Privacy Policy
Last updated: April 22, 2026
1. Introduction
Romb (“we”, “us”, “our”) provides a knowledge-capture and retrieval platform for organizations. This Privacy Policy explains how we collect, use, store, and share information when you or your organization uses our service (the “Service”).
We act as a data processor for information your organization connects to Romb (e.g. Jira issues, Confluence pages, Gmail threads, Google Docs, Slack messages) under the instructions of your organization administrator. Your organization is the data controller for that information.
2. Information we collect
Account information. Email address, name, organization membership, and OAuth identity tokens for third-party integrations you authorize.
Connected-source content. When your organization connects a source (Jira, Confluence, Gmail, Google Docs, Slack, etc.), we receive and process content from that source as needed to evaluate whether it contains capturable insights. This may include page bodies, email contents, file contents, and associated metadata.
Usage information. Product events (cards created, searches run, features used) and standard request logs (IP address, user agent, timestamps) for operational and security purposes.
3. How we use Google user data
Romb's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We use Google user data solely to:
- Detect and capture candidate insights from Gmail threads the authenticated user has sent or received.
- Read Google Docs the authenticated user chooses to capture or reference as evidence.
- Deliver push notifications (via Google Pub/Sub) to our backend when new Gmail messages arrive, so we can process them in near real time.
We do not sell Google user data, do not use it for advertising, do not use it to train generalized AI/ML models, and do not allow humans to read it except (a) with the user's explicit consent, (b) for security purposes, (c) to comply with applicable law, or (d) where the data is aggregated and used for internal operations in accordance with the Limited Use requirements.
4. How we use your information
- Operate and improve the Service.
- Generate card drafts, summaries, and knowledge graphs for your organization, using LLM providers under strict Limited Use obligations.
- Provide authentication, authorization, and access control.
- Investigate security incidents and prevent abuse.
- Communicate about the Service (outages, policy changes).
5. Sharing and subprocessors
We share information with the following categories of subprocessors to operate the Service:
- Cloud infrastructure (Supabase, Upstash, Railway)
- OAuth / integration broker (Nango)
- LLM providers (Anthropic, OpenAI) — under Limited Use terms
- Transactional email (Resend)
- Error and performance monitoring (Sentry, PostHog)
We do not sell personal information. We do not share connected-source content with third parties except the subprocessors above as needed to provide the Service.
6. Data retention and deletion
Captured content and derived artifacts (cards, embeddings, concepts) are retained while your organization's account is active. On disconnect of a source or account deletion, we delete raw source content and OAuth tokens within 30 days. Users may request deletion of their account data by emailing support@romb.ai.
7. Security
We encrypt data in transit (TLS 1.2+) and at rest. OAuth tokens are encrypted with application-level keys before storage. Access to production systems is restricted and logged.
8. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Contact support@romb.ai to exercise these rights.
9. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to account administrators or a prominent notice in the Service.
10. Contact
Questions about this policy: support@romb.ai