Privacy Policy

Effective Date: March 21, 2026

Last Updated: March 21, 2026

1. Introduction

RedRooster Technologies Inc. ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the HELM application, website (helm.lanaai.io), and all related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use the Service, you provide us with:

Full Name: Provided during registration
Email Address: Used for login, communications, and billing
Password: Stored as a one-way bcrypt hash; we never store your plaintext password
AI Preferences: Preferred AI provider and model selection
Payment Information: Processed by Stripe; we do not store card numbers or CVVs
Account Deletion Feedback: Reason and optional feedback if you choose to delete your account

2.2 Information Collected Automatically

When you access the Service, we automatically collect certain information:

IP Address: Used for rate limiting, security, and approximate geolocation
User Agent: Browser type, operating system, and device information
Country: Derived from Cloudflare headers or IP geolocation
Language Preference: From your browser's Accept-Language header
Referrer URL: The page that directed you to our Service
Page Views & Interactions: Pages visited, buttons clicked, scroll depth, and time on page
UTM Parameters: Marketing attribution data (source, medium, campaign)

2.3 Usage Data

We track your usage of HELM's features to enforce plan limits and improve the Service:

AI Call Count: Number of AI chat, explain, and suggest requests per month
Feature Usage: Breakdown of explains, chat messages, and suggestions used
Last Activity: Timestamp of your most recent interaction with AI features
Last Login: Timestamp of your most recent login

2.4 AI Interaction Data

When you use HELM's AI features (chat, explain, suggest), the content of your queries — including questions, terminal commands, and working directory context — is transmitted to our servers and forwarded to third-party AI providers (currently OpenAI) to generate responses. We do not attach your personal identifying information (name, email) to these AI requests. For BYOK users, queries are sent directly using your own API key.

3. How We Use Your Information

We use the information we collect for the following purposes:

01. Provide and Maintain the Service

Create and manage your account, authenticate access, deliver AI features, and process subscriptions.

02. Process Payments

Manage billing, process subscription charges, and handle refunds through Stripe.

03. Enforce Usage Limits

Track AI call usage against your subscription tier limits and reset counters monthly.

04. Improve the Service

Analyze usage patterns, identify bugs, monitor performance, and develop new features.

05. Security and Fraud Prevention

Rate limiting, bot detection, IP-based throttling, and protection against unauthorized access.

06. Communications

Send password reset emails, billing notifications, and service-related announcements. We do not send marketing emails without your consent.

07. Analytics and Marketing

Understand how users discover and interact with HELM to improve our marketing efforts and user experience.

08. Legal Compliance

Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. How We Share Your Information

We do not sell your personal information to third parties. We share your information only in the following circumstances:

4.1 Third-Party Service Providers

We share data with the following service providers who process information on our behalf:

OpenAI

Data Shared: Your AI queries (questions, terminal commands, working directory context)

Purpose: To generate AI-powered responses, explanations, and suggestions

Note: No personal identifying information (name, email) is included in AI requests

Stripe, Inc.

Data Shared: Name, email address, user ID (as metadata)

Purpose: Payment processing, subscription management, and invoicing

Note: Stripe handles and stores all payment card details; we never see or store your full card number

Google (Analytics, Tag Manager, Ads)

Data Shared: Page views, events, UTM parameters, anonymized user behavior signals

Purpose: Website analytics, marketing attribution, and conversion tracking

Firebase (Google Cloud)

Data Shared: Analytics events, timestamps, page interaction data

Purpose: Server-side analytics event storage and backend services

MongoDB Atlas

Data Shared: All account and usage data

Purpose: Cloud database hosting for the Service

Cloudflare

Data Shared: Web traffic data, IP addresses

Purpose: DNS management, CDN delivery, DDoS protection, and performance optimization

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or a government agency), or if we believe in good faith that such action is necessary to comply with a legal obligation, protect our rights or property, prevent fraud, or ensure the safety of our users.

