1. Overview
RGL8R Inc. (“RGL8R,” “we,” “us”) operates the RGL8R compliance platform, including the marketing site at rgl8r.com, the product dashboard, and the REST API. This Privacy Policy describes how we collect, use, store, and protect information when you interact with our services.
This policy applies to all users of the RGL8R platform, including authenticated customers, guest audit users, and visitors to our website.
2. Data We Collect
Account Data: Organization name, contact name, email address, and account configuration provided during onboarding or self-serve signup.
Operational Data: API request logs, job processing metadata, authentication events, and system health telemetry. Used for security monitoring, debugging, and service reliability.
Workflow Data: Files and records uploaded to or generated by the platform, including shipment CSVs, product catalogs, order files, classification results, SIMA screening outcomes, compliance findings, dispute records, and compliance reports.
Billing Data: Stripe customer identifiers, invoice records, and payment method metadata (card type and last four digits). Full card numbers are never stored by RGL8R.
Guest Audit Data: For unauthenticated discovery audits — email address (hashed for abuse controls; raw email stored encrypted only with explicit follow-up consent), uploaded files, and processing results. Guest data is session-scoped and subject to retention limits.
Website Data: Information submitted through contact forms (processed by Formspree), including email address and message content.
3. How We Use Data
- Service delivery: Processing uploads, generating classifications and findings, running compliance checks, managing disputes, and producing reports.
- Billing: Calculating fees based on realized carrier credits (SHIP) and SKU volume (TRADE), generating invoices, and processing payments through Stripe.
- Security operations: Monitoring for unauthorized access, enforcing rate limits, validating authentication tokens, and maintaining audit trails.
- Product improvement: Using aggregated, anonymized data to improve detection accuracy, classification models, and platform performance. No individual Customer or data subject can be identified from aggregated data.
- Legal compliance: Responding to lawful requests from regulatory authorities or courts of competent jurisdiction.
- Communications: Sending transactional emails related to account activity, billing, and service notifications. We do not send marketing emails without explicit opt-in.
4. Tenant Isolation
RGL8R enforces strict multi-tenant isolation at the database layer:
- PostgreSQL row-level security (RLS) policies are applied to every tenant-scoped table, with FORCE RLS enabled.
- Every API request is bound to an authenticated tenant context. Cross-tenant data access is architecturally prevented.
- Integration keys are cryptographically scoped to their issuing tenant. Key secrets are hashed after the initial one-time reveal and cannot be recovered.
- Administrative operations are restricted to explicitly allowlisted organization IDs.
5. Subprocessors
RGL8R uses the following third-party services to deliver the platform:
| Subprocessor | Purpose |
|---|---|
| Render | Application hosting and PostgreSQL database |
| Clerk | User authentication and organization management |
| Stripe | Payment processing and billing (PCI DSS compliant) |
| Resend | Transactional email delivery |
| Formspree | Contact form processing |
We evaluate subprocessors for security practices and data handling before engagement.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Workflow Data | Contract duration + 30-day export window |
| Operational Logs | 90-day rolling window |
| Billing Records | 7 years (tax and regulatory requirements) |
| Guest Audit Data | Deleted after session expiry (default 7 days) |
| Signup Session Data | Purged after session completion or expiry |
7. Data Subject Rights
Customers and authorized users may exercise the following rights, subject to applicable law:
- Access: Request a copy of personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of personal data, subject to legal retention requirements and active contractual obligations.
- Export: Export Workflow Data via the API or dashboard export features at any time during the agreement term.
- Objection: Object to specific processing activities where we rely on legitimate interest as the legal basis.
We respond to data subject requests within 30 days. Requests should be directed to privacy@rgl8r.com.
8. International Transfers
RGL8R infrastructure is hosted in North America. All platform data is processed and stored within North American data centers.
Where personal data originates from jurisdictions requiring additional transfer safeguards (e.g., the European Economic Area), we rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by applicable law.
9. Security Measures
RGL8R implements the following security controls to protect platform data:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest via infrastructure provider controls
- RS256 JWT authentication with short-lived tokens
- Row-level security (RLS) on every tenant-scoped database table
- Integration key secrets hashed after one-time reveal
- Webhook HMAC signature verification for callback integrity
- API input validation, parameterized queries, and file upload verification
- Immutable audit trail for compliance-relevant events
For more detail on our security architecture, see our Security page.
10. Cookies and Tracking
RGL8R uses Plausible Analytics, a privacy-focused analytics service, on the marketing site, product dashboard, and public documentation site. Plausible provides aggregated usage metrics and is configured without advertising or cross-site tracking.
- Session cookies: Used for authentication session management only.
- Privacy-focused analytics: Plausible analytics scripts are used for aggregate traffic measurement. We do not use advertising pixels or social media trackers.
- No cross-site ad tracking: We do not run third-party ad attribution tags across the platform.
If we materially change analytics or tracking practices in the future, this policy will be updated with at least 30 days' notice.
11. Changes and Contact
RGL8R may update this Privacy Policy from time to time. We will provide at least 30 days' advance notice of material changes via email to the account contact on file.
Continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.
Privacy questions: privacy@rgl8r.com
Legal questions: legal@rgl8r.com
Security concerns: security@rgl8r.com