Privacy Policy
Effective date: June 17, 2026
This Privacy Policy explains how Collect Software Inc. ("RushDB", "we", "us", or "our") collects, uses, shares, and protects information when you visit rushdb.com, use RushDB Cloud, use app.rushdb.com, interact with the RushDB API, or contact us.
RushDB is developer infrastructure for storing and querying connected application data, graph records, semantic indexes, and agent memory. This policy describes how RushDB handles account data, workspace data, project data, customer content, product telemetry, and billing information.
If you use self-hosted RushDB, you control the infrastructure where your self-hosted instance runs. This policy applies to RushDB-hosted websites and cloud services, not to data processing that happens only inside your own self-hosted deployment.
Who We Are
RushDB is operated by Collect Software Inc.
Contact: hi@rushdb.com
For security or privacy review requests, include your company name, workspace or project context if applicable, and the request type.
Information We Collect
Account information
When you create or use a RushDB account, we may collect:
- email address or login;
- first and last name, when provided;
- password hash for email/password accounts;
- OAuth identifiers for Google or GitHub login, when you use those login methods;
- email confirmation, password reset, and account status metadata;
- account creation, edit, and last activity timestamps.
RushDB does not store your plain-text account password. Passwords are hashed before storage.
Workspace and project information
RushDB Cloud stores information needed to operate workspaces and projects, including:
- workspace names, member roles, and membership metadata;
- workspace invitations and invited email addresses;
- project names, descriptions, status, timestamps, and access lists;
- API token metadata, including token name, description, scope or access level, expiration, and project association;
- OAuth client, authorization request, consent, code, and refresh-token metadata for MCP/OAuth flows;
- connector configuration and status metadata, when connectors are enabled.
API token values are stored encrypted at rest in the platform database. OAuth refresh-token records are stored as hashed token identifiers. OAuth access tokens are time-limited.
Customer content
When you use RushDB Cloud or the RushDB API, you may submit, create, import, query, or delete records, labels, properties, relationships, files, text fields, semantic indexes, relationship suggestions, connector data, and other content inside a project ("Customer Content").
Customer Content may include personal data if you choose to store personal data in RushDB. You are responsible for deciding what Customer Content you submit to the service and for ensuring that you have the rights and legal basis to process it.
RushDB processes Customer Content to provide the service, including:
- storing and retrieving records;
- creating and querying relationships;
- indexing selected fields for search or semantic retrieval;
- maintaining project ontology and schema metadata;
- running customer-requested imports, exports, connector workflows, and deletion operations;
- supporting MCP/OAuth access that you authorize for a project.
Search, embedding, and AI-related processing
RushDB supports optional semantic search, embedding indexes, and relationship suggestions. When these features are configured and used, selected text fields, ontology data, labels, property names, relationship metadata, or query context may be sent to the configured embedding or language-model provider to perform the requested operation.
These features are optional and depend on the project or deployment configuration. In self-hosted deployments, the deployment operator controls the provider configuration.
Billing and usage information
For RushDB Cloud, we process billing and usage information needed to manage plans, limits, subscriptions, invoices, and customer support. This may include:
- workspace ID and workspace name;
- account or requester email;
- plan name and subscription status;
- Knowledge Unit usage, project counts, and related usage events;
- billing inquiry messages;
- checkout and billing portal session information.
RushDB uses a billing service for plan enforcement and subscription workflows. Payment processing may be handled by Stripe. RushDB does not intentionally collect or store full payment card numbers when payments are processed through Stripe.
Website and product analytics
We use website and product analytics to understand how visitors and customers use RushDB, improve the product, measure conversion, and debug user flows. The website uses Google Tag Manager and Google Analytics-style events only after consent where required by our cookie banner and consent mode implementation.
Analytics events may include page views, CTA clicks, documentation clicks, pricing plan clicks, signup-start events, blog interactions, language-switch events, and limited code-copy previews. We avoid intentionally sending sensitive Customer Content in analytics events.
Cookies and local storage
We use cookies and browser storage for authentication, administration sessions, preferences, consent choices, and analytics consent. The website stores cookie consent state in local storage and updates analytics consent based on your choice.
For more detail, see our Cookie Policy at https://rushdb.com/cookie-policy.
