Privacy policy

Your data, and what we do with it.

Plain English, no legal fog. This page explains what RallyNPS collects, how we use AI, who we share data with, and how to get your data deleted. Every claim here can be checked against our trust page and our code.

Effective 2026-07-04.

Section 1 of 9

What we collect

We keep to the smallest set of data we need to run a survey or poll and report the results.

  • Account details — the email address, and optional phone number, of the people who sign in to run surveys.
  • Contact details you provide — the email address, optional name, and optional phone number of the people you survey, used to deliver the survey, dedupe sends, and honor unsubscribes.
  • Survey responses — the score (0-10 for NPS, or the scale that matches the survey type) and any free-text comment the person chooses to leave.
  • Delivery telemetry — deliveries, opens, bounces, and unsubscribe events reported by our email and SMS providers, so you can see whether a survey reached someone.
  • Timestamps and the survey type — when a survey was sent and answered, and which kind of survey or poll it was.

We do not collect device fingerprints, advertising cookies, cross-site tracking pixels, or demographic guesses.

Section 2 of 9

How AI processes your data

We use AI to score sentiment, pull out themes, flag at-risk customers, and answer questions about your results. Before any comment leaves our servers for an AI provider, it is scrubbed for personal information.

  • Personal information is redacted first. Every free-text comment runs through lib/core/pii.js (redactPII()) before the AI prompt is built. Emails, phone numbers, card-shaped digit runs, and common name patterns are replaced with tokens like [email] and [name]. The function is built to over-redact rather than risk a leak.
  • Non-English comments skip sentiment. If a comment does not read as confident English, we skip the AI call rather than guess.
  • We never log raw prompts or raw AI responses. We store a short hash of the prompt, the model name, token counts, and timing. Nothing else.
  • You can turn AI off. An owner can disable all AI processing for the organization in Settings. When it is off, zero AI calls happen for anyone in that organization.
The full detail, including the AI safety pipeline and provider fallback order, lives on our trust page.
Section 3 of 9

Who we share data with

We do not sell your data and we do not share it for advertising. We do use a short list of vendors to run the service. Each one handles only the data it needs for its job.

Vendor What it does
SendGridDelivers survey emails, sign-in links, and unsubscribe confirmations.
TwilioSends SMS surveys and phone sign-in codes. Never receives response comments.
StripeRuns billing for paid plans. Receives your billing email and plan, never response data.
AnthropicPrimary AI provider (Claude). Receives redacted comment text only.
OpenAIAI fallback, used only if configured and Anthropic is unavailable. The same redaction runs first.
GoogleAI fallback (Gemini), used only if configured and the providers above are unavailable. The same redaction runs first.
RailwayHosts the application and the database.
CloudflareServes the public pages and forwards app traffic.

The trust page keeps the full vendor list, including poll-only mail and phone vendors, with links to each vendor's data agreement.

Section 4 of 9

How long we keep data

  • Contact and response data is kept until your organization deletes it or closes the account. You control it.
  • Unsubscribes are honored per survey. Every survey email has an unsubscribe link. Clicking it stops further emails for that survey, including reminders, and contacts marked unsubscribed are skipped on future sends.
  • Webhook delivery logs are kept 30 days, then deleted.
  • AI prompt hashes are kept for debugging. Raw prompt text and raw AI responses are never stored.
Section 5 of 9

Deleting your data

To delete your organization's contact and response data, email [email protected] and we will process the request. This is the same deletion path shown on our trust page.

Section 6 of 9

Your organization controls its data

Data belongs to the organization that collected it. Every database query filters by organization_id, so one organization can never read another's contacts or responses. This is checked on every code review and pinned by a cross-organization test battery.

Section 7 of 9

Cookies

We use one kind of cookie: a session cookie that keeps you signed in. It is HttpOnly and is not used to track you. We run no advertising trackers and no third-party analytics scripts on our pages. Stripe sets its own cookies on its checkout page to prevent fraud when you upgrade; we do not read them.

Section 8 of 9

Changes to this policy

If we make a material change to this policy, we will email account owners before it takes effect. The effective date at the top of this page always shows the current version.

Section 9 of 9

Contact

Questions about privacy or a data request: [email protected]. We read messages within one business day.

Want the technical detail?

Our trust page shows exactly what we collect, what AI sees, and who we share with, with links into the source code.