Privacy Policy

Last updated: April 17, 2026. This document is written in plain English and should be read together with our Terms of Service.

1. Who we are

RakshEx (“RakshEx”, “we”, “us”) provides a security and operations platform for production AI agents. We act as the data controller for the personal data you provide when you create an account and as a data processor for the API traffic, telemetry, and findings you choose to route through the platform. Our contact address for privacy matters is privacy@rakshex.in.

2. Data we collect

  • Account data: name, email address, hashed password (PBKDF2-SHA512, 100k iterations), and OAuth provider identifiers if you sign in with Google.
  • Product usage: dashboard interactions, feature flags, browser user-agent, IP address (for rate limiting and audit logs), request timestamps.
  • Customer content: API collections (Postman / OpenAPI), scan results, shadow API detections, LLM cost telemetry, kill-switch events, team membership, audit log entries.
  • Billing data: plan tier, subscription status, and a Razorpay order ID. We do not store full card numbers — those are handled by Razorpay under PCI-DSS.
  • VS Code extension telemetry: session start/stop, file-change counts, relative file paths (never file contents). Opt-out is available via the extension settings.
  • Cookies: one strictly-necessary session cookie and one CSRF-protection cookie. No advertising, no cross-site tracking, no third-party analytics by default.

3. Legal basis and purposes (GDPR art. 6)

  • Contract (6(1)(b)): provide the service you signed up for — authentication, scanning, dashboards, team invites, billing.
  • Legitimate interest (6(1)(f)): security monitoring, fraud prevention, rate limiting, aggregated analytics used to improve the product. Balancing-test documentation is available on request.
  • Legal obligation (6(1)(c)): tax records, responding to lawful requests from supervisory authorities.
  • Consent (6(1)(a)): optional email digests and any analytics beyond the default strictly-necessary set. You can withdraw consent at any time from the email preferences page or the unsubscribe link in every email.

4. How we store and secure your data

Account data and customer content are stored in MySQL 8 hosted in the region you select at signup (EU or US). Data in transit uses TLS 1.3. Passwords are never stored in plaintext — only the PBKDF2 hash plus a per-user 32-byte salt. Secrets and API keys are stored server-side only and never logged. Access to production data is limited to named personnel, gated by hardware-backed SSO, and every access is written to an append-only audit log.

5. Sub-processors

We use a small set of sub-processors, each bound by a data processing addendum:

  • Razorpay — payments & subscriptions.
  • Your chosen SMTP provider (Resend / SendGrid / SES / Postmark) — transactional email.
  • Sentry — error monitoring (if you enable it).
  • Your cloud provider (AWS / Fly.io / Railway / self-host) — compute and storage.

A current list with addresses is available on request from dpo@rakshex.in. We will notify customers of material changes 30 days in advance.

6. International transfers

If you select a US-hosted deployment from the EU or UK, transfers rely on the EU Commission’s Standard Contractual Clauses (2021/914) with supplementary measures (encryption at rest and in transit, audit logging, limited administrative access). You can request a copy of the executed SCCs.

7. Data retention

  • Account data: for as long as your account is active.
  • Scan results & shadow API detections: 12 months rolling by default (configurable per workspace).
  • Audit logs: 24 months.
  • Invoices & tax records: 7 years (legal obligation).
  • Backups: 30 daily snapshots, 12 monthly snapshots, then purged.

On account deletion we purge active data within 30 days and backups within an additional 90 days.

8. Your rights (GDPR / UK GDPR / CCPA)

  • Right of access to the personal data we hold about you
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”)
  • Right to restrict or object to processing
  • Right to data portability (machine-readable export)
  • Right to lodge a complaint with your supervisory authority
  • CCPA: right to know, delete, correct, and opt out of “sale” (we do not sell personal information)

Email privacy@rakshex.in from the email address on your account to exercise any of these. We respond within 30 days.

9. Security incident response

In the event of a personal-data breach likely to cause risk to you, we notify the relevant supervisory authority within 72 hours and, where the risk is high, notify affected users without undue delay. Our incident response playbook is audited annually.

10. Children

RakshEx is not directed at children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

11. Changes to this policy

We post changes here and, for material changes, send an email notice 30 days before they take effect. Continued use of RakshEx after the effective date constitutes acceptance.

12. Contact

Privacy or DPO questions: privacy@rakshex.in. If you are in the EU/EEA you may also contact our representative listed in the data processing addendum.

This document is a template provided with the platform and should be reviewed by your counsel before production use.