How we handle your data — no surprises, no small print gotchas. Last updated: January 2026.
We collect only what we need to provide Rubystone. We don't sell your data. We don't share it with advertisers. We use sensible security practices. If you want your data deleted, we'll delete it.
That's the gist. The rest of this page fills in the details.
Account information: Your name, email address, and company details when you sign up. We need this to create your account and communicate with you.
R&D documentation: The narratives, project descriptions, invoices, timesheets, and other materials you upload to Rubystone. This is the core of what we do — we can't help you document your R&D without seeing the documentation.
Usage data: How you interact with Rubystone — which features you use, how long you spend on pages, what Ruby suggests and whether you find it helpful. This helps us improve the product.
Technical data: Browser type, device information, IP address. Standard web stuff that helps us keep the platform running smoothly.
To provide Rubystone: Ruby analyses your R&D documentation to offer suggestions. Your data flows through our AI systems to give you feedback — that's the service.
To improve the product: We use aggregated, anonymised data to understand how people use Rubystone and where we can make it better.
To communicate with you: Service updates, security alerts, and occasional product news. We won't spam you — we hate that too.
Your R&D consultant: If you're working with an R&D tax advisor through Rubystone, they can see your project data. That's kind of the point — they're reviewing your claim.
Service providers: We use trusted third parties for hosting (Vercel), database services (Supabase), authentication, and AI processing (Anthropic). They only access data as needed to provide their services.
Legal requirements: If the law requires us to disclose data, we'll comply. We'll notify you if we can.
Ruby uses AI to review your documentation. Your content is processed by large language models to generate suggestions. We don't use your data to train third-party AI models — your R&D documentation stays yours.
We may use anonymised, aggregated insights to improve Ruby's understanding of R&D documentation patterns, but your specific content isn't shared or used for general model training.
We use industry-standard security practices: encrypted connections, secure authentication, access controls, and regular security reviews. We're not perfect — no one is — but we take this seriously.
If we ever experience a data breach that affects you, we'll notify you promptly.
You can request a copy of your data, ask us to correct inaccuracies, or request deletion of your account and data. Email us at privacy@rubystone.consulting and we'll sort it out.
If you're subject to GDPR or other privacy regulations, we'll respect those requirements.
We keep your data for as long as you have an active account. If you delete your account, we'll delete your data within 30 days, except where we need to retain it for legal or compliance reasons (like financial records).
We may update this policy occasionally. Significant changes will come with notice. The "last updated" date at the top tells you when we last made changes.
Questions about privacy? Contact us at privacy@rubystone.consulting. We're happy to explain anything that isn't clear.