Product Privacy Policy
Looking for how we handle data on our website? See our website Privacy Policy.
Introduction and scope
This Product Privacy Policy explains how Rig processes data within the Rig product (the "Service"), the AI-powered data context and automation platform. It is separate from our website privacy policy, which covers your interactions with rig.so. Your contracting party and the entity responsible for the Service depends on where you are located: Rig Intelligence Ltd (registered in England and Wales, Companies House no. 17037859) for customers in the UK and EEA, and Rig Intelligence Inc. for customers in the United States. In this policy, "Rig", "we", and "us" refer to the applicable entity. Where you are a customer, your use of the Service is governed by your customer agreement and any data processing agreement (DPA) entered into with Rig; this policy describes our practices and does not replace those agreements.
Our role: controller and processor
For data you connect to or load into the Service, you are the controller and Rig acts as your processor. We process that data only to provide the Service and on your documented instructions, and not for our own purposes. You are responsible for having a lawful basis and any necessary notices or consents for the data you make available to the Service. Rig is the controller for limited account and operational data, such as the email addresses and user IDs of your team members who log in, and usage and diagnostic data, which we process to operate, secure, and support the Service.
What data the Service processes
The categories of data processed depend on what you connect or load. This can include query results, representative sample values, and conversation history generated as you use the Service, and may include personal data within your sources, for example commercial relationship information, marketing and pipeline data, product feedback, and HR or job-application information where you choose to connect such sources. You determine what data the Service can access; this policy does not change the categories you have agreed in your customer agreement.
Deployment models and where your data lives
The Service supports multiple deployment models, and which applies depends on your setup. (1) Connect-your-own-warehouse: where you connect your own data warehouse, your data remains in your environment and Rig processes it transiently (for example, query results and representative sample values) on Rig-controlled infrastructure to deliver the Service, without persistently replicating or hosting your warehouse. (2) Rig-managed ingestion and hosting: where you ask us to ingest and host your data, Rig stores and processes that data on Rig-controlled infrastructure (hosted with AWS in the EU, eu-west-1) under the security controls described below. In both models, processing is limited to what is necessary to provide the Service, and data is deleted or returned on termination in line with your agreement.
How and why we process data
We process data to provide, maintain, and improve the Service for you, to structure your data and surface insights, to deploy, configure, and support your instance, to secure the Service and prevent abuse, and to meet legal obligations. Rig personnel may access your data remotely during deployment, configuration, support, and service delivery, on a least-privilege, need-to-know basis.
Sub-processors
We engage the following third-party sub-processors to provide the Service. They are bound by data-protection obligations equivalent to ours and receive only what they need to perform their function. This list may be updated from time to time as our infrastructure evolves; where your agreement provides for advance notice of new sub-processors, we will follow it.

| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Hosting and context cache | EU / US |
| Supabase | User accounts and conversation cache | EU |
| Langfuse | LLM traces and reasoning logs | EU |
| Sentry | Error monitoring | EU |
| PostHog | Product analytics (team emails and user IDs) | EU |
| Nango | Authentication and API calls for permitted integrations | US |

Security
We use administrative, technical, and organisational measures appropriate to the risk. Access to data is restricted to authorised Rig personnel on a least-privilege, need-to-know basis under role-based access control, with individual named accounts and multi-factor authentication enforced for administrative and cloud-console access. Data is encrypted in transit using TLS 1.2 or higher and, where held on Rig-controlled infrastructure, at rest using AES-256 (or provider-equivalent). Production infrastructure is hosted with AWS in the EU (eu-west-1) within isolated network environments, with tenant data logically segregated at the account and credential boundary. Production secrets are held in a managed secrets store, changes are deployed through reviewed, version-controlled pipelines, and security-relevant events are logged and monitored. We maintain an incident-response process and notify affected customers of a personal data breach within the period set out in the applicable agreement.
International transfers
Where data is transferred outside the UK or the EEA, for example to a sub-processor in the United States, we put appropriate safeguards in place, such as standard contractual clauses, and act only on documented instructions where required.
Retention and deletion
Data processed on Rig-controlled infrastructure is limited to what is necessary to deliver the Service and is retained only for as long as needed for that purpose or as required by law. On termination of your agreement, we delete or return your data, unless retention is legally required.
Your rights and data-subject requests
Because you are the controller for the data you connect or load, requests from individuals to exercise their rights are generally directed to you, and we will provide reasonable assistance in responding to them as set out in your DPA. If you are in the UK or EEA, you and the individuals whose data you process have rights under the UK GDPR and EU GDPR (including access, correction, deletion, restriction, portability, and objection). If you are in the United States, you may have rights under applicable state privacy laws (such as the right to access, delete, or correct personal information, and to opt out of certain processing). We do not sell personal information.
Changes to this policy
We may update this policy from time to time. We will update the "last updated" date at the top of this policy, and for material changes we will surface a notice or notify customers as appropriate.
Contact
Questions, requests, or complaints about this policy or how the Service processes data can be sent to info[at]rig[dot]so.