Privacy Policy

Last Updated: December 27, 2025

1. Introduction

Raavue ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered business intelligence platform.

This Privacy Policy complies with Saudi Arabia's Personal Data Protection Law (PDPL) and incorporates principles from the General Data Protection Regulation (GDPR) to ensure comprehensive protection of your personal data.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.

2. Data Controller

Raavue is the data controller responsible for your personal data. If you have any questions about this Privacy Policy, please contact us at:

Email: privacy@raavue.com

3. Information We Collect

3.1 Personal Data

  • Identity Data: First name, last name, full name, and email address.
  • Organization Data: Organization name, display name, industry selection (from 20+ industry categories), and team member information.
  • Contact Data: Email address for communications and account management.
  • Technical Data: IP address (collected at signup for fraud prevention and security), browser type, time zone, operating system, and device information.
  • Authentication Data: Password (encrypted), email verification status, and optional two-factor authentication (2FA) tokens stored securely.
  • Profile Data: User preferences including language (English/Arabic), timezone, date format preference, and notification settings.
  • Usage Data: Information about how you use our Service, including login timestamps, report generation activity, and feature usage patterns.
  • Financial Data: Subscription plan information, payment method details (processed securely through Stripe), billing history, and trial status.
  • Team & Collaboration Data: Team member invitations, organization membership, roles, and collaboration activity.
  • Communication Preferences: Email notification settings, marketing email opt-in status, and report notification preferences (managed through Brevo).

3.2 Business Data

When using our Service, you may upload business information for AI-powered analysis including:

  • Business metrics and financial data from CSV, Excel, or PDF files
  • Sales information, revenue data, and performance metrics
  • Industry-specific business intelligence data
  • Custom data for report generation and analysis

Important: Your business data is processed by AI systems (Claude Sonnet 4 and/or GPT-4) to generate reports. We use industry-specific prompts based on your selected industry to provide customized insights.

3.3 AI Processing Data

When generating AI-powered reports, we process:

  • Your uploaded business data files
  • Your selected industry for context-specific analysis
  • Your language preference for report generation
  • Your timezone and date format for proper data formatting
  • Historical report data for improved insights

3.4 Cookies and Tracking

We use cookies and similar tracking technologies for:

  • Session management and authentication
  • User preference storage (language, theme, etc.)
  • Analytics and usage patterns
  • Security and fraud prevention

For more information, see our Cookie Policy.

4. How We Collect Information

  • Direct interactions: When you create an account, subscribe, upload files, configure settings, invite team members, or contact us.
  • Automated technologies: As you interact with our Service, we collect technical data about your equipment, browsing patterns, and usage activity.
  • Third parties: From analytics providers (Vercel Analytics), payment processors (Stripe), authentication services (Supabase Auth), email service providers (Brevo), and AI providers (Anthropic Claude, OpenAI GPT-4).
  • Team invitations: When you are invited to join an organization by another user.

5. How We Use Your Information

  • To register you and create your account with automatic organization assignment
  • To provide and maintain our AI-powered business intelligence Service
  • To personalize your experience based on language, timezone, date format, and industry preferences
  • To generate customized AI reports using industry-specific prompts and your uploaded data
  • To process your business intelligence insights using Claude Sonnet 4 and/or GPT-4
  • To manage team invitations and organization memberships
  • To send you notifications about report completion, team invitations, and account activity
  • To send marketing communications (only if you opt-in via email preferences)
  • To improve our Service, develop new features, and train our AI systems
  • To respond to your requests and questions
  • To send technical notices, security alerts, and password reset emails
  • To process payments through Stripe and manage subscriptions
  • To enforce our terms, prevent fraud, and comply with legal obligations
  • To track usage for anti-fraud protection (including IP address monitoring)
  • To provide two-factor authentication (2FA) security features
  • To enable data export functionality for user data portability

Legal Basis for Processing

  • Consent: Where you have given clear consent (e.g., marketing emails, optional features)
  • Contract Performance: Where necessary to perform our contract with you (e.g., providing AI reports, managing your account)
  • Legitimate Interests: For our legitimate business interests (e.g., fraud prevention, service improvement, analytics)
  • Legal Obligation: Where required by law (e.g., tax compliance, law enforcement requests)

6. Information Sharing and Third-Party Services

We may share your data with:

  • AI Service Providers: Anthropic (Claude Sonnet 4) and OpenAI (GPT-4) for generating AI-powered business intelligence reports. Your business data and preferences are sent to these providers for processing.
  • Payment Processors: Stripe for secure payment processing and subscription management. Stripe receives your payment information and subscription details.
  • Email Service Provider: Brevo (formerly Sendinblue) for sending transactional emails, notifications, team invitations, and marketing communications (if opted-in). Brevo stores your email address, name, and communication preferences.
  • Authentication Provider: Supabase for user authentication, 2FA management, and database services. Supabase stores your account credentials and profile data.
  • Cloud Storage: Supabase Storage for secure file uploads and storage of your business data files.
  • Analytics Providers: Vercel Analytics for usage statistics and performance monitoring.
  • Hosting Services: Vercel for application hosting and deployment.
  • Business Transfers: In connection with mergers, acquisitions, or asset sales.
  • Legal Compliance: Law enforcement, regulators, or courts where required by law.
  • Team Members: With other members of your organization for collaboration features.
  • With Your Consent: Based on your explicit consent for specific purposes.

