Privacy Policy

We collect the following categories of information:

• Account data — name, email address, avatar URL, and organization role. This comes from Google when you sign in with OAuth.
• Organization data — company name, membership list, and the role each member holds.
• Operational records — projects, purchase orders, invoices, payroll runs, expense entries, inventory movements, and BIR/SSS/PhilHealth/ Pag-IBIG-related records that you or your team create inside Ruleer.
• Usage data— request logs, error reports, and feature-usage metrics used to keep the service healthy and improve it over time. We don’t sell this data.
• Device and session — IP address, user agent, and cookie/session tokens required for authentication and CSRF protection.

• Provide the service — authenticate you, render your organization’s data, and run the workflows you configure.
• Billing and support — communicate about your plan, invoices, and any issues you raise.
• Security and abuse prevention — detect suspicious activity, rate-limit bad actors, and preserve audit trails.
• Product improvement — understand which features help teams ship work and which get in the way.
• Legal compliance — retain records where Philippine law (including BIR and labor-related requirements) obliges us to.

We share personal information only with vetted service providers that help us run Ruleer, each under contractual data-protection obligations:

• Google — OAuth sign-in and identity.
• Supabase — managed Postgres database, authentication, and file storage.
• Vercel — application hosting and edge delivery.
• Email provider — transactional email for sign-in confirmations, receipts, and notifications.

We do not sell personal data. We don’t share your records with other tenants, and we enforce tenant isolation at the database level with row-level security.

We use TLS for data in transit and encryption at rest for stored data. Access to production systems is limited to authorized personnel, and every change to operational records leaves an audit trail inside Ruleer. We apply the principle of least privilege to every system that touches your data.

No system is perfectly secure, so we also commit to notifying affected users promptly — and the National Privacy Commission where required — in the event of a breach that could cause real risk to you.

We retain your account and operational data for as long as your organization is active on Ruleer. If you delete your organization, we remove operational records within 30 days, except where Philippine law requires longer retention (for example, BIR recordkeeping rules for books of account and supporting documents).

Backups are encrypted and cycled out on a rolling basis — usually within 35 days of the deletion date.

As a data subject you have the right to:

• Be informed about how we process your data.
• Access the data we hold about you.
• Objectto processing that isn’t necessary for the service or required by law.
• Request erasure or blockingof data that’s inaccurate, outdated, or unlawfully obtained.
• Request rectification of inaccuracies.
• Request data portabilityof information you’ve provided, in a commonly used format.
• File a complaint with the National Privacy Commission.

To exercise any of these rights, email us — see Contact below.

To exercise your rights, request a record, or ask a privacy-related question, reach our Data Protection Officer:

• Email: berlcamp@gmail.com
• Based in: Manila, Philippines

You can also file a complaint with the National Privacy Commission if you believe we’ve mishandled your data.