DashboardSign inStart your trial

Privacy Policy — How Rills Handles Your Data

Last updated:

Introduction

The rills.ai website and the Rills platform are operated by Rills AI, LLC, a limited liability company registered in Delaware, United States ("Rills", "we", "us", or "our"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your data. For users in the European Economic Area (EEA) and the United Kingdom, Rills AI, LLC is the data controller of your personal data.

We believe in transparency. This policy is written in plain language so you can understand exactly how your data is handled. If anything is unclear, please reach out to us at privacy@rills.ai.

Data We Collect

Account Information

When you create a Rills account, we collect your name, email address, and password. Your password is stored using a secure one-way hash and is never kept in plain text.

Workspace Data

When you use Rills, we store the content you create and configure within your workspace. This includes workflow definitions, trigger configurations, execution logs, and any associated content you provide.

Communications

If you contact us — by email, through the website, or on social media — we collect your name, email address, and the content of your message so we can respond and keep a record of the conversation.

Usage Data

We collect usage data such as page views, feature usage, and session recordings to improve the product experience. See the Cookies & Tracking section for details on how we handle this data.

Payment Information

Payment processing is handled by Polar, our merchant of record. We do not store credit card numbers or payment card details on our servers. Polar processes your payment information securely on our behalf.

Sensitive Information

We do not intentionally collect sensitive personal information such as health data, genetic or biometric data, or information about religious beliefs. Please do not send us this kind of information or process it through your workflows.

How We Use Your Data

We use the data we collect to:

  • Provide, maintain, and improve the Rills platform
  • Process and execute your workflows
  • Send transactional emails (account verification, password resets, important service updates)
  • Analyze anonymous usage patterns to improve the product experience
  • Prevent abuse and ensure the security of our platform
  • Comply with legal obligations and enforce our Terms of Service

Legal Bases for Processing

Where a legal basis is required (such as for users in the EEA and UK), we rely on the following bases:

  • Performance of a contract: operating your account, executing your workflows, processing payments, and sending transactional emails.
  • Legitimate interests: securing the platform, preventing abuse and fraud, and analyzing aggregated usage to improve the product.
  • Legal obligation: complying with applicable laws, lawful requests, and legal process.
  • Consent: analytics cookies and session replay, which run only after you accept them. You can withdraw consent at any time.

We do not sell, rent, or lease your personal data. We do not share your data with third parties for their marketing purposes.

AI & Data Processing

Your workflow data is processed by AI models but is never used to train AI models.

Rills uses artificial intelligence to power some workflow features. You choose which AI model powers your workflows. When you use AI-powered capabilities, your workflow definitions, trigger data, and associated content are sent to the model you selected for processing.

AI requests are routed through an AI gateway rather than directly to any single provider. This lets you pick the model best suited to your workflow while we hold one consistent standard across every provider the gateway can reach:

  • No training: requests are served only by providers with verified agreements not to use your data to train, improve, or develop their AI models.
  • Zero retention: your data is processed solely to provide the feature you requested and is not retained by the provider beyond what is necessary to complete the request.
  • Encrypted in transit: all data sent through the gateway is encrypted using HTTPS/TLS.

The specific model provider that handles a given request depends on the model you select, and may change as you switch models, to route around provider outages, or as we add providers. Whichever provider serves a request, the same no-training and zero-retention policy always applies.

Workflow Optimization

Rills analyzes your workspace's own execution and approval history — including with AI models — to suggest improvements to your own workflows, such as prompt edits and confidence threshold adjustments. Suggestions take effect only when you accept them. Only your workspace's data is used: it is never used to improve other customers' workflows and never used to train AI models.

AI Request Logs

To debug and improve AI features, we log AI requests and their responses (including prompt content) to PostHog, our analytics processor. These logs are subject to the same no-training and no-sale commitments as the rest of your data.

Third-Party Processors

We work with a small set of third-party service providers to operate Rills. Each processor only receives the data necessary for its specific function. The current list — who they are, what each one does, and where it processes data — is maintained at rills.ai/subprocessors, which also describes how we notify you before adding a new provider.

For business customers, our Data Processing Agreement makes these commitments contractual, including 30 days' advance notice of new subprocessors and a right to object.

Other Limited Sharing

Beyond the processors above, we may share personal data in a small number of circumstances:

  • Professional advisors: lawyers, accountants, and similar advisors, where necessary for the professional services they provide to us.
  • Legal requirements: where required to comply with applicable law, a valid legal process, or a lawful request from a government authority, or to protect the rights, safety, or property of Rills, our users, or others.
  • Business transactions: in connection with a merger, acquisition, financing, or sale of assets, personal data may be disclosed or transferred as part of the transaction. Any successor remains bound by commitments at least as protective as this policy, and we will notify you of material changes as described in Changes to This Policy.

