GDPR

GDPR at Ritsu

How Ritsu complies with the EU General Data Protection Regulation and what that means for you. An explainer, not a contract.

Effective June 1, 2026 · Last updated April 17, 2026 · ~11 min read

§1 What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union law that came into force in 2018. It gives people in the EU, the United Kingdom, and the European Economic Area (together with a few other countries that adopt equivalent frameworks) legally enforceable rights over their personal data.

GDPR applies to Ritsu because we offer our service to people located in the EU / UK, even though we are not a European entity. It is the strongest broadly applicable privacy law in the world, so if we meet GDPR, we probably meet most other privacy laws too.

“Personal data” under GDPR is any information relating to an identifiable person. That includes obvious things (name, email, IP address) and less obvious things (account preferences, study habits, uploaded content, behavioral patterns).

§2 Ritsu’s Commitment

In plain English:

  • We collect only what we need to run the Service. No data hoarding.
  • We do not train AI models on your content — not ours, not Google’s (Gemini), not OpenRouter’s. This is our most important privacy promise because it is unique to AI SaaS and the easiest place to violate user trust.
  • We do not sell your personal data. We do not share it with advertisers. Ritsu has no ads.
  • We respect your rights to access, correct, delete, export, and object. You ask, we deliver.
  • We are transparent about our sub-processors (Supabase, Cloudflare, Vercel, Google Gemini, Lemon Squeezy, etc.). Full list in our Privacy Policy §6.
  • We notify you within 72 hours if there is a data breach that affects you, in line with GDPR Article 33.
  • We are honest about what we do not yet have — no SOC 2 Type II audit, no ISO 27001 certification, no Data Privacy Framework enrollment. Yet. We believe honesty is a stronger signal than claims we cannot back up.

§3 Who Does This Apply To?

This page is written with GDPR in mind, but the rights and protections below apply whether you are in:

  • European Economic Area (EEA): the 27 EU member states plus Norway, Iceland, and Liechtenstein.
  • United Kingdom: covered by the UK GDPR (post-Brexit equivalent).
  • Switzerland: covered by the Swiss FADP, which aligns with GDPR principles.

If you are outside these jurisdictions, the rights we grant here still apply (we do not use jurisdiction as a filter), though the specific legal framework protecting you differs. California residents should also see Privacy Policy §11 for CCPA/CPRA-specific rights.

§4 Where Your Data Lives

Ritsu uses a small set of cloud sub-processors to run the Service. Each one is named, each one is contracted for GDPR-appropriate data handling, and each one is covered by Standard Contractual Clauses (SCCs) for transfers from the EU to the United States.

  • Database & authentication — Supabase Inc. Region: US East (EU available on request for paid plans). Transfer: SCCs for EU→US.
  • File storage (uploads) — Cloudflare R2. Region: global edge (primary: US). Transfer: SCCs.
  • Application hosting — Vercel Inc. Region: United States (global edge). Transfer: SCCs.
  • AI inference (primary) — Google (Gemini API). Region: United States. Transfer: SCCs + Google Cloud DPA.
  • AI inference (fallback) — OpenRouter Inc. Region: United States. Transfer: SCCs.
  • Payment processing (Merchant of Record) — Lemon Squeezy Inc. Region: United States (Delaware). Transfer: SCCs + MoR-specific terms.
  • Transactional email — Resend. Region: United States. Transfer: SCCs.

For the complete and current list, always check Privacy Policy §6.

§5 Your Rights Under GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights. They apply globally on Ritsu, not just inside Europe.

  • Access — get a copy of the personal data we hold about you. Exercise: email privacy@ritsu.ai.
  • Rectification — correct inaccurate or incomplete data. Exercise: email privacy@ritsu.ai or edit in your account settings.
  • Erasure (right to be forgotten) — ask us to delete your data (subject to legal retention like tax records). Exercise: email privacy@ritsu.ai.
  • Portability — receive your data in a machine-readable format (JSON). Exercise: email privacy@ritsu.ai.
  • Restriction — ask us to pause processing during a dispute. Exercise: email privacy@ritsu.ai.
  • Objection — object to processing based on legitimate interests. Exercise: email privacy@ritsu.ai.
  • Withdraw consent — revoke any consent you previously gave. Exercise: email privacy@ritsu.ai or adjust account settings.
  • Not be subject to solely automated decisions — Ritsu does not make such decisions; see Privacy Policy §7.5.
  • Complain — lodge a complaint with your local supervisory authority. Find yours on the EDPB website.

