How Rubberfit collects, uses, and protects your data. Effective 2026-05-13.
Rubberfit is operated by Arc & Anchor, a Nevada-based software firm. When you use the application at rubberfit.app or any of its subdomains, Arc & Anchor is the controller of the personal data described in this policy. You can reach us at legal@rubberfit.app (privacy questions) or security@rubberfit.app (security questionnaires).
We use this data to deliver and operate the application, send transactional email (magic links, billing receipts, password resets), respond to support and security questions, bill your subscription, prevent abuse, and meet legal obligations. We do not use customer data to train models. We do not sell or rent data to third parties.
| Vendor | Purpose | Region |
|---|---|---|
| Vercel | Web hosting + Fluid Compute | U.S. (iad1) |
| Supabase | Postgres database, Auth, Storage | U.S. (us-east-1) |
| AWS | Underlying compute and storage for Supabase | U.S. (us-east-1) |
| Resend | Transactional email | U.S. |
| Stripe | Subscription billing and payment processing | U.S. |
| Cloudflare | DNS for rubberfit.app and subdomains | Global |
All sub-processors publish their own SOC 2 reports. No customer data leaves the U.S.
We use a session cookie and a refresh cookie to keep you logged in. Both are HttpOnly, Secure, and SameSite=Lax. We do not use third-party advertising cookies on the application. Marketing pages may set a cookieless analytics identifier via Vercel Analytics.
| Class | Window |
|---|---|
| Active inventory, jobs, customers, cut history | While the workspace is active |
| Admin audit log | Indefinite — required for compliance |
| Notifications | 90 days |
| Email transcripts at Resend | 30 days |
| Vercel access logs | 30 days |
| Supabase database logs | 7 days |
When a workspace is deleted, all associated workspace content is removed within 30 days. Audit-log entries that reference a deleted user are anonymized so the audit chain remains intact.
You can request a full data export from Settings → Data → Export inside the application, or by emailing legal@rubberfit.app. You can request hard deletion of your workspace and all associated personal data by emailing the same address; we complete the deletion within 30 days. If you are a California resident, you have the rights granted under the CCPA, including the right to know, the right to delete, and the right to non-discrimination for exercising those rights. We do not sell personal information.
The technical controls behind this policy — Postgres RLS, six-role RBAC, audit log, signed-URL document sharing, encryption at rest — are documented at /security and on the docs site at docs.rubberfit.app/security/posture.
We will update this policy when we change the underlying practices. The “Effective” date at the top reflects the version currently in force. Material changes will be announced by email to workspace owners and noted on the application sign-in page.
legal@rubberfit.app · Arc & Anchor · Las Vegas, NV, USA.