Legal
Privacy Policy
Effective Date: May 1, 2026 · Rimplo, Inc.
This Privacy Policy describes how Rimplo, Inc. ("Rimplo," "we," "us," or "our") collects, uses, and shares information about you when you use our website, products, and services (collectively, the "Services").
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is designed to be concise and easy to understand, and describes how we collect, use, and protect your information. We implement privacy-protective practices and provide you with control over your data, including the ability to request complete erasure of your information upon request.
1. Our Role: Data Controller vs. Data Processor
For a B2B SaaS company like Rimplo, it is important to distinguish between the data we control and the data we process on behalf of our customers.
For a B2B SaaS company like Rimplo, it is important to distinguish between the data we control and the data we process on behalf of our customers.
(or "Business" under CCPA)
Data Type
Website & Account Data
Who the Data Belongs To
Website visitors, prospective customers, and direct users of our platform (e.g., billing contacts, account administrators).
Our Responsibility
We determine the purposes and means of processing this data. This entire policy primarily applies to this data.
Data Controller
(or "Service Provider" under CCPA)
Data Type
Customer Data
Who the Data Belongs To
Our customers' end-users, leads, and accounts (e.g., data from Salesforce, Stripe, Intercom).
Our Responsibility
We process this data strictly on behalf of and under the instructions of our customers, who are the Data Controllers.
Data Processor
If you are a customer of a Rimplo customer, please refer to that customer's privacy policy for information on how they handle your data.
If you are a customer of a Rimplo customer, please refer to that customer's privacy policy for information on how they handle your data.
2. Data We Collect (As Data Controller)
We collect information to provide and improve our Services, to communicate with you, and for marketing purposes.
A. Information You Provide to Us
This includes information you voluntarily provide when you sign up for an account, request a demo, or contact us.
Account & Contact Data
Examples
Name, email address, phone number, company name, job title, and password.
Purpose
To create and manage your account, provide access to the Services, and communicate with you.
Legal Basis (GDPR)
Performance of a contract with you.
Billing & Payment Data
Examples
Billing address, payment method details (handled by a third-party payment processor — we do not store full credit card numbers).
Purpose
To process payments and manage subscriptions.
Legal Basis (GDPR)
Performance of a contract with you.
Communication Data
Examples
Records of correspondence when you contact our support or sales teams.
Purpose
To respond to your inquiries and improve our customer service.
Legal Basis (GDPR)
Legitimate interest (improving service quality).
Invitation Data
Examples
Email addresses of invitees, invitation tokens, invitation timestamps, inviter identity.
Purpose
To enable account administrators to invite team members and manage access to the Services.
Legal Basis (GDPR)
Performance of a contract with you.
Uploaded Files
Examples
Files you upload to the platform, including file names and upload timestamps.
Purpose
To provide file storage and sharing functionality within the Services.
Legal Basis (GDPR)
Performance of a contract with you.
AI Chat Data
Examples
Messages you send to our AI assistant, conversation history, and selected AI model preferences.
Purpose
To provide AI-powered analytics, insights, and conversational assistance within the Services.
Legal Basis (GDPR)
Performance of a contract with you.
B. Information Collected Automatically
When you interact with our website or Services, we automatically collect certain information.
Usage Data
Examples
IP address, browser type, operating system, pages viewed, time spent on pages, and referring URLs.
Purpose
To monitor and analyze the performance and usage of our Services, and to ensure security.
Legal Basis (GDPR)
Legitimate interest (maintaining and improving the Services).
Cookies & Session Data
Examples
Session storage for authentication tokens and user preferences. We do not use tracking pixels, third-party analytics services (such as Google Analytics), or cross-site tracking technologies.
Purpose
To remember your preferences and maintain your authenticated session.
Legal Basis (GDPR)
Necessary for the service to function.
Authentication Tokens
Examples
JWT access tokens (15-minute expiration), refresh tokens stored in HTTP-only cookies (7-day expiration), with SameSite cookie policy.
Purpose
To securely authenticate your sessions and maintain login state across the Services.
Legal Basis (GDPR)
Performance of a contract with you.
3. Data We Process on Behalf of Our Customers (Customer Data)
Rimplo's core service involves processing data that our customers feed into the platform via integrations (e.g., Salesforce, HubSpot, Stripe, Google Ads, Notion).
Rimplo's core service involves processing data that our customers feed into the platform via integrations (e.g., Salesforce, HubSpot, Stripe, Google Ads, Notion).
Types of Customer Data:
This data is highly variable but typically includes customer relationship management
(CRM) data, product usage metrics, support ticket history, billing information, and
communication logs.
