Privacy Policy

This Privacy Policy describes how RAPIDLY SOFTWARE LTD. ("Rapidly," "we," "us," or "our") collects, uses, discloses, and protects your personal data when you access or use our website(s), applications, APIs, and related services (the "Services"). This Policy applies to all users, including visitors, registered users, and workspace members.

This Privacy Policy does not cover the practices of third parties we do not own or control, including payment processors (such as Stripe), social login providers, or third-party services integrated with the platform. We encourage you to review the privacy policies of these third parties.

Your use of the Services is also governed by our Terms of Use.

Rapidly Software Ltd. is the data controller for personal data processed in connection with the Services.

Contact:
Rapidly Software Ltd.
Cork, Ireland
Email: [email protected]

If you are a customer of a workspace on Rapidly, the workspace owner is the data controller for the data they collect from you through the Services. Rapidly acts as a data processor on their behalf. Please contact the workspace owner directly for questions about their data practices.

Category	Data Collected	Purpose
Account Data	Name, email address, profile information, login credentials	Account creation, authentication, communication
Payment & Billing Data	Payment card type, last 4 digits, billing address (processed by Stripe)	Payment processing, fraud prevention
Transaction Data	Purchase history, transaction amounts, fees, refund history	Order processing, analytics, dispute resolution
Device & Technical Data	IP address, browser type, operating system, device identifiers, screen resolution	Security, analytics, service optimization
Usage & Analytics Data	Pages visited, features used, click patterns, session duration, referral source	Service improvement, personalization, analytics
Third-Party Platform Data	Email, username, profile information from GitHub, Google, Apple, Microsoft, or Discord (when using social login)	Authentication, profile creation
File Sharing Metadata	Hashed IP addresses of senders/receivers, download counts, channel creation timestamps, file checksums (not file contents)	Abuse prevention, analytics, service operation
Customer/CRM Data	Customer names, emails, billing addresses, external IDs, custom field responses (collected by workspace owners)	Customer management on behalf of workspace owners
Geolocation Data	Approximate location derived from IP address	Security, compliance, analytics

What We Do Not Collect: We do not collect or access the contents of files transferred via peer-to-peer sharing. We do not access the decrypted contents of secret messages. We do not store full payment card numbers (these are handled entirely by Stripe).

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract Performance: Processing necessary to perform our contract with you (providing the Services, processing payments, managing your account).
• Legitimate Interests: Processing necessary for our legitimate business interests, including fraud prevention, service improvement, security monitoring, and analytics, where these interests are not overridden by your rights.
• Consent: Where you have given explicit consent, such as for marketing communications, non-essential cookies, or optional data collection. You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with applicable laws, such as tax reporting, responding to legal process, or maintaining legally required records.

Service Providers:

• Cloud hosting and infrastructure providers
• Payment processors (Stripe, Inc.) for transaction processing
• Email delivery services for transactional and notification emails
• Error tracking and monitoring services (Sentry)
• Analytics providers for usage insights
• Security services for malware scanning and threat detection

Workspace Owners: If you interact with a workspace (e.g., as a customer making a purchase), the workspace owner will have access to your transaction data, contact information, and any custom field data you provide.

Other Users: When using peer-to-peer file sharing, your IP address may be visible to the other party. Profile information you choose to make public is visible to other users.

Legal & Safety: We may disclose personal data if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, safety, or property of Rapidly, our users, or the public.

Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to applicable privacy practices.

With Your Consent: We may share your data with other third parties when you have given us explicit consent to do so.

We do not sell your personal data.

The Services are hosted and operated in the United States. If you access the Services from outside the U.S., your personal data will be transferred to and processed in the U.S., where data protection laws may differ from those in your jurisdiction.

Transfer Safeguards. For transfers of personal data from the EEA, UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) as approved by the European Commission;
• The EU-U.S. Data Privacy Framework, where applicable;
• Supplementary security measures including encryption in transit and at rest, access controls, and contractual obligations with sub-processors.

You may request a copy of the applicable transfer mechanism by contacting [email protected].

We use cookies, pixel tags, web beacons, and similar technologies ("Cookies") to operate and improve the Services.

