RGL8R Privacy Policy (v1)
Effective date: 2026-03-02
1. Overview
RGL8R Inc. (“RGL8R,” “we,” “us”) operates the RGL8R compliance platform, including the marketing site at rgl8r.com, the product dashboard, and the REST API. This Privacy Policy describes how we collect, use, store, and protect information when you interact with our services.
This policy applies to all users of the RGL8R platform, including authenticated customers, guest audit users, and visitors to our website.
2. Data We Collect
Account Data: Organization name, contact name, email address, and account configuration provided during onboarding or self-serve signup (including OTP verification data during signup sessions).
Operational Data: API request logs, job processing metadata, authentication events, and system health telemetry. Operational data is used for security monitoring, debugging, and service reliability.
Workflow Data: Files and records uploaded to or generated by the platform, including shipment CSVs, product catalogs, order files, classification results, SIMA screening outcomes, compliance findings, dispute records, and compliance reports.
Billing Data: Stripe customer identifiers, invoice records, payment method metadata (card type and last four digits — full card numbers are never stored by RGL8R), and billing event history.
Guest Audit Data: For unauthenticated discovery audits — email address (hashed for abuse controls; raw email stored encrypted only with explicit follow-up consent), uploaded files, and processing results. Guest data is session-scoped and subject to retention limits.
Website Data: Information submitted through contact forms (processed by Formspree), including email address and message content.
3. How We Use Data
- Service delivery: Processing uploads, generating classifications and findings, running compliance checks, managing disputes, and producing reports.
- Billing: Calculating fees based on realized carrier credits (SHIP) and SKU volume (TRADE), generating invoices, and processing payments through Stripe.
- Security operations: Monitoring for unauthorized access, enforcing rate limits, validating authentication tokens, and maintaining audit trails.
- Product improvement: Using aggregated, anonymized data to improve detection accuracy, classification models, and platform performance. No individual Customer or data subject can be identified from aggregated data.
- Legal compliance: Responding to lawful requests from regulatory authorities or courts of competent jurisdiction.
- Communications: Sending transactional emails related to account activity, billing, and service notifications (via Resend). We do not send marketing emails without explicit opt-in.
4. Tenant Isolation
RGL8R enforces strict multi-tenant isolation at the database layer:
- PostgreSQL row-level security (RLS) policies are applied to every tenant-scoped table, with FORCE RLS enabled.
- Every API request is bound to an authenticated tenant context. Cross-tenant data access is architecturally prevented.
- Integration keys are cryptographically scoped to their issuing tenant. Key secrets are hashed after the initial one-time reveal and cannot be recovered.
- Administrative operations are restricted to explicitly allowlisted Clerk organization IDs.
5. Subprocessors
RGL8R uses the following third-party services to deliver the platform:
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Render | Application hosting and PostgreSQL database | All platform data (encrypted at rest and in transit) |
| Clerk | User authentication and organization management | User identity, session tokens, organization membership |
| Stripe | Payment processing and billing | Billing metadata, payment method tokens (PCI DSS compliant) |
| Resend | Transactional email delivery | Email addresses, notification content |
| Formspree | Contact form processing | Email addresses, form message content |
We evaluate subprocessors for security practices and data handling before engagement. The list above is current as of the effective date of this policy and may be updated with notice.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Workflow Data | Duration of the customer agreement plus a 30-day export window after termination |
| Operational Logs | 90-day rolling window |
| Billing Records | 7 years (tax and regulatory requirements) |
| Guest Audit Data | Deleted after session expiry (configurable, default 7 days) |
| Signup Session Data | Purged after session completion or expiry |
After the applicable retention period, data is permanently deleted from all RGL8R systems, including database records and stored files.
7. Data Subject Rights
Customers and authorized users may exercise the following rights, subject to applicable law:
- Access: Request a copy of personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of personal data, subject to legal retention requirements and active contractual obligations.
- Export: Export Workflow Data via the API or dashboard export features at any time during the agreement term.
- Objection: Object to specific processing activities where we rely on legitimate interest as the legal basis.
We respond to data subject requests within 30 days. Requests should be directed to privacy@rgl8r.com.
8. International Transfers
RGL8R infrastructure is hosted in North America. All platform data is processed and stored within North American data centers.
Where personal data originates from jurisdictions requiring additional transfer safeguards (e.g., the European Economic Area), we rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by applicable law.
9. Security Measures
RGL8R implements the following security controls to protect platform data:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest via infrastructure provider controls
- RS256 JWT authentication with short-lived tokens
- Row-level security (RLS) on every tenant-scoped database table
- Integration key secrets hashed after one-time reveal (never stored in plaintext)
- Webhook HMAC signature verification for callback integrity
- API input validation, parameterized queries, and file upload content verification
- Immutable audit trail for compliance-relevant events
- Operational runbooks for incident response, billing controls, and rollback procedures
For more detail on our security architecture, see our Security page.
10. Cookies and Tracking
RGL8R does not currently use third-party tracking cookies or analytics scripts on the marketing site or product dashboard.
- Session cookies: Used for authentication session management only.
- No third-party trackers: We do not embed advertising pixels, social media trackers, or third-party analytics on our platform.
If we introduce analytics or tracking in the future, this policy will be updated with at least 30 days’ notice.
11. Changes and Contact
RGL8R may update this Privacy Policy from time to time. We will provide at least 30 days’ advance notice of material changes via email to the account contact on file.
Continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.
Contact:
- Privacy questions: privacy@rgl8r.com
- Legal questions: legal@rgl8r.com
- Security concerns: security@rgl8r.com