Privacy Policy

Who we are

Rabt (“Rabt”, “we”, “us”) is a business assistant operated by [LEGAL ENTITY NAME]. This policy explains what data we handle when you use Rabt and why. For any privacy question, contact us at [privacy@yourdomain].

What we access, and why

When you connect an account, you approve specific read-only access. We use it only to build your brief:

• Google or Microsoft sign-in (your name, email address, and profile basics) — to identify your account and sign you in.
• Email, read-only (Gmail or Outlook) — we read your recent messages (sender, subject, date, and snippet) to work out what may need a reply or follow-up. We do not send, modify, label, or delete any message.
• Optional business tools you choose to connect (Zoho Books, QuickBooks, Salla, Shopify, Tap Payments, Tabby, Moyasar, MyFatoorah, Tamara) — read-only access to figures like overdue invoices, bills, orders, and payments, folded into your brief. Each is optional and connected only when you add it.

What we store — and what we don't

We store, in an encrypted database:

• Your account identifier and basic profile (e.g. email address).
• Access and refresh tokens for the accounts you connect — encrypted at rest. These let Rabt rebuild your brief without asking you to sign in every time.

We do not store:

• The contents of your emails. They are fetched, processed in memory to generate your brief, shown to you, and not written to our database.
• The generated brief itself is returned to your browser; it is not retained on our servers.

AI brief generation

To write your brief, a digest of your recent email (and any connected-tool figures) is sent to our AI provider, Anthropic (the Claude API). This content is used only to generate your brief. It is not used to train AI models. Rabt does not train any public AI model on your inbox or workspace data.

Who else processes your data (sub-processors)

We rely on a small set of providers strictly to run the service:

• Google / Microsoft — sign-in and read-only mail access (the accounts you connect).
• Anthropic — generates your brief from the digest described above.
• MongoDB Atlas — encrypted storage of your account ID and tokens.
• Vercel — application hosting.
• Zoho, Intuit (QuickBooks), Salla, Shopify, Tap Payments, Tabby, Moyasar, MyFatoorah, Tamara — only if you connect them.

Usage analytics

During this beta, basic usage events (for example, when a brief is generated) are kept locally in your browser to help us measure whether Rabt is working. We do not currently send this to a third-party analytics service. If that changes, we will update this policy first.

How long we keep things

We keep your account ID and encrypted tokens until you disconnect the account or delete your data, after which they are removed. Email contents are not retained beyond generating your brief.

Your choices

• Disconnect any account at any time from Settings — this removes its stored tokens.
• Request deletion of your data by contacting us at the email above.
• Revoke Rabt's access directly from your Google or Microsoft account security settings.

Security

Access and refresh tokens are encrypted at rest, and your session is protected with a signed, httpOnly cookie. No system is perfectly secure, but we limit what we collect specifically to reduce risk — we keep tokens, not your mail. If something breaks, we record the technical error (the message, where it happened, and a stack trace) in our own server logs to fix it — never your email contents, and never shared with a third party.

Children

Rabt is a tool for businesses and is not directed to anyone under 18.

Changes & contact

We may update this policy as Rabt evolves; the “last updated” date above will change. Questions or requests: [privacy@yourdomain]. Governing law: [JURISDICTION].