Privacy Policy

Our web server automatically records standard technical access log data each time a device connects to the Website. Such data includes, without limitation: the Internet Protocol (“IP”) address of the connecting device, browser type and version, operating system, any referring URL, the pages or resources requested, and the date and time of the request (collectively, “Access Logs”).

This logging is an inherent and non-optional function of web server software. Royal Softworks does not exercise meaningful control over, nor can it readily circumvent, this server-level logging without impairing the operational security and integrity of the Website. Access Logs are retained for security monitoring and incident investigation purposes only and are not used for commercial profiling. The legal basis for this processing is the Company’s legitimate interest (Article 6(1)(f) GDPR / Article 12 LPDP) in maintaining website security, detecting and investigating suspicious or unauthorised access, and complying with applicable legal obligations.

When you register for a user account on the Website, the following categories of personal data are collected: email address, first name, last name, and a password (stored as a one-way hash by our licensing sub-processor, Keygen.sh — see §5). When you subsequently activate the Company’s desktop software on a machine, the following additional device-level data may be collected: a hardware fingerprint (a non-reversible, pseudonymous identifier derived from device hardware characteristics), a machine display name, the platform designation (e.g., Windows, macOS, Linux), and the IP address of the device at the time of activation.

If you join the Company’s affiliate programme, an additional affiliate code, commission rate, conversion log, and payout ledger are stored against your account. Where you are an administrator or member of a Cloud Service organisation (“org”), your organisation membership, role, and the org’s licence tier are also stored. The legal basis for this processing is the performance of a contract to which the data subject is party (Article 6(1)(b) GDPR).

Royal Softworks does not collect, process, handle, or store any payment card data, bank account information, or other financial credentials. All payment processing is performed exclusively by Paddle.com Inc.(“Paddle”), which acts as the merchant of record for all transactions conducted through the Website. Paddle’s collection and use of payment data is governed solely by Paddle’s own privacy policy and terms of service, over which Royal Softworks exercises no control.

Royal Softworks receives only non-sensitive transactional metadata issued by Paddle (e.g., a Paddle-generated transaction identifier, subscription identifier, and customer identifier) for the limited and sole purpose of verifying completed purchases and provisioning the corresponding software licences.

When you submit an inquiry through the contact form available on the Website, the following personal data may be collected: your email address, first name, last name, company name, and the content of your inquiry message. Such data is transmitted directly to and stored by HubSpot, Inc.(“HubSpot”), the Company’s third-party customer relationship management provider, whose servers for this account are located in the European Union (EU1 region).

The personal data submitted through the contact form will be used primarily to respond to your specific inquiry. If you have expressly and separately consented to the receipt of marketing communications from Royal Softworks at the time of form submission, the Company may additionally use your contact information to send you information regarding its products and services. You may withdraw such consent at any time, without affecting the lawfulness of any processing carried out prior to withdrawal, by contacting us at office@royalsoftworks.com or by using the unsubscribe mechanism included in any such marketing communication. The applicable legal basis is either: the performance of a pre-contractual measure (Article 6(1)(b) GDPR) or consent (Article 6(1)(a) GDPR), as the case may be.

Subject to your prior, freely given, specific, and informed consent, the Website uses Google Analytics, a web analytics service provided by Google LLC(“Google”), to collect anonymised and aggregated data regarding visitor interaction with the Website. This may include: pages and content visited, approximate session duration, device type and browser version, approximate geographic location derived from a truncated (anonymised) IP address, and referral traffic source. IP addresses are anonymised prior to storage. Google Analytics cookies are placed on your device only if you affirmatively grant consent through the cookie consent interface presented upon your first visit to the Website.

The legal basis for this processing is consent (Article 6(1)(a) GDPR). You may withdraw consent at any time by managing your preferences as described in our Cookie Policy.

Please refer to our Cookie Policy for complete information regarding the specific cookies and local storage entries used on the Website, their purpose, duration, and the choices available to you.

Where you use a Cloud Service, the content you actively submit to that Service is stored on Royal Softworks’ infrastructure (or on the infrastructure of the storage sub-processors identified in §5) so that the Service can deliver its functionality. Depending on the Service and the features enabled, this may include: chat messages and conversation history, files you upload for retrieval-augmented generation (“RAG”) or document management, workflow definitions and execution logs, calendar / connector synchronisation data you have opted into, voice transcripts and Text-to-Speech (TTS) request payloads, and the metadata associated with each of the foregoing (timestamps, owning user, owning organisation).

Cloud Service content is scoped to the owning organisation by row-level isolation in our database (each record carries an immutable orgId) and to the owning user by access-control rules enforced at every read and write. Royal Softworks personnel do not routinely access user content; access is limited to support cases you have explicitly opened, audited incident response, and database administration performed under standard operational safeguards. The legal basis for this processing is the performance of a contract to which the data subject is party (Article 6(1)(b) GDPR).

Cloud Services that perform language-model inference operate, at launch, on a “bring your own key” (BYOK) basis. Before you can use chat or RAG features, you (or, for TEAM/ENT tiers, your organisation administrator) must paste an API key for a third-party AI provider — currently Anthropic (Claude) or OpenAI — or configure an endpoint URL for a self-hosted model server (e.g. Ollama, vLLM, LM Studio). The API key is encrypted at rest using AES-256-GCM with a server-held encryption key and is never transmitted back to the browser in plaintext.

When you submit a prompt, the prompt text, attached file excerpts retrieved from your RAG knowledge base, and the model’s response are transmitted to the third-party AI provider whose key you supplied. Royal Softworks does not aggregate, fine-tune on, or train its own models from this content. The provider’s processing of the prompt is governed exclusively by that provider’s own privacy policy, data-handling commitments, and regional data-residency settings, over which Royal Softworks exercises no control. See Anthropic’s Privacy Policy and OpenAI’s Privacy Policy.

Royal Softworks may, in the future, enable a “managed AI” option in which the Company supplies the upstream model capacity using a shared provider key and bills customers in usage-based credits. Until and unless that option is explicitly activated for your account, no inference is performed on Royal Softworks-supplied keys. This Policy will be updated to reflect any change in that arrangement.

Cloud Services support optional integrations (“Connectors”) with third-party services such as Google Workspace, GitHub, Telegram, WhatsApp, calendar providers, and messaging bridges. Where you choose to connect such a service, the OAuth access token, refresh token, account identifier, and any minimal profile metadata returned by the third-party provider are stored encrypted-at-rest against your user record (or, for org-level connectors, against the org record). Tokens are used solely to make API calls on your behalf as you explicitly request through the Service interface. Revoking a Connector through the Service UI deletes the stored token immediately; revoking access in the third-party provider’s own settings will likewise render the stored token unusable.

Where an organisation on the Enterprise tier configures Single Sign-On (SAML 2.0 or OpenID Connect) for its members, the following additional data may be processed: the organisation’s SSO endpoint metadata (issuer URL, certificate, attribute mappings), and, for each end-user authenticating via SSO, the standard claims released by the organisation’s identity provider (typically: email address, display name, group memberships). Royal Softworks does not receive end-user credentials in SSO mode; authentication occurs at the customer’s identity provider and the Service receives only a signed assertion.