Privacy Policy
1. Introduction
Rapid Risk Review ("we," "us," "our," or "RRR") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our vendor risk assessment platform and services (the "Service").
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, password, and organization details when you create an account
- Vendor Assessment Data: URLs of vendors you assess, assessment results, notes, and comments
- Payment Information: Billing details processed through our third-party payment processor (Stripe)
- Communications: Messages you send us through contact forms or email
2.2 Automatically Collected Information
- Usage Data: Information about how you interact with our Service, including pages visited, features used, and assessment activity
- Device Information: IP address, browser type, operating system, and device identifiers
- Cookies and Tracking: We use cookies and similar technologies to enhance your experience and analyze usage patterns
2.3 Information from Third Parties
- Vendor Data: Publicly available information about vendors collected through web scraping and analysis
- Authentication Providers: Information from Google or other OAuth providers if you use social sign-in
Web Scraping Disclaimer: We collect publicly available or authorized data only and respect robots.txt and applicable terms. We do not intentionally access restricted or confidential information.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our vendor risk assessment Service
- Process and complete vendor risk analyses using AI-powered tools
- Manage your account and provide customer support
- Send you technical notices, updates, and administrative messages
- Respond to your comments, questions, and requests
- Monitor and analyze trends, usage, and activities
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our Terms of Service
- Send marketing communications (with your consent, where required)
AI Processing Transparency: We use artificial intelligence and automated systems to analyze publicly available vendor information. We do not use personal data to train external AI models.
Legal Basis for Processing (GDPR): We process data under the legal bases of contract performance, legitimate interest, and consent where applicable.
4. How We Share Your Information
4.1 Service Providers
We work with third-party service providers to operate our Service:
- Supabase: Database and authentication infrastructure
- OpenAI: AI-powered risk analysis (vendor data only, not personal information)
- Firecrawl: Web scraping and data extraction
- Stripe: Payment processing
- Google reCAPTCHA: Bot protection and fraud prevention
- Resend: Transactional email delivery
- PDFShift: PDF report generation
- Trigger.dev: Background job processing for risk analysis
- Lovable.dev: Development platform and infrastructure services
- GitHub: Code hosting, version control, and CI/CD infrastructure
- PostHog: Product analytics, session recording, and user experience optimization
4.2 Within Your Organization
Assessment data may be visible to other users within your organization based on your subscription plan and permissions.
4.3 Public Sharing
If you choose to make a risk assessment report public, it will be accessible to anyone with the link. Public reports display your name and email address as the report creator. You can revoke public access at any time; however, we disclaim liability for third-party access to, or redistribution of, a report once it has been made public.
4.4 Legal Requirements
We may disclose your information if required by law or in response to valid legal requests, such as court orders or subpoenas.
4.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify users before any personal information becomes subject to a materially different privacy policy.
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using HTTPS/TLS
- Encryption of sensitive data at rest
- Regular security assessments and monitoring
- Access controls and authentication mechanisms
- Employee training on data protection and privacy
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
Breach Notification: In the event of a confirmed security incident affecting your personal information, we commit to notifying affected customers within 72 hours via email. Notifications will include: the nature of the incident, categories of data affected, remediation steps taken, and recommended protective actions. This commitment meets or exceeds requirements under GDPR (Article 33/34) and CCPA regulations.
6. Data Retention
We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this Privacy Policy. We will retain and use your information to comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we will delete or anonymize your personal information, except where we are required to retain it by law.
Retention Timeline: Inactive accounts are deleted or anonymized after 24 months unless required for legal or accounting purposes.
7. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Objection: Object to our processing of your personal information
- Portability: Request transfer of your data to another service
- Withdraw Consent: Withdraw consent where processing is based on consent
To exercise these rights, please contact us at privacy@rrr.dev.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are files with small amounts of data that are sent to your browser and stored on your device.
Types of cookies we use:
- Essential Cookies: Required for the Service to function properly
- Analytics Cookies: Help us understand how users interact with our Service
- Preference Cookies: Remember your settings and preferences
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
9. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
10. International Data Transfers
Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.
GDPR Compliance: Where data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure adequate protection.
10.1 Data Processing Agreement (DPA)
For customers who require a Data Processing Agreement (DPA) to comply with GDPR or other data protection regulations, we offer a standard DPA that covers:
- Scope and nature of data processing activities
- Subject matter and duration of processing
- Types of personal data and categories of data subjects
- Security measures and technical safeguards
- Sub-processor management and notification requirements
- Data subject rights and incident notification procedures
- Standard Contractual Clauses for international transfers
Access DPA: Business and Enterprise customers can view our standard DPA at rrr.dev/dpa or download the PDF. For customized agreements, contact legal@rrr.dev. For more information about our security practices, visit our Trust & Security Center.
11. Browser Extension – Public Edition
This section covers the public edition of the RRR browser extension, distributed via the Chrome Web Store, the Microsoft Edge Add-ons store, and Mozilla AMO. The enterprise edition (self-hosted MDM) is governed by the customer's own Data Processing Agreement.
What the extension is
The RRR browser extension is Account-Aware DLP for AI tools. It helps people who use generative-AI chat tools (ChatGPT, Claude, Gemini, Copilot, Perplexity, and similar) tell at a glance whether they are signed in with a personal or corporate account, and warns them locally before they paste personally identifiable information into an AI prompt.
What data leaves your device
Almost nothing. The complete list:
- The domain of the AI site you are looking at (e.g. chat.openai.com) is sent to plugin-lookup when you click the popup, or up to once every 12 hours per visited AI domain, to fetch its public risk score.
- The domain part only of the corporate email of an OAuth-linked account (e.g. acme.com, never alice.smith@acme.com) is sent once after you opt in to the optional Sign-in flow, to associate the device with your organization.
- An OAuth refresh token (if you signed in) is exchanged with the OAuth provider you chose (Google or Microsoft), never with RRR.
That is the complete list of network egress in the public edition.
What data never leaves your device
- Prompt text. When the local PII matcher fires inside an AI prompt input, the warning is rendered locally; the prompt itself is never transmitted.
- Clipboard content. When the optional clipboard guard fires, the warning is rendered locally; the clipboard content itself is never transmitted.
- AI response content. The public edition does not read AI tool responses at all.
- Page content of any non-AI website. The content script only runs on the curated AI host list.
- File uploads, DNS queries, downloads, installed extensions, browser history, bookmarks. The public edition does not request the matching browser permissions and cannot access any of these.
Local PII matching
The local PII matcher uses regular expressions running inside the content script to detect emails, phone numbers, credit-card-like numbers, government IDs, and high-entropy secrets. If a match fires, the matcher renders a warning overlay on the page. No part of the matched content is sent to RRR or any third party. The fact that a match occurred is not transmitted either.
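As an added illustration (this is not the extension's own code), the following JavaScript shows a content-script PII matcher of the kind described: regular expressions for emails, phone numbers, a government-ID shape, credit-card-like numbers confirmed with a Luhn check, and high-entropy tokens confirmed with a Shannon-entropy threshold. The function returns only category names, never the matched text, so nothing sensitive exists to be transmitted. The entropy threshold, the minimum token length and the single SSN-style ID pattern are assumptions for the example; the sample prompts in the comments are constructed.

```javascript
// Added example, not the RRR extension's own code. Runs entirely inside the content
// script; its only output is a list of category names (never the matched text).

const SECRET_ENTROPY_BITS = 3.5; // assumption: tuning value, bits per character

const RE = {
  email: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/,
  phone: /(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)/,
  // One illustrative government-ID shape (US SSN style); assumption for the example.
  government_id: /\b\d{3}-\d{2}-\d{4}\b/,
  // 13-19 digits with optional spaces or dashes; confirmed with Luhn below.
  credit_card: /\b(?:\d[ -]?){12,18}\d\b/g,
  // Runs of 20+ token characters; confirmed by entropy so ordinary words do not fire.
  secret: /(?<![A-Za-z0-9])[A-Za-z0-9_\-+\/=]{20,}(?![A-Za-z0-9])/g,
};

// Luhn checksum over a digit string: true for a well-formed card-like number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Shannon entropy in bits per character; random-looking secrets score high,
// dictionary words (even 20+ characters long) score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns the sorted list of PII categories found in a prompt. The matched
// substrings are discarded here and never leave this function.
function scanPrompt(text) {
  const found = new Set();
  if (RE.email.test(text)) found.add("email");
  if (RE.phone.test(text)) found.add("phone");
  if (RE.government_id.test(text)) found.add("government_id");
  for (const m of text.matchAll(RE.credit_card)) {
    if (luhnValid(m[0].replace(/\D/g, ""))) { found.add("credit_card"); break; }
  }
  for (const m of text.matchAll(RE.secret)) {
    if (shannonEntropy(m[0]) >= SECRET_ENTROPY_BITS) { found.add("secret"); break; }
  }
  return [...found].sort();
}

// Local-only warning: appends an overlay to the page when a DOM is available.
// Only the category names reach the UI; no network call is made anywhere here.
function renderWarning(categories, doc = globalThis.document) {
  if (!doc || categories.length === 0) return null;
  const box = doc.createElement("div");
  box.textContent = `Possible ${categories.join(", ")} in this prompt. Nothing was sent.`;
  doc.body.appendChild(box);
  return box;
}

// Constructed sample prompts (not real data):
// scanPrompt("Summarise this email from alice.smith@acme.com")   -> ["email"]
// scanPrompt("Charge card 4111 1111 1111 1111 today")            -> ["credit_card"]
// scanPrompt("Charge card 4111 1111 1111 1112 today")            -> []  (fails Luhn)
// scanPrompt("Explain internationalization of the docs")        -> []  (long word, low entropy)
```

The two confirmation steps are what keep the overlay usable: a bare 16-digit regex fires on order numbers and timestamps, and a bare "long token" regex fires on every long word, so each raw match is re-checked (Luhn, entropy) before a category is reported.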
Personal vs corporate session detection
The popup shows a coloured badge telling you whether the AI tool you are looking at is currently signed in with a personal or corporate account. To do this, the content script reads the visible "signed in as" indicator from the AI site's own UI, splits on @, keeps only the domain part, and compares it against your organization's domain list (which is fetched once at sign-in and cached locally). The local part of any email (alice.smith in alice.smith@acme.com) is discarded before the comparison, never written to storage, and never transmitted.
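As an added illustration (not the extension's own code), the following JavaScript shows the domain-only comparison described above. The indicator text is assumed to have already been read from the AI site's DOM, and the organization domain list is assumed to be the locally cached copy; the sample indicator strings are constructed. Matching subdomains of an organization domain (mail.acme.com under acme.com) is an assumption the example adds, and it also shows why a plain suffix test is not enough.

```javascript
// Added example, not the RRR extension's own code: classify a session from the
// "signed in as" indicator without ever retaining the local part of the email.

// The capture group is the only thing kept: the local part matches but is dropped.
const EMAIL_RE = /[^\s@<>()[\]:;,"']+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})/;

// Returns the lower-cased domain of the first email-like token, or null.
// The original string is not stored and the local part never leaves this function.
function extractDomain(indicatorText) {
  const m = EMAIL_RE.exec(indicatorText);
  if (!m) return null;
  return m[1].toLowerCase().replace(/\.$/, "");
}

// Exact match or a dotted subdomain of an organization domain (assumption).
// endsWith("acme.com") alone would also accept "evil-acme.com", so the dot is required.
function isCorporateDomain(domain, orgDomains) {
  return orgDomains.some((org) => {
    const o = org.toLowerCase();
    return domain === o || domain.endsWith("." + o);
  });
}

// "corporate", "personal" or "unknown" (no signed-in indicator found).
function classifySession(indicatorText, orgDomains) {
  const domain = extractDomain(indicatorText);
  if (domain === null) return "unknown";
  return isCorporateDomain(domain, orgDomains) ? "corporate" : "personal";
}

// Constructed inputs (not real accounts):
// classifySession("Signed in as alice.smith@acme.com", ["acme.com"]) -> "corporate"
// classifySession("Signed in as bob@gmail.com", ["acme.com"])        -> "personal"
// classifySession("Not signed in", ["acme.com"])                     -> "unknown"
```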
OAuth sign-in (optional)
If you choose "Sign in with Google" or "Sign in with Microsoft" from the popup, the extension uses chrome.identity.launchWebAuthFlow to run a standard OAuth flow with the provider you chose. The scopes requested are limited to openid email profile. We never call chrome.identity.getAuthToken and we never request Google Workspace, Microsoft Graph, contacts, drive, calendar, or mail scopes.
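As an added illustration (not the extension's own code), the following JavaScript shows the shape of that sign-in: the scope list is fixed to openid email profile and enforced in code, a state value is carried through the redirect and checked on return, and the browser entry point uses chrome.identity.launchWebAuthFlow rather than getAuthToken. The authorize endpoints are the providers' public URLs; the client IDs are placeholders, the PKCE/code exchange that follows is not shown, and the redirect URL in the comments is constructed. Everything outside startSignIn is pure and runs without a browser.

```javascript
// Added example, not the RRR extension's own code: a sign-in request limited to the
// three identity scopes, with a state check on the redirect.

const ALLOWED_SCOPES = ["openid", "email", "profile"];

const PROVIDERS = {
  google: {
    authorize: "https://accounts.google.com/o/oauth2/v2/auth",
    clientId: "PLACEHOLDER-GOOGLE-CLIENT-ID", // assumption: placeholder
  },
  microsoft: {
    authorize: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    clientId: "PLACEHOLDER-MICROSOFT-CLIENT-ID", // assumption: placeholder
  },
};

// Refuses anything beyond openid email profile, so Drive, Graph, mail or contacts
// scopes cannot be added without failing here.
function assertAllowedScopes(scopes) {
  const extra = scopes.filter((s) => !ALLOWED_SCOPES.includes(s));
  if (extra.length > 0) throw new Error(`scope not permitted: ${extra.join(" ")}`);
  return scopes.join(" ");
}

// Builds the provider's authorization URL for an authorization-code request.
function buildAuthUrl(providerName, state, redirectUri, scopes = ALLOWED_SCOPES) {
  const p = PROVIDERS[providerName];
  if (!p) throw new Error(`unknown provider: ${providerName}`);
  const u = new URL(p.authorize);
  u.searchParams.set("client_id", p.clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("scope", assertAllowedScopes(scopes));
  u.searchParams.set("state", state);
  return u.toString();
}

// The provider redirects to redirectUri?code=...&state=... ; a redirect whose state
// does not match the one we generated is rejected, and provider errors are surfaced.
function parseRedirect(redirectUrl, expectedState) {
  const q = new URL(redirectUrl).searchParams;
  if (q.get("error")) throw new Error(`provider error: ${q.get("error")}`);
  if (q.get("state") !== expectedState) throw new Error("state mismatch");
  const code = q.get("code");
  if (!code) throw new Error("no authorization code in redirect");
  return code;
}

// 128-bit random state from the platform CSPRNG (available in browsers).
function newState() {
  const c = globalThis.crypto;
  if (!c || !c.getRandomValues) throw new Error("no CSPRNG available");
  const bytes = new Uint8Array(16);
  c.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Browser-only entry point: launchWebAuthFlow, never getAuthToken. The returned
// code is then exchanged with the provider (not shown), never with RRR.
async function startSignIn(providerName) {
  const chromeApi = globalThis.chrome;
  if (!chromeApi || !chromeApi.identity) throw new Error("chrome.identity unavailable");
  const state = newState();
  const redirectUri = chromeApi.identity.getRedirectURL();
  const redirect = await chromeApi.identity.launchWebAuthFlow({
    url: buildAuthUrl(providerName, state, redirectUri),
    interactive: true,
  });
  return parseRedirect(redirect, state);
}

// Constructed redirect (not a real response):
// parseRedirect("https://example.chromiumapp.org/?code=4%2FxyZ&state=abc123", "abc123") -> "4/xyZ"
```

The state check matters because launchWebAuthFlow hands back whatever URL the provider redirected to; without it, a redirect injected by another page could deliver an attacker's authorization code into the extension's session.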
Retention
- Domain-of-AI-site lookups are processed in a stateless edge function and are not associated with any user identifier. Edge function logs are retained for 30 days for reliability monitoring and then deleted.
- The corporate email-domain string (e.g. acme.com) submitted at sign-in is retained for as long as the device is associated with the organization. You can disassociate the device by signing out from the popup; this immediately deletes the device record.
- The OAuth refresh token is retained on your device only.
For privacy questions specific to the browser extension, write to privacy@rrr.dev.
12. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt-out of the sale of personal information
- Right to non-discrimination for exercising your privacy rights
Do Not Sell or Share: We do not sell or share personal information for cross-context behavioral advertising.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us:
Rapid Risk Review
Email: privacy@rrr.dev
General Inquiries: contact@rrr.dev