Third-Party Data Processing

All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify. They are required to maintain appropriate security measures.

International Transfers

We may transfer data outside Saudi Arabia to our service providers in the United States and European Union (including Anthropic, OpenAI, Stripe, Brevo, Supabase, and Vercel). We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by relevant authorities
  • Adequacy decisions where applicable
  • Technical measures including encryption and secure data transfer protocols

7. Data Security

We implement comprehensive technical and organizational measures to protect your data:

  • Encryption: All data is encrypted in transit using TLS/SSL and at rest in our databases
  • Authentication: Secure password hashing and optional two-factor authentication (2FA) using TOTP
  • Access Controls: Row-level security (RLS) policies ensure users can only access their own data
  • Infrastructure Security: Enterprise-grade security from Supabase and Vercel
  • Fraud Prevention: IP address tracking at signup to prevent abuse and multiple trial accounts
  • Regular Security Audits: Continuous monitoring and security updates

However, no internet transmission or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Data Retention

We retain your data only as long as necessary to fulfill the purposes for which we collected it. Retention periods vary based on data type and your subscription status:

8.1 Trial Account Data Retention

  • Day 0-7: Active trial period - all data retained
  • Day 7-10: Grace period - all data retained, notifications sent
  • Day 11+: If not subscribed, ALL data permanently and irreversibly deleted:
    • Account information (name, email, profile)
    • All uploaded files (CSV, Excel, PDF)
    • All generated reports and AI insights
    • Organization and team data
    • Usage history and preferences
    • Authentication credentials

Important: Trial account data deletion is automatic and cannot be undone. You must subscribe by day 10 to prevent data loss.

8.2 Paid Subscription Data Retention

For active paying customers, data retention varies by subscription tier:

  • Starter Plan (5 team members):
    • Uploaded files: Automatically deleted after 30 days from upload
    • Generated reports: Automatically deleted after 30 days from generation
    • Account data: Retained while subscription is active
  • Professional Plan (15 team members):
    • Uploaded files: Automatically deleted after 90 days from upload
    • Generated reports: Automatically deleted after 90 days from generation
    • Account data: Retained while subscription is active
  • Enterprise Plan (25 team members):
    • Uploaded files: No automatic deletion (unlimited retention)
    • Generated reports: No automatic deletion (unlimited retention)
    • Account data: Retained while subscription is active

8.3 Other Data Types

  • Transaction Records: Retained for 7 years to comply with financial and tax regulations
  • Communication Logs (emails, notifications): Retained for 2 years for customer service purposes
  • IP Address Logs: Retained for 12 months for security and fraud prevention
  • Usage Analytics: May be anonymized and retained indefinitely for research and service improvement
  • Deleted Account Data: Completely removed within 30 days of account deletion request

8.4 Data Deletion Process

Data deletion occurs automatically through scheduled processes:

  • Trial account expiration: Daily automated check at 2:00 AM UTC
  • Report/file retention cleanup: Daily automated check at 3:00 AM UTC
  • Manual deletion requests: Processed within 30 days

You can export your data at any time from your Account Settings before automatic deletion occurs. We recommend regular backups of important reports and data.

9. Your Rights

Under PDPL and GDPR, you have the following rights:

  • Right to Access: Request copies of your personal data. You can also download your data directly from the Settings page.
  • Right to Rectification: Request correction of inaccurate data. You can update most information in your Settings page.
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request restriction of how we process your data
  • Right to Object: Object to processing of your data for certain purposes
  • Right to Data Portability: Request transfer of your data to another service in a machine-readable format
  • Right to Withdraw Consent: Withdraw consent for marketing emails or optional features at any time through Settings
  • Right to Lodge a Complaint: File a complaint with supervisory authorities

How to Exercise Your Rights

Many rights can be exercised directly through your account Settings page:

  • Update personal information (name, preferences, etc.)
  • Download your data (JSON export of all your information)
  • Manage notification preferences
  • Change language, timezone, and date format settings
  • Enable or disable two-factor authentication
  • Manage organization and team settings

For other requests, contact us at privacy@raavue.com. We will respond within 30 days.

10. Children's Privacy

Our Service is not intended for children under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us.

11. Changes to This Policy

We may update this Privacy Policy periodically. Changes are effective when posted on this page. We will notify you of material changes.

12. Contact & Complaints

Questions about this Privacy Policy? Contact us at: privacy@raavue.com

You may also submit complaints to the Saudi Data & AI Authority (SDAIA), though we appreciate the opportunity to address concerns directly first.