Privacy Policy

Effective date: April 15, 2026

This Privacy Policy describes how Reservoir Risk Solutions LLC (“we”) collects, uses, and shares personal information when you use Reservoir Risk Solutions, our browser-based subscription service, including our website and application. It supplements our Terms of Use and is intended to reflect how the product actually works today.

Who operates the service

The Service is operated by Reservoir Risk Solutions LLC, with principal place of business in Houston, Texas, United States. For privacy inquiries, contact info@reservoir-risk-solutions.com.

Depending on your location, privacy law may refer to us as a “controller” or “business” with respect to personal information we determine the purposes and means of processing. This Policy does not create rights beyond what applicable law provides.

Categories of personal information

We process information in the following categories, depending on how you use the Service:

Account and identity: name, email address, authentication identifiers, and profile or subscription metadata associated with your Supabase-backed account.

Billing and payments: billing contact details, subscription plan identifiers, payment status, and transaction references processed by Stripe. We do not use the Service to collect or store full payment card numbers; card data is handled by Stripe according to its policies.

Support and contact: information you submit when contacting us directly by email (for example, email address and message content).

Product content you provide: technical and commercial inputs you enter or import (including saved cases, scenario and module inputs, optional CSV imports in supported modules, reviewer notes, and team-invitation details such as invitee email addresses).

Technical data from use of the site: IP address and basic request metadata as received by our servers and providers (for example, for security, rate limiting, and hosting logs).

Sources of information

We collect information directly from you when you register, sign in, use the application, submit forms, purchase a subscription, invite teammates, or save content in the Service.

We also receive limited information from service providers that power the product—for example, Stripe regarding payment and subscription status, and Supabase as the authentication and database platform we use to run the Service.

Why we use personal information

We use personal information to: provide, operate, and improve the Service; authenticate users and enforce access controls; process subscriptions and billing; send operational and transactional emails (such as team invitations or account-related messages) through our email delivery provider; respond to inquiries; maintain the security and integrity of the Service; comply with legal obligations; and enforce our Terms of Use.

We do not use your saved cases or module inputs to “train” third-party artificial intelligence models for unrelated products. Processing of product content is for delivering the features you use (including collaboration and exports) and for operating the Service.

Service providers (subprocessors)

We use third-party services that process personal information on our behalf to run the product. The main categories are:

Supabase: authentication and database hosting for accounts, subscription metadata as stored in our application, saved cases, team and sharing features, and related application data.

Stripe: payment processing, billing portal, and subscription lifecycle data Stripe handles under its agreements and privacy policy.

Resend: sending transactional and operational email (for example, team invites and contact-form delivery, depending on configuration).

Vercel: hosting and deployment of the web application; Vercel may process technical and log data in connection with serving the site.

Upstash (optional): if we configure Upstash Redis in your deployment, we use it to store short-lived rate-limit counters keyed in part from client IP addresses (or similar request metadata) to reduce abuse on API routes. If Upstash is not configured, rate limiting may use in-memory counters on individual server instances instead.

We do not list every sub-subprocessor those companies may use; their documentation describes their own infrastructure and subprocessors.

Cookies, local storage, and similar technologies

We use cookies and similar technologies as needed for authentication and session management (including cookies set in connection with Supabase sign-in and application middleware).

Parts of the application may use browser local storage or session storage to keep workspace continuity between modules, UI preferences (such as theme), or short-lived navigation state—for example, restoring a saved case after sign-in. This data stays on your device unless it is also stored in our backend as part of a feature you use (such as saved cases).

We use Vercel Web Analytics in the deployed application to collect aggregated, anonymized usage metrics such as page views and referrer data. See Vercel's documentation for details on how this data is processed.

Do Not Track: Some browsers offer a "Do Not Track" (DNT) signal. We do not currently alter our data collection or use practices in response to DNT signals. If a standard is adopted in the future, we will reassess this position.

Retention and deletion

We retain personal information for as long as your account is active, as needed to provide the Service, and as required to comply with law, resolve disputes, and enforce our agreements.

When you delete content in the product (such as a saved case) or close your account, we will delete or anonymize associated personal information where practicable, subject to backup cycles, legal retention needs, and technical limits.

Stripe, Supabase, Resend, and other providers retain data according to their own retention practices and your interactions with them.

Your rights and requests

Depending on where you live, you may have the right to request access to, correction of, or deletion of certain personal information we hold, or to object to or restrict certain processing. To make a request, contact us at info@reservoir-risk-solutions.com. We may need to verify your identity before responding.

We will respond within the timeframes required by applicable law where those laws apply. Some requests may be limited by law (for example, if we must retain billing records) or by technical feasibility.

Additional rights for California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may provide you with additional rights regarding your personal information, including the right to know what personal information we collect, use, and disclose; the right to delete personal information we hold about you, subject to certain exceptions; the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under California law. To exercise your rights, contact us at info@reservoir-risk-solutions.com. We will not discriminate against you for exercising your privacy rights.

Additional rights for EEA, UK, and Swiss users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you may have rights under applicable data protection law, including the right to access, correct, or erase your personal information; the right to restrict or object to processing; and the right to data portability. Where we rely on legitimate interests as a legal basis for processing, you may object to that processing. To exercise your rights, contact us at info@reservoir-risk-solutions.com. Personal information may be transferred to and processed in the United States and other countries. Where required, we rely on appropriate transfer mechanisms such as standard contractual clauses. If you have unresolved concerns, you may have the right to lodge a complaint with your local data protection authority.

International processing

Personal information may be processed in the United States and in other countries where our service providers operate. Those countries may have data-protection laws that differ from those in your home jurisdiction. For details on locations and transfers, see the privacy policies of Supabase, Stripe, Resend, Vercel, and any other provider you interact with directly.

Security

We take reasonable steps to protect personal information from loss, misuse, and unauthorized access, including by relying on established hosting and database providers and common practices for web applications. No method of transmission or storage is completely secure.

Children

The Service is not directed to children under 13 (or the age required by local law for valid consent without parental authorization). We do not knowingly collect personal information from children in that category. If you believe we have collected such information, contact us at info@reservoir-risk-solutions.com and we will take appropriate steps to delete it.

We do not sell personal information

We do not sell your personal information for money. We share personal information only with service providers and platforms described in this Policy (such as Supabase, Stripe, Resend, and Vercel) as needed to operate the Service, and otherwise where required by law or to protect our rights.

Changes to this Policy

We may update this Policy from time to time. We will post the revised version on this page and update the effective date. When practicable, we may highlight material changes through the Service or by email to your account address.

Contact

Questions about this Privacy Policy: info@reservoir-risk-solutions.com.