Privacy Policy
What data Relay collects, why, who we share it with, and what you can ask us to do with it. Written in plain English; structured to GDPR.
Who we are
Relay is operated by Relay B.V., a private company registered in the Netherlands (Rotterdam, KvK number pending), trading as tryrelay.tech. When this policy says "we", "us", or "Relay", it means Relay B.V. When it says "you" or "your", it means the person using the Relay service, whether you signed up yourself or your employer signed up on your behalf.
We are the data controller for personal data you provide when you create an account, contact us, or browse our website. We are the data processor for personal data that you upload into the service (meeting transcripts, team member contact details, task content) — your organisation is the controller for that data and instructs us how to handle it.
What data we collect
We collect four categories of data. Nothing else.
- Account data. Your name, work email, password hash (we never store the plaintext), and the OAuth identifier returned by Google, Apple, or Microsoft if you used a social login.
- Workspace content. Meeting transcripts you paste in, the tasks Thomas extracts, your team members' names and email addresses, and the emails Thomas sends and receives on your behalf.
- Telemetry. Aggregate usage metrics — pages visited, features used, errors encountered. We use this to diagnose bugs and prioritise improvements. We do not build advertising profiles.
- Billing data. If you subscribe to a paid plan, our payment processor (Stripe) stores your card details. We never see or store the full card number; we receive only the last four digits and a token to charge you on renewal.
How we use your data
We use your data only to operate the service you signed up for and to keep it secure. Specifically:
- To extract tasks from your meeting transcripts and let Thomas send the outreach emails you authorised.
- To authenticate you, keep your session secure, and let you recover your account.
- To bill you, refund you, and meet our accounting obligations.
- To respond when you contact support, and to send service notices (e.g. a billing receipt, a security alert, a planned outage).
- To diagnose bugs and improve the product. Aggregate telemetry only; we do not look at individual workspace content for product development without your explicit permission.
We do not sell your data, rent it, share it with advertisers, or use it to train third-party AI models.
Lawful basis for processing (GDPR Art. 6)
For each kind of processing we rely on one of the following lawful bases under Article 6 of the GDPR:
- Contract (Art. 6(1)(b)). To deliver the service you signed up for — sending Thomas's emails, storing your tasks, displaying your Command Center.
- Legitimate interest (Art. 6(1)(f)). To keep the service secure, prevent abuse, monitor uptime, and improve the product. We have weighed this against your rights and consider our interest legitimate and proportionate.
- Legal obligation (Art. 6(1)(c)). To keep invoices and accounting records as required by Dutch tax law.
- Consent (Art. 6(1)(a)). For non-essential cookies and any future marketing emails. You can withdraw consent at any time without affecting the lawfulness of prior processing.
Who we share data with
We use a small set of vetted sub-processors to operate the service. We share only the data each one needs to do its job, and only under a data-processing agreement that obliges them to protect it.
- Supabase (USA / EU). Database, authentication, and file storage. Our primary data lives here.
- Anthropic (USA). Powers Thomas's reasoning. We send meeting transcripts and task context as prompts; Anthropic does not train on this data per their commercial terms.
- Resend (USA). Sends and receives Thomas's email. Stores message content for delivery and reply tracking.
- Cloudflare (USA / global). Hosts the application and edge functions; caches static assets.
- Stripe (USA / EU). Processes payments for paid plans.
The current sub-processor list is the authoritative one. We will update this page at least 30 days before adding or replacing a sub-processor; if you have a paid plan, you can object before the change takes effect.
International data transfers
Several of our sub-processors are based in the United States. When your personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism, supplemented by encryption in transit (TLS 1.2+) and at rest (AES-256). Where a sub-processor participates in the EU–US Data Privacy Framework, we rely on that as an additional safeguard.
How long we keep data
We keep your data only as long as we need it for the purpose we collected it.
- Active accounts. Workspace content stays available until you delete it or close the workspace.
- Closed accounts. 30 days after you close your account, all personal data and workspace content is permanently deleted from our production database. Backups age out within a further 60 days.
- Invoices and tax records. 7 years, as required by Dutch tax law.
- Telemetry and logs. 90 days, then irreversibly aggregated.
Your rights under the GDPR
You have the following rights, free of charge, at any time:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Ask us to correct anything inaccurate.
- Erasure. Ask us to delete your personal data, subject to legal retention obligations.
- Portability. Receive your data in a machine-readable format (JSON).
- Restriction. Ask us to stop processing your data while you contest its accuracy or our basis for using it.
- Objection. Object to processing based on our legitimate interest.
- Withdraw consent. Withdraw any consent you previously gave, without affecting prior lawful processing.
- Lodge a complaint. With the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
To exercise any of these rights, email privacy@tryrelay.tech. We respond within 30 days.
How we protect your data
Encryption in transit (TLS 1.2+) and at rest (AES-256). Passwords hashed with bcrypt. Row-level security enforced at the database layer so a workspace can only ever read its own data. Access to production data is limited to the engineers who need it, logged, and reviewed quarterly. We run automated dependency and vulnerability scans on every build.
If we discover a personal-data breach that is likely to result in a risk to your rights, we will notify the Dutch Data Protection Authority within 72 hours and notify affected users without undue delay.
How to reach us
Privacy questions, data-subject requests, and breach notifications all go to privacy@tryrelay.tech. General enquiries: hello@tryrelay.tech.
Postal address: Relay B.V., Rotterdam, Netherlands. We will publish the registered office address once company registration completes.
We do not yet meet the threshold to require a formal Data Protection Officer, but our Head of Engineering is the accountable point of contact for data-protection matters.
Changes to this policy
When we change this policy in a way that affects your rights, we will email account holders at least 14 days before the change takes effect. Minor clarifications and typo fixes are made inline and reflected in the "last updated" date above.