Communications
If you contact us, request support, submit a billing inquiry, report a security issue, join a waitlist, or respond to our emails, we process the contact details and message content you provide.
How We Use Information
We use information to:
- provide, operate, secure, and improve RushDB;
- create and authenticate accounts;
- manage workspaces, projects, roles, tokens, OAuth consents, and access control;
- process Customer Content according to your API, dashboard, connector, or MCP/OAuth instructions;
- provide billing, plan, usage, support, and administrative workflows;
- send account, security, billing, product, and service communications;
- detect, prevent, and investigate abuse, fraud, security incidents, and service misuse;
- comply with legal obligations and enforce our Terms of Service;
- analyze website and product usage, subject to consent where required.
Legal Bases for Processing
Where GDPR or similar law applies, our legal bases may include:
- contract necessity, to provide RushDB Cloud and related services;
- legitimate interests, such as securing the service, preventing abuse, improving the product, and communicating with customers;
- consent, such as for optional analytics cookies or marketing communications where consent is required;
- legal obligation, where we must retain or disclose information to comply with applicable law.
For Customer Content, RushDB usually acts as a processor or service provider on behalf of the customer. The customer is responsible for determining the lawful basis for the Customer Content they submit to RushDB.
How We Share Information
We do not sell Customer Content.
We may share information with:
- infrastructure, hosting, database, monitoring, analytics, email, authentication, billing, payment, and support providers used to operate RushDB;
- OAuth providers such as Google or GitHub, when you choose those login methods;
- payment processors such as Stripe, when you use paid RushDB Cloud plans;
- embedding or language-model providers, only when optional project features that require those providers are configured and used;
- professional advisors, auditors, or legal counsel where necessary;
- authorities, courts, or other parties where required by law or necessary to protect rights, safety, security, or service integrity;
- successors in connection with a merger, acquisition, financing, reorganization, or sale of assets.
Current subprocessor details can be shared with customers during security or procurement review.
International Data Transfers
RushDB may process information in the United States and other countries where we or our service providers operate. If personal data from the European Economic Area, United Kingdom, or Switzerland is transferred internationally, we use appropriate transfer mechanisms where required, such as standard contractual clauses or equivalent safeguards.
Retention
We retain information for as long as needed to provide RushDB, comply with legal obligations, resolve disputes, enforce agreements, prevent abuse, and maintain security.
General retention practices include:
- account, workspace, project, access, billing, and support records are retained while the account or workspace is active and for a reasonable period afterward;
- Customer Content is retained until deleted by the customer, the project or workspace is deleted, or retention is otherwise required for legal, security, backup, or operational reasons;
- expired OAuth authorization requests, codes, refresh tokens, and related temporary records are periodically cleaned up;
- backups may retain deleted information for a limited period before normal backup expiration;
- legal, tax, billing, fraud-prevention, and security records may be retained longer where required or reasonably necessary.
Customer Controls
Depending on your account, plan, and deployment mode, you may be able to:
- access and update account information;
- create, update, export, and delete Customer Content through the dashboard, API, SDK, or MCP tools;
- create and revoke API tokens;
- authorize and revoke OAuth/MCP consents;
- manage workspace members and invitations;
- delete projects or request workspace/account deletion.
If you need assistance with data export, deletion, access, correction, or privacy review, contact hi@rushdb.com.
Your Privacy Rights
Depending on your location, you may have rights to access, correct, delete, export, or restrict personal data, to object to processing, or to withdraw consent. You may also have the right to complain to a data protection authority.
If your personal data is contained in Customer Content controlled by a RushDB customer, we may refer your request to that customer or process the request on their instructions.
Security
RushDB uses technical and organizational measures designed to protect information, including access controls, encrypted transport, password hashing, token protection, project/workspace access checks, backups, and security review processes.
No system is perfectly secure. You are responsible for using strong credentials, protecting API keys and OAuth grants, limiting Customer Content to data you are authorized to process, and configuring self-hosted deployments securely.
Children
RushDB is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, contact us so we can review and delete it where appropriate.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and provide notice where required by law.
Contact
Collect Software Inc.
Email: hi@rushdb.com
Website: https://rushdb.com