Privacy Policy

Last updated: March 21, 2026

This Privacy Policy describes how Ridex Labs Inc. ("Ridex," "we," "us," or "our") collects, uses, discloses, and protects information when you use the Ridex platform ("Service"). We take your privacy seriously — especially because our product is built around securing sensitive infrastructure credentials.

Ridex acts as an intermediary gateway that routes API requests to third-party AI model providers ("Upstream Providers"). This Privacy Policy applies to information we collect directly — it does not govern the data practices of Upstream Providers, which are subject to their own privacy policies.

1. Information We Collect

Account Information

When you register, we collect your email address and a hashed password. We never store plaintext passwords. If you provide a name, we store that as well.

Payment Information

Payments are processed by Stripe. We do not store full card numbers. We receive and store limited billing metadata (last 4 digits, card brand, expiry) returned by Stripe for display and identification purposes.

API Keys and Credentials

Third-party provider keys (e.g., OpenAI, Anthropic, Google) you add to the Service are encrypted at rest using AES-256. They are never stored in plaintext and never included in logs.

SDK and Application Information

When applications integrated with the Ridex SDK interact with our Service, we collect:

  • Application Bundle Identifier (Bundle ID) — used for API key validation and authorization
  • Environment designation (production or development)
  • SDK version identifier (e.g., ridex-swift/1.0.0)
  • Developer-provided tags (optional feature labels and opaque user tags, if supplied by the integrating developer — these are intended to be developer-defined identifiers and should not contain personal information; developers are responsible for ensuring that any tags they pass do not include personal data of their end users)

This data is collected per API request and is used for authorization, analytics, rate limiting, fraud prevention, and service optimization.

Device Attestation and Metadata

For production API keys, the Ridex SDK uses Apple App Attest to cryptographically verify that requests originate from a genuine instance of the developer's application running on a real device. As part of this process, we collect and store:

  • Attestation key identifier — a device-specific cryptographic key ID generated by the device's Secure Enclave, used to verify request authenticity
  • Device model — hardware model identifier (e.g., "iPhone15,2")
  • Operating system version — the OS version running on the device (e.g., "17.4.1")
  • Application version — the version of the integrating application (e.g., "2.1.0")
  • Locale — the device's locale setting (e.g., "en_US")

This information is collected from publicly available device APIs that require no user permissions. It does not include advertising identifiers (IDFA), vendor identifiers (IDFV), precise location, IP-based geolocation, or any data that can identify an individual end user. Device metadata is associated with an attested device record and is visible to the application developer through their Ridex dashboard for the purpose of abuse detection and device management.

Usage and Log Data

We automatically collect information about how you interact with our dashboard and API, including:

  • API request metadata (timestamps, endpoints called, response codes, latency, model used, token counts, cost estimates)
  • Dashboard activity (pages visited, features used, session duration)
  • Log data (IP address, browser type and version, referring pages, access times)

We do not log the content of your AI prompts or responses. The device metadata collected by the SDK (described above) is limited to non-identifying device characteristics available through public APIs — we do not perform device fingerprinting, collect advertising or vendor identifiers, or access any data requiring user permissions.

Communications

If you contact us by email, we retain that correspondence to respond to you and improve the Service.

Information from Third Parties

We may receive information about you from:

  • Stripe: Transaction and payment status information
  • Analytics providers: Aggregated usage data
  • Publicly available sources: Business registration information, when necessary to verify account eligibility

2. What We Do NOT Collect

  • We do not collect personally identifiable information from end users of your applications — device metadata we collect (model, OS version, app version, locale) cannot be used to identify individual users
  • We do not store the content of API requests or responses (prompts and outputs) in persistent storage — content is processed in memory for real-time routing to Upstream Providers and is not written to disk or any persistent data store
  • We do not train any AI models on your data
  • We do not sell, rent, or trade any personal information to third parties
  • We do not use your data for advertising or ad targeting

3. How We Use Your Information

  • To provide, operate, maintain, and improve the Service
  • To authenticate your identity and secure your account
  • To process transactions and manage your account and billing
  • To route API requests to Upstream Providers
  • To display usage analytics and cost breakdowns in your dashboard
  • To monitor usage, enforce rate limits, and manage quotas
  • To detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents — including through device attestation and device metadata analysis
  • To send transactional emails (account confirmation, spend alerts, billing receipts, security alerts, service disruption notices)
  • To provide customer support and respond to your requests
  • To comply with legal obligations and enforce our Terms of Service
  • To generate aggregated, anonymized analytics to improve the Service

We do not sell your personal data. We do not use your data to train AI models.

4. Data Processing as an Intermediary

As an API gateway, Ridex routes your API requests to Upstream Providers using an OpenAI-compatible request format. In performing this function:

  • API request and response content passes through our infrastructure for routing purposes only
  • We log request metadata (timestamps, response codes, latency, model used, token counts) — not the content of prompts or responses — for operational monitoring, debugging, and abuse detection
  • We retain API request metadata for a period of up to 30 days for abuse monitoring, after which it is automatically purged
  • We do not use API request or response content for any purpose other than providing the Service
  • We do not train any AI models on data that passes through the Service. We strive to opt out of model training with Upstream Providers where possible, but we cannot guarantee the data practices of Upstream Providers — you should review each provider's terms independently
  • Once routed to an Upstream Provider, your data is subject to that provider's privacy policy and data practices
  • Ownership rights over outputs may vary by Upstream Provider and their respective terms — we make no representations regarding your ownership of outputs generated by third-party models

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — database and authentication hosting
  • Stripe — payment processing and billing (Stripe's Privacy Policy)
  • Resend — transactional email delivery
  • Vercel — application hosting and edge infrastructure
  • Upstream Providers — API request data is routed to providers such as OpenAI, Anthropic, and Google as necessary to provide the Service. These providers process data according to their own privacy policies

Each of these providers has their own privacy policy and data processing terms. We enter into Data Processing Agreements with sub-processors where required by law. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of any Upstream Provider or third-party service.

