Privacy Policy
Rayrift is a developer-first memory and retrieval infrastructure product operated by Natiec Technology LLP, a limited liability partnership registered in India.
Rayrift ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, and protect personal data in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
While these frameworks are referenced explicitly, this policy is intended to reflect our broader commitment to privacy and is designed to align with similar legal and regulatory requirements worldwide in spirit and practice.
1. Information we collect
We collect only what is necessary to operate Rayrift.
a. Information you provide
- Account credentials and business-related information required to create and maintain an active Rayrift account (such as name, email address, and authentication details).
- Information, content, or data that you upload, submit, or connect to Rayrift through the dashboard, APIs, integrations, or other supported means, including but not limited to documents, URLs, and data sources.
b. Information collected automatically
- Usage and interaction data related to the Rayrift dashboard and APIs (such as feature usage, request volumes, and performance metrics).
- System logs and metadata collected for security, monitoring, troubleshooting, and debugging purposes.
- IP addresses and related network information may be logged or processed where necessary for security, abuse prevention, and operational reliability.
c. Cookies and tracking
- Essential cookies required for authentication, session management, and platform security.
- We use analytics tools to understand how our website and services are used and to improve functionality and performance.
- These analytics tools collect aggregated and anonymized usage data and do not directly identify individual users.
- We may aggregate and analyze request, query, and search data processed through our APIs to provide usage insights, analytics, and service improvements. This data is processed in an aggregated manner and is not used to identify individual users.
2. How we use your data
We use personal data to:
- Provide and operate the Rayrift service
- Authenticate users
- Process, index, and retrieve content submitted for use within the service
- Improve reliability, performance, and service stability
- Communicate service-related and operational updates
- Maintain security, prevent abuse, and detect unauthorized activity
We do not sell personal data.
How we do not use your data
- We do not use customer data or content to train foundational or general-purpose AI models.
- Data and content processed through Rayrift are not sold to third parties.
- Any content submitted for processing is not used for training, fine-tuning, or improving models unless explicitly agreed to under a separate, written agreement.
- By default, all users are opted out of any data usage beyond providing the service. No action is required to opt out, and such usage is not enabled unless explicitly agreed to in writing under a separate agreement.
3. Legal basis for processing
For personal data relating to Rayrift users, we act as a data controller. For any personal data or content uploaded, submitted, or connected by customers through the Rayrift platform, Rayrift acts as a data processor and processes such data solely on the instructions of the customer. Customers are responsible for ensuring they have the appropriate legal basis, rights, and permissions to upload and process such data using Rayrift.
We process personal data under the following legal bases, where applicable:
- Contractual necessity, to provide and operate the Rayrift service
- User consent, where explicitly required
- Legitimate interests, including service improvement, security, and fraud prevention
- Legal obligations under applicable laws
We assume that you have obtained all necessary rights, permissions, and lawful bases to upload, submit, or connect any data to Rayrift for processing. You are solely responsible for ensuring that such data complies with applicable laws and regulations. Rayrift processes customer-provided data strictly on the customer’s instructions and is not responsible for determining the legality of the data or its use. To the extent permitted by law, you agree to indemnify and hold harmless Rayrift from claims arising directly from your failure to obtain the required rights or permissions for data processed through the service.
Any violation of the clause above will result in termination of your account and legal action if necessary.
4. Data sharing
We may share limited personal data with carefully selected service providers strictly as necessary to operate, maintain, and secure Rayrift. These service providers act as sub-processors and include:
- Cloud infrastructure providers, used to host and process the Rayrift platform and customer data
- Analytics and monitoring services, used to understand system performance, reliability, and usage trends
- Payment processors, used solely to process billing and payments where applicable
We do not share personal data with third parties for their own independent use. Certain limited data may be shared with analytics, marketing, or measurement providers (such as website analytics or conversion tracking tools) solely to understand service usage, measure effectiveness, and improve Rayrift. Such data is processed in accordance with applicable data protection laws and subject to contractual safeguards.
