Privacy Policy

Rubo B.V. (“Rubo”, “we”, “us”) is a company registered in the Netherlands. We operate the Rubo AI copilot service for insurance and real estate brokers, accessible at askrubo.ai and through the Rubo broker console.

This Privacy Policy explains how we collect, use, store, and share personal data when you use our services. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and the Dutch implementation thereof (UAVG).

If you have any questions about this policy, please contact us at privacy@askrubo.ai.

The data controller for personal data processed through the Rubo platform is:

We collect the following categories of personal data:

• Account data: Name, email address, company name, and phone number when you register.
• Usage data: Log files, IP addresses, browser type, pages visited, and feature usage within the broker console.
• Communication data: Messages sent through the WhatsApp Business API integration, including client queries and AI-drafted responses that brokers review and send.
• Document data: Insurance policy documents, client files, and other materials you upload for AI analysis.
• Payment data: Billing information processed by our payment provider, Stripe. We do not store full card numbers.
• Cookie data: See our Cookie Policy for full details.

We process personal data on the following legal bases under GDPR Article 6:

• Contract performance (Art. 6(1)(b)): To provide the Rubo service you have subscribed to.
• Legal obligation (Art. 6(1)(c)): To comply with Dutch and EU law, including anti-money-laundering (Wwft) obligations.
• Legitimate interests (Art. 6(1)(f)): For security, fraud prevention, service improvement, and analytics.
• Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies, where you have given consent.

All personal data is stored within the European Union. We use Supabase (hosted in the EU-Frankfurt region) as our primary database and file storage provider. Our web applications are deployed on Vercel with EU data residency configured.

Communication data processed via the WhatsApp Business API is handled through Meta's infrastructure in accordance with Meta's data processing terms. We use the API solely to enable broker-to-client communication; we do not use this data for advertising purposes.

We share personal data only with:

• Supabase Inc. — database and auth infrastructure (EU Frankfurt region).
• Anthropic, PBC — AI processing for generating draft responses. We have a data processing agreement in place. Data is not used to train Anthropic's models.
• Stripe Inc. — payment processing under a data processing agreement.
• Meta Platforms — WhatsApp Business API for message delivery.
• Legal authorities — when required by applicable law.

We do not sell personal data to third parties.

We retain personal data for as long as your account is active, plus a period of 3 years for legitimate business and legal purposes. Communication and document data may be retained for up to 7 years where required by Dutch financial services regulations.

You may request deletion of your data at any time (see Section 8). Certain data may be retained where we have a legal obligation to do so.

Under the GDPR you have the following rights:

• Right of access (Art. 15): Request a copy of your personal data.
• Right to rectification (Art. 16): Correct inaccurate data.
• Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
• Right to restriction (Art. 18): Restrict processing in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting lawfulness of prior processing.

To exercise any of these rights, email privacy@askrubo.ai. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), at autoriteitpersoonsgegevens.nl.

We implement appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, AES-256 encryption at rest, role-based access control, and regular security audits.

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The current version is always available at askrubo.ai/privacy.