Effective Date: April 6, 2025 (last updated April 6, 2025)
Data Controller: Matsurge Mateusz Tylec (doing business as “Matsurge Mateusz Tylec”), a sole proprietorship registered in Poland, is the controller of personal data processed via Rhea.Chat.
Contact for Privacy Inquiries: mateusz@mateusztylec.com (or see Contact Information at the end of this Policy)
Rhea.Chat is committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). This Privacy Policy explains what information we collect from users, how we use and share that information, and your rights regarding your data. By using Rhea.Chat, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Privacy Policy, please do not use the Service. We may update this Policy from time to time (see Changes to Privacy Policy at the end) and will notify you of any significant changes.
- Information We Collect
We collect various types of information from or about you in order to operate Rhea.Chat effectively. The types of data we collect include: Account Information: When you register for Rhea.Chat, we collect personal data such as your name, email address, and password (which is stored in hashed form). We may also record your account creation date, subscription plan (free or paid), and settings or preferences you save (e.g., language, theme). Profile and Contact Data: If you choose to provide additional profile information (such as an avatar, display name, or other optional details in your account settings), we will store that as part of your account. If you contact us for support, we will collect the information you provide in that correspondence (such as your contact email and the content of your inquiry). Content of Chats (User Prompts and AI Conversations): Rhea.Chat stores the conversations you have using our Service. This includes the prompts and messages you input, any files or data you upload into the chat, and the AI-generated responses. We store this data to provide you with a chat history and for service functionality (for example, to allow you to refer back to previous answers or have continuous context in a conversation). Important: These chat contents may include personal information if you choose to include it in your prompts. Please be mindful of what you share. We strongly advise against including sensitive personal data (like health details, financial account numbers, government identifiers, etc.) in your prompts unless absolutely necessary for your use case, as that data will be sent to third-party AI providers for processing. Third-Party Integration Data: If you connect third-party accounts or services to Rhea.Chat we will collect and store certain data needed for that integration: OAuth Tokens/API Keys: For OAuth integrations, we store the credentials that allow us to query those APIs on your behalf. 
For integrations where you provide an API key, we store that key securely and encrypted at rest. Data Retrieved: When you invoke an integration via the chat, we retrieve the necessary data from the third-party to fulfill the request. This retrieved data may be temporarily cached on our servers for performance, and is typically stored as part of the chat history. We do not continuously pull data from your third-party accounts—only when you ask for it in a conversation or when needed to update something you requested. Metadata: We may store metadata about your connected accounts, such as the fact that you connected a Google account, along with an internal identifier for that connection. We do not receive or store your third-party account passwords; the OAuth process handles authentication tokens. Usage Data and Analytics: We automatically collect information about how you access and use Rhea.Chat: Device and Browser Information: We may log information such as your browser type/version, device type, operating system, and device identifiers. We also record the IP address from which you are accessing Rhea.Chat, which can infer your approximate location. IP addresses are stored for security and logging purposes and to infer location in a coarse sense (we do not do precise geo-tracking). Log Data: Our servers keep logs of requests, which may include timestamps, pages or endpoints accessed, interactions, and errors encountered. For example, we may log that you requested a chat completion from a specific AI provider at a certain time, or that an API call to external service was made. Analytics Tools: We use privacy-conscious analytics services to understand user behavior and improve our Service. Specifically, we use Plausible Analytics and PostHog: Plausible Analytics: Plausible is a GDPR-compliant analytics tool that does not use cookies or collect personally identifiable information. 
