Privacy Policy

Latest Update: October 2025

We want you to understand what personal data we collect, how we use and share it, and how you can exercise your rights. That’s why we encourage you to read this Privacy Policy (“policy”). “We” or “Rasa” means Rasa Technologies Inc., Rasa Technologies GmbH, and our sister companies worldwide.

Scope of the Policy

This policy applies to our services, including our Online Services, Customer-Deployed Products, and our Hosted Trial Environments (together, our “Services”).

• Online Services: These include our public-facing website, accounts and forums, marketing activities, job applications, and related interactions. For example, you may use, access, and interact with our website, create an account on our forum, provide feedback or reviews, respond to job postings, or participate in surveys and events.
• Customer-Deployed Products: These include access to technical support, extension-based applications or browsers, and Conversational AI frameworks deployed within a customer’s infrastructure.
• Hosted Trial Environments: These include proof-of-concept, testing, or demo instances operated by Rasa, such as Rasa Playground, which is provided on a limited-use basis under the Limited Access Terms.

When we provide our Products, our processing of personal data is limited, because most deployment occurs within our customers’ own infrastructure. Customers act as controllers for data collected by their Conversational Assistants and determine how such data is used. Rasa acts as a controller only for the limited personal data it collects directly, such as to provide technical support, trial access, or account management.

We may also include or offer third-party products or services on our site, such as social media plugins (currently YouTube, Twitter, GitHub, LinkedIn, and AngelList). These plugins redirect you to our social media profiles. Please note that these third-party websites have their own privacy policies, and Rasa is not responsible for the content or activities of those sites.

• How to contact us regarding this policy?

We named a Data Protection Officer, and a Privacy Officer to oversee the processing of your personal data and manage our privacy compliance program. If you have any questions on this policy, you would like to exercise your rights, or you have any complaints regarding our processing of your personal data, please reach out to our Privacy Officer.

By email at: [email protected]
Rasa Technologies, Inc.
To the attention of: Privacy Officer
Four Embarcadero Centre
Embarcadero Ctr #1400#
San Francisco, California, 94111
United States of America

In the EU and the UK, you can reach out to our Data Protection Officer, or to our local representative in each region.
Data Protection Officer
By email at: [email protected]
Or by mail at:
Rasa Technologies, GmbH
Attention: Data Protection Officer
Schönhauser Allee 175
10119 Berlin, Germany
Representatives
In the EU:
By email at: [email protected]
Or by mail at:
Rasa Technologies, GmbH
Schönhauser Allee 175
10119 Berlin, Germany
In the UK:
By email at: [email protected]
Or by mail at:
Rasa Technologies, Limited
International House, 38 Thistle Street
Edinburgh, Scotland, EH2 1EN

• What categories of personal data do we collect, and for what purposes?

We collect personal data as a controller for our Online Services and Hosted Services, and we are generally a processor for the personal data that we process in relation to Customer-Deployed Products. If we process your personal data based on your consent, you can always withdraw that consent. To support opt-in and opt-out mechanisms in our Services, we collect consent metadata and technical identifiers.
Below is more information on the specific purposes for which we process your personal data.

• Customer-Deployed Products

When you interact with a conversational assistant built with a Product, the personal data collected may include your messages, emojis, reactions, user actions, voice recordings, and related metadata (“User Data”). Our customers deploy our Products in their own infrastructure, which means that we do not process User Data. In some cases, we may access personal data, or deidentified data:

• Our AI engineers may access personal data made available by our customers while providing their services. We only use such data to perform the services.
• Deidentified data may be included in telemetry, if is activated. If so, we collect limited system and usage data only for the purpose of supporting diagnostic and improving performance.
• In relation to Customer-Deployed Products, as a controller, we collect business contact information to set up accounts, administer licences, manage billing and provide communications.
• Hosted Trial Environments

We offer Hosted Trial Environments through our Online Services or by invitation. These environments are designed for testing Customer-Deployed Products and are not intended for the processing of personal data.

• User Data. We collect conversation logs, prompts, transcripts, and configurations so that you can test the environment. This data may be deidentified and used for research and development, including training and improving our algorithms. We process user data on the basis of our legitimate interests in developing our products and enabling you to test them.
• Usage Data. We collect performance and system logs, such as runtime events, error reports, and crash data. This information is used to monitor security, ensure functionality, and improve stability. It may also be used for anomaly detection, custom alerts, high-traffic monitoring, and the detection of patterns such as prompt injection or data exfiltration attempts. We process usage data based on our legitimate interests in maintaining secure and reliable services.
• Rasa Playground

Rasa Playground is a browser-based environment for designing, configuring, and evaluating conversational assistants. It is a Hosted Trial Environment and not a Customer-Deployed Product. Rasa acts as the controller of the personal data collected through this product.

We collect the personal data necessary to support both anonymous and authenticated sessions:

• Anonymous sessions. You can use Rasa Playground without creating an account. In this case, we collect technical identifiers such as IP address, session IDs (UUID URLs), and browser metadata. If you enable session continuity, a UUID is stored to link activity within that session.
• Authenticated sessions. You may sign in with account credentials (such as an email address) to save projects and session history. In this case, usage data may be linked to your account and license metadata to support debugging and improve product functionality.