Supported Integrations:
We currently support data connections with Salesforce, HubSpot, Stripe, Google Ads
and Notion. Each integration uses OAuth 2.0 authentication (with PKCE where applicable)
to securely access your data without storing your login credentials.
Purpose of Processing:
We process this data solely to provide the AI-powered revenue intelligence services to
our customers, such as churn prediction, upsell opportunity identification
and deal acceleration.
Google Ads Data:
Google Ads data accessed through our integration is used solely to provide advertising
analytics and revenue intelligence within the Rimplo platform. This data is not shared with
third parties, used for advertising purposes, or used to train AI models.
How We Protect Sensitive OAuth Credentials
When you connect an integration (such as Google Ads, HubSpot, Salesforce, or Stripe), Rimplo receives an OAuth refresh token that allows us to access your data on your behalf. We apply the following technical and organisational measures to protect these credentials:
When you connect an integration (such as Google Ads, HubSpot, Salesforce, or Stripe), Rimplo receives an OAuth refresh token that allows us to access your data on your behalf. We apply the following technical and organisational measures to protect these credentials:
Encryption at rest (AES-256-GCM): Every OAuth refresh token is encrypted using AES-256-GCM (authenticated encryption) before being written to our database. Each token is encrypted with a randomly generated 12-byte initialisation vector (IV), so identical tokens always produce different ciphertext. A GCM authentication tag is stored alongside each value to detect any tampering.
Encryption key management: The encryption keys used to protect OAuth tokens are stored exclusively in AWS Secrets Manager — never in application code, environment files committed to source control, or the database itself. Keys are retrieved at runtime by our serverless compute layer over an encrypted connection.
No plaintext storage: The raw (plaintext) OAuth token is never written to disk, logged, or stored in any persistent layer. Only the AES-256-GCM encrypted form is persisted.
Encrypted transmission: All communication between your browser, our API servers, third-party OAuth providers, and downstream services occurs exclusively over TLS 1.2 or higher. OAuth tokens are never transmitted over unencrypted channels.
Access control: OAuth credentials are only accessible to authenticated, authorised requests. Our API endpoints require a short-lived JWT access token (15-minute expiry). Database access is restricted to our serverless compute layer within a private AWS VPC — credentials are not exposed to the public internet.
Short-lived credential cache: When our AI inference service needs to access connected data sources, credentials are cached in-memory and in a DynamoDB table with a strict TTL (time-to-live). Cached values expire automatically and are never written to logs.
Deletion on disconnection: When you disconnect an integration, the corresponding encrypted OAuth token is permanently deleted from our database within the same request. No residual credential data is retained after disconnection.
Scope limitation: We request only the minimum OAuth scopes required to deliver the contracted service. For example, Google Ads connections request only the scopes needed for read access to advertising data.
AI Model Training Clause: Rimplo does not use, sell, or share Customer Data to train, retrain, or improve our general AI models or any third-party AI models. All processing is done to provide the contracted service to the specific customer.
AI Model Training Clause: Rimplo does not use, sell, or share Customer Data to train, retrain, or improve our general AI models or any third-party AI models. All processing is done to provide the contracted service to the specific customer.
4. AI and Large Language Model (LLM) Processing
Rimplo uses artificial intelligence to provide revenue intelligence features such as churn prediction, upsell opportunities, and conversational data analysis. Here's how your data interacts with AI systems:
Rimplo uses artificial intelligence to provide revenue intelligence features such as churn prediction, upsell opportunities, and conversational data analysis. Here's how your data interacts with AI systems:
A. How AI Processing Works
AI Assistant:
When you interact with our AI assistant, your messages, conversation history, and
any referenced file contents are processed by large language models to generate
responses.
Data Analysis:
Customer data from connected integrations may be analyzed by AI to generate insights,
predictions, and recommendations.
File Processing:
If you upload files (CSV, JSON, etc.) and reference them in AI conversations, the file
contents are sent to AI providers for analysis.
B. Third-Party AI Providers
We use OpenRouter as an intermediary service to route AI requests to various large language model providers. Depending on your model selection, your data may be processed by:
We use OpenRouter as an intermediary service to route AI requests to various large language model providers. Depending on your model selection, your data may be processed by:
Anthropic
(Claude models)
OpenAI
(GPT models)
(Gemini models)
These providers process your data according to their respective privacy policies and data processing agreements. We do not control how these providers handle data once transmitted.
These providers process your data according to their respective privacy policies and data processing agreements. We do not control how these providers handle data once transmitted.
C. What We Do NOT Do
We do not use your data to train, fine-tune, or improve any AI models (ours or third-party).
