Last updated: March 16, 2026

Privacy Policy

This Privacy Policy ("Policy") describes how Rulewize LLC ("Rulewize," "Company," "we," "us," "our"), a New Mexico limited liability company, collects, uses, discloses, retains, and protects information obtained from users ("you," "your") of the Rulewize platform, website located at rulewize.com, all associated subdomains, and any related services (collectively, the "Service").

BY CREATING AN ACCOUNT, ACCESSING, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND CONSENT TO THE COLLECTION, USE, AND PROCESSING OF YOUR INFORMATION AS DESCRIBED IN THIS POLICY. IF YOU DO NOT AGREE WITH THIS POLICY, DO NOT USE THE SERVICE.

This Policy is incorporated into and subject to our Terms of Service. Capitalized terms not defined herein have the meanings set forth in the Terms of Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Registration Data: Full name, email address, password (stored in hashed form), and organizational role when you create an account.
  • Business Profile Data: Legal entity name, doing-business-as name, primary state and additional states of operation, city, industry classification, employee count, pay structure, employee classifications (minors, remote, part-time, seasonal), compensation details (PTO, sick leave, parental leave, pay frequency, insurance offerings), workplace details (physical locations, cash handling, dress codes, background checks, drug testing, cannabis compliance), and policy preferences (at-will employment, discipline, anti-harassment, social media, confidentiality, non-compete, arbitration). This data is provided during onboarding and used to generate content tailored to your business.
  • SOP Interview Data: Questions and answers provided during the Standard Operating Procedures creation wizard, including operational details about your business processes.
  • User-Generated Content: Edits, modifications, and customizations you make to Generated Content through the Service, including handbook sections, SOPs, and custom policies.
  • Payment Information: Billing name, billing address, and payment method details. Credit card numbers and sensitive payment credentials are collected and processed exclusively by our third-party payment processor, Stripe, Inc. Rulewize does not receive, store, or have access to your full credit card number.
  • Communications: Information you provide when contacting customer support, submitting feedback, responding to surveys, or communicating with us through any channel.
  • Custom Branding Data: Company logos, brand colors, and custom footer text uploaded for document export customization.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions taken within the Service, session duration, click patterns, and navigation paths. This data helps us understand how the Service is used and identify areas for improvement.
  • Device and Browser Information: Device type, operating system, browser type and version, screen resolution, language preference, and time zone.
  • Network Information: Internet Protocol (IP) address, internet service provider, and general geographic location (city/region level, not precise location).
  • Log Data: Server logs that record requests made to our Service, including timestamps, request URLs, HTTP status codes, referrer URLs, and error logs. Log data is used for security monitoring, debugging, and performance optimization.
  • Authentication Data: Session tokens, authentication timestamps, login history, and OAuth provider identifiers (e.g., Google account ID if using Google Sign-In).

1.3 Information from Third Parties

  • OAuth Providers: If you sign in using Google or another OAuth provider, we receive your name, email address, and profile picture as authorized by you during the OAuth consent flow. We do not receive your password from OAuth providers.
  • Payment Processor: Stripe provides us with transaction confirmations, subscription status, payment failure notifications, and limited billing information (last four digits of card, card brand, expiration date) necessary for account management.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery

  • To create and manage your account and organizational profile
  • To generate employee handbooks, SOPs, and custom policies tailored to your business
  • To provide AI-driven interview questions and section outlines during SOP creation
  • To monitor publicly available legal sources for employment law changes relevant to your jurisdictions
  • To deliver compliance alerts and impact assessments
  • To enable document export (PDF, DOCX, printable checklist) with custom branding
  • To manage team invitations and multi-user access

2.2 Billing and Transactions

  • To process subscription payments, renewals, upgrades, and cancellations
  • To enforce subscription tier feature limits
  • To send payment confirmations, receipts, and billing failure notifications
  • To detect and prevent fraudulent transactions

2.3 Communications

  • To send transactional emails (account verification, password resets, subscription confirmations)
  • To deliver compliance alert notifications when relevant legal changes are detected
  • To respond to customer support inquiries
  • To send service announcements, maintenance notices, and Terms/Policy updates