It provides us aggregate usage statistics (such as page visits, feature usage counts, and referral sources). Plausible does not track individual users across sites and does not store personal data about you; all data is aggregated and anonymized. Because of this design, we do not ask for cookie consent for Plausible—no personal cookies are set. PostHog: PostHog is a product analytics platform which we use to analyze user interactions within our app. We use PostHog analytics in Europe to keep the data within the EU. PostHog may collect events such as button clicks, feature usage, and session duration. We have configured PostHog not to capture sensitive keystroke content from your chats. It operates mainly on usage metadata. We may utilize user identifiers or session identifiers in PostHog to correlate usage patterns. Any analytics data is used solely for improving our Service and diagnosing issues. You can opt-out of PostHog analytics by enabling a “Do Not Track” setting in your browser or through an opt-out option in our interface, and we will honor such signals by not sending analytics events. Cookies & Similar Tech: Rhea.Chat uses essential cookies or similar technologies for things like maintaining your login session (so you remain logged in as you navigate) and storing your preferences (e.g., dark mode setting). These are necessary for the Service to function and are not used for tracking. Aside from necessary cookies, we do not use any advertising cookies. As noted, our analytics (Plausible) is cookie-less and PostHog, if used, can be configured to be cookie-less or respect “Do Not Track.” We will clearly inform you if any non-essential cookies are ever introduced and obtain consent if required. Payment Information: If you subscribe to a paid plan, we (through our payment processor Stripe) will collect payment details. 
Stripe will receive your credit card number, expiration, CVV, billing zip code, and similar data directly – we do not see or store those on our servers. We do store: A record of your transactions (date, amount, currency, plan, and status). The last four digits of your credit card and card type, as provided by Stripe, for display in your account and for reference. Your billing name, address, and email as provided during checkout, for invoicing and tax purposes. Stripe may also store additional data about the payment method and fraud detection data as outlined in Stripe’s privacy policy. We will maintain invoices and payment history as needed for our financial records. Communications: If you sign up for our mailing list or consent to receive marketing emails, we will collect your name and email for sending newsletters or product updates. We also log whether you’ve opted in or out of such communications. Additionally, any support emails or messages you send to us (via email or an in-app chat or support widget) will include your email and whatever information you provide in your inquiry. We do not intentionally collect any special categories of personal data (such as racial or ethnic origin, political opinions, biometric data, health information, etc.) or data about criminal convictions. Please avoid sharing such sensitive personal data in your use of Rhea.Chat. If you choose to input any personal data (yours or others’) into the Service (for example, including someone’s contact info in a prompt to draft an email), you are responsible for ensuring you have the legal right to do so.
- How We Use Your Information
We use the collected information for the following purposes, and we rely on certain legal bases under GDPR for processing (for users in the EEA/UK): Provide and Maintain the Service: We process your account data, chat content, and integration data to deliver Rhea.Chat’s functionality to you. This includes generating AI responses to your prompts (which involves sending your prompt content to the chosen AI model provider), retrieving or updating information from integrated third-party tools when you ask, and displaying your chat history and integration results back to you. Legal basis: Performance of a contract (fulfilling our agreement to provide you the Rhea.Chat service you signed up for). Personalization and Settings: We use information like your preferences, settings, and usage patterns to personalize your experience. Legal basis: Performance of contract (to provide features you expect) and/or legitimate interests in improving user experience. Analytics and Improvements: We analyze usage data and feedback to understand how our Service is used and how we can improve it. This helps us optimize UI/UX, plan new features, and fix bugs. Legal basis: Legitimate interests – it’s in our interest to improve our product and it generally does not override your privacy rights due to the limited and non-identifying nature of the analytics data (and measures like using Plausible without personal data). Voting on AI messages (upvote/downvote) is stored and used only for internal app improvements like ranking model outputs, not for training AI models or sent to providers for such purpose. Communications: Service-related: We use your email to send important administrative or transactional communications. These include confirmations of sign-up, password reset emails, billing receipts, subscription renewal notices, alerts about important changes to the Service, or notifications of security issues. 