All service providers are contractually bound by data protection agreements and are permitted to process personal data only for the purposes of providing services to Rayrift and in accordance with applicable data protection requirements.
5. Data and content retention
Rayrift applies a cascade deletion process for personal data and customer-provided content. When an account is deleted or a verified request to delete specific data or content is received, such data is immediately marked for deletion and removed from active systems.
- Deletion is handled automatically through Rayrift’s systems and does not require manual intervention.
- Once deletion is initiated, the data and content are no longer accessible to users, Rayrift employees, or any internal systems used for normal operations.
- Residual copies of data may persist for a limited period, typically up to 30–45 days, solely within automated backup, recovery, or compliance systems.
- During this period, retained data is isolated, access-restricted, and not processed, viewed, or used for any purpose other than satisfying legal, security, or regulatory requirements.
- After this retention window expires, the data and content are permanently deleted in accordance with standard industry practices.
Rayrift does not retain deleted data or content beyond this period except where longer retention is required by applicable law.
6. Data security
We take data security seriously and implement strict measures to protect your personal data and customer-provided content.
Rayrift implements reasonable technical and organizational safeguards designed to protect personal data and customer-provided content against unauthorized access, loss, misuse, alteration, or disclosure. These measures include, but are not limited to, encryption, access controls, monitoring, and secure infrastructure practices.
In the event of a security incident or data breach, Rayrift will take appropriate steps to investigate, contain, and remediate the issue, including implementing additional safeguards to reduce the risk of recurrence. Where required by applicable law, Rayrift will notify affected customers of relevant security incidents within the legally mandated timeframes. In cases of significant or widespread impact, Rayrift may also provide general notice through appropriate public channels.
Security incidents are assessed on a case-by-case basis, and notifications are issued where legally required or where Rayrift determines that notification is necessary due to the severity of the incident.
7. Internal access controls
Rayrift takes data security and access control seriously. Customer-provided data and content processed through the Rayrift platform cannot be accessed by Rayrift employees under any circumstances.
- Customer-provided data (provided for processing) is processed exclusively through automated systems and is not readable, reviewed, or accessed by Rayrift personnel.
- Rayrift employees do not have access to customer documents, content, memories, prompts, responses, or data submitted for processing.
- Limited access to non-content metadata (such as account identifiers, usage metrics, billing status, and system logs) may be granted to authorized personnel solely for operational purposes including customer support, system maintenance, incident response, and service reliability.
- Any employee access is governed by strict role-based access controls, least-privilege principles, and internal approval processes.
- All access to internal systems is monitored and logged, and unauthorized access is strictly prohibited.
Rayrift’s internal access controls are designed to align with industry-standard security practices and compliance frameworks, including principles commonly associated with SOC 2–type controls.
8. Third-party infrastructure and providers
Rayrift may use third-party infrastructure providers to host, process, and secure data that is essential to providing the service.
- For security reasons, we do not publicly list the specific names of our third-party infrastructure partners.
- However, we ensure that all third-party providers we use adhere to strict security and compliance standards, including but not limited to SOC 2 Type II or equivalent certifications.
- We maintain strict access controls and contractual agreements with all third-party providers to ensure that your data is processed only in accordance with our instructions and security policies.
- Although we rely on third-party infrastructure, Rayrift retains responsibility for the security and privacy of your data in accordance with this policy.
9. International data transfers
Rayrift operates using globally distributed infrastructure. As a result, personal data and customer-provided content may be processed or stored in countries other than your country of residence, including jurisdictions that may have different data protection laws.
Where required by applicable law, Rayrift relies on appropriate legal safeguards to enable such transfers, including standard contractual clauses and other approved transfer mechanisms. These safeguards are designed to ensure that personal data continues to receive an adequate level of protection consistent with applicable data protection requirements, regardless of where it is processed.
10. Children’s data
Rayrift is not intended for use by children under the age of 13, and we do not knowingly collect personal data from children. We take the protection of children’s data seriously, including in our role as a data processor.