6. Data Sharing and Disclosure

We may share information only in the following circumstances:

  • Upstream Providers: API request data is routed to Upstream Providers as necessary to provide the Service
  • Service Providers: With third-party vendors listed in Section 5, bound by confidentiality and data processing agreements
  • Legal Requirements: When required by law, regulation, legal process, or enforceable governmental request, including to meet Canadian law enforcement requirements
  • Protection of Rights: When we believe disclosure is necessary to protect the rights, property, or safety of Ridex Labs Inc., our users, or the public
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with notice to affected users
  • With Your Consent: When you explicitly authorize us to share information
  • Aggregated/Anonymized Data: We may share aggregated or anonymized data that cannot reasonably be used to identify you

7. Data Retention

  • Account information: Retained for as long as your account is active. Following account termination (without a deletion request), account information is retained for up to 90 days for administrative and legal purposes and then deleted, unless retention is required by applicable law
  • Request logs: Retained according to your plan: 7 days on Free, 90 days on Pro, and 1 year on Team
  • API request metadata: Retained for up to 30 days for abuse monitoring, then automatically purged
  • SDK and application information (Bundle ID, tags): Retained in aggregate form and purged within 90 days
  • Device attestation records: Retained for as long as the associated gateway key exists. When a device is revoked or deleted by the developer, or when the gateway key is revoked, attestation records and associated device metadata are deleted within 30 days
  • Payment records: Retained as required by applicable tax and accounting laws
  • Security logs: Retained for up to 12 months for fraud prevention and security purposes
  • Third-party provider keys: Deleted within 30 days of account termination or key removal

You may request deletion of your account and associated personal data at any time by contacting us. Upon receiving a verified deletion request, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or legal compliance).

8. Security

We use industry-standard practices to protect your data, including:

  • TLS encryption in transit and AES-256 encryption at rest for stored credentials
  • Access controls limiting who on our team can access production data
  • Regular security assessments and monitoring
  • Incident response procedures

However, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge that you provide information at your own risk.

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada as required under PIPEDA. We will notify affected users within 72 hours of becoming aware of a qualifying breach. We will also maintain records of all breaches of security safeguards as required by law.

9. Your Rights

General Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate or incomplete personal information
  • Request deletion of your personal information
  • Object to or restrict certain processing of your personal information
  • Withdraw consent where processing is based on consent
  • Export your personal information in a structured, commonly used, machine-readable format (data portability)
  • Opt out of non-essential communications
  • Lodge a complaint with a supervisory authority

Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

  • Know what personal information we hold about you and how it is used
  • Access your personal information and request corrections
  • Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
  • File a complaint with the Office of the Privacy Commissioner of Canada

European Economic Area (EEA) and UK Users

If you are located in the EEA or the United Kingdom, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Contract Performance: Processing necessary to provide the Service you have requested (account management, API request routing, billing)
  • Legitimate Interest: Processing necessary for our legitimate business interests (fraud prevention, security, service improvement, analytics), balanced against your rights and interests
  • Consent: Where you have given explicit consent (marketing communications, optional data sharing)
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations

You may lodge a complaint with your local data protection authority if you believe we have violated your rights under the GDPR. If we are required to appoint a representative in the EEA or UK under GDPR Article 27, we will publish the representative's contact information on our website.

Exercising Your Rights

To exercise any of these rights, email us at support@getridex.com. We will respond to verified requests within 30 days. For complex or numerous requests, we may extend this period by up to an additional 60 days, with prior notice to you explaining the reason for the extension. We may request additional information to verify your identity before processing your request.

10. Cookies and Tracking Technologies

Our website and dashboard use cookies and similar technologies for:

  • Essential cookies: Authentication, security, and session management
  • Functional cookies: User preferences and settings
  • Analytics cookies: Aggregated usage data to improve the Service

We do not use tracking or advertising cookies. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn we have collected personal information from a child under 18, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at support@getridex.com.

12. International Data Transfers

Ridex Labs Inc. is based in Ontario, Canada. Your information may be transferred to and processed in Canada and other countries where our service providers and Upstream Providers operate, including the United States.

When we transfer personal information outside of Canada, we ensure appropriate safeguards are in place in accordance with applicable data protection laws, including PIPEDA. For transfers of personal data from the European Economic Area or the United Kingdom, we rely on the European Commission's adequacy decision for Canada (where applicable) and, where necessary, Standard Contractual Clauses (SCCs) approved by the European Commission. By using the Service, you acknowledge and consent to the transfer of your information to Canada and other jurisdictions as described in this Privacy Policy.

13. Electronic Communications (CASL)

In accordance with Canada's Anti-Spam Legislation (CASL), we will only send you commercial electronic messages (such as product updates, promotional content, or newsletters) with your express or implied consent. You may withdraw consent and unsubscribe from commercial messages at any time by using the unsubscribe link in any email or by contacting us at support@getridex.com.

Service-related communications (such as account notifications, security alerts, spend alerts, billing receipts, and service disruption notices) are transactional in nature and are not subject to CASL consent requirements.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect and by updating the "Last Updated" date on this page. Your continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy. If you do not agree with the changes, you should discontinue use of the Service.

15. Contact

Questions or concerns about your privacy? Contact us at support@getridex.com.

Ridex Labs Inc.
Ontario, Canada

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.