
Privacy Policy

Effective date: February 9, 2026
Last updated: February 9, 2026

1. Introduction

This Privacy Policy describes how Roset (“we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use our API platform, developer console, hosted portals, and related services (the “Services”). This policy applies to developers who integrate with the Roset API and end users of applications built on Roset.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

2.1 Information You Provide Directly

Account Registration Information:

  • Name and email address
  • Organization name and role
  • Billing information (processed by our payment provider)

Developer Data:

  • API credentials and authentication tokens
  • Configuration settings and preferences
  • Provider keys you supply (BYOK) for third-party extraction services
  • Support communications and feedback

2.2 Information Collected Automatically

API Usage Data:

  • API endpoint requests and responses (status codes, timestamps, response times)
  • Rate limit consumption and throttling events
  • Error logs and debugging information
  • Processing job metadata (file type, page count, provider used, duration)

File and Folder Metadata:

When you or your end users use the Services to manage files, we collect:

  • File names, types, sizes, and folder hierarchy
  • Creation and modification timestamps
  • User IDs associated with file operations
  • Space namespace assignments
  • Variant types and processing status

Important: Roset is a metadata and orchestration control plane. Your files are transmitted to third-party extraction providers (Reducto, Google Gemini, OpenAI Whisper) solely to generate structured outputs (variants). We do not permanently store your original file content — files reside in your chosen storage provider (AWS S3, GCS, Azure Blob Storage, Cloudflare R2, etc.). Processing outputs (variants) are stored by Roset on your behalf and are treated as your data. We do not use your file content or processing outputs to train machine learning models.

Technical and Device Information:

  • IP addresses
  • Browser type and version
  • Operating system
  • Device identifiers
  • Referring URLs and pages visited
  • Geographic location (country/region based on IP)

Cookies and Tracking Technologies:

We use cookies and similar technologies to maintain authenticated sessions, remember preferences, analyze usage patterns, and provide security features. You can control cookies through your browser settings. Disabling cookies may limit functionality.

2.3 Information from Third Parties

Storage Provider Data:

When you connect third-party storage services (S3, GCS, Azure Blob Storage, MinIO, R2, Supabase Storage), we may receive storage bucket names, configurations, access policies, and usage metrics.

Payment Processor Data:

Our payment processor may share transaction information, payment status, and billing disputes. We do not directly store your full credit card number.

Authentication Provider Data:

We use Clerk for authentication. When you sign in (including via Google OAuth), Clerk provides us with your name, email address, and profile information.

3. How We Use Your Information

3.1 To Provide and Maintain Services

  • Authenticate API requests and manage access control
  • Process file transformation operations and route to extraction providers
  • Generate and store variants (markdown, embeddings, metadata, searchable indexes)
  • Generate presigned URLs for uploads and downloads
  • Maintain metadata indexes and caching

3.2 To Improve and Optimize Services

  • Monitor API performance and identify bottlenecks
  • Analyze usage patterns to optimize infrastructure
  • Develop new features and functionality
  • Generate aggregated, anonymized analytics

3.3 To Communicate with You

  • Send service announcements, updates, and security notifications
  • Respond to support requests and inquiries
  • Send billing statements and payment reminders

3.4 For Security and Fraud Prevention

  • Detect and prevent unauthorized access
  • Investigate and respond to security incidents
  • Monitor for API abuse and rate limit violations
  • Comply with legal obligations and enforce our Terms of Service

3.5 For Billing and Payments

  • Process subscription fees and usage-based charges
  • Generate invoices and transaction records
  • Manage payment disputes and refunds

4. How We Share Your Information

4.1 With Your Consent

We may share your information with third parties when you explicitly authorize us to do so.

4.2 Service Providers

We share information with trusted service providers who assist us in operating the Services:

  • Cloud Infrastructure: Cloudflare (Workers, Durable Objects, KV, R2, Queues)
  • Database Hosting: Neon (Postgres)
  • Authentication: Clerk (user authentication and session management)
  • Payment Processing: Polar (subscription billing and payments)
  • Email Services: Resend (transactional emails)
  • Analytics: PostHog (product analytics and usage tracking)
  • Caching: Upstash (Redis)

All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

4.3 Extraction Providers

When you use the transformation pipeline, your files are transmitted to third-party extraction providers (Reducto, OpenAI, Google Gemini, Whisper) using your own API keys (BYOK). These providers process files solely to generate structured outputs. Roset does not control these providers' data handling practices — their respective privacy policies apply to data they process.

