← Back

Privacy Policy

Last updated: June 4, 2026

1. Introduction

Romb (“we”, “us”, “our”) provides a knowledge-capture and retrieval platform for organizations. This Privacy Policy explains how we collect, use, store, and share information when you or your organization uses our service (the “Service”).

We act as a data processor for information your organization connects to Romb (e.g. Jira issues, Confluence pages, Gmail threads, Google Docs, Slack messages) under the instructions of your organization administrator. Your organization is the data controller for that information.

2. Information we collect

Account information. Email address, name, organization membership, and OAuth connection identifiers or status for third-party integrations you authorize.

Connected-source content. When your organization connects a source (Jira, Confluence, Gmail, Google Docs, Slack, etc.), we receive and process content from that source as needed to evaluate whether it contains capturable insights. This may include page bodies, email contents, file contents, and associated metadata.

Usage information. Product events (cards created, searches run, features used) and standard request logs (IP address, user agent, timestamps) for operational and security purposes.

3. How we use Google user data

Romb's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We use Google user data solely to:

  • Detect and capture candidate insights from Gmail threads the authenticated user has sent or received.
  • Poll and list Google Drive changes for files the authenticated user can access so Romb can identify candidate work artifacts, such as finalized or shared documents.
  • Export Google Workspace files or download supported Drive files to read candidate file content for knowledge-card drafts, summaries, and evidence.
  • Deliver push notifications (via Google Pub/Sub) to our backend when new Gmail messages arrive, so we can process them in near real time.

We do not sell Google user data, do not use it for advertising, do not use it to train generalized AI/ML models, and do not allow humans to read it except (a) with the user's explicit consent, (b) for security purposes, (c) to comply with applicable law, or (d) where the data is aggregated and used for internal operations in accordance with the Limited Use requirements.

4. How we use your information

  • Operate and improve the Service.
  • Generate card drafts, summaries, and knowledge graphs for your organization, using LLM providers under strict Limited Use obligations.
  • Provide authentication, authorization, and access control.
  • Investigate security incidents and prevent abuse.
  • Communicate about the Service (outages, policy changes).

5. Sharing and subprocessors

We share information with the following categories of subprocessors to operate the Service:

  • Cloud infrastructure (AWS, Upstash)
  • OAuth / integration broker (Nango)
  • LLM providers (Anthropic, OpenAI) — under Limited Use terms
  • Error and performance monitoring (Sentry, PostHog)

We do not sell personal information. We do not share connected- source content with third parties except the subprocessors above as needed to provide the Service.

6. Data retention and deletion

Captured content and derived artifacts (cards, embeddings, concepts) are retained while your organization's account is active. When you disconnect a source, we revoke the upstream OAuth connection and stop new collection from that source. Users may request deletion of account data by emailing support@romb.ai; we process those requests subject to legal, security, and operational retention requirements. User-scoped content, profile data, and personal integration mappings can be removed or anonymized; some shared organization-level artifacts and external provider account deletion steps may require manual handling under your design-partner terms.

7. Security

We encrypt data in transit (TLS 1.2+) and at rest. Personal OAuth credentials are handled through secure integration infrastructure such as Nango or encrypted connection storage, depending on the integration. Access to production systems is restricted and logged.

8. Your rights

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Contact support@romb.ai to exercise these rights.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email to account administrators or a prominent notice in the Service.

10. Contact

Questions about this policy: support@romb.ai