Privacy Policy
This Privacy Policy explains how Ragility Inc. ("Ragility", "we", "us", "our") collects, uses, discloses, and protects information in connection with Alloy (the "Service"), including our website at alloy.site and related tools, APIs, and services. This policy is for transparency only and is not legal advice.
1. Who we are & scope
- Controller: Ragility Inc. (United States)
- Brand / Product: Alloy (alloy.site)
- Contact (privacy): [email protected]
- Postal address: 2261 Market Street STE 85742, San Francisco, CA 94114, USA
- Coverage: This policy applies to your use of Alloy's website, tools, and associated services.
If we appoint an EU/UK representative under GDPR/UK GDPR Art. 27, we will update this page with their details.
2. TL;DR
- Most non‑PDF tools run entirely in your browser; your files do not leave your device.
- PDF/Word operations (e.g., compression, conversion) are performed server‑side via our API proxy. Files are streamed to our EU processing service, kept only for the duration of the operation, and then deleted by default.
- We use essential cookies for authentication and security. Analytics (Amplitude EU, Google Analytics/gtag) are optional and used with consent where required.
- We support OTP email and Google OAuth. If you sign in with Google, we obtain your email and basic profile (per requested scopes: openid, email, profile).
- We do not sell personal information. Sharing is limited to service providers that help us operate Alloy.
3. What data we collect & sources
A. Information you provide
- Account / Auth: email address, sign‑in method (OTP or Google), email verification status.
- Support & feedback: messages you send us.
- Preferences: tool options you select.
B. Files you process
- Client‑side tools (default for non‑PDF): processed locally in your browser; no upload to our servers.
- Server‑side PDF/Word: files are transmitted to our EU processing service solely to complete the requested job; then deleted.
C. Automatically collected
- Log data: IP address, device/browser details, timestamps, request metadata, error diagnostics (for security and reliability).
- Analytics (optional): event data about feature usage, coarse geolocation (derived from IP), and session identifiers. Collected only where permitted by law and/or your consent.
D. Third‑party sources (only if you choose them)
- Google OAuth: email and basic profile info, as permitted by your Google settings.
4. How and why we use information (purposes & legal bases)
Purpose | Examples | Legal basis (GDPR/UK GDPR) |
---|---|---|
Provide and operate the Service | Run tools, process files (client‑ or server‑side), maintain sessions | Contract (Art. 6(1)(b)) |
Security and abuse prevention | Prevent fraud/abuse, troubleshoot, ensure availability | Legitimate interests (Art. 6(1)(f)); Legal obligation where applicable |
Product improvement | Debug performance, understand feature usage (analytics where allowed) | Legitimate interests or Consent (Art. 6(1)(a)) for non‑essential analytics |
Communications | OTP emails, support replies, service notices | Contract / Legitimate interests |
Marketing (optional) | Product updates/newsletters | Consent (and withdrawal anytime) |
We do not use your files for training models or unrelated purposes.
5. Cookies & similar technologies
- Strictly necessary cookies: session/authentication, security. Operate without consent where permitted.
- Analytics/measurement (optional): Amplitude (EU) and Google Analytics/gtag to understand usage. We request consent where required and you can decline.
- Your controls: you can manage cookies in your browser settings and (where shown) our consent banner. Some features may not work without essential cookies.
We can provide a separate Cookie Policy with full details on cookie names, providers, and lifetimes.
6. Disclosures to third parties
We do not sell personal information. We share with service providers that process data on our behalf:
- Hosting & edge: Railway (app hosting), Cloudflare (CDN, DDoS protection)
- PDF/Word processing: EU‑based processing service operated on third‑party infrastructure
- Authentication & email: Google (OAuth), Resend (transactional email)
- Analytics: Amplitude (EU), Google Analytics/gtag (measurement/attribution)
- Payments: Stripe (if/when paid features are used)
- Professional advisors/authorities: only as necessary for legal, accounting, or regulatory reasons
We require providers to use information only to deliver their services to us and to implement appropriate safeguards.
7. International transfers
- Where: Server‑side file processing happens in the EU; other systems/providers may operate in the United States or other countries.
- Safeguards: For EEA/UK personal data we use appropriate transfer mechanisms (e.g., Standard Contractual Clauses) and technical/organizational measures proportionate to risk.
8. Retention
- Files (server‑side PDF/Word): retained only as long as needed to complete the operation; then deleted by default.
- Client‑side tools: files are never uploaded to us.
- Account/usage data: kept while your account is active and as needed for security, troubleshooting, legal obligations, and legitimate business needs. We periodically review and delete or anonymize data that is no longer necessary.
9. Security
We use measures such as TLS in transit, access controls, least‑privilege practices, and monitoring. No method is 100% secure, but we work to protect data against unauthorized access, alteration, and loss.
10. Marketing
We may send product updates or newsletters only with your consent (where required). You can unsubscribe at any time via the email footer or by contacting us at [email protected].
11. Your rights
Depending on your location, you may have the right to access, correct, delete, restrict, object, and port certain data, and to withdraw consent where processing is based on consent. We will respond within one month (or as allowed by law). To exercise rights, contact [email protected].
California (CCPA/CPRA)
We do not sell personal information, nor do we share it for cross‑context behavioral advertising by default. California residents may request access, correction, and deletion and may limit use of sensitive personal information where applicable.
12. Children's privacy
Alloy is not directed to children under 16, and we do not knowingly collect personal information from children.
13. Third‑party links
Our site may link to third‑party websites or services (e.g., Google for sign‑in). Their privacy practices are governed by their policies.
14. Changes to this Policy
We may update this policy to reflect changes to our practices or the law. We will post updates with a new effective date and provide additional notice where required.
15. Contact & complaints
Ragility Inc.
Email: [email protected]
Postal: 2261 Market Street STE 85742, San Francisco, CA 94114, USA
If you are in the EEA/UK, you also have the right to lodge a complaint with your local data protection authority. We will add our EU/UK representative details here if appointed.
16. Roles & definitions (informative)
- Controller / Processor: We act as controller for account/site data and as processor for server‑side file operations you initiate.
- Personal data: information relating to an identified or identifiable natural person.
- Service providers: third parties processing information on our behalf under contract.
Questions about these terms? Contact us at [email protected]