GDPR Compliance
Last updated: 1 March 2025
Rubo is a Dutch company and GDPR compliance is foundational to how we build and operate our platform — not an afterthought. This page summarises our approach to data protection and your rights as a data subject.
1. Our Roles Under GDPR
Data Controller: Rubo B.V. is the data controller for personal data you provide when creating an account, contacting us, or using our marketing site.
Data Processor: When brokers upload client data or process client communications through the Rubo platform, Rubo acts as a data processor on behalf of the broker (the data controller). We process that data only on the broker's documented instructions and for the purpose of providing the Service.
A Data Processing Agreement (DPA) is available to all Business and Enterprise customers and governs our processing activities as a data processor.
2. Data Residency
All primary data storage is in the EU (Frankfurt, Germany) region via Supabase. No personal data is stored outside the EU as part of primary storage.
Where sub-processors based outside the EU process personal data (e.g. for AI inference), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and ensure appropriate supplementary safeguards are in place.
3. Sub-processors
We use the following sub-processors to deliver the Service:
| Provider | Location | Purpose |
|---|---|---|
| Supabase Inc. | EU (Frankfurt, Germany) | Database, authentication, and file storage |
| Anthropic, PBC | United States (SCCs in place) | AI model inference for draft generation |
| Stripe Inc. | United States (SCCs in place) | Payment processing |
| Meta Platforms | United States (SCCs in place) | WhatsApp Business API for message delivery |
| Vercel Inc. | EU region configured | Web application hosting |
4. Security Measures
Technical and organisational measures include:
- TLS 1.2+ encryption for all data in transit.
- AES-256 encryption for data at rest.
- Row-level security (RLS) policies in our database layer.
- Multi-factor authentication enforced for all Rubo staff.
- Role-based access control with least-privilege principles.
- Regular penetration testing and security audits.
- Automated vulnerability scanning in our CI/CD pipeline.
- Incident response and data breach notification procedures.
5. Your Rights
As a data subject, you have the following rights under the GDPR:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your personal data where no legal obligation to retain it exists.
- Restriction (Art. 18): Ask us to limit how we use your data in specific circumstances.
- Portability (Art. 20): Receive your data in a structured, machine-readable format to transfer elsewhere.
- Objection (Art. 21): Object to processing based on our legitimate interests.
To exercise any of these rights, email privacy@askrubo.ai. We will respond within 30 calendar days.
6. Data Breach Notification
In the event of a personal data breach, we will notify the Dutch Autoriteit Persoonsgegevens (AP) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We will notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms.
7. Data Protection Officer
Rubo has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance programme.
Data Protection Officer
Rubo B.V.
Herengracht 182
1016 BS Amsterdam
The Netherlands
Email: dpo@askrubo.ai
8. Supervisory Authority
You have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens, at autoriteitpersoonsgegevens.nl.