Legal basis: Performance of contract (we need to communicate to manage your account) and legitimate interests (to keep you informed about security, features). Support: If you reach out with a support question, we will use your contact information and any info you provide to respond and resolve your issue. Legal basis: Performance of contract (supporting you as a user of our Service). Marketing: With your consent (where required), we may use your name and email to send you newsletters, offers, or updates about Rhea.Chat features and products. We might also occasionally survey you for feedback or include you in beta invitations. Legal basis: Consent (for EEA, we will only send marketing emails if you’ve opted-in; for existing customers, we may rely on legitimate interest under soft opt-in rules to send product updates related to the service you use, but will always provide an easy unsubscribe option). You can opt out of marketing communications at any time by clicking the “unsubscribe” link in emails or adjusting your account email preferences. Third-Party Integration Actions: When you choose to integrate a third-party service, we use your data strictly to perform the actions you request: If you ask Rhea.Chat to fetch data, we use your stored credentials to request that data from the third-party’s API, then present it to you. We might also temporarily store the retrieved data in memory or cache to form the response. If you ask to create or modify data, we will send the necessary details to the third-party service to perform that action. We do not use data from your third-party accounts for any purpose other than fulfilling your specific requests, maintaining the integration, or analytics on integration usage count. Legal basis: Performance of contract (the user explicitly requests this functionality). 
Security and Abuse Prevention: We process certain data (like IP addresses, logs, and usage patterns) to secure our Service, detect and prevent fraud or abuse, and to protect the rights and safety of Rhea.Chat, our users, and the public. Examples include: Monitoring login locations and IP addresses to detect suspicious logins. Using CAPTCHA or similar mechanisms if we suspect automated abuse. Analyzing logs to identify mass scraping of data or other rule-breaking behavior. Blacklisting certain IPs or accounts that are linked to malicious activities. Legal basis: Legitimate interests in protecting our platform and users; and legal obligation in some cases (complying with security regulations or law enforcement requests). Compliance with Law: We may process and retain any data as needed to comply with applicable legal obligations. For instance, keeping transaction records for tax audits, or disclosing information as required by law (responding to lawful requests by public authorities, including for national security or law enforcement). Enforcement of Terms and Policies: We use data to investigate and address violations of our Terms of Service or other misuse of the Service. For example, if we receive reports of a user generating disallowed content, we may review that user’s conversation logs to verify and take action. Legal basis: Legitimate interests (to enforce our agreement and maintain a safe platform). Business Transfers: If we are evaluating or undergo a merger, acquisition, reorganization, or asset sale, we may need to use or transfer personal data as part of that process (see Data Sharing below). Legal basis: Legitimate interests (continuity of service through business transitions). We will not use your personal data for entirely new, unrelated purposes without notifying you and obtaining appropriate consent if required. 
We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects for you, except for basic spam/abuse filtering and the automated processing inherent in AI responses (which you initiate by prompting the AI).
- How We Share Your Information
We take care to only share your personal data in ways that respect your privacy. We do not sell your personal information to third parties. We only share information in the following circumstances: Third-Party AI Providers: As a core function of Rhea.Chat, when you use an AI model integration, we share the content of your prompts and relevant context with the third-party AI provider’s API in order to obtain a response. We only share what is necessary (usually the conversation text and perhaps an anonymous conversation or session ID). We do not provide these AI providers with your account info like your name or email – only the content needed for the AI to respond. However, please note: The content you send could itself contain personal information, which the AI provider will then process. Each AI provider may store and use the data you send to their model under their own policies (some may retain it for a time to improve their models or for content moderation). We urge you to review the privacy policies of these AI providers to understand how they handle your data: OpenAI – see OpenAI’s Privacy Policy, Anthropic – see Anthropic’s Privacy Policy, DeepSeek – see DeepSeek Privacy Policy, Perplexity AI – see Perplexity’s Privacy Policy, Together AI – see Together’s Privacy Policy, Google – see Google Privacy Policy. Rhea.Chat does not retain or log user requests specifically for analytics unless the user performs voting or similar explicit feedback. Prompts are forwarded directly to the AI provider; Rhea.Chat does not use the content to train AI models, and to our knowledge, these providers do not use it either unless users opt in via their provider agreement. Rhea.Chat acts as an intermediary to facilitate your requests to these services. We have agreements or API terms with each provider to ensure they handle data lawfully. However, once your query is with the provider, it is under their control. 