4.4 Storage Providers You Connect

When you configure connections to third-party storage services, we transmit metadata and access requests to those providers in accordance with your configurations.

4.5 Business Transfers

In connection with any merger, sale of assets, financing, or acquisition, user information may be transferred. You will be notified of any change in ownership or control of your personal information.

4.6 Legal Requirements

We may disclose your information when required by law or in response to:

  • Subpoenas, court orders, or legal process
  • Requests from law enforcement or government agencies
  • Protection of our rights, property, or safety, or that of our users

4.7 Aggregated and Anonymized Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you, including usage statistics and performance benchmarks.

5. Data Retention

5.1 Active Account Data

We retain your account information and Developer Data for as long as your account is active or as needed to provide the Services.

5.2 Deleted Data

When you delete files, folders, or other data through the API or console:

  • Data is removed from production systems within 24 hours
  • Backup copies are retained for 90 days and then permanently deleted
  • Logs containing metadata may be retained for up to 12 months for operational purposes

5.3 Account Termination

Upon account termination:

  • Account data is deactivated immediately
  • Developer Data is permanently deleted within 30 days
  • Billing and transaction records are retained as required by law
  • Aggregated, anonymized analytics may be retained indefinitely

5.4 Legal Hold

We may retain information longer when required by law, litigation hold, or to investigate violations of our Terms of Service.

6. Data Security

6.1 Technical Safeguards

We implement industry-standard security measures to protect your information:

  • Encryption in Transit: All API communications use TLS 1.2 or higher
  • Encryption at Rest: All stored data is encrypted using AES-256
  • Access Controls: Role-based access controls for internal systems
  • Network Security: DDoS protection via Cloudflare, firewall rules, and edge security
  • API Key Security: API keys are SHA-256 hashed before storage; raw keys are never stored

6.2 Your Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your API credentials and provider keys
  • Implementing security measures in your Application
  • Promptly notifying us of any suspected security incidents
  • Using strong passwords and enabling two-factor authentication

6.3 No Guarantee

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from circumstances beyond our reasonable control.

7. Your Rights and Choices

7.1 GDPR Rights (European Economic Area Residents)

If you are located in the EEA, you have the following rights under GDPR:

  • Right to Access: Request a copy of the personal information we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete information
  • Right to Erasure: Request deletion of your personal information
  • Right to Restrict Processing: Request that we limit how we use your information
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to our processing of your information for certain purposes
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent

7.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under CCPA:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the “sale” or “sharing” of personal information (we do not sell personal information)
  • Right to Non-Discrimination: Exercise your rights without discriminatory treatment

7.3 How to Exercise Your Rights

To exercise any of these rights, contact us at support@roset.dev.

We will respond to verified requests within:

  • 30 days for GDPR requests
  • 45 days for CCPA requests (with possible 45-day extension)

7.4 Account Management

You can manage your account information by logging into the Roset console, updating settings via the API, or contacting our support team.

7.5 Marketing Communications

You can opt out of promotional emails by clicking the “unsubscribe” link in emails or updating your preferences in account settings. You cannot opt out of transactional or service-related communications (account notifications, billing, security alerts).

8. International Data Transfers

Roset operates globally using Cloudflare's edge network. Your data may be processed in multiple regions. When we transfer personal information from the EEA to other countries, we rely on:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Explicit Consent: Where you have provided informed consent

9. Children's Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at support@roset.dev, and we will delete such information promptly.

10. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third parties and encourage you to review their privacy policies.

11. Legal Basis for Processing (EEA Residents)

We process your personal information based on the following legal grounds:

  • Contractual Necessity: To perform our contract with you (providing the Services)
  • Legitimate Interests: To improve Services, prevent fraud, and ensure security
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: Where you have provided explicit consent (e.g., marketing communications)

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. You also have the right to lodge a complaint with a data protection supervisory authority in the EEA.

12. California Privacy Disclosures

12.1 Do Not Sell My Personal Information

We do not sell personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.

12.2 Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email, IP address, device IDs
  • Commercial Information: Purchase history, payment information
  • Internet Activity: API usage, browsing behavior, logs
  • Geolocation Data: Approximate location based on IP address
  • Professional Information: Job title, company name

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date, notify you via email, and post a notice on our website. Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.

15. Governing Law

This Privacy Policy is governed by the laws of the State of Qatar.

16. Contact Us

For privacy-related questions or to exercise your rights, contact us at: support@roset.dev

We strive to respond to all privacy inquiries within 2 business days with an initial acknowledgment.

© 2026 Roset. All rights reserved.