How data is used.

• User data (conversation logs, prompts, transcripts, and configurations) is processed in the same way as other Hosted Trial Environments: to provide the service, allow testing, and support product development.
• Usage data may be linked to identifiers for performance analytics, anomaly detection, or debugging.
• Data analytics and disclosures to third-party providers are only made with your consent.

Cookies and third-party tools.

• To support opt-in/opt-out mechanisms, we collect and link consent metadata to technical identifiers or user accounts.
• Google Analytics is used on an opt-in basis to understand usage and improve performance (e.g., session duration, navigation flows, feature usage). Data is aggregated and not used to directly identify users. If enabled, data may be transmitted to Google servers in the United States under Google’s privacy practices. You can withdraw consent at any time via cookie settings.
• HubSpot may be used, after consent, for marketing attribution, campaigns, and product updates, as described in our Online Services section.
• Online Services

When you use our Online Services, which include our website, accounts and forums, marketing activities, and job applications, we collect personal data to provide you with access, respond to your inquiries, and maintain the security and functionality of our services. If we process your personal data based on your consent, you can withdraw your consent at any times by email at [email protected].

• We collect information you provide to us directly, such as your name, email address, company affiliation, phone number, and job title when you create an account, participate in an event or survey, or apply for a role with us. In the EU/UK, we process this personal data based on your consent.
• To help us respond efficiently, tailor our communications and for business contact prospecting, we may match or enrich that data using third-party sources (e.g., business databases, publicly available professional data from websites, or commercial providers). The enriched information is not used for unrelated marketing or shared outside our organization except with server providers acting on our behalf. In the EU/UK, we process personal data for this purpose on the basis of our legitimate interest.
• This activity may involve profiling and limited automated decision-making, as it uses professional and business information to determine if a contact fits our ideal customer profile and, if so, may automatically trigger follow up communications or scheduling options. These processes are solely to improve efficiency and relevance in B2B interactions and do not produce legal or similarly significant effects.
• We collect and use professional and business contact information, including name, job title, company affiliation, and publicly available contact information obtained from third-party sources or business intelligence tools for prospecting and outreach purposes. We process this information to identify and contact potential customers or partners.
• To process applications to our career opportunities, we collect professional references, contact information and other information related to your application. Any credit or criminal verification requirements will be identified in the job posting. If such verification is required, we will clearly indicate this in advance in the job description. Each job posting should also include a direct link to this privacy policy so applicants can review how their personal data will be handled.
• If you subscribe to our newsletter or other communications, we use your contact details to send you product updates, announcements, or marketing communications. Each communication includes an unsubscribe link that allows you to opt out at any time. You can also manage your preferences by contacting us directly by email at [email protected].
• We collect technical information generated automatically when you interact with our Online Services, including IP addresses, cookie identifiers, timestamps, browser and device metadata, and logs of user activities. This information is used to maintain sessions, ensure security, and improve the performance of our services.
• We use third-party cookies, such as Google Analytics, to understand usage and improve performance (e.g., session duration, navigation flow, feature usage). Click here to learn more about our use of cookies for performance and analytics.
• We also use cookies that collect behaviour data, such as includes cookie identifiers, device and browser metadata, timestamps, navigation history, and interactions with campaigns or forms, to target or retarget business contacts and visitors, such as through LinkedIn. Marketing technologies may track engagement with our website, emails and campaigns. We use tools that may link usage data (e.g., IP or cookies IDs) with professional or business contact details. Data may be used to measure or improve marketing campaigns, or to personalize communications. We collect this personal data based on your consent. Click here to learn how we use tracking technologies for marketing purposes.
• We organize community challenges or contests, such as agent-building competitions, which we promote on our social media channels (including LinkedIn, X, and YouTube) or on community platforms such as Discord or Reddit. P. If you choose to participate, we collect your name, contact details, and submission materials to manage entries, communicate results, and where applicable, announce winners in accordance with local legal requirements. In the EU/UK, we process this data based on your explicit consent.
• In the context of our events, conferences and trade shows, we generally collect participants’ contact information, and any personal information shared with us such as dietary preferences. This includes any participation in our contests. We collect this information based on your consent. We may use this information to contact you for business development purposes and enrich this information with third party sources from commercial databases and public professional information. In the EU/UK, we process personal data for this purpose based on our legitimate interests, as explained above.
• Do we use tracking technologies and for what purpose?

We use cookies and similar technologies as part of our Services. These technologies help ensure our Services function properly, maintain security, remember preferences, support account continuity, and measure usage. They may also support debugging, improve performance, and enable us to deliver relevant marketing.

The categories of cookies we use, with examples and their legal basis, are set out below:

‍

• How can I manage my cookies preferences?

