RUIA

Privacy Policy

Last updated: 27 April 2026 · Effective globally

Ruia Ltd. ("Ruia", "we", "us", "our") provides Ruia, an AI-assisted research workspace. This Privacy Policy explains what personal data and research content we collect, why we collect it, how we use and protect it, and the rights you have over it. It applies to everyone who uses Ruia, anywhere in the world, and is intended to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable privacy laws.

If you do not agree with this Policy, please do not use Ruia.

1. Who we are (Data Controller)

For the purposes of GDPR and UK GDPR, the data controller is Ruia Ltd. For CCPA/CPRA purposes, Ruia is the "business" that determines the purposes and means of processing your personal information. You can reach our privacy team at privacy@ruialabs.com.

2. Data we collect

2.1 Account data

When you create an account we collect your email address, an authentication identifier, optional display name, and a hashed password (or, if you sign in via a third-party provider such as Google, the identifier that provider returns).

2.2 Research content

While using Ruia you may submit research questions, hypotheses, draft text, uploaded papers, annotations, notes, methodology details, deadlines, and other project context (collectively, "Research Content"). Research Content is treated as confidential and is processed only to deliver the workspace functions you invoke.

2.3 Subscription & billing data

If you subscribe to a paid plan, payments are processed by Stripe, Inc. We receive a customer identifier, subscription status, plan, billing period, and invoice metadata, but we do not receive or store full payment card numbers. Stripe is the processor of card data; see Stripe's privacy notice for details.

2.4 Usage and technical data

We collect technical logs necessary to operate and secure the service: IP address, user-agent, request timestamps, and high-level usage events (such as feature-level activity and error states). These logs are retained for up to 30 days for security, debugging, and abuse prevention.

2.5 Third-party integrations you enable

If you connect a reference manager such as Zotero, you provide us with the credentials needed to read your library on your behalf. We store those credentials in encrypted form and use them only for the syncs you explicitly request.

3. How we use your data

  • To provide, maintain, and personalise the Ruia workspace and the responses it generates for you.
  • To authenticate you, secure your account, and prevent fraud and abuse.
  • To process subscriptions, invoices, and refunds via Stripe.
  • To respond to support requests and communicate service-critical updates.
  • To comply with legal obligations.

4. What we never do with your Research Content

  • We do not use your Research Content to train any AI model — ours or anyone else's.
  • We do not index your Research Content for any product feature outside your own workspace.
  • We do not sell, rent, or share your personal information for cross-context behavioural advertising. (CCPA/CPRA: this means we do not "sell" or "share" your personal information as those terms are defined.)
  • We do not disclose your Research Content to third parties except the strictly necessary sub-processors listed below, and only to deliver the service to you.

5. Legal bases (GDPR / UK GDPR)

We rely on the following legal bases under Articles 6 and 9 GDPR / UK GDPR:

  • Contract (Art. 6(1)(b)) — to provide the workspace you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse, and improve reliability, balanced against your rights.
  • Legal obligation (Art. 6(1)(c)) — to retain billing records and respond to lawful requests.
  • Consent (Art. 6(1)(a)) — for optional integrations and any marketing communications, which you can withdraw at any time.

6. Sub-processors

We use carefully chosen sub-processors who act on our written instructions and under data processing agreements that meet GDPR Article 28 requirements:

  • Supabase, Inc. — managed Postgres, authentication, file storage. Hosted in our chosen region.
  • Cloudflare, Inc. — application delivery and edge runtime.
  • Third-party large-language-model providers — model inference for platform functionality. Content sent to these providers is governed by their zero-retention or no-training APIs where available. A current list of LLM sub-processors is available on request at privacy@ruialabs.com.
  • Stripe, Inc. — payment processing and tax compliance.

7. International data transfers

Ruia is operated globally. Where we transfer personal data outside the UK / EEA / your home jurisdiction, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs), the UK Addendum to the SCCs, and (where applicable) the EU–US and UK–US Data Privacy Framework. A copy of the safeguards in place can be requested at privacy@ruialabs.com.

8. Retention

  • Account & Research Content — kept for as long as your account is active.
  • After deletion — Research Content, projects, sessions, papers, and annotations are permanently deleted from our active systems within 30 days, and from encrypted backups within 90 days.
  • Billing records — retained for the period required by tax law (typically 6–10 years depending on jurisdiction).
  • Technical logs — up to 30 days.

9. Your rights

9.1 GDPR & UK GDPR rights

If you are in the EU, EEA, UK, or Switzerland, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure ("right to be forgotten").
  • Restrict or object to processing.
  • Data portability (receive your data in a machine-readable format).
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your supervisory authority — in the UK, the Information Commissioner's Office (ICO); in the EU, your national Data Protection Authority.

9.2 California (CCPA / CPRA) rights

If you are a California resident, you have the right to:

  • Know what personal information we have collected about you and how we use it.
  • Delete your personal information, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Limit use of sensitive personal information (we do not collect sensitive PI as defined by CPRA in the ordinary course of providing Ruia).
  • Opt out of sale or sharing — note that we do not sell or share personal information for cross-context behavioural advertising.
  • Non-discrimination — we will not deny service or charge a different price for exercising any of these rights.

9.3 Other jurisdictions

Where local law (e.g. Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act) grants you similar rights, we honour those rights on the same basis. To exercise any right, email privacy@ruialabs.com from the address associated with your account, or use the in-product Account → Delete account flow. We respond within 30 days (45 days for CCPA requests, extendable as permitted by law).

10. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, row-level security on every database table, principle of least privilege, and continuous monitoring. No system is perfectly secure; we will notify affected users and the relevant supervisory authority of a personal-data breach within 72 hours where required by law.

11. Children

Ruia is intended for researchers and is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data, contact us and we will delete it.

12. Cookies and similar technologies

We use a small number of strictly necessary cookies and local-storage entries to keep you signed in and remember workspace preferences. We do not use third-party advertising or cross-site tracking cookies.

13. Automated decision-making

Ruia generates AI-assisted research outputs, but those outputs are guidance — they do not produce legal or similarly significant effects without your review. Ruia Ltd. does not engage in fully automated decision-making within the meaning of GDPR Article 22 with respect to your personal data.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced in-product and by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current version.

15. Contact

Questions, requests, or complaints? Email privacy@ruialabs.com. EU residents may also contact our EU representative at the same address.

© 2026 RUIA