Product Privacy Policy
Last Updated: Nov 30, 2023
We want you to understand what personal data we collect about you, and how we use and share it. We also want you to know that you can control how your personal data are used by exercising your rights. That’s why we encourage you to read this Privacy Policy (the “Policy”).
“We” or “Rasa” means Rasa Technologies, Inc., Rasa Technologies, GmbH, and our sister companies worldwide.
This Privacy Policy describes how we process personal data as part of the Rasa Products and Services and provides general information on how our Products can be used to process personal data.
About Rasa
Rasa develops software for building, managing, improving, training, and optimizing AI powered text and voice-based assistants (an “AI Assistant”).
In this Privacy Policy, our products licensed following the Commercial Terms are referred to as “Products”. Our Products include Rasa Pro, Rasa Studio, Rasa X/Enterprise, together named the Rasa Platform. We also develop and license software that is subject to Open Source licenses. Rasa Open Source Software is not part of our commercial offering. The term “Rasa Software” means all our software and products, commercial or open source.
We also provide support and managed services to our customers, including but not limited to Rasa software deployment, installation, configuration, training, and optimization of AI Assistants. (Our “Services”). Our commercial offering, the “Rasa Products and Services”, includes the licensing of our Products, and any Services that we provide. Our products are hosted privately by our customers, and we do not process personal data as part of the Products.
The Rasa Products and Services are used by our customers for different use cases, and in different industries. Our customers can take different approaches to how they build, manage, train, and optimize their AI Assistant. To understand how our customers process your personal data, or to exercise your rights regarding your personal data, we suggest that you review our customers' privacy statements and practices.
Scope of the Policy
This Policy applies to Rasa Products and Services. It describes how our Products can be used to process personal data. However, we only access or process your personal data when we provide our Services. For instance, if our customer chooses to deploy our Products on premise, we do not host your personal data and we will only access personal data as part of other Services, such as technical support. This Policy does not apply to our website, Open Source software, and other non-commercial online activities. Click here if you would like to know more about our processing of personal data for such purposes.
The Rasa Products and Services can interact with various third-party services, applications, or technologies, e.g., smart speakers, home automation tools, mobile applications, and customer relationship management software (“Third-Party Services”). We don’t control Third-Party Services. Please make sure that you read their privacy notices to understand how they process your personal data.
This Policy uses a Q&A format, click on each question to learn more on this topic.
Q&A
How to contact us regarding this Policy?
We named a Privacy Officer to oversee the processing of your personal data and manage our privacy compliance program. If you have any questions on this Policy, you would like to exercise your rights, or you have any complaints regarding our processing of your personal data, please reach out to our Privacy Officer.
By email at: privacy@rasa.com
You may also reach out to our Privacy Officer by mail at the following address:
Rasa Technologies, Inc.Attention: Privacy Officer
4 Embarcadero Center, Suite 1400
San Francisco, CA 94111-4164
United States of America
In the EU and the UK, you can reach out to our Data Protection Officer, or to our local representative in each region.
Data Protection Officer
By email at: dpo@rasa.com By mail at:
Rasa Technologies, GmbHAttention: Data Protection Officer
Schönhauser Allee 175
10119 Berlin, Germany
Representatives
In the EU:
By email at: privacy-eu@rasa.com By mail at:
Rasa Technologies, GmbHSchönhauser Allee 175
10119 Berlin, Germany
In the UK:
By email at: privacy-uk@rasa.com By mail at:
Rasa Technologies, LimitedInternational House, 38 Thistle Street
Edinburgh, Scotland, EH2 1EN
What does “personal data” mean?
In this Policy, we use the expression “personal data” to refer to any data which can, alone or in combination with other data, identify an individual. Some of the data referred to in this Policy may not be protected by applicable laws, and you may not be entitled to the same rights regarding such personal data.
When you interact with AI Assistants, the personal data collected can include any messages that you send, gif, emojis, reactions, actions, and voice recordings, and metadata about these data (“User Data”). Our customers configure their own AI Assistants, and decide on how they use and deploy the Rasa Products and Services. The types of personal data that customers can collect with AI Assistants vary. We only access User Data in the way described in this Policy.
What personal data do we collect about you, and for what purposes?
We collect personal data to make the Services available to our customers, based on their instructions. The types of personal data that we can access as part of our Services include User Data, but also other data inputs that are imported, made available, integrated, or used by customers to augment, benchmark or complete the User Data, including data inputs in data lakes, data warehouses, or even from Third-Party Services (together with User Data, the “Data Inputs”). We process User Data and Data Inputs based on our customers’ instructions, such as to assist our customers in training their AI Assistants, within their environments. We also collect personal data to provide services related to our Products such as technical support.
Please refer to our customers’ privacy notices for a better understanding of the personal data that their AI Assistants are collecting based on their uses.
If we process your personal data based on your consent, you have the right to withdraw this consent at any time.
