R rutt
Home Pricing Blog Docs
Sign in Start Your Trial

Privacy Policy

Last updated: April 10, 2026

1. Introduction

This Privacy Policy explains how Rutt (rutt.io), operated by LemonadeStack ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use our AI brand visibility monitoring platform ("the Service").

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We act as the data controller for the personal data described in this policy.

Contact email: [email protected]

2. What Data We Collect

2.1 Information you provide

  • Account data: Name, email address, and password when you register.
  • Billing data: Company name, billing address, and VAT/tax ID. Payment card details are collected and processed directly by Stripe — we do not store card numbers on our servers.
  • Service configuration: Websites you add, monitoring prompts you create, brand profiles, content you write, and social media account connections.
  • Communications: Messages you send us via email or our contact form.

2.2 Information generated through use

  • Monitoring data: AI model responses, visibility scores, competitor mentions, and source citations generated by querying third-party AI models on your behalf.
  • Analytics data: Traffic statistics, bot crawl events, and engagement metrics for your configured websites.
  • Generated content: Articles, social posts, and media created using the Service's AI-assisted tools.

2.3 Data collected by our tracking script

If you install our JavaScript tracking snippet on your website, it collects the following data from your website's visitors:

  • Page URL and path
  • Timestamp of visit
  • User-agent string (browser and device information)
  • Referrer URL
  • Approximate geographic location derived from IP address

We do not store visitor IP addresses, set cookies, or collect personally identifiable information from your website's visitors. IP addresses are used solely for geographic lookup and immediately discarded.

2.4 Technical data

  • Browser type and version, operating system, and device type when you access the Service.
  • Session cookies strictly necessary for authentication and security.

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under the UK GDPR:

  • Performance of a contract (Article 6(1)(b)): To provide the Service, process payments, and manage your account.
  • Legitimate interests (Article 6(1)(f)): To improve the Service, prevent fraud, ensure security, and send service-related communications. Our legitimate interests do not override your fundamental rights and freedoms.
  • Legal obligation (Article 6(1)(c)): To comply with applicable laws, regulations, and legal processes.
  • Consent (Article 6(1)(a)): Where you have given explicit consent, such as for optional marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Service;
  • Process subscription payments and manage billing;
  • Execute AI visibility monitoring queries on your behalf;
  • Generate content and analytics reports;
  • Send transactional emails (account confirmations, billing receipts, trial reminders, weekly reports);
  • Respond to your support enquiries;
  • Detect and prevent fraud, abuse, and security incidents;
  • Improve and develop the Service based on aggregated usage patterns.

5. AI Model Queries

To provide visibility monitoring, we send your configured prompts to third-party AI model providers (including OpenAI, Anthropic, Google, and Perplexity). These queries contain the prompt text you configured — they do not include your personal data, account information, or other customer data.

The AI model responses are stored in our systems to provide you with monitoring data, scores, and analytics. We do not share your monitoring configurations, prompts, or results with other users or third parties.

6. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following categories of third parties, and only to the extent necessary:

  • Stripe — for payment processing. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
  • AI model providers (OpenAI, Anthropic, Google, Perplexity) — to execute monitoring queries. Only prompt text is shared; no personal data is transmitted.
  • Hosting and infrastructure providers — who process data on our behalf under appropriate data processing agreements.
  • Law enforcement or regulatory authorities — where we are legally required to do so, or to protect our rights and safety.

7. International Data Transfers

Your data is primarily stored on servers located in the United Kingdom. However, some third-party services we use (such as AI model providers and Stripe) may process data outside the UK.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:

  • Transfers to countries with a UK adequacy decision;
  • Standard contractual clauses approved by the Information Commissioner's Office (ICO);
  • Other lawful transfer mechanisms under the UK GDPR.

8. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the Service. Specifically:

  • Account and service data: Retained for the duration of your account. Upon account deletion, personal data is removed within 30 days.
  • Billing records: Retained for up to 7 years after your last transaction to comply with HMRC requirements.
  • Monitoring and analytics data: Retained for the duration of your account. Deleted within 30 days of account closure.
  • Support communications: Retained for up to 2 years after resolution.

Aggregated, anonymised data that cannot identify you may be retained indefinitely for analytical and service improvement purposes.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit using TLS;
  • Encryption of sensitive data at rest;
  • Access controls limiting data access to authorised personnel;
  • Regular security reviews and monitoring;
  • Secure payment processing via Stripe (PCI DSS compliant).

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Cookies

Our website uses the following cookies:

  • Essential cookies: Session cookies for authentication and CSRF protection. These are strictly necessary for the Service to function and cannot be disabled.
  • Analytics cookies: We use Google Analytics (GA4) to understand how visitors interact with our marketing pages. You can opt out via your browser settings or the Google Analytics opt-out extension.

Our tracking snippet installed on your websites does not use cookies or track individual visitors.

11. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within one month, as required by law.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes at least 14 days in advance via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first at [email protected].

15. Contact Us

For any questions about this Privacy Policy or how we handle your data, please contact us at [email protected].