If you have concerns about a specific provider’s use of your data, you should avoid selecting that provider in Rhea.Chat. Third-Party Tool Integrations: Similarly, when you connect and use third-party tools through Rhea.Chat, we share data with those third parties as needed: For data retrieval requests: We send the minimal request necessary (which includes your access token and query parameters) to retrieve data. For action requests: If you ask us to create or modify data in a third-party service, we send the relevant details (e.g., event title, time) along with your auth token to that service’s API. In doing so, we are essentially acting on your behalf, and the data flows between Rhea.Chat and the third-party service. Those services will see the data that you instruct us to send (which comes from you or your accounts). They may log those actions according to their own logging practices. We do not give them any more info than needed – generally, they won’t know anything about your Rhea.Chat account, only that an authorized request for your account with them was made via our integration. Each tool integration is subject to its own privacy policy and terms. We encourage you to review those policies on the respective providers’ websites. Service Providers (Processors): We use third-party service providers to perform certain functions on our behalf. These include: Hosting and Infrastructure: Rhea.Chat is hosted on secure servers. These providers store the data on our behalf. We ensure any cloud provider we use complies with strong security standards and, if outside the EU, is subject to appropriate data transfer safeguards (see International Transfers below). Analytics Providers: As mentioned, Plausible and PostHog help us with analytics. Plausible does not receive personal data about you aside from possibly an IP address (which they don’t store long-term). PostHog stores usage analytics data on our controlled servers. 
In cases where we might use a cloud analytics service, we would ensure data is pseudonymized. Email and Communication Tools: We may use an email delivery service to send out emails (verification emails, notifications, newsletters). This means your name and email address and the content of the email will pass through that service. We only choose email providers with appropriate security and privacy commitments. They act as data processors, only using your info to send emails on our instructions. Payment Processor: As noted, we use Stripe for handling subscription payments. Stripe will process your payment data under their own strict security protocols. They are a data controller for your payment information, but also a processor for us in terms of handling transactions. We share with Stripe the information needed to charge you (amount, plan, your email, etc.) and they inform us of the result. Stripe’s Privacy Policy will apply to the financial info you Error Tracking/Crash Reporting: If we employ tools to monitor errors or crashes in the app, those tools might collect some user identifiers or device info at the moment of an error. This is to help us debug issues. Such services will be configured to minimize any personal data capture (e.g., we’d avoid logging full conversations in an error report). All these service providers are bound by contracts to only process personal data as needed to provide their services to us and not for their own purposes. We carefully vet our vendors for strong privacy practices. We do not permit our service providers to use your personal data for marketing or any purpose other than serving us. Affiliates and Corporate Transactions: We currently do not have corporate affiliates (Rhea.Chat is a product of a sole proprietorship). If in the future Matsurge Mateusz Tylec establishes related entities (e.g., a subsidiary or parent company), we may share data within that corporate family in accordance with this Policy. 
If there is a business transfer – for example, a merger, acquisition by another company, or sale of all or part of Rhea.Chat’s assets – your information may be transferred to the successor entity as part of that transaction. In such cases, we will ensure the new owner is bound by terms that are at least as protective of your privacy as the terms of this Policy, and we will provide notice to you before your personal data is subject to a different privacy policy. Legal Compliance and Protection: We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: Comply with a legal obligation, legal process, or regulatory request (for example, a lawful subpoena, court order, or search warrant). We will attempt to notify you of requests for your data before disclosing, if allowed by law and practicable. Protect and defend the rights, property, or safety of Rhea.Chat, our customers, or others. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction. Enforce our Terms of Service, investigate potential violations, or cooperate with law enforcement concerning conduct or content we believe may be illegal or as otherwise required or permitted by law. With Your Consent: In cases where we want to share your information for purposes not covered above, we will ask for your consent. For example, if we ever wanted to use a testimonial you provided publicly, we would ask your permission before associating your name/feedback in a public way. We minimize the personal data shared and ensure that any third parties we share with commit to protecting it. Where applicable, we have signed Data Processing Agreements (DPAs) with third-party processors to ensure GDPR compliance.
