Privacy Policy

1. Who we are

Rakita (the “Platform”, “we”, “us”) is operated by NOMRA L.LC-FZ, registered at Meydan - Free Zone, The Meydan Hotel, Dubai, United Arab Emirates. For privacy questions, write to [email protected].

2. Information we collect

We collect information in three buckets:

• Account data — email address, display name, password hash (we never store your password in plain text), and any passkeys you register on this device.
• Usage data — chat messages you send to and receive from virtual assistants, documents you upload, and metadata like timestamps, IP address, browser, and the channel (web embed, Slack, WhatsApp, Telegram) the conversation came from.
• Connector data — when you link a third-party service (e.g. Slack workspace, WhatsApp number, Deksis school account, Trendyol seller account, Google or Facebook for sign-in), we receive identifiers and tokens from that service and use them only to perform the action you asked for.

3. How we use it

• To authenticate you and keep your account secure.
• To answer your questions through AI virtuals, including Retrieval-Augmented Generation over documents you upload.
• To send transactional emails (password reset, invitations).
• To debug, monitor reliability, and improve product quality. We do not train AI models on your data.

4. Sub-processors

We use third-party providers to deliver the service. They process your data only on our instructions and under contract:

• Anthropic (via OpenRouter) — large language model inference for chat responses.
• Voyage AI — embeddings used for document similarity search.
• OpenAI / Ollama — optional alternative LLM providers your operator may enable.
• Amazon Web Services (S3, EU) — file storage for uploaded documents.
• Resend — transactional email delivery.
• Sentry — error and performance monitoring.
• Google, Facebook — optional OAuth sign-in providers; we receive only your email and basic profile.

5. Data retention

We retain account data while your account is active. Chat messages and uploaded documents are kept until you (or an organization admin) delete them, or for 6 months after account closure, whichever is sooner. Backup snapshots may persist for up to 30 days after the live data is deleted.

6. Your rights

Under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and, where applicable, the EU General Data Protection Regulation, you have rights to access, correct, delete, restrict, and port your personal data, and to object to certain uses. To exercise any of these, write to [email protected]. We respond within 30 days.

7. Cookies and similar technologies

We set strictly necessary cookies for sign-in (the auth session cookie and a short-lived passkey challenge cookie). We do not use advertising or cross-site tracking cookies.

8. Security

We use HTTPS in transit, hashed passwords (bcrypt), HMAC-signed tokens for password reset and passkey challenges, and least- privilege access to production systems. No system is perfect — if you suspect a security issue, please email [email protected].

9. Changes

We will revise this policy when our practices change. The “Last updated” date above reflects the current version.