§6 How We Meet Our GDPR Obligations

The regulation imposes specific obligations on us as a controller of your personal data. Here is what we do about each.

6.1 Lawful basis for processing (Art. 6)

Every processing activity is mapped to one of these legal bases:

  • Contract: to deliver the Service you signed up for (account, subscription, AI generation on your uploads).
  • Consent: for optional processing like future product analytics (PostHog) or marketing emails (not yet deployed).
  • Legitimate interests: for security monitoring, fraud prevention, Service improvement with aggregated de-identified data. We weigh our interests against yours and document the assessment.
  • Legal obligation: tax record retention (7 years), responses to lawful government requests, responses to valid DMCA notices.

See Privacy Policy §4 for the mapping per activity.

6.2 Data minimization (Art. 5(1)(c))

We collect only what we need. Examples:

  • We do not collect your phone number, date of birth, or postal address (except where our payment processor requires an address for tax purposes in your jurisdiction).
  • We ask for your age at signup to meet child-protection requirements, not for marketing.
  • Server logs are kept for 30 days, not forever.

6.3 Purpose limitation (Art. 5(1)(b))

Data collected for one purpose is not re-used for another without a fresh legal basis. Example: your payment email is used for transactional receipts; we do not silently add it to a marketing list.

6.4 Storage limitation (Art. 5(1)(e))

We keep data only as long as we need it. See the Privacy Policy §10 retention table for specifics:

  • Active account: retained while you use Ritsu.
  • Deleted account: 30 days soft-delete, then hard-delete. Billing records retained 7 years per tax law.
  • Server logs: 30 days.
  • Backups: 90 days rolling.
  • Inactive accounts: notice at 12 months, deletion at 24 months.

6.5 Integrity and confidentiality (Art. 5(1)(f))

We use encryption at rest and in transit, Row-Level Security at the database layer, access controls, and secret rotation. See the Security Policy for the full posture.

6.6 Accountability (Art. 5(2))

We document our processing activities, our lawful bases, our sub-processors, and the contracts that govern them. This page, the Privacy Policy, and the Security Policy together form that documentation.

6.7 Privacy by design (Art. 25)

  • Row-Level Security on every user table means one user cannot see another’s data even if our application has a bug.
  • We do not AI-train on user content, so AI output cannot leak one user’s data to another’s session.
  • Private sessions are private by default; sharing is opt-in per session.

6.8 Breach notification (Art. 33)

If a breach of personal data occurs and it poses a risk to your rights or freedoms, we notify you within 72 hours of discovery. The notification explains what happened, what data was affected, what we have done, and what you should do. We also notify the relevant supervisory authorities as required.

6.9 Data Protection Impact Assessments (Art. 35)

For any high-risk new processing (for example, adding a new AI sub-processor, or introducing a new data category), we conduct a DPIA documenting the risk, mitigations, and decision rationale before launch.

§7 Cross-Border Transfers

Your data is transferred from the EEA / UK to the United States primarily because most of our sub-processors are US-based. We rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission in June 2021, with each US-based sub-processor.
  • UK International Data Transfer Addendum (IDTA) for UK data transfers.
  • Swiss-equivalent transfer mechanisms for data from Switzerland.

We also apply supplementary measures beyond SCCs where the Schrems II judgment suggests they are needed:

  • End-to-end TLS encryption in transit.
  • AES-256 encryption at rest at all data storage layers.
  • Strict access controls, MFA on administrative accounts.
  • No structured access by non-contracted parties.

Where a sub-processor offers EU-hosted infrastructure on a plan tier we can adopt, we evaluate it. Supabase currently offers EU regions; we may migrate EU-resident data there in the future. When we do, this page will be updated.

§8 FAQ

8.1 Do you use my data to train AI models?

No. We do not train AI models on your content, and neither do our AI sub-processors (Google Gemini, OpenRouter); see §2 and §6.7.

8.2 Where is my data stored?

Primarily in the United States (Supabase, Cloudflare R2, Vercel, Google Cloud for Gemini). If Supabase’s EU region is available on our plan, certain data (database rows, auth tokens) may be stored in the EU. Uploaded files go to Cloudflare’s global CDN with a designated primary region. For the current mapping see §4 above and the Privacy Policy §6.