- International Data Transfers
Rhea.Chat is operated from Poland (EU), and we store all primary user data on servers located in Europe. This means that if you are an EU/EEA user, your data is handled within the EEA under EU data protection laws. However, some of the third parties we integrate with or use (especially the AI model providers and some tool providers) are located outside of the EEA, such as in the United States or other countries. Consequently: When you interact with OpenAI, Anthropic, DeepSeek, Perplexity, Together AI, Google, or other non-EU AI providers through Rhea.Chat, your prompt data will be transferred to and processed in the United States or the country where that provider’s servers are located. Whenever we transfer personal data out of the European Economic Area (EEA) or your home jurisdiction, we will ensure appropriate safeguards are in place to protect it, as required by GDPR and similar laws. These safeguards may include: Standard Contractual Clauses (SCCs): We have SCCs in place in our agreements with non-EU service providers where applicable, obligating them to protect EU personal data according to EU standards. Adequacy Decisions: If data is transferred to a country that the European Commission has deemed provides adequate protection (e.g., countries in the EEA, or others with adequacy decisions), we rely on that. International Frameworks: Where relevant, if a U.S. entity is certified under the EU-U.S. Data Privacy Framework (or Swiss-U.S. framework), we may rely on that certification for transfers. Consent for Specific Transfers: In cases where an integration inherently involves sending data to a third country (like using an AI model in a country without adequacy), your use of that integration (i.e., your instruction to send data to that model) may be considered as an explicit consent to that particular transfer. You have the choice to not use providers you’re not comfortable sending data to. 
We will provide further information on cross-border transfer mechanisms upon request. Despite the data protection laws that may differ in other countries, we will treat your personal data in line with this Privacy Policy and, if you are in the EU/EEA, in accordance with the GDPR’s requirements for transfers.
- Data Security
We take security measures seriously to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include: Encryption: All communications between your browser and Rhea.Chat are encrypted via TLS/SSL. Sensitive data (such as access tokens, API keys, and passwords) is encrypted at rest in our database. Access Controls: We restrict access to personal data to authorized personnel who need to know that information in order to operate, develop, or support the Service. All staff and contractors are bound by confidentiality obligations. Administrative access to systems with personal data is protected by strong authentication (e.g., multi-factor authentication) and logging. Isolation and Backups: User data is logically segregated to prevent one user from accessing another’s information. Regular backups are performed to ensure data is not lost; backups are encrypted and stored securely. Backup retention is time-limited and they are purged according to a schedule. Monitoring and Protection: We monitor our systems for possible vulnerabilities and attacks. We utilize firewalls and may employ automated security scanning. If we detect suspicious activity, we investigate and respond. We also keep our software and dependencies updated to patch security issues. For payments, we rely on Stripe which is PCI-DSS compliant. Audit and Testing: We periodically review our security policies and practices. We may run penetration tests or use third-party security audit services to identify and fix potential weaknesses. We also support responsible disclosure – if you discover a vulnerability, please inform us and we will act promptly. Data Minimization: We aim to collect only what we need. By keeping the scope of data minimal, we reduce the risk exposure. For instance, we don’t ask for unnecessary personal details. Training: We educate ourselves on privacy and security best practices. 
Although we are a small team, we ensure that anyone handling user data is aware of their data protection responsibilities. However, no system can be 100% secure. We cannot guarantee absolute security of information, especially given the involvement of third-party networks (the internet, external AI APIs, etc.). In the event of a data breach that affects your personal data, we will notify you and the appropriate authorities as required by law. To help maintain security: Keep your account credentials safe. Use a strong, unique password and do not share it. Notify us immediately if you suspect any unauthorized access to your account or API integrations. Understand that emails or communications purporting to be from Rhea.Chat will never ask for your password. Be wary of phishing.
- Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Specifically: Account Data: Your account information (name, email, etc.) and content (chat history, integration setups) are retained for as long as you have an active account. If you delete your account, we will initiate deletion of this data. Inactive free accounts may be purged after a prolonged period of inactivity (with notice as described in Terms). We may retain certain minimal account records thereafter if needed for legitimate purposes (e.g., record that an account existed to prevent fraud or to honor opt-out requests). User messages are stored in the database only for providing chat history and context. Feedback (votes) is optional and stored separately. Chat History: We store your conversation transcripts to provide you the service (so you can scroll up or come back later to view them). You can delete individual conversations or messages via the interface; when you do so, we will delete those from our active databases. Residual copies might remain briefly in backups. If you want all your chat history removed, you can delete your account, which will remove associated chats from active storage. We do not otherwise purge chat history on a schedule, except if an account is deleted or as needed to manage storage (we might in the future offer auto-deletion settings or limit history length for performance, which we would communicate). Third-Party Data: Data fetched from third-party tools is generally not stored separately beyond your chat history (where it might appear as part of conversation context). We don’t maintain separate databases of your third-party account data. Any tokens/credentials for integrations remain until you remove the integration or delete your account, at which point we delete those tokens from our systems (revoking our access). 
If an OAuth token expires or is revoked, we may remove it from our records. Analytics Data: Analytics logs (like server logs, Plausible aggregates, PostHog events) are kept for varying durations. Server logs that include IP addresses are typically rotated and deleted after a few weeks to a few months (exact retention might vary, but we aim to not keep raw logs longer than necessary). Plausible’s data retention is typically 24 months by design. PostHog event data we keep may be in aggregate form; if any personal identifiers were captured, we would either delete or anonymize them after we no longer need them. We continuously evaluate the necessity of older analytics data. Transactional Records: If you are a paid user, we will retain financial transaction records (invoices, payment history) as long as required by tax law (which can be up to 5-10 years in some jurisdictions). This is limited to billing info and not your usage data. Communications: Copies of business communications (support emails, etc.) may be kept for a period (e.g., 2 years) to allow us to reference past interactions if you reach out again, and to improve our support. If such communications contain personal data that you want removed, let us know. Backup Retention: Our backups are typically retained for a short interval (e.g., 30 days) for disaster recovery. Thus, even after deletion from active systems, data may persist in encrypted backups for that period before being overwritten. We ensure backups are protected and eventually destroyed securely. Legal Holds: If we are under a legal obligation to retain data (e.g., due to a subpoena or litigation hold), or if retention is advisable to defend our legal rights, we will retain the data as needed beyond our standard retention period until that obligation is lifted. When we no longer have a legitimate reason to retain your personal data, we will either delete it or anonymize it (so it can no longer be associated with you). 
For example, we might aggregate or anonymize usage data for statistical purposes (so it’s no longer personal data) and retain that indefinitely to track long-term trends, without identifying individuals.
- Your Rights and Choices
Depending on your location and subject to applicable law, you have certain rights regarding the personal data we hold about you. We are committed to honoring these rights. These include:
Access: You have the right to request a copy of the personal data we hold about you and to obtain information about how we process it. Most of your basic data is available in your account profile and your chat contents in the app itself. For a complete report or specific data not available through the app, contact us and we will provide it, typically electronically. (For EU users, this is your right of access under GDPR.)
Rectification: You have the right to ask us to correct or update any inaccurate or incomplete personal information. You can correct some of this through your account settings (e.g., update your name or email). For other corrections, contact us. We especially encourage you to keep your contact information current.
