Privacy Policy

How we collect, use, and protect your information.

Last updated: February 18, 2026

RRSTT ("we," "us," or "our") operates the RRSTT web application at rrstt.app. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

Account information

When you create an account, we collect your email address, display name, and optionally a profile avatar. Authentication is handled through Supabase Auth using cookie-based sessions.

Usage data

We collect information about how you use the service, including tasks created, time entries recorded, projects managed, and collaboration activity (comments, assignments, file uploads). This data is necessary to provide the core functionality of the service.

Organization data

If you create or join an organization, we store organization details (name, slug, settings), membership information, and subscription data. Billing is processed through Stripe — we do not store credit card numbers on our servers.

Technical data

We automatically collect standard technical information such as browser type, device type, IP address, and pages visited. This information helps us maintain and improve the service.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the service
  • Process transactions and manage subscriptions
  • Send transactional emails (account verification, password resets, invitation notifications)
  • Respond to support requests
  • Monitor and prevent abuse or unauthorized access
  • Generate aggregated, anonymized analytics to improve the product

We do not sell your personal data. We do not use your data for advertising purposes.

3. Third-Party Services

We use the following third-party services:

  • Supabase — database hosting, authentication, file storage, and real-time infrastructure. Data is stored in Supabase-managed PostgreSQL databases.
  • Stripe — payment processing for subscription billing. Stripe receives your payment information directly and is PCI DSS compliant. See Stripe's Privacy Policy.
  • Vercel — application hosting and edge delivery. See Vercel's Privacy Policy.

4. Data Storage and Security

Your data is stored in Supabase-hosted PostgreSQL databases with row-level security (RLS) enabled on all tables. Data is encrypted in transit using TLS and at rest using AES-256 encryption. Access to data is controlled through role-based permissions at both the project and organization level.

We implement Content Security Policy headers, secure cookie handling, and session management best practices to protect against common web vulnerabilities.

5. Data Retention

We retain your account data for as long as your account is active. Soft-deleted tasks are retained for 30 days before permanent deletion. Session audit logs are retained for the lifetime of the organization. If you delete your account or organization, we will delete your data within 30 days, except where retention is required by law.

6. Your Rights

GDPR (European Economic Area)

If you are located in the EEA, you have the right to:

  • Access your personal data
  • Rectify inaccurate personal data
  • Request erasure of your personal data
  • Restrict or object to processing
  • Data portability — export your data via the organization data export feature (Pro plan) or by contacting hello@rrstt.app
  • Withdraw consent at any time

CCPA (California)

If you are a California resident, you have the right to:

  • Know what personal data we collect and how it is used
  • Request deletion of your personal data
  • Opt out of the sale of personal data (we do not sell your data)
  • Non-discrimination for exercising your rights

7. Cookies

RRSTT uses essential cookies for authentication and session management. These cookies are strictly necessary for the service to function and cannot be disabled. We do not use advertising or analytics cookies. We do not use third-party tracking pixels.

8. Children's Privacy

RRSTT is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the service after changes constitutes acceptance of the revised policy.

10. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Province of British Columbia, Canada.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@rrstt.app.