Privacy policy

RUQA is operated by Curea Inc., a Delaware C-corporation. "RUQA," "we," "us," and "our" refer to the platform and the company that runs it. "You" refers to a workspace owner, member, or visitor.

Contact: privacy@ruqa.ai · Curea Inc., 2261 Market Street #4583, San Francisco, CA 94114

Workspace data — your team members' names, work emails, role/title, and team memberships, supplied by your admin during setup.

Signal data — commits, PRs, issues, AI session metadata (model, tokens, time), and Slack message metadata you've authorized us to ingest. We never read DM contents and never store secrets, env vars, or source code.

Generated outputs — AI-synthesized standups, capability scores, and triangulation flags derived from the signals above.

Account telemetry — IP address, user agent, page views, and click events on the RUQA app and website. We do not sell this data and do not run third-party advertising.

To generate the outputs you signed up for: standups, capability heatmaps, triangulation flags, sandbox evaluations.

To operate, secure, and improve the service. This includes anonymized aggregate analytics on feature usage.

To communicate with you about your workspace (ops, security, billing). We do not send marketing emails to workspace members without explicit opt-in.

We do not log keystrokes. We do not record screens. We do not monitor DMs. We do not track off-hours activity.

We do not sell, rent, or share personal data for advertising or any other commercial purpose.

We do not use your workspace data to train shared/global models. Per-workspace fine-tuning is opt-in only and clearly labeled.

We use a small set of vendors to run RUQA. The current list is published at /subprocessors and updated 30 days before any addition.

All subprocessors sign DPAs with us. EU customer data is processed in EU regions where the subprocessor offers them.

Access, rectification, erasure, portability, and objection. Self-service from the workspace settings; or email privacy@ruqa.ai and we'll respond within 30 days.

GDPR (EU/UK), CCPA (California), and PIPL (China) recognized rights apply. We do not transfer EU data outside Standard Contractual Clauses.

If you're a workspace member (not the owner), some requests must go through your admin. We'll tell you which.

Active workspace data: kept while the workspace is active.

After deletion: 30 days in soft-delete, then hard-deleted from primary storage. Backup tapes purged within 90 days.

Logs and telemetry: 90 days. Aggregated, non-identifying analytics: indefinite.

AES-256 at rest. TLS 1.3 in transit. Per-workspace encryption keys. Vendor SOC 2 / ISO 27001 audits required.

We are SOC 2 Type II in progress (target 2026-Q4). Detailed controls live at /security.

We notify workspace admins 30 days before material changes. Non-material changes (typos, restructuring) are posted with a new "last updated" date.