Privacy Policy
1. Who we are
RPTX LLC is a limited liability company registered in the State of Wyoming, United States. We publish this website and our products under the brand name “RPTX Software”; the contracting legal entity is always RPTX LLC. Our mailing address is 30 N Gould St Ste N, Sheridan, WY 82801, USA.
For any privacy-related request — including access, correction, deletion, or portability — email legal@rptxsoftware.com. We aim to acknowledge requests within one business day and complete verified requests within one month of receipt. Where a request is particularly complex, or where you have submitted several requests at once, we may extend that period by a further two months, as permitted by GDPR Article 12(3); in that case we will inform you of the extension and the reasons for it within one month of receiving your request.
2. What we collect
2.1 Information you give us
- Account data — email address, display name, and, if you create a workspace, your organisation name.
- Billing data — handled by Paddle acting as our Merchant of Record. Per Paddle's published Buyer Terms, the contracting Paddle entity is Paddle.com, Inc. for buyers in the United States and Paddle.com Market Limited for buyers outside the United States. Paddle is the seller named on your receipt, collects applicable consumption taxes (US sales tax, VAT, GST, etc.), and processes payments on our behalf. RPTX does not store card numbers, CVV codes, or full bank details; we retain only the last four digits, card brand, and Paddle's customer/subscription identifier so we can reconcile subscriptions. See our Subprocessors page for Paddle's certifications and data-protection terms.
- Support correspondence — the contents of messages you send to our support or legal inboxes.
- Content you upload to AskFolder — documents, file metadata, and derived embeddings. You control what you upload and can delete it at any time.
2.2 Information collected automatically
- Service logs — IP address, user-agent, timestamps, request paths, and error traces. Retained for up to 90 days for security and debugging.
- Authentication & audit logs — records of account sign-in events and administrative actions. Retained for up to 13 months for security, abuse prevention, and compliance.
- Usage metrics — aggregate, anonymised counts of product events (e.g. "a query was answered"). No document content is included in metrics.
- Cookies — session cookies required for authentication inside the product. The marketing site rptxsoftware.com does not set any cookies. We do not use third-party advertising or cross-site tracking cookies anywhere.
2.3 Website performance analytics
We use Cloudflare Web Analytics (Real User Monitoring) to measure the performance and reliability of rptxsoftware.com and askfolder.com. It is a deliberately minimal, privacy-first service:
- It does not set cookies, read localStorage, or place any identifier on your device.
- It does not fingerprint the browser or build a cross-site or cross-session profile.
- Cloudflare discards the originating IP address at the edge and stores only aggregate performance metrics — Core Web Vitals (LCP, CLS, INP), page and resource load timings, referrer domain, and coarse country-level geolocation.
- We use this data solely to detect regressions, fix slow pages, and understand how visitors find the site. It is never combined with account data or sold to third parties.
Cloudflare, Inc. acts as our processor for this data under Cloudflare's customer Data Processing Addendum and the EU Standard Contractual Clauses. Cloudflare is certified under the EU–U.S., Swiss–U.S., and UK Data Privacy Framework. Because this service is cookieless and does not track individual users, no separate consent banner is served. Cloudflare's role and certifications are listed on our subprocessors page.
Our legal basis for this processing is our legitimate interest in operating, securing, and improving the website (GDPR Art. 6(1)(f)). You can object to this processing at any time by emailing legal@rptxsoftware.com.
3. How we use it
- To operate, maintain, and improve the services you have signed up for.
- To authenticate you and prevent unauthorised access to your workspace.
- To provide customer support and respond to your requests.
- To comply with applicable legal obligations, including tax, accounting, and sanctions screening.
- To detect, investigate, and prevent fraud, abuse, or security incidents.
We do not sell personal data. We do not use your content to train our own AI models, and we send inputs only to AI providers under paid or enterprise API terms that prohibit the use of your prompts, uploads, or generated outputs to train or improve their models. Specific providers and the controls relied on are listed on our Subprocessors page.
4. Subprocessors
We rely on a small number of reputable service providers to run the business. A current list is maintained at rptxsoftware.com/subprocessors. Each subprocessor is contractually bound to handle personal data consistently with this policy.