If you are curious about how your personal data can be processed, this table should provide you with the information that you need. Remember, each customer is different, so these are just some of the ways in which we can process personal data for our customers, or as part of our Services. We may not process your personal data at all if our customers are hosting our Products on-premises, and it may be a requirement to use our Products in certain cases.
If you are in the EU or UK, our customers are responsible for determining the lawful basis justifying their processing of personal data, and informing you accordingly.
Purpose: To assist our customers to build, train, improve, and optimize AI Assistants
AI Assistants are trained to conduct actions and provide responses using machine learning, which are predictive algorithms, or more commonly referred to as artificial intelligence (“AI”).
Our customers are responsible for training, improving, and optimizing the AI models within their AI Assistants. They use different types of personal data for this purpose based on their needs, such as User Data. From time to time, our customers may give us access to this data to help them train, configure and improve their AI Assistant.
Purpose: To provide technical support
End users can connect to the Support Portal to submit technical support tickets. To process these requests, we collect personal data such as:
- Identification data (e.g., email addresses, IP addresses, phone number)
- Content of the requests (e.g., attachments, screenshots)
- Metadata about the request and the content (e.g., date, time, file extension)
Occasionally, we may need to access personal data either remotely, such as through a remote desktop access, credentials or VPNs, or through secure sharing mechanisms, e.g. SFTP.
Purpose: To perform deployment services
We may access Personal Data, such as User Data, to provide deployment and configuration services to our customers.
How are personal data processed through AI with the Rasa Products and Services?
AI Assistants function based on natural language processing and dialogue management, which are machine learning techniques. Machine learning is a type of AI. Our algorithms are pre-trained with open-source test data, but they need to be trained for specific use cases, and optimized over time.
The predictive algorithms used to operate AI Assistants classify Data Inputs, such as the message that you share with an AI Assistants, based on the perceived intention of the message in order to generate a response. Various techniques such as word analogies and word embedding are used to train and optimize AI Assistants. For instance, if the AI Assistant does not recognize a word used, it may search for similar words, or it may use the context of the sentence to understand what the word means.
You can learn more about our predictive algorithms, and the various ways in which they can be used by our customers, in the Rasa Learning Center. You can even find some videos explaining our algorithms, and techniques leveraging components like transformers that are leveraged in relation to our algorithms.
Our customers can optimize their AI Assistants based on its performance, such as by tracking metrics. They achieve these objectives using various techniques, but we recommend that they follow the principles of conversation-driven development. As part of our Services, we can assist customers who want to optimize their AI Assistants based on their needs. Techniques include reviewing interactions to identify points of failure and annotation.
It is important to know that predictive algorithms will produce outputs that will reflect the training that they received, and the Data Inputs used for this purpose. Poor training may result in biases and discrimination against individuals, inaccurate responses or poor user experience. While we assist our customers by providing them with documentation and Services, if you feel that there are issues with an AI Assistant that you are interacting with, please feel free to reach out to us at privacy@rasa.com and we will conduct an inquiry.
With whom do we share your personal data, and why?
We share your personal data with our sister companies, service providers, based on our customers’ instructions, and as required under the law.
Here are the categories of third parties with whom we can share your personal data. We also provided you with some explanations on why we are sharing your personal data with these third parties. Feel free to reach out if you want to know more!
- Sister Companies. We may share personal data about you between our sister companies to provide our Services, e.g. for technical support.
- Service Providers. We use service providers to provide our Services, such as cloud hosting partners and support ticket systems. Prior to sharing your personal data with service providers, we make sure that we have appropriate contracts with them and that they have reasonable measures in place to protect your personal data.
- Third-Party Services. If our customers use Third-Party Services, they can instruct us to share your personal data with these Third-Party Services, generally by way of application interfaces and integrations. We share personal data based on their instructions, and they are responsible for ensuring that they enter into appropriate agreements with these Third-Party Services.
Although we prefer to keep your personal data confidential, there may be cases when we are forced to disclose your personal data under applicable laws, or when it is required to protect serious interests, such as when someone’s life is threatened. If we share personal data with law enforcement or otherwise for such legal requests, we will first try to let you know, unless we are prevented from doing so by the law or the circumstances, and we will share only the personal data which we are reasonably required to share under the law.
If we sell our assets, or part of our assets, if we enter in a commercial transaction or engage in a corporate restructuring, we may share your personal data, but this Policy will continue to apply to your personal data after any of these commercial transactions.
How do we protect your personal data?
We use secure development methods, vulnerability management and security patch management to mitigate the risks of security breach resulting from the Products. We also provide enhanced vulnerability management through proactive scanning of interdependencies, including by shipping regular patched dockers images for securing our customers’ environments. Our Products include authentication functionalities, such as single sign-on and role-based access controls.
Our customers can also use different training methods to improve their AI Assistants, such as by leveraging tokenization to depersonalize the Data Inputs. These techniques protect the confidentiality of your personal data when training and improving AI Assistants, but we do not control each of our customers’ training methods.