We do not sell or share your AI conversation data for advertising purposes.
We do not store AI conversation history on our servers beyond what is necessary for the current session (conversation history is maintained client-side).
5. How We Share Your Data
We do not sell your personal data (as Data Controller) to third parties. We only share your information in the following circumstances:
We do not sell your personal data (as Data Controller) to third parties. We only share your information in the following circumstances:
With Service Providers (Sub-processors)
We use third-party vendors to perform services on our behalf, such as hosting, payment processing, and analytics. These providers are contractually obligated to protect your data and use it only for the purposes we instruct.
We use third-party vendors to perform services on our behalf, such as hosting, payment processing, and analytics. These providers are contractually obligated to protect your data and use it only for the purposes we instruct.
Our primary sub-processors include:
Amazon Web Services (AWS):
Cloud hosting, file storage (S3), and serverless computing — United States
PostgreSQL Database (AWS RDS):
Primary user account and data storage — United States
ClickHouse Cloud:
Data warehouse for analytics and connector configurations — United States/Europe
Airbyte:
Data orchestration and ETL processing for third-party integrations
OpenRouter:
AI request routing to multiple LLM providers (Anthropic, OpenAI, Google)
Nango:
OAuth authentication management for third-party data integrations
For Legal Reasons
We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Rimplo, or protect the personal safety of users of the Services or the public.
We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Rimplo, or protect the personal safety of users of the Services or the public.
Business Transfers
In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
6. International Data Transfers
Rimplo is a global company. Your data may be stored and processed in any country where we have facilities or where we engage service providers, primarily in the United States and Europe.
Rimplo is a global company. Your data may be stored and processed in any country where we have facilities or where we engage service providers, primarily in the United States and Europe.
Our primary infrastructure is hosted on Amazon Web Services (AWS) in the United States, with analytics data stored on ClickHouse Cloud. If you are accessing our Services from outside the United States, please be aware that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
Our primary infrastructure is hosted on Amazon Web Services (AWS) in the United States, with analytics data stored on ClickHouse Cloud. If you are accessing our Services from outside the United States, please be aware that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us using the details in Section 10.
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us using the details in Section 10.
Right to Access
Description
The right to request copies of the personal data we hold about you.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Rectification
Description
The right to request that we correct any information you believe is inaccurate or incomplete.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Erasure ('Right to be Forgotten')
Description
The right to request that we erase your personal data, under certain conditions.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Object/Opt-Out
Description
The right to object to our processing of your personal data (e.g., for direct marketing) or to opt-out of the sale or sharing of your personal information. Note: Rimplo does not sell your personal data.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Data Portability
Description
The right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.
Applicable Regulations
GDPR
Right to Non-Discrimination
Description
The right not to be discriminated against for exercising any of your privacy rights.
Applicable Regulations
CCPA/CPRA
Data Erasure on Demand: You have the right to request complete deletion of all your personal data from our systems. Upon receiving a verified erasure request, we will permanently delete your account data, uploaded files, AI conversation references, and any other personal information we hold about you. To request data erasure, please contact us at privacy@rimplo.com with the subject line "Data Erasure Request." We will process your request and confirm deletion within 30 days.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
Retention periods for specific data types:
Account Data:
Retained for the duration of your account plus 3 years after account closure for legal compliance.
Authentication Tokens:
Access tokens expire after 15 minutes; refresh tokens expire after 7 days.
OAuth Credentials:
Retained while the integration is active; deleted upon disconnection.
Invitation Data:
Pending invitations expire after 48 hours; accepted invitation records retained with account data.
Uploaded Files:
Retained until deleted by the user or account closure.
Usage Logs:
Retained for 12 months for security and analytics purposes.
Temporary Session Data:
OAuth session data (PKCE) automatically expires after 10 minutes.
9. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information.
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information.
10. Contact Us
If you have any questions about this Privacy Policy, our data practices, or if you wish to exercise any of your rights, please contact us:
By Email
Contact
privacy@rimplo.com
By Mail
Address
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. We encourage you to review this Privacy Policy periodically for any changes.
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. We encourage you to review this Privacy Policy periodically for any changes.
11. Changes to This Privacy Policy
11. Changes to This Privacy Policy
Revenue intelligence for B2B SaaS teams who can't afford to be surprised.
Product
Legal
© 2026 Rimplo Inc. All rights reserved.


Revenue intelligence for B2B SaaS teams who can't afford to be surprised.
Product
Features
Legal
© 2026 Rimplo Inc. All rights reserved.


