RuleDesk

Privacy

Privacy Policy

Last updated: April 26, 2026. This is a plain-English summary of what we collect, why, and how we handle it. The defining principle: RuleDesk is the system of record for your deal data — we treat it like our own production data, not like marketing exhaust.

What this policy covers

This policy applies to RuleDesk (the application accessible at this domain) and any direct services we provide. It covers two groups of people:

What we collect

From customer accounts

From buyers (people receiving quotes)

What we do not collect

Why we collect it

How long we keep it

Subprocessors

RuleDesk uses a small number of third-party services to operate. We only share what each one needs to do its job.

VendorPurposeData shared
OpenAI AI-assisted rule authoring, quote drafting, approval briefs, and semantic policy search Seller-entered deal prompts, catalog and bundle names/SKUs, quote totals, rule names, clause text, approval-route labels, and seller justification. Buyer contact email is not sent for approval briefs or policy search. OpenAI does not retain API data for model training.
SMTP / transactional email provider Outbound email (trial reminders, approval links, buyer-facing quote emails) Recipient email + name, subject, body, optional PDF attachment
Cloud hosting Application + database hosting All operational data, encrypted at rest and in transit

A current list of subprocessors is available on request. We will give 30 days' notice before adding any new subprocessor that materially affects how customer data is processed.

Your rights (GDPR / CCPA)

You can:

For a customer workspace, the workspace's CompanyAdmin can act on behalf of the workspace. For buyer-side data captured during quote acceptance, the customer (the seller) is typically the data controller and you should contact them first; we will assist as data processor where applicable.

Security

Cookies

We use a small number of strictly-necessary cookies for sign-in, anti-forgery protection, and tenant routing. We do not use advertising or cross-site tracking cookies. We do not need a cookie banner because we do not set non-essential cookies.

Children's data

RuleDesk is a B2B SaaS tool and is not directed at children under 16. We do not knowingly collect personal data from children.

International transfers

Customer data is hosted in the region you select at signup. EU residency is available on Scale and dedicated tenancies. Where data crosses borders (e.g., when an OpenAI API call is processed in the US), we rely on standard contractual clauses or equivalent safeguards.

Changes to this policy

We will update the "Last updated" date above when this policy changes. For material changes (e.g., new categories of data, new subprocessors that materially expand scope), we will email workspace admins at least 30 days before the change takes effect.

Contact

For privacy or data requests, email privacy@ruledesk.ai. For all other inquiries, see the pricing page or the in-app upgrade screen for direct contact details.