You can manage your cookie preferences through your browser, by uninstalling and blocking certain cookies. Click on your browser below to obtain instructions. You can withdraw your consent on the use of cookies at any time by managing your preferences. Certain features may require cookies for security purposes.
●  Google Chrome
●  Firefox
●  Safari
●  Microsoft Edge
●  Opera
●  Brave

• With whom do we share your personal data and why?
• Sister Companies. We may share your personal data with our sister companies when necessary to provide services such as technical support or account management.
• Service Providers. We use service providers to help us run our services, including cloud hosting, analytics, and support systems. For example, we work with Fly.io to host some environments with container-level security.
• Advertising Partners. We may share data collected through cookies and similar technologies with advertising partners to deliver personalized ads, measure campaign performance, and attribute conversions. Our partners include PostHog, HubSpot, LinkedIn, Meta (Ads/Pixel), and Google (Ads/AdSense).
• Performance Partners. We use analytics partners to understand how our services are used and improve product performance. These include Segment, Google Analytics, HubSpot, and PostHog. These tools measure traffic sources, feature usage, and user interactions across our Online Services and Hosted Trial Environments. They are only activated with your opt-in consent. Data collected may include technical identifiers, usage data, and interaction logs, and is used to generate aggregated insights rather than to directly identify you.
• Legal Requests. We may disclose your personal data when required by law or to protect vital interests (e.g., life or safety). If legally allowed, we will notify you of such requests and always limit disclosure to the minimum necessary.
• Business Transfers and Corporate Transactions. If we take part in a merger, acquisition, or restructuring, your personal data may be shared as part of that process. We will continue to protect it in line with this policy.
  
• How do we protect personal data?

We maintain information security program designed to protect personal data and to ensure the confidentiality, integrity, and availability of our systems. Our safeguards include:

• A secure software development lifecycle with security testing, code analysis, and dependency checks to reduce vulnerabilities.
• Logging, detection, and monitoring to identify unusual activity.
• Multi-factor authentication (MFA) for internal systems.
• Protections on public interfaces, including DDoS mitigation, rate limiting, IP filtering, TLS termination, and bot prevention.
• Screening of LLM outputs to reduce risks of prompt injection, PII leakage, offensive content, and malicious links.

If you discover a vulnerability or security issue with our services, please contact us at [email protected]. We review all reports and take appropriate action in line with our responsible disclosure policy.

• Where do we store your personal data?
• Customer-Deployed Products. These are hosted directly by our customers. Please refer to the relevant customer’s privacy notice for details on storage and processing.
• Hosted Services (including Rasa Playground). These are hosted in the European Union. Certain categories of personal data may also be accessed from other countries, including the United Kingdom, where some of our service providers are located.
• Online Services. These are hosted in both the United States and the European Union. Personal data may be accessed in either jurisdiction, or in other locations where our sister companies operate.

When personal data is transferred from one region to another, we apply safeguards designed to provide an appropriate level of protection. This may include executing contracts with recipients that contain data protection commitments.

• How long do we retain your personal data?

In the Hosted Environments, your account is automatically deleted after seven (7) days unless renewed. We will delete your account automatically, but the data related to your conversation assistant may be retained for a longer period.

In Playground, your account and the related data is kept for as long as your account is kept as long as necessary to provide you with access and functionality.

Cookies and tracking technologies are retained either for the duration of a session, up to 24 months. You can clear your browser of cookies, click here to learn how to manage your preference.

We preserve encrypted backups, and system copies solely for business continuity and disaster recovery on automatic retention schedules with access limited to authorized personnel. These copies are not used for any new purpose and are deleted in accordance with those schedules.
What are your personal data rights and how can you exercise them?

Depending on where you are located and on applicable laws, you benefit from different rights over your personal data. These rights generally include the right to access your personal data, to withdraw your consent, and to modify your personal data when it is inaccurate or outdated. In the EU/UK, you have the following rights:

• The right to understand, in clear and plain language, how we process your personal data.
• The right to request copies of your personal data in a reusable format or ask us to transfer it to another entity, subject to certain conditions.
• The right to ask us to correct or complete your personal data to ensure its accuracy.
• The right to request deletion of your personal data in certain circumstances, such as it was unlawfully processed.
• The right to request that we limit the processing of your personal data, so it is stored but not otherwise used without your authorization.
• The right to object to our processing of your personal data when it is based on legitimate interests.
• The right to confirm whether we process your personal data and request a copy of the data we hold about you.
• The right to refuse decisions made solely thought automated processing.

To exercise your rights, you can contact us at the email or address indicated here.

We may ask for additional personal data to confirm your identity when you exercise your rights. This information will not be used for any other purpose. We aim to respond within 30 days of receiving your request, unless the request is complex and you agree to an extension, or unless a faster response is required under applicable law. If we cannot fulfill your request, we will explain the reasons and work with you to find a solution.

If you are not satisfied with how we handled your request, you can contact us at the email or address provided at the beginning of this policy. We will take your complaint seriously, investigate it confidentially, and take appropriate action.

In addition, under EU law you have the right to lodge a complaint with your local data protection authority or to seek a remedy through the courts.

Revision

It is important for us to keep you informed on how we process your personal data, and this may require updating this policy from time to time. We may also have to update this policy to comply with applicable laws. We will inform you of the changes if you are subscribed to a relevant distribution list, or otherwise through a notice on this page. However, we encourage you to visit us often to be informed of the changes.