Privacy Policy
Last updated: May 22, 2026
1. Overview
This Privacy Policy describes how Relay (“Relay,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information when you visit our website at relaysop.com or use our standard operating procedures, training, and AI assistant services (collectively, the “Service”).
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information we collect
We collect information in three ways: information you give us directly, information your account's administrator gives us about you, and information collected automatically as you use the Service.
2.1 Account information
When you sign up, we collect your name, email address, organization name, and any profile information you provide. We also store an authentication identifier from our identity provider (see §4).
2.2 Billing information
For paid plans, we collect billing contact details. Payment card information is collected and processed by our payment processor (Stripe) and is never stored on our servers. We retain only the last four digits of your card and the card brand so we can show them in your billing settings.
2.3 Customer content
We store the standard operating procedures, workflows, training courses, quiz questions, forms, form submissions, images, videos, and other content you and your team upload or create (“Customer Content”). Customer Content belongs to you; we process it solely to provide the Service.
2.4 Usage data
We log basic usage signals such as pages viewed, features used, browser type, device type, IP address, and timestamps. We use this to keep the Service running, diagnose problems, and understand which features are valued.
2.5 Communications
If you email us or use a contact form, we receive your email address and the contents of your message so we can respond.
3. How we use information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Authenticate users, secure accounts, and prevent fraud or abuse.
- Process payments, send invoices, and manage subscriptions.
- Generate AI-assisted summaries, suggestions, and answers that are scoped to your own Customer Content.
- Communicate with you about updates, security alerts, and support requests.
- Comply with legal obligations and enforce our Terms of Service.
- Improve the Service through aggregated analytics.
We do not sell your personal information. We do not use Customer Content to train third-party AI models.
4. Sub-processors and service providers
We rely on a small number of vetted vendors (“sub-processors”) to deliver the Service. Each is bound by a contract that requires them to handle data consistent with this Privacy Policy.
- Clerk — user authentication, session management, organization membership.
- Stripe — payment processing and subscription billing.
- Vercel — application hosting and content delivery.
- Neon — PostgreSQL database hosting for Customer Content and account data.
- Anthropic — AI model provider for the assistant, summary, and Q&A features. Prompts may contain excerpts of your Customer Content; Anthropic processes these on a no-training basis under their commercial terms.
- Sentry — error and performance monitoring. May incidentally include stack-trace context referencing user identifiers.
We may add or change sub-processors over time. Material changes will be reflected in this Privacy Policy.
5. Cookies and similar technologies
We use a small set of strictly-necessary cookies to keep you signed in and to remember your preferences (such as dark/light mode and density). We do not use third-party advertising cookies or cross-site tracking pixels. Our authentication provider (Clerk) sets a session cookie on our domain; you can review their cookie practices at clerk.com/legal.
You can disable cookies in your browser, but the Service relies on them to function and will not work correctly with cookies disabled.
6. Data retention
We retain account information for as long as your account is active. Customer Content is retained while your subscription is active and for up to 30 days after cancellation, after which it is permanently deleted from our production systems. Backups containing deleted data are rotated and overwritten within 90 days.
Aggregated, de-identified analytics and billing records required for tax and accounting purposes may be retained for longer periods as required by law.
7. Security
We use industry-standard safeguards to protect your information, including TLS in transit, encryption at rest for the database and file storage, scoped API tokens, least-privilege access controls for our team, and monitoring for anomalous activity. No method of transmission or storage is 100% secure, but we work to protect your information at every layer.
If we become aware of a security incident affecting your personal information, we will notify you and any applicable regulators as required by law.
8. Your rights
Depending on where you live, you may have rights regarding your personal information under laws such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
These rights generally include:
- Access — request a copy of the information we hold.
- Correction — ask us to fix information that's wrong.
- Deletion — ask us to delete your account and data.
- Portability — receive your information in a portable format.
- Restriction or objection — limit or object to certain processing.
- Withdrawal of consent — where processing is based on consent.
- Right to non-discrimination — we will not penalize you for exercising any of these rights.
To exercise any of these rights, email us at privacy@relaysop.com. We may need to verify your identity before acting on a request. We will respond within the timeframes required by applicable law.
If you are in Canada and are not satisfied with our response to a privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you reside in Alberta, with the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca).
9. International data transfers
We are based in Calgary, Alberta, Canada. Our sub-processors operate primarily in Canada, the United States, and the European Union. If you access the Service from outside Canada, your information will be transferred to, stored, and processed in Canada and the other countries where we or our sub-processors operate. Privacy and data-protection laws in those countries may differ from the laws of your country of residence.
When we transfer personal information of EU/UK individuals out of the EU/UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or transfers to countries deemed adequate (Canada is recognized by the European Commission as providing an adequate level of data protection for commercial information).
10. Children
Relay is intended for use in a workplace setting and is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If the changes are material, we will notify account administrators by email or in-product notice before the change takes effect.
12. Contact us
For any questions about this Privacy Policy or our data practices, please email privacy@relaysop.com.