2.4 Service Improvement and Analytics

  • To analyze usage patterns and identify feature adoption trends
  • To diagnose and fix technical issues, bugs, and performance problems
  • To develop new features and improve existing functionality
  • To track AI generation costs, token usage, and model performance for optimization
  • To generate anonymized, aggregated statistics about Service usage

2.5 Security and Compliance

  • To detect, prevent, and respond to security threats, fraud, and abuse
  • To enforce our Terms of Service and Acceptable Use policies
  • To comply with applicable legal obligations, court orders, and regulatory requirements
  • To verify admin access and protect administrative functions

3. Legal Bases for Processing

We process your information under the following legal bases, as applicable under the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws:

  • Contractual Necessity: Processing necessary to perform our contract with you (providing the Service, processing payments, managing your account).
  • Consent: Processing based on your explicit consent (e.g., sending your business data to AI providers for content generation, using OAuth sign-in).
  • Legitimate Interests: Processing necessary for our legitimate business interests, including Service improvement, security, fraud prevention, and analytics, provided such interests are not overridden by your data protection rights.
  • Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal process.

4. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

4.1 Third-Party Service Providers

We share data with the following categories of service providers who process data on our behalf under contractual obligations to protect your information:

  • Anthropic (Claude AI): Business profile data, SOP interview responses, and contextual information are transmitted to Anthropic's API to generate handbook content, SOPs, and policy documents. Anthropic has represented that data submitted through their API is not used to train their AI models. However, Rulewize does not control Anthropic's data practices and cannot independently verify this representation. Anthropic's data handling is governed by their own privacy policy and terms of service.
  • Stripe, Inc.: Payment method details and billing information for subscription payment processing. Stripe is PCI DSS Level 1 certified.
  • Supabase, Inc.: All account data, business profiles, Generated Content, and application data is stored in Supabase-hosted PostgreSQL databases. Supabase provides database hosting, authentication services, and real-time data synchronization.
  • Resend: Email addresses and message content for transactional email delivery (account verification, password resets, compliance alerts, billing notifications).
  • Vercel, Inc.: Application hosting and content delivery. Vercel processes HTTP requests including IP addresses, request headers, and URL paths.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in good faith belief that such disclosure is necessary to:

  • Comply with a legal obligation, subpoena, court order, or government request
  • Protect and defend the rights, property, or safety of Rulewize, our users, or the public
  • Detect, prevent, or address fraud, security issues, or technical problems
  • Enforce our Terms of Service

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar business transaction, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your information, as well as any choices you may have regarding your information.

4.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

4.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, analytics, benchmarking, or marketing purposes. This data does not constitute personal information under applicable privacy laws.

5. Data Retention

5.1 Active Accounts. We retain your information for as long as your account is active and as necessary to provide the Service. Business profile data, Generated Content, and usage data are retained throughout the life of your subscription.

5.2 Post-Cancellation. Upon cancellation of your subscription, your account data (including business profiles, Generated Content, SOPs, and custom policies) is retained for thirty (30) calendar days to allow for re-subscription. After this 30-day period, your data is permanently and irreversibly deleted from our production systems.

5.3 Backup Retention. Deleted data may persist in encrypted backup systems for up to an additional ninety (90) days as part of our disaster recovery procedures. Backup data is not accessible for operational purposes and is automatically purged according to backup rotation schedules.

5.4 Legal Holds. We may retain information beyond the standard retention period if required by law, legal proceedings, regulatory requirements, or to resolve disputes.

5.5 AI Generation Logs. Anonymized AI generation logs (token counts, costs, model identifiers, and success/failure status) may be retained indefinitely for analytics and cost tracking purposes. These logs do not contain your business content or personal information.

5.6 Payment Records. Transaction records and billing history are retained for seven (7) years as required by applicable tax and financial regulations.

6. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information. To exercise any of these rights, contact us at privacy@rulewize.com.

6.1 Rights Available to All Users

  • Right to Access: Request a copy of the personal information we hold about you.
  • Right to Correction: Request that we correct inaccurate or incomplete personal information. You can also update most information directly through your account settings.
  • Right to Deletion: Request deletion of your personal information, subject to legal retention requirements. Account deletion can be initiated through account settings or by contacting support.
  • Right to Data Portability: Request your data in a structured, commonly used, machine-readable format (JSON or CSV). You can also export Generated Content via the Service's built-in PDF and DOCX export features.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

6.2 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell personal information. However, if this changes, you will have the right to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information to what is necessary to provide the Service.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization.