Types of Cookies We Use:

• Essential Cookies: Required for core functionality such as authentication, security, and session management. These cannot be disabled.
• Functional Cookies: Remember your preferences, language, and display settings across sessions.
• Analytics/Performance Cookies: Help us understand how users interact with the Services, measure performance, and identify areas for improvement. We may use third-party analytics tools for this purpose.

Managing Cookies. You can control cookies through your browser settings. Most browsers allow you to block or delete cookies, but doing so may affect the functionality of the Services. For more information about cookies, visit allaboutcookies.org.

Do Not Track. The Services do not currently respond to "Do Not Track" browser signals, as there is no industry-standard implementation.

We retain personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

Specific Retention Periods:

• Account data: Retained while your account is active and for 30 days after account deletion to allow for recovery.
• Transaction data: Retained for a minimum of 7 years for tax, legal, and compliance purposes.
• File sharing metadata: Hashed IP addresses and session data retained for up to 12 months for abuse prevention.
• Secret messages/files: Automatically deleted upon retrieval or expiration (whichever occurs first). No backup copies are retained.
• Server logs: Retained for up to 90 days for security and debugging purposes.
• Analytics data: Aggregated and anonymized data may be retained indefinitely.

After the applicable retention period, personal data is securely deleted or anonymized.

We implement technical, administrative, and organizational security measures to protect your personal data, including:

• Encryption: TLS 1.2+ for all data in transit. AES-256 encryption for file transfers. Client-side OpenPGP encryption for secret messages.
• Access Controls: Role-based access controls, multi-factor authentication available, least-privilege access for employees and systems.
• Infrastructure Security: Hosted on industry-standard cloud infrastructure with firewalls, intrusion detection, and regular security patching.
• Malware Scanning: All uploaded files are scanned using ClamAV or equivalent antivirus tools.
• Monitoring: Automated security monitoring, structured logging, and anomaly detection.
• Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of data breaches in accordance with applicable law (within 72 hours for GDPR-subject breaches).

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials.

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data (subject to legal retention requirements).
• Restriction: Request that we restrict processing of your personal data in certain circumstances.
• Portability: Request your personal data in a structured, machine-readable format, or request transfer to another controller.
• Objection: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
• Complaint: Lodge a complaint with your local data protection supervisory authority. A list is available at edpb.europa.eu.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.

California (CCPA/CPRA): If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and sell;
• Request deletion of your personal information;
• Opt out of the sale or sharing of your personal information (note: we do not sell personal data);
• Non-discrimination for exercising your privacy rights;
• Correct inaccurate personal information; and
• Limit the use of sensitive personal information.

To exercise these rights, contact us at [email protected]. You may also designate an authorized agent to make requests on your behalf.

Nevada: If you are a Nevada resident, you may opt out of the sale of certain personal information by contacting us at [email protected] with the subject line "Nevada Do Not Sell Request."

Other States: If you reside in a state with applicable privacy legislation (Virginia, Colorado, Connecticut, Utah, etc.), you may have additional rights. Contact us to learn more about how your state's laws apply.

The Services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16, we will promptly delete that data. If you believe a child under 16 has provided us with personal data, please contact us immediately at [email protected].

If you are a workspace administrator processing personal data of EU/UK residents through the Services, our Data Processing Agreement (DPA) applies and is incorporated into the Terms of Use. The DPA is compliant with GDPR Article 28 and covers:

• Scope of processing, data categories, and categories of data subjects;
• Processor obligations (instructions, confidentiality, security, data subject rights assistance);
• Sub-processor management with notification and objection rights;
• Technical and organizational security measures;
• Data breach notification (within 48 hours);
• Data deletion or return upon termination;
• Audit and information rights;
• International data transfers with Standard Contractual Clauses (SCCs); and
• UK International Data Transfer Addendum (IDTA) for UK data.

The full DPA is available at rapidly.tech/legal/dpa. For questions, contact [email protected].

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (using the address associated with your account) and/or by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

We encourage you to review this Policy periodically. The "Effective date" at the top of this page indicates when this Policy was last updated.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Rapidly Software Ltd.
Cork, Ireland

General privacy inquiries: [email protected]
Data subject requests: [email protected]
General support: [email protected]