5. Where your data is processed
RPTX LLC is established in the United States. Our services are offered to customers in the United States; we do not actively market to residents of the European Economic Area, the United Kingdom, or Switzerland and we do not localise the site into EU/UK languages or charge in Euros or Pounds. As a factual matter about our infrastructure — not as a compliance claim — our application database and vector index happen to run on a provider with datacentres in Germany, and object storage for uploaded documents is held with a provider whose region can be configured on request. Other subprocessors (AI model providers, transactional email, website analytics) are based in the United States. A current list of subprocessors and their locations is maintained at rptxsoftware.com/subprocessors.
If you are a resident of the EEA, the UK, or Switzerland and nevertheless choose to use the service, you consent to your information being transferred to, processed in, and stored in the United States and any other country in which RPTX or our subprocessors operate. Where the GDPR or UK GDPR nonetheless applies to a transfer, we rely on the European Commission's Standard Contractual Clauses (Commission Decision 2021/914 of 4 June 2021) and the UK International Data Transfer Addendum, and on the EU–U.S., Swiss–U.S., and UK Data Privacy Framework certifications held by several of our subprocessors, as noted on the subprocessors page.
6. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain uses. California residents have additional rights under the CCPA/CPRA, including the right to know and the right to opt out of "sharing" (we do not share personal data in the sense defined by the CCPA).
To exercise any of these rights, email legal@rptxsoftware.com from the address associated with your account. We may ask for additional information to verify your identity.
7. Retention
We retain account data for as long as your account is active. On account or subscription termination, you have 60 days to export your data in standard formats, after which primary copies are permanently deleted. You can request deletion at any time before that window closes. Encrypted backups are overwritten in the normal rotation cycle within a further 90 days.
Service logs are retained for up to 90 days; authentication and audit logs are retained for up to 13 months. Billing and tax records are retained for the period required by applicable US and EU law (typically seven years).
8. Security
All network traffic is encrypted with modern TLS using current cipher suites. Uploaded documents are stored in object storage that encrypts every object at rest with AES-256 by default. Sensitive payload fields inside the vector search index are additionally encrypted at the application layer using a key that is unique to each workspace, and each workspace's content is held in its own logically-isolated collection so it is never co-mingled with another customer's index.
Multi-factor authentication is required on every account that can touch production, access follows the principle of least privilege, and administrative actions are logged. When a workspace is deleted, its encryption key is destroyed so any residual ciphertext on rotated backups becomes unreadable before the backup is naturally overwritten.
A fuller summary of technical and organisational measures is published on the Trust & security page, which is the authoritative, continuously-updated version referenced by our Data Processing Agreement.
9. Changes to this policy
We will post updates to this page and update the "Last updated" date above. For material changes we will notify account holders at least 30 days in advance via email.
10. Children
The service is intended for business use by adults. You must be at least 18 years old to create an account (see Section 2 of our Terms of Service). We do not knowingly collect personal data from children under 18. If you believe a child has provided us personal data, email legal@rptxsoftware.com and we will delete it promptly.
11. EEA / UK / Swiss data subjects
RPTX LLC does not target users in the European Economic Area, the United Kingdom, or Switzerland, and we have not appointed an Article 27 representative. If you are an EEA, UK, or Swiss data subject and you nonetheless use the service, you may exercise all of the rights described in Section 6 of this policy by writing to legal@rptxsoftware.com, which is our permanent electronic point of contact for privacy questions. You also have the right to lodge a complaint with a supervisory authority — in the EU, the data protection authority of the member state where you live, work, or where the alleged infringement took place; in the UK, the Information Commissioner's Office.
12. Third-party data we connect to on your request
If you choose to connect a Google Drive account so that AskFolder can index selected documents, we request only the narrowly-scoped https://www.googleapis.com/auth/drive.file OAuth scope via the Google Picker. This scope grants RPTX access only to the specific files you explicitly select with the Picker — we cannot see, list, or index any other file in your Drive, and revoking access at myaccount.google.com/permissions immediately stops any further access.
Google API Services — Limited Use disclosure. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data solely to provide or improve user-facing features prominent in the RPTX application, we do not transfer this data to third parties except to provide those features, we do not use it for advertising, and no humans read the data except (a) with your explicit consent, (b) for security, or (c) to comply with applicable law.
13. Contact
Email legal@rptxsoftware.com for any privacy question. Postal mail can be sent to the address listed in section 1.