Legal
Privacy Policy
Effective Date: May 1, 2026 · Rimplo, Inc.
This Privacy Policy describes how Rimplo, Inc. ("Rimplo," "we," "us," or "our") collects, uses, and shares information about you when you use our website, products, and services (collectively, the "Services").
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is designed to be concise and easy to understand, and describes how we collect, use, and protect your information. We implement privacy-protective practices and provide you with control over your data, including the ability to request complete erasure of your information upon request.
1. Our Role: Data Controller vs. Data Processor
For a B2B SaaS company like Rimplo, it is important to distinguish between the data we control and the data we process on behalf of our customers.
(or "Business" under CCPA)
Data Type
Website & Account Data
Who the Data Belongs To
Website visitors, prospective customers, and direct users of our platform (e.g., billing contacts, account administrators).
Our Responsibility
We determine the purposes and means of processing this data. This entire policy primarily applies to this data.
Data Controller
(or "Service Provider" under CCPA)
Data Type
Customer Data
Who the Data Belongs To
Our customers' end-users, leads, and accounts (e.g., data from Salesforce, Stripe, Intercom).
Our Responsibility
We process this data strictly on behalf of and under the instructions of our customers, who are the Data Controllers.
Data Processor
If you are a customer of a Rimplo customer, please refer to that customer's privacy policy for information on how they handle your data.
2. Data We Collect (As Data Controller)
We collect information to provide and improve our Services, to communicate with you, and for marketing purposes.
A. Information You Provide to Us
This includes information you voluntarily provide when you sign up for an account, request a demo, or contact us.
Account & Contact Data
Examples
Name, email address, phone number, company name, job title, and password.
Purpose
To create and manage your account, provide access to the Services, and communicate with you.
Legal Basis (GDPR)
Performance of a contract with you.
Billing & Payment Data
Examples
Billing address, payment method details (handled by a third-party payment processor — we do not store full credit card numbers).
Purpose
To process payments and manage subscriptions.
Legal Basis (GDPR)
Performance of a contract with you.
Communication Data
Examples
Records of correspondence when you contact our support or sales teams.
Purpose
To respond to your inquiries and improve our customer service.
Legal Basis (GDPR)
Legitimate interest (improving service quality).
Invitation Data
Examples
Email addresses of invitees, invitation tokens, invitation timestamps, inviter identity.
Purpose
To enable account administrators to invite team members and manage access to the Services.
Legal Basis (GDPR)
Performance of a contract with you.
Uploaded Files
Examples
Files you upload to the platform, including file names and upload timestamps.
Purpose
To provide file storage and sharing functionality within the Services.
Legal Basis (GDPR)
Performance of a contract with you.
AI Chat Data
Examples
Messages you send to our AI assistant, conversation history, and selected AI model preferences.
Purpose
To provide AI-powered analytics, insights, and conversational assistance within the Services.
Legal Basis (GDPR)
Performance of a contract with you.
B. Information Collected Automatically
When you interact with our website or Services, we automatically collect certain information.
Usage Data
Examples
IP address, browser type, operating system, pages viewed, time spent on pages, and referring URLs.
Purpose
To monitor and analyze the performance and usage of our Services, and to ensure security.
Legal Basis (GDPR)
Legitimate interest (maintaining and improving the Services).
Cookies & Session Data
Examples
Session storage for authentication tokens and user preferences. We do not use tracking pixels, third-party analytics services (such as Google Analytics), or cross-site tracking technologies.
Purpose
To remember your preferences and maintain your authenticated session.
Legal Basis (GDPR)
Necessary for the service to function.
Authentication Tokens
Examples
JWT access tokens (15-minute expiration), refresh tokens stored in HTTP-only cookies (7-day expiration), with SameSite cookie policy.
Purpose
To securely authenticate your sessions and maintain login state across the Services.
Legal Basis (GDPR)
Performance of a contract with you.
3. Data We Process on Behalf of Our Customers (Customer Data)
Rimplo's core service involves processing data that our customers feed into the platform via integrations (e.g., Salesforce, HubSpot, Stripe, Google Ads, Notion).
Types of Customer Data:
This data is highly variable but typically includes customer relationship management
(CRM) data, product usage metrics, support ticket history, billing information, and
communication logs.
Supported Integrations:
We currently support data connections with Salesforce, HubSpot, Stripe, Google Ads
and Notion. Each integration uses OAuth 2.0 authentication (with PKCE where applicable)
to securely access your data without storing your login credentials.
Purpose of Processing:
We process this data solely to provide the AI-powered revenue intelligence services to
our customers, such as churn prediction, upsell opportunity identification
and deal acceleration.
