Privacy policy
Last updated: April 13, 2026
rags.cc handles personal data with a privacy-by-design principle. This policy explains what we collect, why, where it lives, and what your rights are.
1. Who we are
rags.cc is an enterprise RAG platform operated by the operating legal entity (in formation). Website: https://rags.cc. Privacy contact: privacy@rags.cc. DPO: dpo@rags.cc.
2. Data we collect
From landing visitors: minimal technical data (redacted IP, user agent) for aggregate metrics; essential technical cookies; if you contact us: name, email, message.
From authenticated users: email, name, role, tenant, locale, activity logs, content of documents you upload, and queries you run. This data belongs to the tenant; we act as processor.
3. Legal basis
Legitimate interest for basic security and operational telemetry. Contract performance for data needed to provide the service. Consent for commercial communications (opt-in).
4. How we use your data
Provide the service. Security: detect abuse, respond to incidents. Billing via Stripe. Product improvement with aggregated anonymized metrics. NEVER: data sales, programmatic advertising, training external LLMs with your content.
5. Where your data lives
On AWS (Amazon Web Services) in us-east-1 by default. Business+ customers can contract eu-west-1. Your content is NEVER sent to public LLM provider APIs, unless your organization configures BYO-LLM with its own credentials. Default inference runs via AWS Bedrock with a private endpoint: data never leaves the AWS network.
6. Sub-processors
AWS (hosting, storage, inference). Stripe (payments). Amazon SES (transactional emails). If the tenant configures BYO-LLM, the LLM provider the tenant chose. Up-to-date list available under DPA.
7. Retention
Audit logs: per tenant tier (30 days Starter, 90 days Pro, 1 year Business, 2+ years Enterprise). Tenant content: for the duration of the contract + 30-day grace period. Backups per policy. Billing data: 10 years by legal obligation.
8. Your rights (GDPR and equivalents)
Access: request a copy of your data.
Rectification: correct inaccurate data.
Erasure (right to be forgotten): delete your data within 30 days max.
Portability: receive your data as JSON/CSV.
Objection and restriction: limit use in certain cases.
Requests to privacy@rags.cc, response within 30 days.
9. Security
Encryption at rest (KMS) and in transit (TLS 1.2+). Multi-tenant isolation with Row-Level Security and application-level verification. Mandatory MFA for admins. Append-only audit log. External pentest before first Enterprise customer. Technical details at /security/.
10. International transfers
Our sub-processors may operate in the US. Transfers use Standard Contractual Clauses (SCCs) when applicable. Business+ tenants can contract EU-only data residency.
11. Minors
rags.cc is not targeted at minors under 18. We do not knowingly collect minors' data.
12. Changes to this policy
We will publish changes at this URL. Material changes will be notified by email to the tenant admin with 30 days' notice.
13. Contact
Data Protection Officer: dpo@rags.cc. Privacy requests: privacy@rags.cc. General: hello@rags.cc.