Cookies & Tracking

We use two categories of cookies:

  • Essential cookies: Session cookies for authentication (keeping you logged in). These are strictly necessary for the service to function.
  • Analytics cookies: Once you accept analytics cookies, PostHog sets a cookie to maintain session continuity across page loads and enable consent-gated session replay. This helps us understand how users interact with the product so we can improve the experience. Until you accept, no analytics cookie is set and session replay does not run.

Before you accept analytics cookies, our marketing site collects anonymous, cookieless page-view analytics: measurements are held in memory for the current page visit only, with no cookie and no persistent identifier, so separate visits cannot be linked to each other or to you.

Session Replay

We use PostHog session replay to understand how visitors interact with Rills. Replay runs only after you accept analytics cookies, samples a subset of sessions, and masks input fields so we do not record what you type. Additional elements can be marked with a data-ph-mask attribute for extra privacy. You can withdraw consent at any time, which stops recording.

Do Not Track

We honor the Do Not Track (DNT) browser setting. If your browser sends a DNT signal, our analytics tooling does not capture data about your visit, regardless of your cookie choices.

Opting Out

You can withdraw analytics consent at any time, which stops session replay and any further analytics tracking. You can also enable your browser's Do Not Track setting or use a browser extension that blocks PostHog. Session replay will not record before you accept analytics cookies or when tracking is blocked.

International Data Transfers

Rills is a United States company and our servers are located in the United States, as are most of our third-party processors (see the subprocessor list). If you use Rills from the EEA, the UK, or anywhere else outside the US, your personal data is transferred to and processed in the United States.

Data protection laws in the United States may differ from those in your jurisdiction. Regardless of where your data is processed, we protect it as described in this policy, and where applicable law requires safeguards for international transfers, we rely on mechanisms such as standard contractual clauses in our agreements with processors. For customers processing data through their workflows, our Data Processing Agreement incorporates the EU Standard Contractual Clauses; a plain-language overview is at GDPR at Rills.

Data Security

We take the security of your data seriously. Measures we employ include:

  • Encryption in transit: All data transferred between your browser and our servers is encrypted using HTTPS/TLS.
  • Encryption at rest: Your data is stored in encrypted databases.
  • Sandboxed execution: Custom code runs in isolated sandbox environments and cannot access other users' data.
  • Access controls: Multi-tenant architecture ensures your workspace data is isolated from other users.
  • Regular reviews: We conduct regular security reviews of our infrastructure and codebase.

No method of transmitting or storing data is completely secure, so while we work hard to protect your personal data, we cannot guarantee its absolute security.

For more details about our security practices, see our Security page.

Data Retention

  • Account data is retained while your account is active and for 30 days after account deletion, allowing you to recover your account if you change your mind.
  • Workflow execution data (execution logs and run history) is retained for your plan's data retention period, then automatically deleted. Retention periods vary by plan — see our pricing page for the period that applies to your plan.
  • Decision records — the audit trail of who approved or rejected each action — are retained for 365 days on every plan.
  • Security audit logs (sign-ins, permission changes, and similar security events) are retained for 90 days.
  • Anonymous analytics data is aggregated and non-identifiable. It does not contain any personal information and is retained indefinitely for product improvement purposes.

Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your personal data (right to erasure)
  • Restrict or object to certain processing of your personal data
  • Export your data in a portable format (data portability)
  • Withdraw consent at any time where processing is based on consent (such as analytics cookies); withdrawal does not affect processing that happened before you withdrew
  • Close your account by contacting us at privacy@rills.ai

These rights apply to all users regardless of location, including rights provided under the GDPR for users in the European Union.

To exercise any of these rights, please contact us at privacy@rills.ai. We will respond to your request within 30 days. We may need to verify your identity before acting on a request, and in limited cases we may decline a request where the law allows or requires us to — if so, we will tell you why.

If you are in the EEA or the UK, you also have the right to lodge a complaint with your local data protection supervisory authority. We would appreciate the chance to address your concerns first, so please consider contacting us before you do.

Deleting Your Data

To delete your personal data, including any data we received from connected third-party accounts (such as Facebook or Google), email privacy@rills.ai from the email address associated with your account. We will confirm your request and complete the deletion within 30 days.

Disconnecting an integration in your workspace settings also deletes the access tokens we store for that integration.

Children's Privacy

Rills is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us at privacy@rills.ai and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. If we make material changes, we will notify you by email or through an in-app notice before the changes take effect.

Your continued use of Rills after any changes to this policy constitutes your acceptance of the updated terms.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

  • Email: privacy@rills.ai
  • Mail: Rills AI, LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, United States