Google Ads Data:
Google Ads data accessed through our integration is used solely to provide advertising
analytics and revenue intelligence within the Rimplo platform. This data is not shared with
third parties, used for advertising purposes, or used to train AI models.
AI Model Training Clause: Rimplo does not use, sell, or share Customer Data to train, retrain, or improve our general AI models or any third-party AI models. All processing is done to provide the contracted service to the specific customer.
4. AI and Large Language Model (LLM) Processing
Rimplo uses artificial intelligence to provide revenue intelligence features such as churn prediction, upsell opportunities, and conversational data analysis. Here's how your data interacts with AI systems:
A. How AI Processing Works
AI Assistant:
When you interact with our AI assistant, your messages, conversation history, and
any referenced file contents are processed by large language models to generate
responses.
Data Analysis:
Customer data from connected integrations may be analyzed by AI to generate insights,
predictions, and recommendations.
File Processing:
If you upload files (CSV, JSON, etc.) and reference them in AI conversations, the file
contents are sent to AI providers for analysis.
B. Third-Party AI Providers
We use OpenRouter as an intermediary service to route AI requests to various large language model providers. Depending on your model selection, your data may be processed by:
Anthropic
(Claude models)
OpenAI
(GPT models)
(Gemini models)
These providers process your data according to their respective privacy policies and data processing agreements. We do not control how these providers handle data once transmitted.
C. What We Do NOT Do
We do not use your data to train, fine-tune, or improve any AI models (ours or third-party).
We do not sell or share your AI conversation data for advertising purposes.
We do not store AI conversation history on our servers beyond what is necessary for the current session (conversation history is maintained client-side).
5. How We Share Your Data
We do not sell your personal data (as Data Controller) to third parties. We only share your information in the following circumstances:
With Service Providers (Sub-processors)
We use third-party vendors to perform services on our behalf, such as hosting, payment processing, and analytics. These providers are contractually obligated to protect your data and use it only for the purposes we instruct.
Our primary sub-processors include:
Amazon Web Services (AWS):
Cloud hosting, file storage (S3), and serverless computing — United States
PostgreSQL Database (AWS RDS):
Primary user account and data storage — United States
ClickHouse Cloud:
Data warehouse for analytics and connector configurations — United States/Europe
Airbyte:
Data orchestration and ETL processing for third-party integrations
OpenRouter:
AI request routing to multiple LLM providers (Anthropic, OpenAI, Google)
Nango:
OAuth authentication management for third-party data integrations
For Legal Reasons
We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Rimplo, or protect the personal safety of users of the Services or the public.
Business Transfers
In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
6. International Data Transfers
Rimplo is a global company. Your data may be stored and processed in any country where we have facilities or where we engage service providers, primarily in the United States and Europe.
Our primary infrastructure is hosted on Amazon Web Services (AWS) in the United States, with analytics data stored on ClickHouse Cloud. If you are accessing our Services from outside the United States, please be aware that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us using the details in Section 10.
Right to Access
Description
The right to request copies of the personal data we hold about you.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Rectification
Description
The right to request that we correct any information you believe is inaccurate or incomplete.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Erasure ('Right to be Forgotten')
Description
The right to request that we erase your personal data, under certain conditions.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Object/Opt-Out
Description
The right to object to our processing of your personal data (e.g., for direct marketing) or to opt-out of the sale or sharing of your personal information. Note: Rimplo does not sell your personal data.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Data Portability
Description
The right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.
Applicable Regulations
GDPR
Right to Non-Discrimination
Description
The right not to be discriminated against for exercising any of your privacy rights.
Applicable Regulations
CCPA/CPRA
Data Erasure on Demand: You have the right to request complete deletion of all your personal data from our systems. Upon receiving a verified erasure request, we will permanently delete your account data, uploaded files, AI conversation references, and any other personal information we hold about you. To request data erasure, please contact us at privacy@rimplo.com with the subject line "Data Erasure Request." We will process your request and confirm deletion within 30 days.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
Retention periods for specific data types:
Account Data:
Retained for the duration of your account plus 3 years after account closure for legal compliance.
Authentication Tokens:
Access tokens expire after 15 minutes; refresh tokens expire after 7 days.
OAuth Credentials:
Retained while the integration is active; deleted upon disconnection.
Invitation Data:
Pending invitations expire after 48 hours; accepted invitation records retained with account data.
Uploaded Files:
Retained until deleted by the user or account closure.
Usage Logs:
Retained for 12 months for security and analytics purposes.
Temporary Session Data:
OAuth session data (PKCE) automatically expires after 10 minutes.
9. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. We encourage you to review this Privacy Policy periodically for any changes.
How We Protect Sensitive OAuth Credentials
When you connect an integration (such as Google Ads, HubSpot, Salesforce, or Stripe), Rimplo receives an OAuth refresh token that allows us to access your data on your behalf. We apply the following technical and organisational measures to protect these credentials:
When you connect an integration (such as Google Ads, HubSpot, Salesforce, or Stripe), Rimplo receives an OAuth refresh token that allows us to access your data on your behalf. We apply the following technical and organisational measures to protect these credentials:
Encryption at rest (AES-256-GCM): Every OAuth refresh token is encrypted using AES-256-GCM (authenticated encryption) before being written to our database. Each token is encrypted with a randomly generated 12-byte initialisation vector (IV), so identical tokens always produce different ciphertext. A GCM authentication tag is stored alongside each value to detect any tampering.
Encryption key management: The encryption keys used to protect OAuth tokens are stored exclusively in AWS Secrets Manager — never in application code, environment files committed to source control, or the database itself. Keys are retrieved at runtime by our serverless compute layer over an encrypted connection.
No plaintext storage: The raw (plaintext) OAuth token is never written to disk, logged, or stored in any persistent layer. Only the AES-256-GCM encrypted form is persisted.
Encrypted transmission: All communication between your browser, our API servers, third-party OAuth providers, and downstream services occurs exclusively over TLS 1.2 or higher. OAuth tokens are never transmitted over unencrypted channels.
Access control: OAuth credentials are only accessible to authenticated, authorised requests. Our API endpoints require a short-lived JWT access token (15-minute expiry). Database access is restricted to our serverless compute layer within a private AWS VPC — credentials are not exposed to the public internet.
Short-lived credential cache: When our AI inference service needs to access connected data sources, credentials are cached in-memory and in a DynamoDB table with a strict TTL (time-to-live). Cached values expire automatically and are never written to logs.
Deletion on disconnection: When you disconnect an integration, the corresponding encrypted OAuth token is permanently deleted from our database within the same request. No residual credential data is retained after disconnection.
Scope limitation: We request only the minimum OAuth scopes required to deliver the contracted service. For example, Google Ads connections request only the scopes needed for read access to advertising data.
Legal
Privacy Policy
Effective Date: May 1, 2026 · Rimplo, Inc.
This Privacy Policy describes how Rimplo, Inc. ("Rimplo," "we," "us," or "our") collects, uses, and shares information about you when you use our website, products, and services (collectively, the "Services").
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is designed to be concise and easy to understand, and describes how we collect, use, and protect your information. We implement privacy-protective practices and provide you with control over your data, including the ability to request complete erasure of your information upon request.
1. Our Role: Data Controller vs. Data Processor
For a B2B SaaS company like Rimplo, it is important to distinguish between the data we control and the data we process on behalf of our customers.
(or "Business" under CCPA)
Data Type
Website & Account Data
Who the Data Belongs To
Website visitors, prospective customers, and direct users of our platform (e.g., billing contacts, account administrators).
Our Responsibility
We determine the purposes and means of processing this data. This entire policy primarily applies to this data.
Data Controller
(or "Service Provider" under CCPA)
Data Type
Customer Data
Who the Data Belongs To
Our customers' end-users, leads, and accounts (e.g., data from Salesforce, Stripe, Intercom).
Our Responsibility
We process this data strictly on behalf of and under the instructions of our customers, who are the Data Controllers.
Data Processor
If you are a customer of a Rimplo customer, please refer to that customer's privacy policy for information on how they handle your data.
2. Data We Collect (As Data Controller)
We collect information to provide and improve our Services, to communicate with you, and for marketing purposes.
A. Information You Provide to Us
This includes information you voluntarily provide when you sign up for an account, request a demo, or contact us.
Account & Contact Data
Examples
Name, email address, phone number, company name, job title, and password.
Purpose
To create and manage your account, provide access to the Services, and communicate with you.
Legal Basis (GDPR)
Performance of a contract with you.
Billing & Payment Data
Examples
Billing address, payment method details (handled by a third-party payment processor — we do not store full credit card numbers).
Purpose
To process payments and manage subscriptions.
Legal Basis (GDPR)
Performance of a contract with you.
Communication Data
Examples
Records of correspondence when you contact our support or sales teams.
Purpose
To respond to your inquiries and improve our customer service.
Legal Basis (GDPR)
Legitimate interest (improving service quality).
Invitation Data
Examples
Email addresses of invitees, invitation tokens, invitation timestamps, inviter identity.
