Changelog

23 April 2026 · Legal pages — reduced operational detail — Privacy v1.5, Trust v1.4, DPA v1.3, Subprocessors v1.3

rptxsoftware.com

• Subprocessors, Trust, Privacy, and DPA — prose tightened to remove incidental operational detail (specific datacentre locations, specific cryptographic primitive choices, specific internal tooling) that was over and above what these policies need to assure customers. The authoritative obligations themselves are unchanged: encryption in transit and at rest, per-workspace isolation and key destruction on deletion, 60-day post-termination retention, 72-hour breach notification, and the same list of vendors — now with country-level residency only.
• Homepage FAQ — "AI training" answer updated to point to the Subprocessors page as the authoritative vendor list rather than naming vendors inline, so the policy surface stays in one place.
• Footers — phone number removed from marketing and legal footers; email and postal address remain the canonical contact channels.

23 April 2026 · Legal review round — Terms v1.3, Privacy v1.3, DPA v1.2, Trust v1.2, Subprocessors v1.2

rptxsoftware.com

• Terms §3 (Acceptable use) — added an explicit prohibition on uploading protected health information (PHI), PCI-DSS-scope payment-card data, or other contract-required categories without a signed HIPAA BAA or equivalent, and disclosed that we may redact, quarantine, or delete content that appears to violate this rule and suspend the offending account.
• Terms §5 (Fees and billing) rewritten to name Paddle as Merchant of Record — per Paddle's published Buyer Terms, the contracting Paddle entity is Paddle.com, Inc. for buyers in the United States and Paddle.com Market Limited for buyers outside the United States.
• New Terms §10A (Our indemnity to you — IP infringement). RPTX will defend and indemnify you against third-party IP-infringement claims arising from your authorised use of the services (excluding claims based on content you uploaded), capped at the greater of USD 10,000 and the fees paid to RPTX in the preceding 12 months.
• New Terms §11A (Binding arbitration & class-action waiver). Disputes resolve through AAA Consumer or Commercial Arbitration rather than court, except for small-claims and injunctive-relief carve-outs. Includes a class-action waiver and a 30-day opt-out window.
• New Terms §13 (Reporting illegal content — EU DSA). A published Article 16 notice-and-action channel, an Article 11/12 single electronic point of contact at legal@rptxsoftware.com, and a postal DSA-contact address.
• Privacy §1 — DSAR window aligned to GDPR Art. 12(3): "within one month, extendable by two further months for particularly complex or voluminous requests", replacing the earlier self-imposed 30-day hard deadline.
• Privacy §8 (Security) strengthened to describe the per-workspace application-layer encryption and per-workspace collection isolation that are already in production.
• New Privacy §10 (EU & UK representatives). Article 27 representatives are in the process of being appointed; details will be published here and in the DPA on appointment. Interim electronic point of contact is legal@rptxsoftware.com.
• Subprocessors list updated. Updated the Google Gemini entry with accurate paid-tier language and the Gemini API Additional Terms link, and named Paddle (both entities, per its Buyer Terms) as our Merchant of Record.
• Trust page: third-party security review restated as internal application-layer review on every release plus external pen-testing on customer request and an annual cadence as the customer base grows.
• Trust page: CCPA/CPRA row restated as "Rights honoured" rather than "In effect", reflecting that we honour the rights for all customers even where we fall below the California statutory thresholds.
• Trust §2 (Encryption) now explicitly documents the per-workspace application-layer encryption that the application enforces. Trust §3 (IAM) rewritten to accurately describe the Google Drive connector: a folder explicitly shared with the RPTX service-account email, read-only, with no write, edit, share, or delete permission requested.
• Trust page, About, homepage FAQ, and DPA preamble — "respond within one business day" softened to "aim to respond within one business day" to avoid turning an aspirational SLA into an express warranty.
• DPA Annex II — added the per-workspace application-layer encryption control and the customer-authorised service-account Drive connector, matching the production implementation.

23 April 2026 · Merchant of Record — Paddle

rptxsoftware.com · askfolder.com

• Merchant of Record: Paddle. Per Paddle's published Buyer Terms, the contracting Paddle entity on the buyer's receipt is Paddle.com, Inc. for buyers in the United States and Paddle.com Market Limited for buyers outside the United States. Paddle is the seller named on your receipt, collects applicable VAT, GST, and US sales tax, and issues compliant invoices on our behalf. RPTX LLC does not store card numbers, CVV codes, or full bank details — card data is handled exclusively by Paddle.
• Product billing FAQ retired from rptxsoftware.com. Payment-processor mechanics live on the product site (askfolder.com) and in the legal pages; the parent-company FAQ and About page link out rather than duplicating the detail.

23 April 2026 · Terms of Service v1.2

rptxsoftware.com

• Section 3 (Acceptable use) extended to describe the specific, code-enforced limits that apply to every workspace — daily and monthly cost caps, per-API-key and per-IP request-rate limits, concurrent-chat cap, and the widget-origin allowlist — and to prohibit deliberately circumventing them or spoofing Origin/Referer headers.
• Section 4 (Your content) clarified. We do not sell or rent customer content, derivative artefacts (vector embeddings, keyword indexes, cached answers) live in a per-workspace namespace with no cross-tenant co-mingling, and the deletion timeline tracks the published retention window in the Privacy Policy.
• New Section 4A (No professional advice). Selecting a regulated vertical (legal, financial, tax, medical, insurance) tunes the model to that domain's sources but does not turn RPTX into a licensed professional. Customers who deploy the widget to end-users may not remove or contradict the server-side disclaimer the platform attaches to answers in those verticals.
• New Section 7A (Automated controls). Explicitly discloses the automated enforcement actions the platform already takes — refusing further requests after a cost cap is hit, rate-limiting an abusive key or IP, rejecting requests from non-allowlisted widget origins, and temporarily suspending chat completion on past-due cards — and confirms those actions do not count as service outages.
• Version bumped to 1.2. No changes to liability limits, governing law, retention windows, or your rights to export and delete.

23 April 2026 · AskFolder v1.0 launch

askfolder.com

• Public launch. AskFolder is live at askfolder.com.
• Natural-language retrieval with citations back to the exact page.
• Google Drive connector at launch; local folder ingestion supported.
• Incremental re-indexing — new and changed files show up in seconds.
• Workspace-isolated index — each customer's content is held in its own namespace; no co-mingling across customers.
• AI providers contracted under no-training / zero-retention terms; full list at /subprocessors.
• Primary customer data hosted in the European Union.

22 April 2026 · Marketing site v1

rptxsoftware.com

• The rptxsoftware.com marketing site goes live ahead of the AskFolder launch.
• Published manifesto, process, FAQ, and the AskFolder product page.
• Legal pages live: Privacy Policy, Terms of Service, Data Processing Agreement, Subprocessors, Trust & Security, and security.txt (RFC 9116).
• Privacy-first analytics enabled via Cloudflare Web Analytics (cookieless, no fingerprinting).

Coming next

Post-launch we are focused on stability, citation quality, and the rough edges of the first connectors. The next release notes will appear on this page. If you want updates by email, write to hello@rptxsoftware.com.