Your data is yours.

We collect information you provide directly (such as your name, email address, and business details when you sign up or configure your account), as well as information generated when you use Rufio (such as messages, schedules, reports, and workflow data specific to your business).

We also collect standard technical data: IP address, browser type, device type, referring URL, and pages visited within the application. This data is collected automatically via server logs and analytics tooling.

We do not sell your data. We do not use your business data to train shared AI models. Your data is used solely to operate and improve Rufio for you.[CONFIRM: AI training policy — confirm no training on customer data]

Data is collected through:

• Account registration and profile setup
• In-app conversations and configuration
• Inbound communications (calls, SMS, email) routed through Rufio
• Billing and payment processing via our payment provider
• Cookies and similar tracking technologies (see Section 4)
• Integrations you authorise (e.g. calendar connections, CRM imports)
• Support requests submitted to our team

We collect and process your data to:

• Create and maintain your account
• Deliver and improve Rufio features and AI capabilities
• Process payments and manage your subscription
• Provide customer support
• Comply with legal obligations
• Send transactional and service communications (not marketing, unless you opt in)
• Monitor security, fraud, and abuse

We rely on the following legal bases for processing (where applicable): performance of a contract (providing the service), legitimate interests (product improvement, security), legal obligation, and consent (marketing communications).

Rufio uses cookies and similar technologies. We categorise them as follows:

You can manage cookie preferences through your browser settings. Disabling essential cookies will impair the service.

Rufio relies on the following third-party service providers to deliver the product. Each is bound by data processing agreements consistent with applicable privacy law.[CONFIRM: confirm DPAs are in place with all listed processors]

We do not sell your data to any third party and do not share it with third parties for their independent marketing or commercial purposes.

We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:

• Account data — retained for the duration of your subscription plus 30 days after cancellation to allow reactivation.[CONFIRM: confirm 30-day reactivation window]
• Business data (customers, jobs, reports) — retained while your account is active. Exported and deleted upon verified account deletion request.[CONFIRM: confirm deletion pipeline exists and timeline]
• Communication records (call logs, SMS) — retained for[CONFIRM: confirm retention period for comms records (e.g. 12 months)]
• Billing records — retained for 7 years as required by tax and financial regulations.
• Server logs — retained for 90 days.[CONFIRM: confirm server log retention]

Regardless of where you are located, you may:

• Access — request a copy of the personal data we hold about you
• Correct — update or correct inaccurate data
• Delete — request deletion of your account and associated data (right to erasure / right to be forgotten)
• Restrict — ask us to pause processing while a dispute is resolved
• Portability — receive your data in a structured, machine-readable format
• Object — opt out of processing based on legitimate interests

To exercise any of these rights, email privacy@strata19.com with your request. We will respond within 30 days.[CONFIRM: confirm canonical privacy email address]

If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR. Our legal bases for processing are:

• Contract performance — to deliver the Rufio service
• Legitimate interests — security monitoring, fraud prevention, product improvement
• Legal obligation — tax, accounting, law enforcement requests
• Consent — marketing emails, non-essential cookies

Data transfers to the United States use Standard Contractual Clauses (SCCs) approved by the European Commission.[CONFIRM: confirm SCCs are executed with all US subprocessors]

You have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated.

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to:

• Know what personal information we collect and how it is used
• Request deletion of personal information (subject to exceptions)
• Opt out of the sale of personal information — we do not sell personal information
• Non-discrimination for exercising privacy rights
• Correct inaccurate personal information
• Limit the use and disclosure of sensitive personal information

To submit a CCPA request, email privacy@strata19.com or use the rights exercise process in Section 7.[CONFIRM: confirm CCPA request process and 45-day response timeline]

Rufio honours privacy rights for residents of states with applicable privacy legislation, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others as they come into effect. The rights described in Section 7 apply to residents of these states.[CONFIRM: confirm which state laws apply based on customer geography and revenue thresholds]

If your state enacts a privacy law not listed here, contact us and we will work with you under the spirit of the applicable regulation.

For all privacy inquiries, access requests, deletion requests, or complaints:

privacy@strata19.com[CONFIRM: confirm canonical privacy email address]

We aim to respond to all requests within 30 days. Complex requests may take up to 90 days; we will notify you if additional time is required.

This policy may be updated from time to time. Material changes will be communicated via email or an in-app notice before they take effect.