Privacy Policy
Last updated: June 2026
1. Data controller
The data controller for your personal data is: Manel Andreu Pérez, independent developer. Contact: https://orxataguy.vercel.app — privacy@raggamon.com
2. Data we collect
Account data: name and email address provided during registration via Clerk Authentication.
Infrastructure credentials: OpenAI/Anthropic API keys, MongoDB connection strings and Supabase credentials. All stored encrypted with AES-256-GCM and never shared with third parties.
Usage data: query logs (question text, model used, tokens, response time) used solely to provide the service.
Technical data: IP address, browser type and session data collected automatically for security and proper operation.
3. Purpose and legal basis
| Purpose | Legal basis |
|---|---|
| User account management | Contract performance (Art. 6.1.b GDPR) |
| RAG service provision | Contract performance (Art. 6.1.b GDPR) |
| Security and fraud prevention | Legitimate interest (Art. 6.1.f GDPR) |
| Legal obligations | Legal obligation (Art. 6.1.c GDPR) |
| Service communications | Legitimate interest (Art. 6.1.f GDPR) |
4. Sub-processors
| Provider | Service | Location |
|---|---|---|
| Clerk | User authentication | USA (SCCs) |
| MongoDB Atlas | Platform database | User's choice |
| Upstash | Rate limiting (Redis) | USA/EU (configurable) |
| Vercel / hosting provider | Application infrastructure | User's choice |
Note: the user's own infrastructure (MongoDB Atlas, Supabase Storage) is their sole responsibility. Raggamon has no access to data stored in it.
5. Data retention
Account data is retained while the account is active. Query logs are retained for a maximum of 90 days. Infrastructure credentials are deleted immediately upon account cancellation.
6. Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction, portability and objection regarding your personal data. To exercise these rights, contact privacy@raggamon.com. You also have the right to lodge a complaint with the competent supervisory authority.
7. Security
Raggamon implements technical and organisational measures including AES-256-GCM encryption for credentials at rest, bcrypt hashing for API keys, HTTPS/TLS communications, and scope-limited JWT tokens.
8. Cookies
Raggamon uses only strictly necessary technical cookies for session authentication (managed by Clerk). No advertising or third-party tracking cookies are used.