Privacy Policy
Last updated: February 9, 2026
1. Data Controller
The data controller for the purposes of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws is:
Rulecatch AI™
417 Florence St.
Mamaroneck, NY 10543
United States
Data Protection Contact: privacy@rulecatch.ai
2. What We Collect
We collect the following categories of personal data:
- Account Data: Email address, name, account type, selected region, and onboarding preferences. Provided directly by you during registration.
- Billing Data: Processed by Stripe, Inc. We do not store credit card numbers, CVVs, or full payment details on our servers. We receive and store only a Stripe customer ID, subscription status, and plan information.
- AI Session Metadata: Tool call events (tool name, success/failure, file path in hashed form, input/output size), session timing, model identifiers, token counts, estimated cost, git branch, and commit hashes. This metadata describes AI tool usage patterns, not the content of your work.
- Client-Side Hashed PII: Personally identifiable fields (such as file paths, git email addresses, and project names) are hashed on your local machine using SHA-256 before transmission. We receive only the hash values. See Section 7 for details.
3. What We Do NOT Collect
Rulecatch™ is designed to never access your intellectual property. We do not collect:
- Source code or file contents
- AI prompts or prompt text
- AI responses or generated content
- Chat or conversation history
- Screenshots, images, or binary file data
4. Lawful Basis for Processing (GDPR Art. 6)
We process personal data on the following legal bases:
- Performance of a Contract (Art. 6(1)(b)): Processing your account data and AI session metadata is necessary to provide you with the Rulecatch™ service, including violation detection, analytics, and billing.
- Legitimate Interest (Art. 6(1)(f)): We process aggregated, anonymized usage data for service improvement, security monitoring, and infrastructure optimization. You may object to this processing at any time.
- Legal Obligation (Art. 6(1)(c)): We retain billing records as required by tax and financial reporting laws.
5. How We Use Your Data
- Service Delivery: Providing your dashboard, analytics, alerts, and rule violation detection.
- Violation Detection: Analyzing AI session metadata against your configured rules to detect deviations.
- Analytics: Generating usage summaries, token consumption reports, and cost estimates for your account.
- Billing: Managing subscriptions, processing payments through Stripe, and generating invoices.
- Support: Responding to your support requests and troubleshooting technical issues.
- Service Improvement: Using aggregated, anonymized data to improve platform reliability and features.
6. Data Retention
We retain data only as long as necessary for the stated purposes:
- AI Event Data: Retained according to your subscription plan—Starter: 7 days, Pro: 30 days, Enterprise: 90 days. After the retention period, event data is automatically and permanently deleted.
- Account Data: Retained for the duration of your active account. After account deletion, personal data is removed within 30 days.
- Billing Records: Retained for 7 years as required by applicable tax and financial regulations.
7. Client-Side Hashing
Rulecatch™ hashes personally identifiable fields on your machine so that our servers never receive them in the clear. Before any data leaves your machine:
- File paths, git email addresses, and project names are hashed using SHA-256 under a secret key that exists only on your machine.
- That key is generated and stored locally. It is never transmitted to our servers.
- We receive only the resulting hash values. Because we do not hold the key, we cannot recover the original values from them. The key is what makes this hold: an unkeyed SHA-256 of a predictable value such as an email address or a common file path can be reversed simply by hashing candidate values and comparing them with the received hashes.
- If you lose your key, we cannot recover it. Analytics metrics will continue to function, but hashed fields already stored cannot be linked back to their original values.
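The following is an added illustration of the mechanism this section describes; it is example code written for this page, not Rulecatch's client software. The policy states only that the fields are SHA-256 hashed and that a key generated on the machine is never sent, so HMAC-SHA256 is assumed here as the keyed construction. The sample event, the guess list and the key-file location are constructed for the demonstration. The example also shows why the key matters: the same guess-list attack recovers every field from unkeyed hashes and nothing from keyed ones.

```python
import hashlib
import hmac
import secrets
from pathlib import Path
from typing import Optional

# Fields the policy names as hashed on the client before transmission.
PII_FIELDS = ("file_path", "git_email", "project_name")


def load_or_create_key(path: Path) -> bytes:
    """Create a random 32-byte key on first run and keep it only in a local file.

    The key is never sent anywhere. Losing this file means stored hashes can no
    longer be matched against fresh values, which is the loss mode the policy describes.
    """
    if path.exists():
        return path.read_bytes()
    key = secrets.token_bytes(32)
    path.write_bytes(key)
    path.chmod(0o600)  # owner-readable only
    return key


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, shown only to demonstrate why it is not enough on its own."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(key: bytes, value: str) -> str:
    """HMAC-SHA256 under the local key (assumed construction, see the lead-in)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def scrub_event(event: dict, key: bytes) -> dict:
    """Return a copy of a tool-call event with each PII field replaced by its keyed hash.

    Non-PII metadata (tool name, status, sizes) passes through unchanged.
    """
    scrubbed = dict(event)
    for field in PII_FIELDS:
        if scrubbed.get(field) is not None:
            scrubbed[field] = keyed_hash(key, str(scrubbed[field]))
    return scrubbed


def dictionary_attack(received: dict, guesses: list, key: Optional[bytes] = None) -> dict:
    """What a party holding the received hashes can do: hash every guess the same
    way and look for matches. Without the key it can only try unkeyed SHA-256."""
    table = {}
    for guess in guesses:
        digest = keyed_hash(key, guess) if key is not None else unkeyed_hash(guess)
        table[digest] = guess
    return {field: table[digest] for field, digest in received.items() if digest in table}


# Constructed sample event and guess list (not real data).
SAMPLE_EVENT = {
    "tool": "Edit",
    "status": "success",
    "file_path": "/home/alice/proj/src/index.ts",
    "git_email": "alice@example.com",
    "project_name": "proj",
    "input_bytes": 412,
}
GUESSES = [
    "alice@example.com", "bob@example.com", "proj",
    "/home/alice/proj/src/index.ts", "README.md",
]


def compare(key: Optional[bytes] = None) -> dict:
    """Hash the PII fields both ways and run the guess-list attack against each."""
    if key is None:
        key = secrets.token_bytes(32)
    pii = {f: SAMPLE_EVENT[f] for f in PII_FIELDS}
    unkeyed = {f: unkeyed_hash(v) for f, v in pii.items()}
    keyed = {f: keyed_hash(key, v) for f, v in pii.items()}
    return {
        "unkeyed_recovered": dictionary_attack(unkeyed, GUESSES),
        "keyed_recovered": dictionary_attack(keyed, GUESSES),  # attacker has no key
        "keyed_recovered_with_key": dictionary_attack(keyed, GUESSES, key),
    }


if __name__ == "__main__":
    import tempfile

    key_file = Path(tempfile.mkdtemp()) / "demo.key"  # hypothetical key location
    local_key = load_or_create_key(key_file)
    print(scrub_event(SAMPLE_EVENT, local_key))
    for name, found in compare(local_key).items():
        print(f"{name}: {found}")
```

Running the script prints the scrubbed event and the three attack results: the unkeyed hashes give up all three fields to a five-entry guess list, the keyed hashes give up none unless the attacker also holds the key.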
8. Data Regions & International Transfers
Rulecatch™ maintains completely isolated infrastructure in two regions:
- United States: US-East (Virginia)
- European Union: EU-West (Frankfurt, Germany)
Your data is stored and processed exclusively in the region you selected during registration. US infrastructure cannot access EU data and vice versa. This isolation is enforced at the network and database level.
Where third-party subprocessors operate outside your selected region, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Third-Party Processors
We use the following subprocessors, all bound by Data Processing Agreements (DPAs):
- MongoDB Atlas: Database hosting. Data stored in your selected region (US-East or EU-Frankfurt).
- Stripe, Inc.: Payment processing. Subject to Stripe's privacy policy. PCI DSS Level 1 certified.
- Twilio SendGrid: Transactional email delivery (verification emails, alerts, billing notifications).
10. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the GDPR or the corresponding UK and Swiss data protection laws:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
- Right to Restrict Processing (Art. 18): Request that we limit how we use your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority.
To exercise any of these rights, email privacy@rulecatch.ai. We will respond within 30 days.
11. Your Rights Under CCPA/CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: You may request what personal information we collect, use, disclose, and sell.
- Right to Delete: You may request deletion of personal information we have collected.
- Right to Opt-Out of Sale: We do not sell personal information to third parties. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise your CCPA/CPRA rights, email privacy@rulecatch.ai.
12. Cookies & Analytics
Rulecatch™ uses minimal cookies and tracking:
- Authentication Cookies: Session cookies required for login and maintaining your authenticated state on the dashboard. These are strictly necessary and cannot be disabled.
- Analytics: We use Rybbit, a privacy-focused analytics platform. Rybbit does not use tracking cookies, does not fingerprint users, and does not collect personal data. Analytics data is aggregated and cannot identify individual users.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.
13. Children's Privacy
Rulecatch™ is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us at privacy@rulecatch.ai and we will promptly delete such information.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay (GDPR Article 34).
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice by email to the address associated with your account. The “Last updated” date at the top of this policy indicates when it was most recently revised. Continued use of the service after the effective date of a revised policy constitutes acceptance.
16. Contact
For privacy-related inquiries, data subject requests, or complaints:
- Privacy: privacy@rulecatch.ai
- Legal: legal@rulecatch.ai
Rulecatch AI™
417 Florence St.
Mamaroneck, NY 10543
United States