Deletion (Right to be Forgotten): You have the right to request deletion of your personal data. For example, you can delete your account via settings, which will remove personal data and chat logs as described above. If for some reason you cannot do so, contact us and we can remove your data manually. Note that we may retain certain information as required by law or for legitimate business purposes (as noted in the retention section). If you request deletion, we’ll also notify third-party processors to delete the data they hold on our behalf where applicable.
Restriction of Processing: You can ask us to restrict processing of your data in certain circumstances – for instance, if you contest the accuracy of data, we may limit processing while verifying; or if you object to our legitimate interest processing, we may pause processing until we consider if our interests override yours.
Data Portability: You have the right to obtain a copy of certain data in a structured, commonly used, machine-readable format that you can transmit to another service. For example, you might request an export of your chat history or account information. We will provide such exports to the extent required by law (GDPR mandates this for data you provided and data generated by your activities, where technically feasible).
Objection: If we process your information based on legitimate interests, you have the right to object to that processing on grounds relating to your situation. If you object, we will evaluate whether our legitimate interests in processing or legal obligations override your interests, rights, and freedoms. Where we rely on legitimate interest for marketing, you have an absolute right to object and opt out (we will always honor an unsubscribe).
Withdraw Consent: Where we rely on your consent for processing (for example, for sending marketing emails if you gave consent, or for processing sensitive data you provided), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that happened prior to withdrawal. For marketing, simply use the unsubscribe link or contact us to be removed. For any other consent, contact us to withdraw.
Automated Decision-Making: Rhea.Chat does not make any legally significant decisions about you purely by automated means. If that changes, you would have rights not to be subject to such decisions in certain cases. Outputs from AI in your chat are at your own initiation and not decisions by us about you.
Complaint to Supervisory Authority: If you are in the EU/EEA or certain other jurisdictions, you have the right to lodge a complaint with a data protection supervisory authority if you believe our processing of your personal data violates the law. For example, in Poland you can contact the President of the Personal Data Protection Office (UODO). We would appreciate the chance to address your concerns directly first, so please consider reaching out to us.
To exercise any of these rights, please contact us at privacy@rhea.chat with your request.
For security, we may need to verify your identity (for instance, by confirming you control the email associated with your account or asking for certain info) before fulfilling the request. We will respond to requests within one month, or inform you if we need more time (up to an additional two months for complex requests).
There are some limitations to these rights. For example, if fulfilling your request would reveal personal data about another person, we may need to redact certain information. Also, some rights may not apply depending on your jurisdiction (for instance, the GDPR rights listed above apply to EU users; California residents have a similar but not identical set of rights under CCPA/CPRA).
Your Choices:
Profile Information: You can review and update much of your personal data by logging into your account settings.
Communication Preferences: You can opt out of marketing emails at any time by using the unsubscribe link or contacting us. You will still receive transactional or service messages (like important account or security notifications) as these are not subject to opt-out.
Integration Permissions: You have control over which third-party accounts are linked. You can revoke Rhea.Chat’s access to any integration at any time via our dashboard or the third party’s account settings. Upon revocation, we will stop accessing that service and delete stored tokens.
Cookies/Tracking: As mentioned, our use of cookies is minimal. But you can set your browser to refuse cookies or notify you when a cookie is set. Note that refusing essential cookies (like for login) may impact functionality. For analytics, enabling “Do Not Track” will opt you out of PostHog tracking on our site.
Do Not Sell (for California residents): We do not sell personal data. If you are a California resident, you can still send a Do Not Sell request for assurance. We treat Global Privacy Control (GPC) signals as opt-outs of sale/sharing, though we don’t do those anyway.
