Privacy Policy

RWRD Innovations, Inc. ("RWRD," "we," "our," or "us"), a Delaware C Corporation, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the RWRD Enterprise Intelligence Platform (the "Service").

The Service is currently in Beta. This Privacy Policy applies to all data collected during the Beta period and will continue to apply when the Service reaches general availability, subject to any updates communicated in accordance with Section 12.

1. Information We Collect

1.1 Information You Provide

Account Information

• Name and email address
• Company name and industry
• Job title and role
• Password (encrypted via bcrypt hashing — we never store plaintext passwords)

Company Profile

• Website URL
• Business description
• Ticker symbol (optional, used for SEC EDGAR lookups)
• Employee count range and revenue range
• Industry classification

Business Data

• Objectives and Key Results (OKRs)
• Financial metrics, targets, and historical values
• Risk categories, risk indicators, and Key Risk Indicators (KRIs)
• Custom metrics and scoring thresholds
• Notes, comments, action plans, and status assessments
• Network analysis relationships and scenario analysis parameters

Communications

• Support requests and correspondence
• Feedback and survey responses
• AI chat conversations and prompts (including uploaded images)

Payment Information

• Billing name and address
• Payment method details (processed and stored by Stripe, Inc. — we do not store your full card details)

Uploaded Documents

• PDF financial statements, annual reports, and risk assessments uploaded for AI extraction
• CSV files (processed locally in your browser — never transmitted to our servers)

1.2 Information Collected Automatically

Usage Data

• Features accessed and actions taken
• Time spent on the Service
• Click patterns and navigation paths
• Error logs and performance data (sent to Sentry with PII scrubbed)

Device and Browser Information

• IP address
• Browser type and version
• Operating system
• Device identifiers and screen resolution

Geolocation (Limited)

Your IP address is sent to a geolocation service (ipapi.co) to determine your country for sanctions compliance. We do not collect or store precise geolocation (GPS coordinates). Results are cached locally on your device for up to 24 hours.

Cookies and Similar Technologies

• Session cookies (required for login)
• Preference cookies (your settings)
• Analytics cookies (usage patterns)

See Section 7 for more details.

1.3 Information from Third Parties

Single Sign-On (SSO)

When you use Google to sign in, we receive your name and email from the identity provider and authentication tokens (not your password).

AI Service Providers

When you use AI features, interactions may be processed by third-party AI services. We receive AI-generated responses but do not receive data about other users of those services.

Public Data Sources

When you use Research Intelligence features (Strategic tier), the Service may retrieve publicly available information from SEC EDGAR filings and public web sources via AI-powered web search. This data is used to enrich your analysis and is attributed with source citations.

2. How We Use Your Information

2.1 Providing the Service

• Create and manage your account
• Display your dashboards and metrics
• Generate AI-powered reports, insights, and recommendations
• Process document uploads for financial metric and risk extraction
• Conduct scenario analysis based on your parameters
• Perform research intelligence searches relevant to your industry
• Render PDF reports from your published dashboard data
• Send transactional emails (publish notifications, contributor reminders, report delivery, account deletion confirmations)
• Enable team collaboration features (contributor workflow, published dashboards)

2.2 Improving the Service

• Analyze usage patterns to improve features
• Identify and fix bugs and errors (via Sentry error monitoring)
• Develop new features based on user needs
• Conduct research and analytics

2.3 Communications

• Send transactional emails (confirmations, alerts, contributor reminders)
• Provide customer support
• Send product updates and announcements

2.4 Security and Compliance

• Detect and prevent fraud and abuse
• Enforce our Terms of Service
• Comply with legal obligations
• Enforce geographic restrictions (sanctions compliance via IP geolocation)
• Monitor for security incidents

2.5 AI-Powered Analysis

• Provide industry-specific risk assessments and recommendations
• Customize AI responses based on your company profile, industry, and business context
• Generate network analysis identifying relationships between your metrics
• Conduct scenario impact analysis based on your hypothetical parameters
• Perform web-based research intelligence relevant to your competitive landscape

3. How We Share Your Information

We do not sell your personal information.

3.1 With Your Organization

• Administrators can view team member activity and audit logs
• Colleagues may see shared dashboards, published snapshots, and metrics
• Your name appears on metrics you own or update
• Contributors see only their assigned metrics (not the full dashboard)

3.2 Service Providers (Sub-Processors)

3.3 AI Service Providers — Detailed Disclosure

What is sent to Anthropic (Claude):

• Your text prompts and messages (interactive chat)
• Images you upload for visual analysis
• Relevant metric context from your dashboard
• Your company profile information (name, industry, business description, ticker symbol)
• Uploaded PDF documents for extraction
• Scenario parameters and analysis context
• Search queries derived from your company context (research intelligence)

What is NOT sent to Anthropic:

• Your password or authentication credentials
• Your payment information
• Other users' personal data

Anthropic does not use API data to train their models. For Anthropic's full privacy practices, see anthropic.com/privacy.