- Rayrift does not promote or permit children to create accounts on the platform. Users are responsible for ensuring that any data uploaded, submitted, or connected to Rayrift complies with applicable laws and age-related requirements.
- As Rayrift operates as a blind data processor for customer-provided content and does not have visibility into or control over the substance of data submitted for processing, we rely on customers to exercise appropriate care and discretion when uploading data. Customers must ensure that such data does not include personal data of children or any other data that they are not legally permitted to process.
- If Rayrift becomes aware that personal data of a child has been submitted in violation of applicable laws, we will take appropriate steps to address the issue in accordance with our legal obligations and standard procedures.
Customers are expected to exercise caution by default and implement appropriate safeguards within their own platforms to prevent the submission or processing of children’s data or any other data that they are not legally permitted to handle.
11. Compliance with Data Protection Laws
Rayrift is designed as a business-to-business service. Depending on the context, Rayrift acts either as a data controller (for account and service administration data) or as a data processor (for customer-provided data and content). The rights described below apply in accordance with applicable data protection laws and Rayrift’s role in each context.
Rights under the GDPR (EU / EEA)
Where Rayrift acts as a data controller, individuals located in the EU or EEA have the right to:
- Access their personal data
- Request correction of inaccurate or incomplete data
- Request deletion of personal data
- Restrict or object to certain processing activities
- Request data portability
- Withdraw consent where processing is based on consent
Where Rayrift acts as a data processor, such rights must be exercised through the relevant customer acting as the data controller.
California privacy rights (CCPA / CPRA)
Where applicable, California residents have the right to:
- Know what personal data is collected
- Access their personal data
- Request deletion of personal data
- Request correction of inaccurate personal data
- Opt out of the sale or sharing of personal data, where applicable
Rayrift does not sell personal data and does not discriminate against individuals for exercising their rights under applicable law.
Customer responsibilities for data subject requests
For customer-provided data, documents, content, or records processed through Rayrift, the customer acts as the data controller and is responsible for identifying the relevant data and initiating deletion or modification requests. Rayrift does not independently review, inspect, or determine the nature of customer-provided data and does not have ownership or control over such data.
For detailed information regarding data deletion mechanisms, please refer to the Data deletion section.
12. Data deletion
Rayrift provides structured mechanisms for requesting the deletion of personal data and customer-provided content.
- The preferred and primary method for initiating data deletion is through the Rayrift dashboard, where available. Deletion requests submitted through the dashboard are processed automatically in accordance with our standard cascade deletion process.
- If a user is unable to access their account, or if dashboard-based deletion is not available, the customer must contact Rayrift support via the designated support email address to request deletion.
- Where access issues exist, Rayrift may first attempt to assist in restoring account access so that the deletion request can be completed through the dashboard.
- If deletion must be handled through support, the requester will be required to verify ownership of the account. Requests made on behalf of another individual or organization must be supported by sufficient documentation demonstrating authorization to act on their behalf.
- All deletion requests submitted outside the dashboard are reviewed and assessed on a case-by-case basis to prevent unauthorized or fraudulent requests.
Upon successful verification, deletion will be executed in accordance with Rayrift’s standard cascade deletion process. Rayrift may require a reasonable period of time to process and complete deletion requests, consistent with applicable legal requirements and standard industry practices.
13. Changes to this policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We will notify you via the dashboard, email, or other means in the event of a change. It is your responsibility to ensure that your contact information is up to date and that you are reachable.
14. Acceptance of this policy
By continuing to use Rayrift, you acknowledge that you have read this Privacy Policy and agree to be bound by its terms.
15. Contact Information
For privacy-related questions or requests:
Email: contact@rayrift.com
16. Governing Law and Jurisdiction
This Privacy Policy shall be governed by and construed in accordance with the laws of India only without reference to conflict of laws principles and disputes arising in relation hereto shall be subject to the exclusive jurisdiction of the courts of Telangana, India.
Last updated: January 26, 2026