Privacy Policy
Effective date: [EFFECTIVE_DATE] · Last updated: 2026-06-11
This Privacy Policy explains how [ENTITY] ("AskRoby", "we", "us") collects, uses, shares and protects personal data in connection with the AskRoby service at www.askroby.io (the "Services"). We aim to comply with the EU/UK General Data Protection Regulation (GDPR), Ecuador's Ley Orgánica de Protección de Datos Personales (LOPDP) and other applicable data-protection laws.
For most personal data we collect about you (your account, billing, usage), we act as the data controller. For the documents and content you upload and ask us to store and process on your behalf, we act as a data processor and the relevant terms are in our Data Processing Agreement.
1. Data We Collect
Account data. When you create an account we collect your email address, password (stored hashed, never in plain text), and optionally your name, account type (personal/company) and organization name.
Billing data. If you subscribe to a paid plan, payment is handled by our payments provider (Merchant of Record). We receive limited billing information (such as plan, status and country / tax identifiers); we do not store full card numbers.
Content you upload. The documents, files and text you add to your AskRoby memory, plus derived data such as extracted text, vector embeddings (numerical representations used for semantic search) and AI-generated answers.
Usage and technical data. IP address, browser/user-agent, language, pages viewed, timestamps, and basic diagnostic logs, collected to operate, secure and improve the Services.
Communications. If you contact support, the messages and details you provide.
2. How and Why We Use Data (Legal Bases)
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the Services (store your content, generate AI answers, search) | Performance of a contract |
| Account management, billing and notices | Performance of a contract |
| Security, abuse prevention, diagnostics | Legitimate interests |
| Customer support | Contract / legitimate interests |
| Legal and regulatory compliance | Legal obligation |
| Optional marketing emails | Consent (you can withdraw anytime) |
AI processing. To answer your questions, the relevant parts of your content are sent to third-party AI model and embedding providers (see Section 4). We do not use your content to train our own or third parties' foundation models, and we contractually require our AI sub-processors not to use it to train their models other than as needed to provide the Services.
3. Special-Category Data
We do not intentionally collect special categories of data (e.g. health, biometric, religious). However, you may store such data inside the documents you upload. If you do, you are the controller of that data and must ensure you have a lawful basis; we process it only on your instructions as described in the DPA.
4. Sub-processors and Sharing
We share personal data with a limited set of vendors that process it on our behalf under appropriate contractual protections:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database and file storage | [REGION / USA] |
| Vercel | Application hosting / delivery | USA |
| OpenRouter (and the underlying AI model providers it routes to) | Generating AI answers about your content | USA / international |
| OpenAI | Text embeddings for semantic search | USA |
| Resend | Sending transactional emails | USA |
| Polar | Payments (Merchant of Record), billing and tax | USA / EU |
We may also disclose data to comply with a valid legal request, to enforce our Terms, to protect rights, safety or property, or in connection with a merger or acquisition (under confidentiality). We do not sell your personal data.
5. International Transfers
The Services and several sub-processors are located in the United States and other countries. Where we transfer personal data outside your country (including outside the EEA, the UK or Ecuador), we rely on appropriate safeguards such as Standard Contractual Clauses (or equivalent mechanisms) or an applicable adequacy decision.
6. Retention and Deletion
We keep your account and content for as long as your account is active or as needed to provide the Services. When you delete content or close your account, we delete the associated documents, files and embeddings within [RETENTION_DAYS] days, except for limited data we must keep to meet legal, accounting or security obligations, and short-lived copies in encrypted backups which are rotated out within [BACKUP_DAYS] days.
7. Security
We use organizational and technical measures appropriate to the risk, including encryption in transit (TLS), hashing of passwords, access controls, network controls and regular updates. No method of transmission or storage is perfectly secure, but we work to protect your data and will notify you and the competent authority of any qualifying personal-data breach as required by law.
8. Cookies
We use a small number of strictly necessary cookies to keep you logged in and to secure the Services, and — only with your consent — optional analytics cookies. You can accept or reject optional cookies via our cookie banner, and change your choice at any time by clearing the cookie. Necessary cookies cannot be switched off as they are essential to the Services.
9. Your Rights
Subject to applicable law, you have the right to access, rectify, erase, restrict or object to the processing of your personal data, to data portability, and to withdraw consent. You may exercise most rights directly in your account settings, or by contacting [PRIVACY_EMAIL]. We may need to verify your identity. You also have the right to lodge a complaint with your local data-protection authority (in Ecuador, the Superintendencia de Protección de Datos Personales; in the EEA/UK, your national authority).
10. Children
The Services are not directed to children under 13, and we do not knowingly collect their data. If you believe a child has provided us personal data, contact [PRIVACY_EMAIL] and we will delete it.
11. Changes and Contact
We may update this Policy and will post changes here with a new "Last updated" date; we will give notice of material changes. Controller: [ENTITY], [ADDRESS]. Privacy contact: [PRIVACY_EMAIL]. [DPO_OR_REP].
