Privacy Policy

Effective Date: April 18, 2026

1. Introduction

In Plain English:

We respect your privacy. This document outlines exactly what data we collect, how we use it, and how we protect it.

This Privacy Policy describes how RAA, Inc. (“RAA,” “we,” “us,” or “our”) collects, uses, stores, and shares information about you when you use Alyph (the “Service”), accessible at alyph.ai, alyph.app, and related subdomains.

Please read this Privacy Policy carefully. By creating an account, accessing the Service, or otherwise using Alyph, you acknowledge that you have read and understood this Privacy Policy.

2. AI Model Data Handling

In Plain English:

Your private data is safe. We use Enterprise agreements with AI providers so they cannot use your documents or conversations to train their AI models.

Because Alyph is an AI-powered workspace, we maintain strict data boundaries regarding how your content is processed by Large Language Models (LLMs).

  • No Model Training: We access all AI Models (including those from OpenAI, Anthropic, and Google) exclusively through enterprise-tier API agreements. Under these agreements, AI Providers are contractually prohibited from using your inputs, outputs, files, or conversation history to train or fine-tune their models.
  • Content Transmission: When you submit a prompt or file to the Service, the relevant content is securely transmitted to the AI Provider’s API solely for the purpose of generating your requested response.
  • Sandbox Exemption: Content submitted in the public collaborative "Sandbox" is visible to all active Sandbox users. Do not submit sensitive, confidential, or personally identifiable information in the public Sandbox.

3. Information We Collect

In Plain English:

We only collect what we need to run your workspace: your email to log you in, the notes/files you upload, and anonymous usage data to fix bugs.

A. Information You Provide Directly

  • Account Data: Email address, optional full name, and country of residence (required for compliance and data residency configuration).
  • Workspace Content: The text, conversation threads, board structures, and files (images, PDFs, spreadsheets) you upload to the Service.
  • Payment Information: Processed securely via Stripe, Inc. We do not store your full card number or CVV, but we retain transaction records, the last four digits of your card, and billing addresses for accounting purposes.

B. Information Collected Automatically

  • Telemetry & Usage Data: Pages visited, features utilized, session duration, and errors encountered.
  • Technical Information: IP address, browser type, operating system, and time zone.
  • Collaboration Metadata: Cursor positions and view states during live multiplayer collaboration sessions.

4. How We Share Your Information

In Plain English:

We never sell your data. We only share it with the necessary infrastructure partners (like Stripe for payments or Supabase for logging in) to make the app work.

We do not sell your personal information. We disclose information only to the following types of third parties:

  • Service & Infrastructure Providers: Web hosting (Vercel), database and authentication (Supabase), payment processing (Stripe), and bot protection (Cloudflare).
  • AI Providers: As detailed in Section 2, limited dynamically to the content you prompt.
  • Workspace Members: Information, files, and content you submit within a shared workspace are visible to the invited members of that workspace.
  • Legal Obligations: We may disclose information if required to comply with applicable laws, court orders, or lawful government requests.

5. Data Retention & Security

In Plain English:

We keep your data safe using enterprise-grade encryption. If you delete a file or cancel your account, we delete your data from our active servers.

We implement technical, organizational, and physical security measures designed to protect your information, including TLS encryption for data in transit and AES-256 for data at rest.

Retention Periods:

  • Account information is retained as long as your account is active.
  • Uploaded files and board content are retained until deleted by you. Once deleted, artifacts may reside in encrypted backups for up to 90 days before permanent destruction.
  • Payment records are retained for up to 7 years to comply with tax and accounting laws.

6. Your Privacy Rights (GDPR & CCPA)

In Plain English:

If you're in Europe, California, or anywhere else with strict privacy laws, you have the right to ask us for a copy of your data or ask us to delete it entirely.

Depending on your location (including the EEA, UK, Switzerland, California, Colorado, and Virginia), you may possess specific legal rights regarding your personal data:

  • The right to access the personal data we hold about you.
  • The right to request correction of inaccurate data.
  • The right to request deletion of your account and personal data (the "Right to be Forgotten").
  • The right to opt out of marketing communications.
  • The right to data portability (receiving your data in a machine-readable format).

Legal Bases for Processing (EEA/UK): We process data to perform our contract with you (providing the service), to comply with legal obligations, and based on our legitimate business interests (improving the product and preventing fraud).

To exercise any of these rights, please email us directly at hello@alyph.app. We respond to all requests within 30 days.

7. Contact Information

In Plain English:

Have a question? Just email us. We're real people and we read every message.

If you have concerns about this Privacy Policy or your data, please contact the legal entity operating this software:

RAA, Inc.

Privacy & Data Governance Team

Email: hello@alyph.app