Purpose
To enable account administrators to invite team members and manage access to the Services.
Legal Basis (GDPR)
Performance of a contract with you.
Uploaded Files
Examples
Files you upload to the platform, including file names and upload timestamps.
Purpose
To provide file storage and sharing functionality within the Services.
Legal Basis (GDPR)
Performance of a contract with you.
AI Chat Data
Examples
Messages you send to our AI assistant, conversation history, and selected AI model preferences.
Purpose
To provide AI-powered analytics, insights, and conversational assistance within the Services.
Legal Basis (GDPR)
Performance of a contract with you.
B. Information Collected Automatically
When you interact with our website or Services, we automatically collect certain information.
Usage Data
Examples
IP address, browser type, operating system, pages viewed, time spent on pages, and referring URLs.
Purpose
To monitor and analyze the performance and usage of our Services, and to ensure security.
Legal Basis (GDPR)
Legitimate interest (maintaining and improving the Services).
Cookies & Session Data
Examples
Session storage for authentication tokens and user preferences. We do not use tracking pixels, third-party analytics services (such as Google Analytics), or cross-site tracking technologies.
Purpose
To remember your preferences and maintain your authenticated session.
Legal Basis (GDPR)
Necessary for the service to function.
Authentication Tokens
Examples
JWT access tokens (15-minute expiration), refresh tokens stored in HTTP-only cookies (7-day expiration), with SameSite cookie policy.
Purpose
To securely authenticate your sessions and maintain login state across the Services.
Legal Basis (GDPR)
Performance of a contract with you.
3. Data We Process on Behalf of Our Customers (Customer Data)
Rimplo's core service involves processing data that our customers feed into the platform via integrations (e.g., Salesforce, HubSpot, Stripe, Google Ads, Notion).
Types of Customer Data:
This data is highly variable but typically includes customer relationship management
(CRM) data, product usage metrics, support ticket history, billing information, and
communication logs.
Supported Integrations:
We currently support data connections with Salesforce, HubSpot, Stripe, Google Ads
and Notion. Each integration uses OAuth 2.0 authentication (with PKCE where applicable)
to securely access your data without storing your login credentials.
Purpose of Processing:
We process this data solely to provide the AI-powered revenue intelligence services to
our customers, such as churn prediction, upsell opportunity identification
and deal acceleration.
Google Ads Data:
Google Ads data accessed through our integration is used solely to provide advertising
analytics and revenue intelligence within the Rimplo platform. This data is not shared with
third parties, used for advertising purposes, or used to train AI models.
AI Model Training Clause: Rimplo does not use, sell, or share Customer Data to train, retrain, or improve our general AI models or any third-party AI models. All processing is done to provide the contracted service to the specific customer.
4. AI and Large Language Model (LLM) Processing
Rimplo uses artificial intelligence to provide revenue intelligence features such as churn prediction, upsell opportunities, and conversational data analysis. Here's how your data interacts with AI systems:
A. How AI Processing Works
AI Assistant:
When you interact with our AI assistant, your messages, conversation history, and
any referenced file contents are processed by large language models to generate
responses.
Data Analysis:
Customer data from connected integrations may be analyzed by AI to generate insights,
predictions, and recommendations.
File Processing:
If you upload files (CSV, JSON, etc.) and reference them in AI conversations, the file
contents are sent to AI providers for analysis.
B. Third-Party AI Providers
We use OpenRouter as an intermediary service to route AI requests to various large language model providers. Depending on your model selection, your data may be processed by:
Anthropic
(Claude models)
OpenAI
(GPT models)
(Gemini models)
These providers process your data according to their respective privacy policies and data processing agreements. We do not control how these providers handle data once transmitted.
C. What We Do NOT Do
We do not use your data to train, fine-tune, or improve any AI models (ours or third-party).
We do not sell or share your AI conversation data for advertising purposes.
We do not store AI conversation history on our servers beyond what is necessary for the current session (conversation history is maintained client-side).
5. How We Share Your Data
We do not sell your personal data (as Data Controller) to third parties. We only share your information in the following circumstances:
With Service Providers (Sub-processors)
We use third-party vendors to perform services on our behalf, such as hosting, payment processing, and analytics. These providers are contractually obligated to protect your data and use it only for the purposes we instruct.
Our primary sub-processors include:
Amazon Web Services (AWS):
Cloud hosting, file storage (S3), and serverless computing — United States
PostgreSQL Database (AWS RDS):
Primary user account and data storage — United States
ClickHouse Cloud:
Data warehouse for analytics and connector configurations — United States/Europe
Airbyte:
Data orchestration and ETL processing for third-party integrations
OpenRouter:
AI request routing to multiple LLM providers (Anthropic, OpenAI, Google)
Nango:
OAuth authentication management for third-party data integrations
For Legal Reasons
We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Rimplo, or protect the personal safety of users of the Services or the public.
