Privacy Policy

Effective date: · Version 1.0 · Subject to counsel review before v1.0 launch

1. Who we are

RTSCALE.AI, Inc. ("RTScale," "we," "our") operates the marketing website at rtscale.ai and provides the RTScale SDK and API to integration partners. This policy covers data collected through the rtscale.ai marketing site only. Data collected via the RTScale SDK deployed in a partner's application is governed by the partner's own privacy policy and the Data Processing Agreement between RTScale and the partner.

For GDPR purposes, RTScale is a data controller for marketing-site data and a data processor for SDK-collected data processed under a partner DPA.

2. What we collect

2.1 Forms

When you submit a contact or demo request form we collect: name, work email address, company name, and message content. We also collect an optional role field on the demo form. We do not collect phone numbers. Form data is transmitted to our API service and dispatched to our internal inbox. We do not persist raw form submissions longer than needed to process and reply.

2.2 Server-side analytics

We use Plausible Analytics in its privacy-preserving configuration: no cookies, no cross-site tracking, no fingerprinting. Plausible collects aggregated page-view data (URL, referrer, country, device type, browser family). No individual visitor is tracked or identified. See §5 for full details.

2.3 Server logs

Our API service logs request metadata for operational purposes: IP address (hashed before storage), timestamp, HTTP method, and response code. Honeypot trips are logged at the info level. Logs are retained for 30 days and then purged. No PII from form payloads is written to logs.

3. What we don't collect

  • No biometric data from marketing-site visitors. The SoM Sig capture pipeline is an SDK component deployed in partner applications. The marketing site itself — the pages at rtscale.ai — does not activate any camera, microphone, or biometric capture. No affective-indicator data is collected from visitors to this site.
  • No third-party trackers. We do not load Google Analytics, Meta Pixel, LinkedIn Insight Tag, HubSpot tracking, or any other third-party tracking script on the marketing site. Plausible is self-hosted-compatible and does not share data with advertising networks.
  • No individual visitor profiles. Plausible's aggregate reporting does not allow us to reconstruct the browsing history or identity of any individual visitor.
  • No phone numbers. Our contact form does not ask for a phone number. We don't want it.

4. How we use it

Form data is used exclusively to:

  • Respond to your inquiry or confirm and schedule a demo session.
  • Route your request to the appropriate team member (AE, DevRel, or general inbound).
  • Maintain a record of the correspondence for follow-up.

We do not sell, rent, or share your form data with third parties for marketing purposes. We do not use form data to build advertising audiences. We do not add you to mailing lists without explicit consent separate from the form submission.

5. Analytics

We use Plausible Analytics as our sole analytics provider. Plausible is a privacy-preserving, cookie-free analytics service. It does not use fingerprinting. Data is aggregated; individual visitor tracking is architecturally impossible. Plausible is governed by EU GDPR and does not transfer data to advertising platforms.

The Plausible script is loaded conditionally: it is gated by the PUBLIC_PLAUSIBLE_DOMAIN environment variable and does not load if the variable is absent (e.g., in development and staging environments).

6. Cookies

The marketing site uses no tracking cookies. A functional cookie may be set to remember your locale preference (e.g., if you switch from English to Portuguese) across sessions. This cookie contains no personal data beyond the locale code (e.g., pt) and is not shared with any third party.

7. Your rights

Depending on your jurisdiction, you may have rights including: access to data we hold about you, correction of inaccurate data, deletion of your data, restriction or objection to processing, data portability, and the right to withdraw consent.

To exercise any of these rights, email privacy@rtscale.ai. We will respond within 30 days. For GDPR requests from EEA/UK residents, we will respond within the statutory period.

7.1 Right to erasure (GDPR Article 17)

For marketing-site data: we will delete your form submission records upon request. For SDK-processed SoM Sig data in a partner application: cryptographic erasure is the mechanism — revoking your per-subject root token renders all downstream SoM Sig tokens mathematically unverifiable. The signed artifact may be retained by the partner for evidentiary or regulatory purposes (e.g., E&O retention, state probate record requirements), but the underlying biometric provenance is rendered inaccessible. Contact the partner application directly to initiate this process, or contact us and we will facilitate.

8. Data retention

Data type Retention period Basis
Form submissions (contact) Until request is resolved + 1 year Legitimate interest (follow-up)
Form submissions (demo) Duration of the sales process + 1 year Legitimate interest (commercial relationship)
Server logs (hashed IP + metadata) 30 days Legitimate interest (security + ops)
Analytics (aggregated, no PII) Rolling 24 months Legitimate interest (product improvement)

9. Subprocessors

A complete subprocessor list is published in the Trust Center. Marketing-site subprocessors at v1.0 include: Render (hosting), Plausible (analytics), and the email provider used for form dispatch (configuration-dependent; see Trust Center for the current list).

10. Contact

Privacy inquiries: privacy@rtscale.ai

General contact: rtscale.ai/contact

Note: This document is a v1.0 draft. It will be reviewed by independent counsel before public launch. Material changes will be reflected in an updated effective date.