8.3 How do I delete my account and my data?

Email privacy@ritsu.ai with your request. We respond within 2 business days with confirmation and process the deletion within 30 days. Your Learning Content is soft-deleted immediately and hard-deleted after 30 days. Billing records are retained for 7 years as required by tax law, then deleted.

A self-serve “delete my account” button is on our roadmap for P1 after launch.

8.4 Do you sell my personal data?

No. We do not sell personal data for monetary consideration. Under California CCPA/CPRA, we also do not “share” your data for cross-context behavioral advertising (Ritsu does not run advertising).

8.5 Do you use my data to show me ads?

No. Ritsu has no advertising. We do not build advertising profiles, we do not share data with ad networks, and we do not use cookies for advertising purposes.

8.6 Are you GDPR-certified?

There is no official “GDPR certification” offered by the European Commission that a company can achieve. GDPR sets obligations; companies demonstrate compliance through their practices, documentation, and audits. Some certifications (ISO 27701, TrustArc, BSI) provide third-party validation of privacy management systems, but GDPR itself is not something you “get certified in.”

Ritsu complies with GDPR. We are not currently third-party audited against ISO 27701 or similar frameworks. When enterprise customer demand justifies the investment, we will pursue one.

8.7 Do you have a Data Protection Officer (DPO)?

At Ritsu’s current size, we are not legally required to appoint a DPO under GDPR Art. 37 (which applies to large-scale processing of sensitive data or public-authority processing). However, the operator of Ritsu functions as the data protection contact and fulfills the DPO responsibilities informally.

For DPO-equivalent communications, email privacy@ritsu.ai. This routes to the operator until a formal DPO is appointed.

8.8 What happens if there is a data breach?

If the breach poses a risk to your rights or freedoms, we notify affected users within 72 hours of discovery, as required by GDPR Art. 33. The notification includes: what happened, when, which data was affected, what we have done, and what you should do. We also notify the competent supervisory authority where required. See Security Policy §9.

8.9 Can my business get a Data Processing Agreement (DPA)?

Yes. If you are a business using Ritsu on behalf of end users (for example, a teacher using Ritsu with students, or a company providing Ritsu to employees), we offer a DPA on request. Email legal@ritsu.ai and we will send our standard DPA template.

At launch, the DPA is offered as a signable PDF on request rather than a public page. As enterprise demand grows, we may publish a self-service DPA signing flow.

8.10 What EU supervisory authority should I complain to?

You may lodge a complaint with the supervisory authority in the country where you live, work, or where the alleged violation occurred. The European Data Protection Board maintains a list of national authorities. You do not need to contact us first to lodge a complaint (though we would prefer you did, so we can try to resolve it directly and faster).

8.11 What about children’s data?

Ritsu is not directed to children under 13. For users aged 13-15 in the EEA (or under the applicable age of digital consent in their country, which varies from 13 to 16 by EU member state), we require verifiable parental consent per GDPR Art. 8. See Privacy Policy §13.

8.12 Can I see a full list of your sub-processors?

Yes. See Privacy Policy §6 for the current list with purposes, regions, and transfer mechanisms. Material changes are communicated via in-app notice or email to active subscribers.

8.13 Is Ritsu on the EU-US Data Privacy Framework (DPF)?

Not currently. We rely on Standard Contractual Clauses for EU→US transfers. DPF enrollment is on our roadmap as we grow; it provides a second layer of transfer protection alongside SCCs and helps with enterprise customer onboarding.

8.14 How often do you update this page?

This page is updated when we change something material about our GDPR posture: new sub-processors, new regions, new rights workflows, new obligations. We mark the update with a new “Last Updated” date.

§9 Data Protection Contact

  • Primary contact for GDPR and privacy matters: privacy@ritsu.ai
  • DPO-equivalent email: privacy@ritsu.ai (routes to the operator; we do not yet have a formally appointed DPO)
  • EU representative under Article 27: not currently appointed. We are evaluating whether Ritsu’s EU data processing volume triggers Art. 27; if required, we will appoint an EU representative and publish their name and contact here.

Postal address for legal notice: [TBD — Contact address pending]

§10 Disclaimer

This page is written to be clear and useful, not to be a binding contract. If you need the exact legal terms that govern our processing of your data, read our Privacy Policy and our Terms of Service. If you need legal advice about your specific situation, consult a qualified attorney in your jurisdiction.

Ritsu is an independent service operated by an individual, not a law firm. Nothing on this page constitutes legal advice.