Business Transfers
In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
6. International Data Transfers
Rimplo is a global company. Your data may be stored and processed in any country where we have facilities or where we engage service providers, primarily in the United States and Europe.
Our primary infrastructure is hosted on Amazon Web Services (AWS) in the United States, with analytics data stored on ClickHouse Cloud. If you are accessing our Services from outside the United States, please be aware that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us using the details in Section 10.
Right to Access
Description
The right to request copies of the personal data we hold about you.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Rectification
Description
The right to request that we correct any information you believe is inaccurate or incomplete.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Erasure ('Right to be Forgotten')
Description
The right to request that we erase your personal data, under certain conditions.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Object/Opt-Out
Description
The right to object to our processing of your personal data (e.g., for direct marketing) or to opt-out of the sale or sharing of your personal information. Note: Rimplo does not sell your personal data.
Applicable Regulations
GDPR, CCPA/CPRA
Right to Data Portability
Description
The right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.
Applicable Regulations
GDPR
Right to Non-Discrimination
Description
The right not to be discriminated against for exercising any of your privacy rights.
Applicable Regulations
CCPA/CPRA
Data Erasure on Demand: You have the right to request complete deletion of all your personal data from our systems. Upon receiving a verified erasure request, we will permanently delete your account data, uploaded files, AI conversation references, and any other personal information we hold about you. To request data erasure, please contact us at privacy@rimplo.com with the subject line "Data Erasure Request." We will process your request and confirm deletion within 30 days.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
Retention periods for specific data types:
Account Data:
Retained for the duration of your account plus 3 years after account closure for legal compliance.
Authentication Tokens:
Access tokens expire after 15 minutes; refresh tokens expire after 7 days.
OAuth Credentials:
Retained while the integration is active; deleted upon disconnection.
Invitation Data:
Pending invitations expire after 48 hours; accepted invitation records retained with account data.
Uploaded Files:
Retained until deleted by the user or account closure.
Usage Logs:
Retained for 12 months for security and analytics purposes.
Temporary Session Data:
OAuth session data (PKCE) automatically expires after 10 minutes.
9. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. We encourage you to review this Privacy Policy periodically for any changes.
How We Protect Sensitive OAuth Credentials
When you connect an integration (such as Google Ads, HubSpot, Salesforce, or Stripe), Rimplo receives an OAuth refresh token that allows us to access your data on your behalf. We apply the following technical and organisational measures to protect these credentials:
When you connect an integration (such as Google Ads, HubSpot, Salesforce, or Stripe), Rimplo receives an OAuth refresh token that allows us to access your data on your behalf. We apply the following technical and organisational measures to protect these credentials:
Encryption at rest (AES-256-GCM): Every OAuth refresh token is encrypted using AES-256-GCM (authenticated encryption) before being written to our database. Each token is encrypted with a randomly generated 12-byte initialisation vector (IV), so identical tokens always produce different ciphertext. A GCM authentication tag is stored alongside each value to detect any tampering.
Encryption key management: The encryption keys used to protect OAuth tokens are stored exclusively in AWS Secrets Manager — never in application code, environment files committed to source control, or the database itself. Keys are retrieved at runtime by our serverless compute layer over an encrypted connection.
No plaintext storage: The raw (plaintext) OAuth token is never written to disk, logged, or stored in any persistent layer. Only the AES-256-GCM encrypted form is persisted.
Encrypted transmission: All communication between your browser, our API servers, third-party OAuth providers, and downstream services occurs exclusively over TLS 1.2 or higher. OAuth tokens are never transmitted over unencrypted channels.
Access control: OAuth credentials are only accessible to authenticated, authorised requests. Our API endpoints require a short-lived JWT access token (15-minute expiry). Database access is restricted to our serverless compute layer within a private AWS VPC — credentials are not exposed to the public internet.
Short-lived credential cache: When our AI inference service needs to access connected data sources, credentials are cached in-memory and in a DynamoDB table with a strict TTL (time-to-live). Cached values expire automatically and are never written to logs.
Deletion on disconnection: When you disconnect an integration, the corresponding encrypted OAuth token is permanently deleted from our database within the same request. No residual credential data is retained after disconnection.
Scope limitation: We request only the minimum OAuth scopes required to deliver the contracted service. For example, Google Ads connections request only the scopes needed for read access to advertising data.