Privacy Policy
How RYHA Technologies collects, uses, protects, shares, retains, and responds to requests concerning personal information.
This policy is a draft that requires review and approval by qualified legal counsel before public launch. It is provided for general information only and does not constitute legal advice. RYHA Technologies may update it from time to time, and only a formally approved published version should be treated as binding.
Scope, Roles, Sources, and Information We Collect
RYHA Technologies ("RYHA", "we", "us", or "our") provides the ryha.dev website and RYHA platform. This draft covers account and organization details, authentication and session records, billing and subscription metadata, project content and artifacts, credentials submitted through the protected credential service, service usage and security events, device and cookie data, waitlist and operational form submissions, support communications, consent records, and privacy requests. Information may come directly from a person, the person’s organization or administrator, use of the service, a configured integration, a checkout, or a service provider. Where the GDPR applies, the approved notice must provide the information required by Articles 13 and 14 in clear and accessible language: the controller and contact details; a data-protection contact where required; purposes and legal bases; categories and sources when data is obtained indirectly; recipients or recipient categories; transfer safeguards; retention periods or criteria; applicable rights and complaint routes; whether information is required and the consequences of not providing it; and meaningful information about covered automated decision-making. That information must be delivered at collection or within the timing required for indirectly obtained data. The final notice must also identify the actual legal entity, countries offered, controller and processor roles, and deployed data flows before public launch.
Purposes, Legal Bases, Disclosures, and Current Provider Roles
RYHA processes information to authenticate users, administer accounts, enforce tenant and approval boundaries, provide requested workflows, meter usage, process payment and billing activity, prevent abuse, secure and improve the service, communicate with customers, operate waitlist and support processes, and meet applicable obligations. The purpose and legal basis for each category and jurisdiction, including consent, contract, legitimate interests, and legal obligations where applicable, must be confirmed by counsel. RYHA does not intend to sell personal information or use customer project content for advertising. Current product evidence supports these limited service descriptions. Clerk is integrated as RYHA’s authentication processor for customer end-user account, verified identity, session, and related authentication data. Supabase stores the authoritative waitlist record and operational form submissions, including contact and job-application fields, together with configured content and administration records; a newly created waitlist record may also trigger a best-effort Clerk waitlist email sync. Cloudflare hosts and delivers the frontend and processes network and request metadata used for edge delivery, abuse prevention, rate limiting, and configured sampled invocation and security telemetry. Dodo Payments provides the hosted payment checkout used by current billing flows and may process checkout, billing, subscription, tax, fraud-prevention, and transaction information. Dodo acts as Merchant of Record only for a transaction whose checkout, buyer terms, order, or executed contract identifies the relevant Dodo entity in that role; this draft does not infer that status for every payment or customer relationship. These descriptions do not claim that a DPA or other contract has been executed, establish every legal role, or replace the approved subprocessor register. Data may also be disclosed to customer-authorized users and configured integrations, approved AI providers and other providers needed for a selected feature, authorities where required by applicable law, or parties to an approved corporate transaction. Only the approved, versioned subprocessor list and executed terms can establish actual recipients, regions, retention, transfer mechanisms, and model-training treatment.
Retention, Security, and International Transfers
Retention must follow the approved data inventory and schedule for each category, including account closure, customer-configured deletion, billing and security records, backups, legal holds, and processor deletion behavior. This draft does not promise a universal period. The repository includes authorization, encryption, audit, redaction, export, and deletion controls; deployed configuration, access review, restore tests, provider terms, and operational evidence must verify those controls before they are described as production guarantees. Personal information may be processed outside a person’s country when an approved service configuration requires it. The final policy and any applicable Data Processing Agreement must identify relevant regions, onward transfers, safeguards, and the legally approved transfer mechanism. A code adapter, public provider policy, or configuration option does not establish that a transfer is lawful or operationally enabled for RYHA.
Rights, California Notices, Children's Privacy, and Contact
Depending on jurisdiction and role, an individual may have rights to know or access information, correct it, request deletion, restrict or object to processing, withdraw consent, receive portable data, opt out of certain uses, limit certain sensitive-information uses, or appeal a decision. RYHA provides authenticated export, deletion, consent, and rights-request workflows in the codebase, but identity checks, authorized-agent handling, response deadlines, exceptions, appeals, and regulator contacts must be operated according to applicable law. Requests and questions can be sent to privacy@ryha.dev. RYHA does not claim that the California Consumer Privacy Act, as amended, applies to every RYHA entity or offering. If it applies, the approved notice at collection and privacy policy must accurately state the categories collected, purposes, retention period or criteria, sources, disclosures, and applicable rights to know, delete, correct, opt out of sale or sharing, limit covered sensitive-information uses, and receive non-discriminatory treatment. Covered notices and request methods must be reviewed under current California rules, and a covered privacy policy must be reviewed and updated at least once every 12 months. The intended service is a general-audience business service and is not directed to children under 13. RYHA does not intend to knowingly solicit personal information online from a child under 13. If RYHA obtains actual knowledge that such information was submitted, it should restrict further use, assess whether verified parental consent or another lawful basis is required, and delete the information when required. The final eligibility age, any teen handling, school or parent workflow, and notices require legal approval and product approval before launch. Material changes should receive a new version and effective date through the approved notice process.