Privacy Policy

Ravenala operates as a secure conduit between users and third-party AI services/apps, maintaining a strict no-data-storage architecture while prioritizing transparency in data handling practices. This Privacy Policy outlines our operational protocols, compliance frameworks, and user rights management in accordance with global privacy regulations, emphasizing our role as an intermediary rather than a data controller.

Information Collection and Processing

Our platform collects minimal metadata required for service functionality, including temporary OAuth tokens, session identifiers, and basic usage metrics (e.g., API request timestamps, error codes). These data points are automatically purged within 72 hours of session termination. We do not store or process personal identifiers, user content, or historical interaction data. Third-party AI providers and apps may collect personal data through our interface under their respective privacy policies. We strongly recommend users review the data practices of each integrated service before authorization.

OAuth Token Management

Authentication via OAuth 2.0 protocols generates temporary access tokens that enable real-time interactions with integrated services. These tokens are:

  1. Encrypted during transmission using TLS 1.3 protocols
  2. Restricted to read-only permissions unless explicitly configured otherwise
  3. Automatically revoked after 60 minutes of inactivity

Token scope limitations prevent access to sensitive user data beyond what's necessary for service functionality. We implement certificate-bound token validation to mitigate token replay attacks.

Third-Party Data Handling

As an intermediary platform, we facilitate data flows between:

  • AI Providers: OpenAI, Anthropic, Perplexity, etc. (content generation)
  • Apps: Google Workspace, Microsoft 365, Slack, etc. (data retrieval)

Each third-party service operates under its own data governance framework. We recommend users:

  1. Review integration-specific permission scopes
  2. Monitor authorized applications through provider dashboards
  3. Utilize native audit logging features of connected services

Security Protocols

Our security architecture employs:

  • Zero-Trust Network Access: All API calls undergo mutual TLS authentication
  • Ephemeral Containers: Session data processed in isolated runtime environments
  • Automated Token Rotation: Refresh tokens invalidated every 24 hours
  • Continuous Vulnerability Scanning: OWASP Top 10 compliance checks hourly

Despite these measures, users must maintain strong authentication practices with integrated services, including enabling multi-factor authentication and monitoring access logs.

User Rights and Compliance

Under GDPR/CCPA frameworks, users may:

  1. Audit Authorizations: View active OAuth connections through provider portals
  2. Revoke Access: Terminate platform permissions via integrated service dashboards
  3. Request Deletion: Remove metadata through support@ravenala.com (72h response)

We comply with data subject requests by:

  • Purging metadata within 10 business days
  • Providing third-party deletion instructions
  • Issuing confirmation of compliance

Cookies and Tracking Technologies

Our platform uses:

  • Strictly Necessary Cookies: Session maintenance (expire on browser close)
  • Security Cookies: CSRF protection (24h validity)

We do not employ analytics cookies, behavioral trackers, or advertising pixels. Browser fingerprinting techniques are explicitly prohibited in our codebase.

Policy Updates and Contact

We will notify users of material policy changes through:

  • Dashboard banners (30 days prior)
  • Email alerts (for active subscribers)
  • Version-controlled policy archives

Contact

Email: privacy@ravenala.ai

Address: 800 Market Street, Wilmington, DE 19801

Effective May 1, 2025