Legal

Privacy Policy

Last updated: March 20, 2026

Overview

Rhumb (operated by Supertrained Inc.) is a developer tool that scores APIs for AI agent compatibility and provides managed capability execution. We are committed to transparency about what we collect and why.

The short version: we collect what we need to operate the service, we don't sell any of it, and we don't track you across sites.

What we collect

Account data (if you sign up)

When you create an account via GitHub or Google OAuth, we receive and store:

  • Your display name and email address (from your OAuth provider)
  • Your OAuth provider identifier (GitHub user ID or Google sub)
  • A governed API key we generate for your account

We do not receive or store your OAuth provider password. We use the standard OAuth 2.0 authorization code flow with CSRF protection.

Session data

When you sign in, we set a rhumb_session cookie containing a signed JWT token. This cookie is:

  • HttpOnly (not accessible to JavaScript)
  • Secure (only transmitted over HTTPS)
  • SameSite=Lax (not sent on cross-site requests)
  • Valid for 7 days

API and execution data

  • API query logs: Search terms, capability execution requests, and timestamps. Authenticated requests are associated with your governed API key.
  • Execution records: When you use managed capability execution, we log the capability called, provider used, latency, cost, and success/failure status. We do not log the contents of your request bodies or upstream responses.
  • Error logs: Server error logs may contain request metadata (URL, HTTP method, status code) for debugging. These are retained for 30 days.

Payment data

  • Stripe: Payment processing is handled by Stripe. We store your Stripe customer ID and transaction records (amounts, dates). We do not store your credit card number or payment method details — those are held by Stripe.
  • x402/USDC: For on-chain payments, we record the transaction hash and wallet address used for payment verification. Blockchain transactions are inherently public.

Web analytics

We use Google Analytics 4 and Microsoft Clarity for anonymized usage analytics on rhumb.dev. These tools collect standard web metrics (page views, session duration, device type). Both are configured with IP anonymization enabled.

What we do NOT collect

  • We do not store your OAuth provider password
  • We do not store credit card numbers (Stripe handles payment details)
  • We do not log upstream API request/response bodies from managed executions
  • We do not track you across other websites
  • We do not build advertising profiles or sell data to third parties
  • We do not use your API queries or execution data to train machine learning models

Managed credentials

When you use Rhumb-managed capability execution, we hold API credentials for upstream services on your behalf. These credentials:

  • Are stored in encrypted secret management infrastructure
  • Are never exposed in API responses, logs, or error messages
  • Are used only to execute the specific capability you request
  • Are shared across users of managed capabilities (they are Rhumb's credentials, not per-user credentials)

If you use bring-your-own-key (BYOK) mode, your credentials are passed through to the upstream service in the same request and are not stored by Rhumb. If you use Agent Vault, Rhumb stores an encrypted provider credential scoped to your agent, injects it only at call time, and does not share it across accounts.

How we use your data

Data collected is used to:

  • Authenticate your identity and manage your account
  • Process payments and maintain billing records
  • Execute capability requests on your behalf
  • Enforce budget limits and rate controls
  • Improve search relevance and service coverage
  • Monitor API performance, uptime, and error rates
  • Understand aggregate usage patterns (which capabilities are most used, which services are most queried)

Third-party services

When using managed capabilities, your requests are proxied through upstream service APIs (e.g., Stripe, GitHub, Twilio, Slack). Each upstream service has its own privacy policy governing data they receive through API calls.

Your rights (GDPR / CCPA)

You have the right to:

  • Access — request a copy of all data associated with your account
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and associated data
  • Opt-out of analytics — disable web analytics by using a browser ad blocker or Do Not Track setting
  • Data portability — request your data in a machine-readable format
  • Non-discrimination — exercising these rights will not affect your service access

For any privacy-related requests, contact privacy@supertrained.ai. We will respond within 30 days.

Data retention

  • Account data: retained while your account is active; deleted within 30 days of account deletion request
  • API query and execution logs: retained for 90 days
  • Error logs: retained for 30 days
  • Billing records: retained for 7 years (tax/legal compliance)
  • Web analytics: per Google Analytics and Microsoft Clarity default retention policies

Children's privacy

Rhumb is a developer tool not intended for use by children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal information, please contact us at privacy@supertrained.ai.

Changes to this policy

We will update this page when our data practices change. For significant changes, we'll note the update in our changelog.

Contact

For privacy-related questions or requests:
privacy@supertrained.ai

Supertrained Inc.
7901 4th St N STE 300
St Petersburg, FL 33702