Privacy Policy
1. Introduction
Rapid Risk Review ("we," "us," "our," or "RRR") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our vendor risk assessment platform and services (the "Service").
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, password, and organization details when you create an account
- Vendor Assessment Data: URLs of vendors you assess, assessment results, notes, and comments
- Payment Information: Billing details processed through our third-party payment processor (Stripe)
- Communications: Messages you send us through contact forms or email
2.2 Automatically Collected Information
- Usage Data: Information about how you interact with our Service, including pages visited, features used, and assessment activity
- Device Information: IP address, browser type, operating system, and device identifiers
- Cookies and Tracking: We use cookies and similar technologies to enhance your experience and analyze usage patterns
2.3 Information from Third Parties
- Vendor Data: Publicly available information about vendors collected through web scraping and analysis
- Authentication Providers: Information from Google or other OAuth providers if you use social sign-in
Web Scraping Disclaimer: We collect publicly available or authorized data only and respect robots.txt and applicable terms. We do not intentionally access restricted or confidential information.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our vendor risk assessment Service
- Process and complete vendor risk analyses using AI-powered tools
- Manage your account and provide customer support
- Send you technical notices, updates, and administrative messages
- Respond to your comments, questions, and requests
- Monitor and analyze trends, usage, and activities
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our Terms of Service
- Send marketing communications (with your consent, where required)
AI Processing Transparency: We use artificial intelligence and automated systems to analyze publicly available vendor information. We do not use personal data to train external AI models.
Legal Basis for Processing (GDPR): We process data under the legal bases of contract performance, legitimate interest, and consent where applicable.
4. How We Share Your Information
4.1 Service Providers
We work with third-party service providers to operate our Service:
- Supabase: Database and authentication infrastructure
- OpenAI: AI-powered risk analysis (vendor data only, not personal information)
- Firecrawl: Web scraping and data extraction
- Stripe: Payment processing
- Google reCAPTCHA: Bot protection and fraud prevention
- Resend: Transactional email delivery
- PDFShift: PDF report generation
- Trigger.dev: Background job processing for risk analysis
- Lovable.dev: Development platform and infrastructure services
- GitHub: Code hosting, version control, and CI/CD infrastructure
4.2 Within Your Organization
Assessment data may be visible to other users within your organization based on your subscription plan and permissions.
4.3 Public Sharing
If you choose to make a risk assessment report public, it will be accessible to anyone with the link. Public reports display your name and email address as the report creator; you can revoke public access at any time. We disclaim liability for third-party access or redistribution once a report has been made public.
4.4 Legal Requirements
We may disclose your information if required by law or in response to valid legal requests, such as court orders or subpoenas.
4.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify users before any personal information becomes subject to a materially different privacy policy.
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using HTTPS/TLS
- Encryption of sensitive data at rest
- Regular security assessments and monitoring
- Access controls and authentication mechanisms
- Employee training on data protection and privacy
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
Breach Notification: In the event of a confirmed security incident affecting your personal information, we commit to notifying affected customers within 72 hours via email. Notifications will include: the nature of the incident, categories of data affected, remediation steps taken, and recommended protective actions. This commitment meets or exceeds requirements under GDPR (Article 33/34) and CCPA regulations.
6. Data Retention
We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this Privacy Policy. We will retain and use your information to comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we will delete or anonymize your personal information, except where we are required to retain it by law.
Retention Timeline: Inactive accounts are deleted or anonymized after 24 months unless required for legal or accounting purposes.
7. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Objection: Object to our processing of your personal information
- Portability: Request transfer of your data to another service
- Withdraw Consent: Withdraw consent where processing is based on consent
To exercise these rights, please contact us at privacy@rrr.dev.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are files with small amounts of data that are sent to your browser and stored on your device.
Types of cookies we use:
- Essential Cookies: Required for the Service to function properly
- Analytics Cookies: Help us understand how users interact with our Service
- Preference Cookies: Remember your settings and preferences
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
9. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
10. International Data Transfers
Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.
GDPR Compliance: Where data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure adequate protection.
10.1 Data Processing Agreement (DPA)
For customers who require a Data Processing Agreement (DPA) to comply with GDPR or other data protection regulations, we offer a standard DPA that covers:
- Scope and nature of data processing activities
- Subject matter and duration of processing
- Types of personal data and categories of data subjects
- Security measures and technical safeguards
- Sub-processor management and notification requirements
- Data subject rights and incident notification procedures
- Standard Contractual Clauses for international transfers
Access DPA: Business and Enterprise customers can view our standard DPA at rrr.dev/dpa or download the PDF. For customized agreements, contact legal@rrr.dev. For more information about our security practices, visit our Trust & Security Center.
11. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising your privacy rights
Do Not Sell or Share: We do not sell or share personal information for cross-context behavioral advertising.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us:
Rapid Risk Review
Email: privacy@rrr.dev
General Inquiries: contact@rrr.dev