Privacy Policy

Rufus is operated by ExpoSQL AI Labs (“ExpoSQL”, “we”, “us”). This Privacy Policy explains what personal data we collect, how we use it, and the choices you have. It applies to rufus.exposql.com and the in-app workspace.

• Account data: name, email, profile image, and a unique user ID from Google when you sign in.
• Workspace content: the company profile, knowledge-base entries, proposals, RFP responses, contract uploads, and brand assets you create or upload.
• Billing data: Stripe customer ID, subscription status, and credit ledger. Card details are handled by Stripe, not us.
• Usage data: device, browser, IP, and product interaction logs we use to keep the service running and improve it.
• Cookies: a session cookie for authentication and (where used) a small set of analytics cookies. See section 8.

• To provide and run the Rufus product, including generating proposals, answering RFPs from your knowledge base, and reviewing contracts you submit.
• To bill, track credits, and prevent abuse.
• To send service announcements and respond to support requests.
• To debug, monitor performance, and improve features. Aggregate or de-identified analytics may be retained.

We do not sell your personal data, and we do not use your workspace content to train third-party foundation models. Your content is processed by AI providers (currently Anthropic) only as needed to fulfil the requests you initiate.

When you ask Rufus to generate or analyse something, the relevant text from your workspace (e.g. the knowledge-base entries you select, the contract you upload, the proposal form you submit) is sent to our AI provider to compute the response. Outputs are returned to your workspace, stored under your account, and not shared with other customers.

Rufus is not a law firm. Contract review outputs (summaries, red flags, suggested edits) are for your review and convenience — they are not legal advice and you should not rely on them as a substitute for qualified counsel.

We rely on a small set of providers, each with appropriate data-processing terms:

• Google — sign-in (OAuth).
• Neon — managed Postgres database hosting.
• Vercel — application hosting and CDN.
• Stripe — payments and subscriptions.
• Anthropic — AI generation and review.

Data is stored on managed infrastructure operated by the sub-processors listed above, in the regions they support. Backups are encrypted at rest.

• Workspace content (knowledge base, proposals, RFP responses, contract reviews, brand kit) — retained while your account is active. You can delete individual items at any time. We delete on account closure within 30 days.
• Account & identity (name, email, Google user ID) — retained while the account is active; deleted within 30 days of closure.
• Credit ledger — retained for as long as the workspace exists, then deleted with it.
• Billing records (Stripe receipts, invoices) — retained for 7 years after the transaction, as required by tax and accounting laws.
• Server logs — typically 30–90 days for security and debugging; longer when investigating an incident.
• Backups — encrypted database backups roll off on Neon's retention schedule, typically within 30 days.

Deletion may take longer where data has propagated to backups; we ensure deleted data is not restored to active systems and is overwritten on the normal backup rotation.

We set a session cookie for authentication and store your cookie preferences in local storage. Analytics and marketing cookies are off by default; they only load if you opt in via our banner, and we honour the Global Privacy Control browser signal as an automatic opt-out. Full detail in the Cookie Policy.

Wherever you live, you may ask us to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. Email privacy@exposql.com and we'll respond within 30 days (45 in California). We may need to verify your identity using information we already hold about you.

For users in the European Economic Area, United Kingdom, or Switzerland, the following supplements section 9.

Controller. ExpoSQL AI Labs is the controller of your personal data for purposes of GDPR / UK GDPR.

Legal bases for processing. We rely on:

• Contract — to provide the service you signed up for (account creation, document generation, billing).
• Legitimate interests — to keep the service secure, prevent abuse, debug, and improve features. We balance these against your rights and can give you details of the assessment on request.
• Consent — for analytics and marketing cookies, and any optional features that ask for it. Consent can be withdrawn at any time.
• Legal obligation — to keep tax/accounting records, to respond to lawful requests from authorities.

Your rights include access, rectification, erasure, restriction, objection, portability, and the right to withdraw consent. You also have the right to lodge a complaint with your supervisory authority— for example, the UK ICO or your country's data-protection authority — though we'd appreciate the chance to address concerns first.

International transfers.Most of our sub-processors are in the United States. When personal data is transferred from the EEA/UK/Switzerland to a third country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (with the UK addendum where applicable), supplemented by technical and organisational measures the receiver maintains under their DPA. See the Subprocessors page for the current list.

See our dedicated Do Not Sell or Share My Personal Information page for the full California disclosures, including your rights to know, access, delete, correct, opt out of sale/sharing, and limit the use of sensitive personal information.

Summary: we do not sell personal information for money, and we do not share it for cross-context behavioural advertising. We honour Global Privacy Control as an automatic opt-out.

Rufus is not intended for users under 16. We do not knowingly collect data from children.

We may update this policy. If the change is material, we'll notify you via the product or by email. The “Last updated” date at the top of this page will always reflect the current version.

Questions or requests: hello@exposql.com.