Verification: We will verify your identity before fulfilling any rights request by matching information you provide with information we have on file.

6.3 Additional Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:

  • Right to Restriction of Processing: Request that we restrict the processing of your personal information in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.

6.4 Response Timeline

We will acknowledge receipt of your rights request within ten (10) business days and will respond to verified requests within forty-five (45) calendar days. If we require additional time (up to an additional 45 days), we will notify you of the extension and the reason.

7. Cookies and Tracking Technologies

7.1 Essential Cookies. We use strictly essential cookies that are necessary for the operation of the Service. These include authentication session cookies, CSRF protection tokens, and user preference cookies. These cookies cannot be disabled without breaking core Service functionality.

7.2 No Tracking Cookies. We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.

7.3 Analytics. We use privacy-friendly analytics that do not rely on cookies or cross-site tracking. Analytics data is aggregated and does not include personally identifiable information.

7.4 Local Storage. The Service may use browser local storage or session storage for functionality purposes such as saving form progress, user preferences, and editor state. This data remains on your device and is not transmitted to our servers unless you explicitly submit it (e.g., saving a form).

8. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect your information. These measures include:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher).
  • Encryption at Rest: Data stored in our databases is encrypted at rest using AES-256 encryption.
  • Authentication Security: Passwords are hashed using bcrypt with salting. Support for multi-factor authentication (MFA) via OAuth providers. Session tokens are cryptographically generated and expire after periods of inactivity.
  • Access Controls: Row-level security (RLS) policies ensure users can only access their own organization's data. Administrative access requires separate authentication and is limited to authorized personnel.
  • Infrastructure Security: The Service is hosted on SOC 2 Type II compliant infrastructure. Database hosting is provided by Supabase with automatic backups and point-in-time recovery capabilities.
  • Payment Security: Payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. Rulewize systems never process or store full credit card numbers.

Despite these measures, no method of electronic storage or internet transmission is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept the inherent risks of providing information over the internet.

9. International Data Transfers

Your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

If you are located outside the United States, you consent to the transfer of your information to the United States and other jurisdictions as necessary to provide the Service. Where required by applicable law, we rely on appropriate safeguards for international data transfers, including standard contractual clauses or the data recipient's participation in recognized data transfer frameworks.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 18, please contact us at privacy@rulewize.com.

11. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no common industry standard for interpreting DNT signals, the Service does not currently respond to DNT signals. However, as described in Section 7, we do not engage in cross-site tracking of our users.

12. AI-Specific Data Practices

Given the central role of artificial intelligence in the Service, we provide the following additional disclosures regarding AI-related data processing:

12.1 Data Sent to AI Providers. When you use the Service to generate content, the following information is transmitted to our AI provider (currently Anthropic): business profile data (company name, industry, state, employee count, policy preferences), SOP interview questions and answers, previously generated section content (for context continuity), and applicable legal reference data from our knowledge base. Your payment information, password, and email address are never sent to AI providers.

12.2 AI Provider Data Retention. Our AI provider (Anthropic) has represented that API inputs and outputs are not used for model training and are retained for a limited period (typically 30 days) for safety and abuse monitoring before deletion. Rulewize does not control and cannot independently audit these representations.

12.3 AI Generation Logs. We log metadata about each AI generation request, including: token counts (input and output), model identifier, cost, duration, success/failure status, and associated organization and document identifiers. These logs are used for cost tracking, analytics, and Service optimization. Logs do not contain the actual generated content or your business data.

12.4 Content Improvement. We may use anonymized, aggregated patterns derived from usage data (such as which section types are most frequently generated or edited) to improve AI prompts and content quality. We do not use your specific business data, Generated Content, or personal information for this purpose.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last updated" date at the top of this Policy
  • Notify you via email to the address associated with your account at least fifteen (15) days before material changes take effect
  • Display a prominent notice within the Service

Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the revised Policy. If you do not agree to the changes, you must stop using the Service and delete your account.

We encourage you to review this Policy periodically. Prior versions of this Policy are available upon request.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Rulewize LLC — Albuquerque, New Mexico