4.3 Business Transfers

If RedRooster Technologies Inc. is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

5. Cookies and Tracking Technologies

5.1 Session Cookies

We use a session cookie (connect.sid) to maintain your authenticated session. This cookie is:

  • HttpOnly — Not accessible to JavaScript, protecting against XSS attacks
  • Secure — Transmitted only over HTTPS in production
  • Session-scoped — Expires after 24 hours of inactivity

5.2 Analytics Cookies

Third-party analytics services (Google Analytics, Google Tag Manager) may set their own cookies to track user behavior across sessions. These cookies help us understand how users interact with our website.

5.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can configure your browser to refuse all cookies or to indicate when a cookie is being sent. However, disabling session cookies may prevent you from using authenticated features of the Service.

6. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • Password Hashing — Passwords are hashed using bcrypt with 12 salt rounds; we never store plaintext passwords
  • HTTPS/TLS Encryption — All data transmitted between your browser and our servers is encrypted via TLS/SSL
  • HSTS — HTTP Strict Transport Security is enforced with a one-year max-age
  • Content Security Policy — Strict CSP headers prevent cross-site scripting and code injection attacks
  • Rate Limiting — Protection against brute-force attacks and API abuse (100 requests/15 min general, 5 submissions/15 min forms, 50 requests/15 min API)
  • Secure Token Generation — Password reset tokens generated using cryptographically secure random bytes and hashed with SHA-256
  • JWT Authentication — API tokens are signed with a secure secret and expire after 7 days
  • Stripe Webhook Verification — All billing webhooks are verified using Stripe's signature verification
  • DDoS Protection — Cloudflare provides network-level protection against distributed denial-of-service attacks

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data for the following periods:

Account Data: Until you delete your account
Usage Data: Until you delete your account
Session Cookies: 24 hours
Password Reset Tokens: 1 hour
Analytics Events: Retained in Firebase indefinitely for aggregate analysis
Stripe Billing Records: Per Stripe's retention policy and legal/tax requirements
Server Logs: Retained per hosting provider (Heroku) policies

When you delete your account, we delete your profile, usage records, session records, and subscription data from our database. We also delete your customer record from Stripe, which removes stored payment methods. However, certain data may persist in analytics systems, server logs, or backups for a limited period, and Stripe may retain certain records as required for legal and tax compliance.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Right to Access

Request a copy of the personal data we hold about you. You can view your account information, usage data, and billing status directly from your dashboard.

Right to Rectification

Update or correct your personal information through your account settings at any time.

Right to Deletion

Delete your account and associated data using the "Delete Account" feature in your settings. This removes your profile, usage history, session records, and Stripe customer data.

Right to Data Portability

Request your data in a structured, commonly used, and machine-readable format.

Right to Object

Object to certain processing of your personal information, including direct marketing.

Right to Restrict Processing

Request that we limit the processing of your personal information under certain circumstances.

To exercise any of these rights, please contact us at info@redroostertec.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete — You may request deletion of your personal information, subject to certain exceptions
  • Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights
  • Right to Opt-Out of Sale — We do not sell personal information. If this practice changes, we will provide a "Do Not Sell My Personal Information" link

To exercise your CCPA rights, contact us at info@redroostertec.com.

10. International Users and GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights. Our legal bases for processing your personal information include:

  • Contract Performance — Processing necessary to provide the Service you requested (account management, AI features, billing)
  • Legitimate Interests — Processing necessary for our legitimate business interests (analytics, security, fraud prevention, service improvement)
  • Consent — Processing based on your explicit consent (marketing communications, optional analytics)
  • Legal Obligation — Processing necessary to comply with applicable laws

Your data may be transferred to and processed in the United States, where our servers and third-party service providers are located. By using the Service, you consent to such transfer. We ensure appropriate safeguards are in place for international data transfers.

You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

11. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at info@redroostertec.com.

12. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. At this time, we do not respond to DNT signals. However, you can manage your tracking preferences through your browser's cookie settings and by opting out of third-party analytics services directly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

RedRooster Technologies Inc.

Email: info@redroostertec.com

Website: www.redroostertec.com