Privacy Policy

Effective Date: February 10, 2026 | Service Provider: Rhoe, LLC-FZ (UAE) | Product: REEN — reen.tech

1. Introduction

This Privacy Policy describes how Rhoe, LLC-FZ (“we”, “us”) collects, uses, stores, and protects your personal data when you use REEN (“the Service”).

We are committed to protecting your privacy and complying with applicable data protection laws, including:

UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
EU General Data Protection Regulation (GDPR) — for users in the European Economic Area
California Consumer Privacy Act (CCPA) — for users in California, USA

2. Data Controller

Rhoe, LLC-FZ

Meydan Free Zone, Dubai, UAE

Email: [email protected]

For GDPR purposes, Rhoe, LLC-FZ is the data controller for personal data processed through the Service.

3. Data We Collect

3.1. Account Data

Data	Purpose	Legal Basis (GDPR)
Username	Account identification	Contract performance
Password (hashed)	Authentication	Contract performance
Email (if provided)	Account recovery, notifications	Consent / Legitimate interest
WebAuthn credentials	Passkey authentication	Contract performance

3.2. User-Generated Content

Data	Purpose	Legal Basis (GDPR)
Plans, tasks, subtasks	Gant project management	Contract performance
Conference messages	AI Conference conversations	Contract performance
Uploaded files	Conference attachments	Contract performance

3.3. Automatically Collected Data

Data	Purpose	Legal Basis (GDPR)
IP address	Security, abuse prevention	Legitimate interest
Request logs	Debugging, security	Legitimate interest
Audit log (actions)	Security, accountability	Legitimate interest

3.4. Data We Do NOT Collect

AI model API keys — never transmitted to or stored by the Service
AI model credentials — remain exclusively on your device
Biometric data — WebAuthn keys are cryptographic, not biometric
Payment data — not applicable (no paid plans currently)
Location data — not collected beyond IP address
Browsing history — not tracked

4. How We Use Your Data

We use your data exclusively for:

Providing the Service — account management, content storage, conference messaging
Security — authentication, abuse prevention, audit logging
Service improvement — aggregated, anonymized usage analytics (e.g., feature adoption rates)
Legal compliance — responding to lawful requests from authorities

We do NOT use your data for:

Training AI models
Advertising or ad targeting
Selling to third parties
Profiling or automated decision-making

5. AI-Specific Data Practices

5.1. Research Mode

Our ARGUS pipeline processes publicly available research papers using AI models operated by us (Rhoe, LLC-FZ) with our own API keys. Your browsing of Research content does not send your data to any AI provider.

5.2. AI Conference

Conference messages (text) are stored on our servers for conversation history.
AI model invocations occur on your device via reen-cli using your API keys.
We never see, store, or process your API keys or the direct API calls to AI providers.
AI-generated responses are received by reen-cli on your device and relayed to our message broker as text.

Important: Third-Party AI Data Flow. When you use AI Conference with reen-cli, your device sends prompts and receives responses directly from the AI provider(s) you choose (e.g., Anthropic, OpenAI, Google), using your own API keys and under your separate agreement with those providers. We do not control, intercept, or intermediate these API calls. However, the text of conference messages (including AI-generated responses) is transmitted to and stored by the Service as part of the conversation history described in this Policy. You are responsible for reviewing and accepting the terms and privacy policies of your chosen AI providers.

5.3. No Training on Your Data

We do not use any user content (plans, tasks, conference messages, uploaded files) to train, fine-tune, or improve AI models. This applies to both our internal pipeline and third-party AI services.

6. Data Storage and Security

6.1. Infrastructure

Hosting: Railway (cloud platform), servers in the United States
Database: PostgreSQL (encrypted at rest)
File storage: Server filesystem with access controls
Message logs: Append-only JSONL format

6.2. Security Measures

Passwords hashed with bcrypt
WebAuthn/FIDO2 for passwordless authentication
API tokens with SHA-256 hashing (only hash stored, original token shown once)
HTTPS/WSS encryption in transit
Row-Level Security (RLS) in PostgreSQL — users can only access their own data
Audit logging of all significant actions

6.3. Data Transfers

Your data may be transferred to and processed in the United States (hosting infrastructure). For EU users, this transfer is conducted under Standard Contractual Clauses (SCCs) as appropriate.

7. Data Retention

Data Type	Retention Period	Deletion
Account data	Until account deletion	Deleted on request
Plans and tasks	Until deleted by user or account deletion	User can delete anytime
Conference messages	Until conference deleted by user or account deletion	User can delete anytime
Audit logs	12 months	Auto-pruned after retention period
Request logs	30 days	Auto-rotated
Uploaded files	Until deleted by user or account deletion	User can delete anytime

After account deletion, all associated data is permanently removed within 30 days. Backup copies (if any) are purged within 90 days.

8. Data Sharing

We do not sell your personal data. We may share data only in these circumstances:

Recipient	Purpose	Data Shared
Railway (hosting)	Infrastructure	Encrypted data at rest
Law enforcement	Legal obligation	As required by UAE law or valid legal process

We do not share data with AI model providers, advertising networks, data brokers, or analytics platforms.

9. Cookies and Local Storage

9.1. What We Use

The Service uses localStorage (not cookies) to store:

Item	Purpose	Duration
`auth_token` (JWT)	Session authentication	Until logout or expiry
UI preferences	Theme, language, sidebar state	Persistent

9.2. What We Do NOT Use

No tracking cookies
No third-party cookies
No analytics cookies (Google Analytics, Mixpanel, etc.)
No advertising pixels or trackers
No fingerprinting

Since we do not use cookies for tracking purposes, cookie consent banners are not required under current regulations. If this changes, we will update this policy.

10. Your Rights

10.1. All Users

You have the right to:

Access your personal data
Export your data (plans, conferences)
Delete your account and all associated data
Correct inaccurate personal data

10.2. EU/EEA Users (GDPR)

In addition to the above, you have the right to:

Data portability — receive your data in a structured, machine-readable format
Restriction — request restriction of processing
Objection — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent
Lodge a complaint — with your local data protection authority

10.3. California Users (CCPA)

You have the right to:

Know what personal information is collected and how it is used
Delete your personal information
Opt-out of sale — we do not sell personal information, so this right is satisfied by default
Non-discrimination — we will not discriminate against you for exercising your rights

10.4. UAE Users (PDPL)

Under the UAE Personal Data Protection Law, you have the right to:

Access and obtain a copy of your personal data
Request correction of inaccurate data
Request deletion of data when no longer necessary
Object to processing in certain circumstances

11. Children’s Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If we discover that a child under 16 has provided personal data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via the Service interface or email (if provided). Your continued use of the Service after changes constitutes acceptance.

13. Contact and Data Requests

For privacy inquiries, data access requests, or to exercise any of your rights:

Email: [email protected]

Company: Rhoe, LLC-FZ

Address: Meydan Free Zone, Dubai, UAE

We will respond to data requests within 30 days (or sooner as required by applicable law).

Last updated: February 12, 2026