Privacy Policy

Last updated: April 2026

What we collect

We collect the information necessary to operate Rasm, including:

  • Account information — your email address, name, and organization details provided at sign-up.
  • Workspace connection tokens — OAuth tokens granted by your integrations (such as Slack or GitHub) to allow scanning. These are encrypted at rest using AES-256-GCM.
  • Scanned message content and metadata — messages and associated metadata processed by the scanning engine to identify compliance violations. Only messages that trigger violations are stored long-term.
  • Product usage data — logs of actions taken within the application for security, debugging, and audit trail purposes.

Why we collect it

All data is collected solely to provide our compliance monitoring services: scanning communications for policy violations, producing audit-ready reports, and surfacing alerts to authorized reviewers in your organization. We do not sell personal data. We do not use customer content to train AI models.

Third-party processors

We rely on a small set of subprocessors to deliver the service. Each receives only the data required for its specific function:

  • OpenAI
    Message content is sent to OpenAI for AI-powered compliance scanning via their API. OpenAI's API data usage policy prohibits training on API inputs. We do not send data to OpenAI for model training purposes.
  • Paddle
    Our Merchant of Record for billing, subscriptions, and payment method storage. Paddle handles checkout, invoicing, and global tax compliance on our behalf. We never store full payment card details on our systems. Paddle is PCI-DSS Level 1 certified.
  • Resend
    Delivers transactional email including account notifications, alert digests, and compliance reports. Only email addresses and message content are shared.
  • Vercel
    Provides hosting, edge delivery, and serverless compute for the Rasm application. Vercel is SOC 2 Type II certified.

Data retention

Customers control data retention periods through their organization settings. The default retention period is 90 days for scanned content and violation records. Backups are retained for a short rolling window and are deleted automatically. Upon account termination, all data is permanently deleted within 30 days.

Your rights (EEA/UK — GDPR)

If you are a resident of the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR), including:

  • The right to access the personal data we hold about you (Article 15).
  • The right to correct inaccurate data (Article 16).
  • The right to request deletion of your data (Article 17).
  • The right to data portability (Article 20).
  • The right to object to processing (Article 21).

To exercise these rights, contact us at the address below. We will respond within 30 days as required by law.

California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

  • Right to know — you may request details about the personal information we collect and how we use it.
  • Right to delete — you may request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale — we do not sell personal information to third parties. There is nothing to opt out of.
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@rasm.ai with the subject line "CCPA Request."

International data transfers

Rasm processes data in the United States. If you are located outside the US, your data will be transferred to and processed in the US. For customers in the European Economic Area, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for cross-border transfers. Contact us if you require a copy of our SCCs or a Data Processing Agreement (DPA).

Cookies

We use a small number of first-party cookies strictly for authentication and session management. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individual users.

Children's privacy

Rasm is a business-to-business service not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

Changes to this policy

We may update this privacy policy from time to time. For material changes, we will notify you via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact

Privacy questions or data requests should be directed to privacy@rasm.ai.