaded documents and source files
Custom prompts and templates

Integration Data

OAuth tokens and connection metadata for third-party integrations
API keys you generate for programmatic access
Third-party service identifiers (e.g., ChatGPT, Claude)

Audit Data

MCP tool invocations (list_use_cases, get_context, search_context)
Context fetch requests and responses
Authentication events

3. Legal Bases for Processing (GDPR)

We process your personal data under the following legal bases:

Contractual Necessity: Processing account data and content to provide the Service you requested.
Legitimate Interests: Usage analytics, security monitoring, and service improvement, balanced against your privacy rights.
Legal Obligation: Compliance with applicable laws, such as maintaining audit logs.
Consent: Where required, such as for marketing communications (you may withdraw consent at any time).

4. Third-Party Services & Subprocessors

We use the following third-party services to operate Rulestack. Each subprocessor is bound by data protection agreements.

Service	Purpose	Location
Supabase	Database, authentication, storage	US/EU
Vercel	Web hosting, edge functions	US/EU
OpenAI	AI integration (user-initiated)	US
Anthropic	AI integration (user-initiated)	US

For the complete list of subprocessors, see our Subprocessors page.

5. AI Integration Disclosure

Rulestack integrates with third-party AI services. Important disclosures:

User-Initiated Only: Data is sent to AI services only when you explicitly use AI features (e.g., connecting ChatGPT via OAuth).
No Training: Rulestack does NOT use your content to train AI models. Your guidelines, playbooks, and context remain yours.
Third-Party Policies: When you connect to OpenAI, Anthropic, or other AI providers, their respective privacy policies apply to data they receive.
Revocation: You can revoke OAuth connections at any time from your Settings page.

6. Data Retention

Data Type	Retention Period
Account data	Duration of account + 90 days
Usage logs	24 months
User content (guidelines, rules)	Until deleted by user
OAuth tokens	Until revoked or expired
Audit logs	7 years (compliance)

7. Your Rights

You have the following rights regarding your personal data:

Access: Request a copy of your data (data export available in Settings).
Rectification: Correct inaccurate personal information.
Erasure: Request deletion of your data ("right to be forgotten").
Restriction: Request limitation of processing.
Portability: Receive your data in a machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw Consent: Where processing is based on consent.

To exercise these rights, visit your Settings page or contact us at privacy@rulestack.co. We will respond within 30 days.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

We do not sell personal information. Rulestack does not sell, rent, or trade your personal information to third parties.
We do not share for cross-context behavioral advertising.
Right to Know: Request disclosure of personal information collected and its use.
Right to Delete: Request deletion of your personal information.
Right to Opt-Out: Opt out of the sale of personal information (not applicable as we do not sell data).
Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

9. Security Measures

We implement industry-standard security measures to protect your data:

Encryption in Transit: TLS 1.3 for all connections.
Encryption at Rest: AES-256 encryption for stored data (via Supabase).
Access Controls: Role-based access with principle of least privilege.
Row-Level Security: Database policies ensure users only access their own data.
Audit Logging: All access events are logged for security monitoring.
Infrastructure: Supabase (SOC 2 Type II compliant) and Vercel hosting.

10. Cookies & Tracking

Rulestack uses minimal cookies:

Essential Cookies: Session management and authentication (required for the Service to function).
Preference Cookies: Theme selection and UI preferences.

We do not use third-party marketing or tracking cookies. We do not engage in cross-site tracking.

11. International Data Transfers

Your data may be processed in the United States and other countries where our subprocessors operate. For transfers from the European Economic Area (EEA), UK, or Switzerland, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Subprocessor agreements with appropriate data protection provisions
Supabase data residency options (EU hosting available)

12. Policy Updates

We may update this Privacy Policy from time to time. For material changes, we will:

Post the updated policy with a new "Last updated" date
Notify you via email or in-app notification
Provide at least 30 days notice before significant changes take effect

Your continued use of the Service after changes indicates acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: privacy@rulestack.co
Data Protection Officer: dpo@rulestack.co