Privacy Policy

Effective date: June 4, 2026  ·  Last updated: June 4, 2026

Rouva ("we", "us", or "our") operates the Rouva service at rouva.io and app.rouva.io. This Privacy Policy explains what data we collect, how we use it, and your rights with respect to that data.

By creating an account or using the Rouva service, you agree to the collection and use of information described in this policy.

1. Information We Collect

Account data — When you sign up, we collect your name and email address.

User preferences — We store account settings including your selected baseline model and whether intelligent routing is enabled. These are used solely to operate the Service.

Third-party API keys — You may optionally store provider API keys (Anthropic, OpenAI) with us. These are encrypted at rest using AES-256 and are never logged or exposed in plaintext.

Rouva gateway API keys — When you generate a Rouva gateway key (prefixed rva_), we store a one-way SHA-256 hash of that key for authentication. The raw key is shown to you once at creation and is not recoverable by us.

Usage data — We log metadata about each request routed through the Rouva gateway: token counts, model used, cost, savings, task type, quality score, AI judge metadata, and message pruning statistics. We do not store the full content of your prompts or responses.

Classifier cache — To improve routing speed, we temporarily cache a SHA-256 hash of your prompt and its classification result for up to 24 hours. No prompt text is stored — only the hash and the resulting task type.

Alert settings — If you configure budget alerts, we store your alert threshold, provider, and the notification email address you specify (which may differ from your account email).

Payment data — We do not currently collect payment information. If billing is introduced, it will be handled by a PCI-compliant third-party processor.

Communications — If you contact us by email, we retain those communications to respond to you.

2. How We Use Your Information

• To operate and improve the Rouva service
• To route your requests to the appropriate AI provider
• To compute spend tracking and savings metrics for your dashboard
• To send transactional emails (welcome, budget alerts) via Resend
• To respond to support requests

We do not sell your personal data or use it to train AI models.

3. Data Storage

Your account data and usage records are stored in a Supabase-managed PostgreSQL database hosted on AWS infrastructure in the United States. Supabase's data processing practices are described at supabase.com/privacy.

API keys are stored as AES-256 encrypted ciphertext. The decryption key is held in a separate environment variable and is never written to the database.

4. Third-Party Services

We share data with the following third parties only to the extent necessary to provide the service:

• Anthropic — Your prompts are forwarded to Anthropic's API when Claude models are selected. Anthropic's privacy policy applies: anthropic.com/legal/privacy.
• OpenAI — Your prompts are forwarded to OpenAI's API when GPT models are selected. OpenAI's privacy policy applies: openai.com/policies/privacy-policy.
• Resend — We use Resend to send transactional emails. Your email address is shared with Resend for this purpose: resend.com/legal/privacy-policy.
• Vercel — Our application is hosted on Vercel. Request logs may be retained by Vercel per their policies: vercel.com/legal/privacy-policy.

We do not share your data with advertisers, data brokers, or any other third parties.

5. Cookies and Tracking

We use only essential cookies for authentication session management (via Supabase Auth). We do not use advertising cookies, tracking pixels, or third-party analytics.

6. Data Retention

Account data and usage records are retained for as long as your account is active. If you delete your account, your personal data and stored API keys will be permanently deleted within 30 days. Anonymized aggregate usage statistics may be retained indefinitely.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request correction of inaccurate personal data.
• Deletion — Request deletion of your account and associated data.
• Portability — Request an export of your usage data in a machine-readable format.
• Objection — Object to certain processing of your personal data.

To exercise any of these rights, email us at privacy@rouva.io. We will respond within 30 days.

8. Security

We implement industry-standard security measures including TLS in transit, AES-256 encryption for sensitive credentials, and row-level security on our database. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

9. Children's Privacy

Rouva is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@rouva.io.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email when material changes are made. The effective date at the top of this page indicates when the policy was last revised.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights regarding your personal information.

Categories of personal information we collect:

• Identifiers (name, email address)
• Account credentials (encrypted API keys, hashed gateway keys)
• Commercial information (usage data, cost, savings metrics)
• Internet or network activity (request metadata, model routing logs)
• Inferences drawn from usage data (task types, quality scores)

We do not sell or share your personal information. We do not sell, rent, trade, or share your personal information with third parties for cross-context behavioral advertising or any commercial purpose beyond operating the Service.

Your CCPA rights include:

• Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the third parties with whom it has been shared.
• Right to Delete — You may request deletion of your personal information, subject to certain exceptions permitted by law.
• Right to Correct — You may request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale or Sharing — We do not sell or share personal information, so this right does not apply. However, you may contact us to confirm this at any time.
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will receive the same level of service regardless of whether you make a privacy request.
• Right to Limit Use of Sensitive Personal Information — We only use sensitive personal information (API keys) to provide the Service and do not use it for any secondary purpose.

To exercise your California privacy rights, submit a request to privacy@rouva.io with the subject line "California Privacy Request." We will respond within 45 days as required by law. We may need to verify your identity before processing your request.

12. Contact

If you have questions about this Privacy Policy or your data, contact us at:

• Email: privacy@rouva.io
• Website: rouva.io