- Children’s Privacy
Rhea.Chat is not intended for children under 16 years of age. We do not knowingly collect personal information from anyone under 16. If you are under 16, you must not use or attempt to register an account for Rhea.Chat. If we learn that we have inadvertently collected personal data from a child under 16 (or under the applicable age of consent in your jurisdiction), we will take steps to delete that information promptly. Parents or guardians who believe that we might have any information from or about a child under the age of 16 may contact us to request deletion. Specifically, if a user falsely claims to be 16 or older and an account is created, once discovered (through age verification, report, or our own investigation) we will suspend or terminate the account and purge associated personal data from our records. For users between 16 and 18 (or the age of majority in their location), our Service is available, but if you are a minor, we advise you to use Rhea.Chat with parental guidance, especially in terms of understanding privacy and safe use of AI and internet tools. We encourage families to discuss their members’ use of AI and online services and to be aware of the content and tools accessible to children.
- International Users and Compliance
While Rhea.Chat is operated from the EU, we welcome users from around the world. We strive to comply with privacy laws applicable to our users, including:
GDPR (EU/EEA and UK): We adhere to GDPR principles of lawfulness, transparency, minimization, etc. The details in this Policy aim to meet GDPR’s information requirements. EU users have the rights detailed above. We have appointed Matsurge Mateusz Tylec as the data controller (contact info provided). Given our size, we do not have a dedicated EU Data Protection Officer (DPO) at this time, but privacy inquiries are handled with high priority by our team.
California (CCPA/CPRA): Although as a small business we may not meet thresholds that mandate CCPA compliance, we voluntarily extend similar rights to California residents. California users can request to know what personal data we have collected about them, to delete personal data (with the same exceptions as CCPA), and to know about our data practices (which are described throughout this Policy). We do not share personal data for cross-context behavioral advertising, nor do we sell personal data, as those terms are defined. California residents can designate an authorized agent to make requests on their behalf. We will not discriminate against you for exercising any privacy rights.
Other U.S. States: We also aim to respect privacy rights granted by laws in other states (such as the Virginia CDPA, Colorado Privacy Act, etc.). In general, our practices of providing access, deletion, etc., cover these requirements.
Canada: We handle personal data of Canadian users in compliance with Canada’s PIPEDA. We would seek consent before any new use of data beyond the scope of this privacy policy. Canadian users have similar rights to access and correction. Our servers being in Europe means your data is transferred internationally; by using the service you consent to this transfer.
Australia, New Zealand, Brazil, and other countries: We also aim to abide by applicable privacy principles (for example, Australia’s APPs, Brazil’s LGPD, etc.) to the extent they apply. This includes giving users rights to access and correct info and providing transparency and security.
Cross-Border Data: As noted, if you use the Service from outside the EU, you are transferring data to the EU (where we host) and onward to any integration endpoints (like U.S. for many AI providers). We rely on your consent and necessary processing for providing the service as the basis for these transfers when local law requires that (e.g., some countries require consent for exporting personal data). By using Rhea.Chat, you consent to your data being processed in and transferred to other countries as described.
If you have any questions about how we handle data in your jurisdiction, or want to exercise any local law rights not explicitly covered, please contact us. We are open to accommodating requests to the extent feasible and legally required.
- Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will:
Post the updated policy on this page with a new “Last updated” date.
If the changes are material, we will provide a more prominent notice (e.g., on our website homepage or via email notification to registered users). Material changes might include, for example, using personal data for new purposes not previously identified, or changes in who we share data with that would be of importance to users.
If required by law, we will obtain your consent for certain changes (for instance, if a change would require new consent under GDPR).
Please review this Policy periodically to stay informed about how we are protecting your information. Your continued use of Rhea.Chat after any changes to this Privacy Policy constitutes your acceptance of the updated terms (to the extent permitted by law). If you do not agree to the changes, you should stop using the Service and may delete your account. Older versions of this Privacy Policy can be provided upon request for your reference.
- Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Data Controller: Matsurge Mateusz Tylec
Address: Dąbie 47, 39-311 Dąbie, Poland
Email: mateusz@mateusztylec.com
We will respond to privacy-related inquiries as soon as possible, generally within 30 days. If you contact us by mail, please also provide an email or return address for us to reply.