Privacy Policy

Last updated: February 24, 2026

This Privacy Policy describes how Ragex (“we,” “us,” or “our”), operated by [PLACEHOLDER: Legal entity name, e.g., “Ragex Technologies” or your sole proprietorship name], collects, uses, and shares information when you use our website at useragex.com and its subdomains (the “Website”), our dashboard at app.useragex.com, our API at api.useragex.com, our documentation at docs.useragex.com, and any related services (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address — used for authentication, account notifications, and support communication.
  • Name (optional) — used for personalizing your dashboard experience.
  • Password hash — if you sign up with email and password. We never store your password in plaintext; we use the argon2 hashing algorithm.
  • OAuth profile information — if you sign in via GitHub or Google, we receive your email address, display name, and profile identifier from the respective provider. We do not receive or store your password from these providers.

1.2 Documents and Content You Upload

The core function of Ragex is to process documents you upload. When you upload a document or submit text content to our API, we store:

  • The original file in encrypted-at-rest cloud storage.
  • Parsed text content, text chunks, and vector embeddings derived from your documents (used to power search).
  • Document metadata you provide (file name, custom metadata key-value pairs).

You retain full ownership of all documents and content you upload. We process this content solely to provide the Service to you. See our Terms of Service for details on intellectual property rights.

1.3 Usage and API Data

We automatically collect:

  • API request logs — endpoint called, HTTP method, response status code, response time, timestamp, and authentication type (API key vs. dashboard session). We log these for billing, debugging, and abuse prevention. Request logs are retained for 90 days.
  • Usage metrics — pages processed, search queries executed, storage consumed. Used for plan enforcement and billing.

1.4 Payment Information

Payments are processed by Dodo Payments, our Merchant of Record. When you subscribe to a paid plan, Dodo Payments collects your payment details (credit card number, billing address). We do not store your full credit card number or payment credentials on our servers. We receive from Dodo Payments only:

  • Subscription status (active, cancelled, etc.).
  • Plan type and billing period.
  • Customer and subscription identifiers.

1.5 Cookies and Similar Technologies

We use the following cookies:

  • Authentication cookies (strictly necessary) — httpOnly, secure JWT session cookies on app.useragex.com to keep you signed in to the dashboard. These are essential for the Service to function and cannot be disabled.
  • Cookie consent preference (strictly necessary) — a localStorage entry that records whether you have acknowledged our cookie notice.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies at this time. If we add analytics tools in the future, we will update this policy and present you with a choice before enabling non-essential cookies.

1.6 Server Logs

Our infrastructure providers automatically collect standard server log information, including IP addresses, browser type, referring URL, and request timestamps. This data is used for security monitoring and is retained according to our infrastructure provider’s policies.

2. How We Use Your Information

We use collected information to:

  • Provide the Service — process your documents, generate embeddings, execute search queries, and return results.
  • Manage your account — authenticate you, manage your subscription, enforce usage limits, and communicate about your account.
  • Improve the Service — analyze aggregate usage patterns (not your document content) to improve performance, reliability, and features.
  • Prevent abuse — enforce rate limits, detect fraudulent usage, and protect the security of our systems.
  • Comply with legal obligations — respond to lawful requests from authorities and comply with applicable laws.

We do not sell your personal information. We do not use your uploaded documents or their content to train machine learning models. We do not share your document content with other customers.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Contract performance — processing your account information, documents, and usage data is necessary to provide the Service you have signed up for (Article 6(1)(b) GDPR).
  • Legitimate interests — we process server logs and aggregate usage data for security, fraud prevention, and service improvement, which are our legitimate interests that do not override your rights (Article 6(1)(f) GDPR).
  • Legal obligation — we may process data to comply with applicable laws, regulations, or lawful government requests (Article 6(1)(c) GDPR).
  • Consent — where required (e.g., for any future non-essential cookies or marketing communications), we will obtain your explicit consent before processing (Article 6(1)(a) GDPR).

4. Third-Party Service Providers

We use third-party service providers to operate the Service. These providers process data on our behalf and are contractually obligated to protect your information. We do not sell or share your data with third parties for their own independent purposes.

Categories of processors include:

  • Cloud infrastructure — servers, databases, and file storage. Your documents and data are stored in data centers operated by our cloud infrastructure provider.
  • Document processing — third-party APIs that parse uploaded documents (e.g., extract text from PDFs). These services process document content only to return parsed results and do not retain your documents.
  • AI/ML processing — third-party APIs that generate text embeddings and perform semantic reranking of search results. These services process text content only to return computational results and do not retain your data for training purposes.
  • Payment processing — Dodo Payments acts as our Merchant of Record and processes billing transactions on our behalf.
  • Error monitoring — we use an error tracking service to detect and diagnose software issues. This service may receive anonymized error context but not your document content.
  • OAuth providers — if you sign in via GitHub or Google, those providers share limited profile information with us as described in Section 1.1.

5. Data Storage and Security

5.1 Where We Store Data

Your data is stored on servers located in the Southeast Asia (Singapore) region. If you are accessing the Service from outside this region, your data will be transferred to and processed in Singapore. By using the Service, you consent to this transfer.

5.2 Security Measures

We implement industry-standard security measures, including:

  • Encryption in transit — all data is transmitted over HTTPS/TLS. Our API, dashboard, and documentation sites all enforce HTTPS.
  • Encryption at rest — uploaded documents and database contents are encrypted at rest by our cloud infrastructure provider.
  • API key security — API keys are cryptographically hashed (SHA-256) before storage. We never store plaintext API keys in our database.
  • Password security — passwords are hashed using the argon2 algorithm, which is resistant to brute-force and side-channel attacks.
  • Tenant isolation — all database queries are scoped by account, ensuring that your data is never accessible to other users.
  • Rate limiting — API endpoints are rate-limited per plan to prevent abuse.

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

6. Data Retention

  • Account data — retained for as long as your account is active, plus 30 days after account deletion to allow for recovery.
  • Documents and chunks — retained for as long as your account is active. When you delete a document, its content, chunks, and embeddings are permanently removed within 7 days. When you delete a knowledge base, all associated documents are cascaded and deleted.
  • API request logs — retained for 90 days, then automatically purged.
  • Server/infrastructure logs — retained according to our infrastructure provider’s standard retention policies (typically 30–90 days).
  • Payment records — retained for as long as required by applicable tax and financial regulations (typically 7 years for India).

After the retention period, data is permanently deleted or anonymized so that it can no longer be associated with you.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate personal data.
  • Erasure — request deletion of your personal data (“right to be forgotten”). You can delete your documents through the API or dashboard at any time. To delete your entire account, contact us.
  • Data portability — request your data in a structured, machine-readable format. You can export your documents and search data via the API at any time.
  • Restriction of processing — request that we limit processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at manmeet@useragex.com. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority.

8. International Data Transfers

Our servers are located in Singapore. If you are using the Service from the European Economic Area, United Kingdom, or other regions with data transfer restrictions, please note that your data will be transferred to and processed in Singapore. We rely on the following safeguards for such transfers:

  • Your explicit consent to the transfer when you create an account and use the Service.
  • Contractual obligations with our sub-processors that include data protection commitments equivalent to those required under GDPR.

9. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at manmeet@useragex.com, and we will take steps to delete such information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Notify you via email (for account holders) or a prominent notice on our Website at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, you may also contact our data protection point of contact at the email address above.