If you discover a vulnerability or security issues with the Rasa Software, you can report it at security@rasa.com, we will make an inquiry and take proper actions.
Where do we store your personal data?
Where your personal data is hosted depends on our customers’ configurations. They may host the Products on their private clouds, or on-premises, in their facilities. To provide our Services, such as technical support, your personal data may be transferred to service providers or sister companies located in other jurisdictions, such as in the US.
Before transferring your personal data to other jurisdictions, we enter into contracts with service providers and assess the risks relating to the transfer. Still, when your personal data is transferred outside of the jurisdiction in which you are located, different laws may be applicable to such personal data.
How long do we retain your personal data?
We retain your personal data for as long as required for the purpose for which it was collected, or longer if we are required to do so under applicable laws. Our Customers decide on the retention periods that are appropriate for your personal data. When they terminate their Services with us, we initiate the secure deletion of your personal data from production environments. Back-ups and copies for business continuity may be kept longer, based on automatic retention periods. These copies are encrypted, and access is limited.
What are your personal data rights, and how can you exercise them?
Depending on where you are located and on applicable laws, you benefit from different rights over your personal data. These rights generally include the right to access your personal data, to withdraw your consent, and to modify your personal data when it is inaccurate or outdated.
If you are in the EU or UK, then you may benefit from the rights set for under the General Data Protection Regulation, or its equivalent in the UK (the “GDPR”). These rights may not be applicable in all situations.
We included a summary of these rights in the table below to help you understand the options that you have in relation to your personal data.
| GDPR Rights | Explanations |
|---|---|
| Right to Information | The right to be informed means that you should be able to understand, in clear and plain language, how we process your personal data. If you need more information than what is included in this Product Privacy Policy, you can reach out to us. |
| Right to Data Portability | This right allows you to obtain copies of your personal data in a format that makes it possible to reuse your information in another context or ask us to provide this information to another entity. However, it can only be exercised in certain circumstances, and it cannot affect the rights and freedoms of others. |
| Right to Rectification | The right to rectification aims to ensure that the personal data processed about you is accurate by providing you with the right to have your personal data rectified or completed by means of providing supplementary information. |
| Right to Erasure | Also known as the “right to be forgotten,” this right allows you to request the deletion of your personal data in certain circumstances, such as if it is unlawfully processed. |
| Right to Restriction | When permitted, such as if the processing is unlawful, you can request that the processing of your personal data be restricted. When this right is exercised, the personal data can be stored, but most other actions, such as deletion, will require your authorization. |
| Right to Object | This means that you can object to our processing of personal data, such as when it is based on legitimate interests. |
| Right to Access | This right has different aspects that include the right to know certain information, such as obtaining a confirmation of whether we are processing your personal data, as well as the right to request a copy of the personal data processed about you. |
Under GDPR, you also have the right not to be subjected to a decision based on the automated processing of your personal data. For instance, this right allows you to request a review of the decision by a human if an AI Assistant was used as part of an automated decision-making that adversely affected your rights and freedoms.
If you want to exercise your rights on your User Data, the easiest way to exercise your rights is usually to communicate directly with our customer who is operating the AI Assistant to collect your personal data. Still, you can exercise your rights with us by reaching out to us, however, we may transfer your request to our concerned customer, who will be able to help you.
You can contact us at privacy@rasa.com to exercise your rights, or by mail at the following address:
Rasa Technologies, Inc.Attention: Privacy Officer
4 Embarcadero Center, Suite 1400
San Francisco, CA 94111-4164
United States of America
If you are in the EU or in the UK, you can also contact our Data Protection Officer at dpo@rasa.com to exercise your rights, or by mail at:
Rasa Technologies, GmbHEU Representative
Schönhauser Allee 175
10119 Berlin, Germany
Rasa Technologies, Limited
UK Representative
International House, 38 Thistle Street
Edinburgh, Scotland, EH2 1EN
We may need additional personal data to identify you. We will not use this personal data for any other purposes. We’ll make sure to get back to you within 30 days at most unless you agree to give us more time because your request is complex, or unless we need to respond faster to comply with applicable laws. If we can’t respond to your request, we will explain to you why, and try to find a solution with you.
If you are disappointed with how we handled your request, please let us know and we will try our best to fix it. If you have issues, complaints, or concerns about AI Assistants or the Rasa Software, or even about our processing when performing our Services, you can reach out to us at privacy@rasa.com. We will consider your complaint seriously and conduct an inquiry without revealing your identity, and we will take appropriate action.
Even so, you should know that you have the right to challenge our decision or make complaints to the authorities. If you are in the EU, you can reach out to your local supervisory authority. In the UK, you can reach out to the Information Commissioner’s Office.
Will we update this Policy?
It is important for us to keep you informed of how we process your personal data, and this may require updating this Policy from time to time. We may also have to update this Policy to comply with applicable laws. You can see the latest update date at the beginning of this page. We will try our best to inform you of material changes, and our customers may also inform you by updating their own privacy notice.