Back to RumbAI

Privacy Policy

Last updated: March 25, 2026

1. Who we are

RumbAI is an AI-powered employee training platform operated from Catalunya, Spain. Throughout this policy, “we,” “us,” and “our” refer to RumbAI.

For any privacy-related questions, contact us at hello@rumbai.com.

2. Data we collect

We collect only what is necessary to provide and improve the service:

  • Account information — name, email address, and hashed password (or Google OAuth identifier).
  • Organization information — company name, industry, and team member details provided by the account owner.
  • Training data — lesson progress, quiz scores, completion dates, and XP earned.
  • Company documents (optional) — files uploaded for RAG-enhanced content generation. These are stored securely and used only for your organization’s training.
  • Usage data — pages visited, features used, and browser/device information collected automatically.

3. Why we process your data

We process personal data for:

  • Providing and personalizing the training experience (legal basis: contract performance).
  • Generating AI-powered training content tailored to your role and organization (legal basis: contract performance).
  • Sending transactional emails such as invitations, password resets, and training digests (legal basis: contract performance).
  • Improving the platform through aggregated, anonymized analytics (legal basis: legitimate interest).
  • Processing payments when applicable (legal basis: contract performance).

4. Third-party services

We share data with the following processors, all of which maintain appropriate data protection agreements:

  • Supabase (database, authentication, file storage) — data stored in EU-region servers.
  • OpenAI (AI content generation) — training prompts and organization context are sent to generate personalized content. No personal data is used to train OpenAI models.
  • Stripe (payment processing) — billing information is handled directly by Stripe and never stored on our servers.
  • Resend (email delivery) — email addresses are shared to deliver transactional messages.
  • Vercel (hosting) — application hosting and edge delivery.

We do not sell, rent, or trade your personal data to any third party.

5. Data retention

We retain your data for as long as your account is active or as needed to provide the service. When an organization cancels its account, we delete all associated data within 30 days, unless legally required to retain it longer. You can request earlier deletion at any time.

6. Data security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, row-level security on our database, and secure authentication flows. Access to production data is restricted to authorized personnel only.

7. Your rights under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data.
  • Restriction — restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, email us at hello@rumbai.com. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or the Catalan Data Protection Authority (APDCAT).

8. Cookies

We use strictly necessary cookies for authentication session management and locale preferences. We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required as we only use technically essential cookies as defined under EU ePrivacy regulations.

9. International transfers

Some of our processors (OpenAI, Vercel) may process data outside the European Economic Area. In such cases, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For any questions about this privacy policy or our data practices, contact us at hello@rumbai.com.