Privacy Policy

Last updated: April 13, 2026

Rubick ("we", "our", or "us") operates the Rubick Chrome Extension and backend API (collectively, the "Service"). This policy explains what data we collect, why, and how we protect it.

1. What We Collect

• Google account information — email address and Google user ID, obtained via Google OAuth when you sign in.
• Google Drive file contents — text extracted from files in the folders you explicitly select for indexing (Google Docs, Sheets, Slides, PDF, Word, Excel). We do not access files outside the selected folders.
• Notion page contents — text from Notion pages you connect to the Service.
• Search queries — text you type in ChatGPT, Claude, or Gemini is intercepted locally by the Chrome Extension solely to retrieve relevant context from your indexed documents. Queries are sent to our API over HTTPS and are not stored.
• Usage events — anonymized product analytics (e.g., sync completed, context retrieved) sent to PostHog. No personally identifiable content is included.

2. How We Use Your Data

• To index your documents and enable semantic search over them.
• To enrich your AI prompts with relevant context from your own knowledge base.
• To authenticate you and associate your data with your organization.
• To improve the Service through anonymized usage analytics.

We do not sell your data. We do not use your document contents for any purpose other than providing the Service to you.

3. Data Storage

• Document text and vector embeddings are stored in a PostgreSQL database hosted on Railway (US region).
• Google OAuth refresh tokens are stored encrypted in the same database to enable background sync.
• Embeddings are generated via the OpenAI API (text-embedding-3-small). Document chunks are sent to OpenAI solely for embedding generation and are subject to OpenAI's privacy policy.

4. Data Retention

Your indexed documents and embeddings are retained as long as your account is active. You can delete all your data at any time by disconnecting your Google account from the extension popup. Upon deletion, all documents, chunks, and embeddings associated with your account are permanently removed.

5. Third-Party Services

• Google APIs — for authentication and Drive file access. Subject to Google's Privacy Policy.
• OpenAI — for generating vector embeddings. Subject to OpenAI's Privacy Policy.
• PostHog — for anonymized product analytics. Subject to PostHog's Privacy Policy.
• Railway — cloud infrastructure provider. Subject to Railway's Privacy Policy.

6. Chrome Extension Permissions

The Rubick Chrome Extension requests the following permissions:

• storage — to save your authentication token locally on your device.
• tabs — to open the Google sign-in flow in a new tab.
• scripting / host permissions for chatgpt.com, claude.ai, gemini.google.com — to inject context into AI chat interfaces. The extension reads the text you type only to perform a semantic search against your own indexed documents.

7. Security

All data is transmitted over HTTPS. API access requires a signed JWT token. We do not log query content. Access to production infrastructure is restricted to authorized personnel only.

8. Children's Privacy

The Service is intended for business use and is not directed at children under 13. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this policy as the Service evolves. Material changes will be communicated via the extension or email. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

Questions about this policy? Email us at privacy@rubick.ai