3.4 Document Processing

• PDF documents are securely transmitted to our AI provider for extraction of financial metrics and risk factors
• CSV files are processed entirely locally in your browser and are never transmitted to our servers
• Uploaded documents are processed in memory and are not permanently stored
• Only extracted data (metric values, risk factors) is retained in your account

3.5 Legal Requirements

We may disclose information if required by law, including court orders, government requests, and to protect our legal rights. We will notify you of such disclosures to the extent permitted by law.

3.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you at least 30 days in advance.

4. Data Retention

4.1 Active Accounts

We retain your information for as long as your account is active and as needed to provide the Service.

4.2 After Account Closure

• Grace Period: 30-day cancellation window after deletion is requested
• Your Data: Permanently and irreversibly deleted when the grace period ends
• Anonymized Data: May be retained indefinitely for analytics
• Legal Holds: Data may be retained longer if required by law

4.3 Specific Retention Periods

4.4 Deletion Process

1. You request deletion through account settings
2. Confirmation email sent with cancellation link
3. 30-day grace period begins
4. Automated process permanently deletes all organization data
5. Confirmation email sent upon completion

5. Data Security

5.1 Technical Safeguards

• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Secure password hashing (bcrypt)
• Row-Level Security (RLS) policies enforcing data isolation between organizations
• Rate limiting on AI features and authentication endpoints
• Input validation and sanitization on all user inputs
• PII scrubbing on error monitoring data

5.2 Organizational Safeguards

• SOC 2 Type 2 compliance
• Access controls and least-privilege principles
• Incident response procedures (documented and tested)
• SOC 2 Type II compliance program (certification in progress)

5.3 Your Responsibilities

• Maintaining strong, unique passwords
• Enabling multi-factor authentication (MFA) when available
• Protecting your login credentials and devices
• Reporting suspected security incidents to security@rwrd.ai

6. Your Rights and Choices

6.1 Access and Portability

You can view your data at any time, export it in JSON or CSV format via the built-in data export feature, or request a copy by contacting privacy@rwrd.ai.

6.2 Correction

You can update your account information in Settings. Contact us to correct other data.

6.3 Deletion

You can delete individual data points within the Service or request full account deletion (all data removed after 30-day grace period).

6.4 Opt-Out

• Marketing emails (unsubscribe link)
• Non-essential cookies (via cookie consent banner)

6.5 Exercising Your Rights

Contact privacy@rwrd.ai. We will respond within 30 days.

7. Cookies and Tracking

7.1 Types of Cookies

7.2 Local Storage

The Service uses browser localStorage for cached dashboard data, user preferences, AI chat conversation history (stored locally only), and UI state. This data persists until you clear browser storage or delete your account.

7.3 Managing Cookies

You can manage cookies via the cookie consent banner on first visit, your browser settings, or by clearing browser storage.

7.4 Do Not Track

We currently do not respond to "Do Not Track" browser signals, as there is no industry standard for this.

8. Data Location and International Transfers

8.1 Data Location

Your data is stored and processed in the United States by SOC 2 Type II compliant cloud providers.

8.2 International Transfers

For EEA, UK, or Swiss users, we use EU-approved Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) with all sub-processors.

8.3 Service Availability Restrictions

In compliance with U.S. sanctions, the Service is not available in Cuba, Iran, North Korea, Syria, Crimea, Donetsk, Luhansk, Russia, or Belarus. We use IP-based geolocation to enforce these restrictions.

8.4 EU/UK Users (GDPR)

Lawful Bases: Contract performance, legitimate interests, legal obligations, and consent.

Your GDPR Rights: Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to lodge a complaint with a supervisory authority.

Contact our Data Protection Officer at dpo@rwrd.ai.

9. California Privacy Rights (CCPA/CPRA)

California residents have rights to know, delete, correct, and opt-out under the CCPA/CPRA. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

To exercise your California rights, contact privacy@rwrd.ai.

10. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it promptly.

11. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices.

12. Changes to This Policy

We may update this policy with at least 30 days' notice via email or in-app notification. A material update is anticipated when the Service transitions from Beta to general availability.

13. Contact Us

14. Additional Disclosures

14.1 Categories of Personal Information

14.2 Sensitive Personal Information

We do not intentionally collect sensitive personal information (SSNs, financial account numbers, precise geolocation, health information, biometric data, etc.). If your business data includes such information, you are responsible for ensuring appropriate protections. The Service is not designed for HIPAA or PCI-DSS regulated data without a separate agreement.