Legal

Privacy Policy

Effective May 28, 2026. This policy explains what data Rig collects, why we collect it, who we share it with, and the choices you have. We try to collect as little as we can get away with.

1. Who is responsible

The data controller for the website at rig.infinode.tech and the Rig software is INFINODE (“we”, “us”). For anything privacy-related, write to [email protected].

2. What we collect

Free tier (desktop app)

Nothing. The free tier runs entirely on your machine and does not contact our servers. We do not see your code, your project list, your environment, or any usage telemetry. The four-project limit is enforced locally.

When you create an account

We store the minimum data needed to operate your account:

• your email address (from Google sign-in or email/password signup);
• an internal user identifier provided by Supabase Auth;
• the timestamp your account was created and last updated.

When you buy a licence

• the Paddle transaction ID and Paddle customer ID for the purchase;
• the platform (macOS or Windows) you selected at checkout;
• the licence key we generated for you (used to verify your install and to display on your account dashboard).

We do not see, store, or process your card details. Paddle handles payment information directly.

When you activate a licence

Each time the Rig desktop app verifies a licence (typically on first activation, after reinstall, or after you switch machines) we record:

• the licence ID involved;
• your IP address at the time of the request;
• a machine fingerprint produced by your computer (a SHA-256 hash of a stable machine identifier — never a raw serial number or MAC address);
• the result of the verify attempt (success, conflict, rejected, rate-limited).

These verify events power rate limiting and abuse detection. We do not track ongoing usage; the desktop app does not send us telemetry between verifications.

3. Why we collect it

• To run your account. We need your email and a user ID so you can sign in, recover your password, and manage your licences.
• To deliver your licence. Paddle data plus the generated licence key let us connect your purchase to your account and email the key to the right person.
• To enforce licences fairly. The machine fingerprint binds a key to one machine at a time so honest users can pay once and use it, while abuse patterns get rate-limited or locked out.
• To prevent fraud and abuse. IP addresses and verify results let us spot brute-force attempts and rate-limit them.
• To communicate with you. Transactional emails (purchase, regenerate, resend) are sent through Resend.

4. Legal bases

Under data-protection laws that apply (including the EU and UK GDPR), we rely on these bases:

• Contract — to deliver the software, the licence, and the account features you bought.
• Legitimate interests — rate limiting, fraud prevention, and basic site security.
• Legal obligation — keeping payment records as required by tax law.

5. Third parties we use

These vendors process some of your data on our behalf. We pick services with strong security postures and minimal data appetite.

• Supabase — authentication, database hosting. EU region available; standard contractual clauses cover transfers.
• Paddle — Merchant of Record for payments. Handles your card data, billing address, tax determination, invoicing, and refunds. Paddle’s privacy policy.
• Resend — transactional email delivery (your licence key, password resets).
• Google — only if you choose Google sign-in. Google tells us your email address; we do not request any other scope.
• Vercel — hosting for the website. Logs include IP addresses for short retention windows.

6. Cookies

We use one cookie category only: authentication cookies set by Supabase to keep you signed in. We do not use advertising cookies, analytics cookies, or third-party tracking pixels on this site. The free-tier desktop app does not use cookies at all.

7. How long we keep data

• Account profile: while your account is active. When you delete your account, we delete your profile within 30 days. Some data may persist longer in backups for up to 90 days.
• Licence records: indefinitely while the licence is active. After a refund, the licence is marked refunded but not deleted (we need the record for accounting and for blocking the key from re-verifying).
• Verify events: up to 90 days for rate-limit and abuse-detection purposes, then deleted.
• Payment records: kept as long as required by the tax laws that apply to us (typically 7 years).

8. Your rights

Depending on where you live, you may have the right to:

• access the data we hold about you;
• correct anything that is wrong;
• delete your account and the data we hold about you (we will keep payment records where required by law);
• object to or restrict certain processing;
• data portability — get a machine-readable copy of your data;
• complain to your local data-protection authority.

Email [email protected] to exercise any of these. We respond within 30 days.

9. International transfers

Some of the services above process data outside your country. Where required, we use standard contractual clauses or equivalent safeguards approved by data-protection regulators.

10. Security

Licence keys are stored hashed-or-encrypted at rest in our database; access is restricted to authenticated server processes. Payment data never reaches our servers — it goes from your browser to Paddle directly. Our Ed25519 signing private key sits server-side only and is never shipped to the desktop app or the browser.

11. Children

Rig is not directed at people under 16. If you believe a child has provided personal data, email us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced on the site and reflected in the “Effective” date above.

13. Contact

Privacy questions: [email protected]. Other contact: [email protected].