Privacy Policy

Last updated: 2026-04-17

1. Introduction

Inkgraph is a product of Rapu Labs Oy ("we", "us", "our"). Inkgraph is a workspace for writers (the "Service"). This Privacy Policy explains how we process personal data under the EU/EEA General Data Protection Regulation (GDPR).

2. Data Controller and Processor Roles

We act as controller for:

  • Account and authentication data
  • Technical and usage data
  • Support communications

We act as processor for:

  • Creative content you upload or create within Inkgraph (notes, scenes, characters, worldbuilding, graphs)

Where we act as processor, we process only on your documented instructions. Contact us to request our standard data processing terms.

3. Information We Collect

  • Account data: name, email address, authentication identifiers.
  • Content data: projects, nodes, scenes, notes, and other creative material you upload or create.
  • Technical data: IP address, device and browser information, timestamps, access logs, error diagnostics.
  • Support data: communications you send us, including feedback and support requests.

4. Legal Bases for Processing

  • Performance of contract (Art. 6(1)(b)): providing and maintaining the Service, storing and indexing your content, managing your account.
  • Legitimate interests (Art. 6(1)(f)): improving and securing the Service, preventing abuse, debugging, responding to support.
  • Legal obligations (Art. 6(1)(c)): complying with applicable laws and lawful requests.

5. How We Use Your Information

  • Provide, operate, and maintain the Service.
  • Index your content for search and graph queries you request.
  • Authenticate users and secure accounts.
  • Communicate updates, respond to inquiries, and provide support.
  • Monitor for and prevent abuse, fraud, and security incidents.
  • Debug issues, improve performance, comply with legal obligations.

We do not use your creative content to train machine-learning models. Embeddings used for in-app search are computed on our servers and are not shared with third parties.

6. Storage and Processing Location

Personal data is stored and processed within the European Union. One sub-processor (authentication) may operate in the United States under the EU-US Data Privacy Framework, which the European Commission has recognised as providing adequate protection.

7. Sub-processors

We use third-party sub-processors to deliver the Service, including providers of:

  • Cloud hosting and infrastructure (EU)
  • Authentication services (Google, EU-US Data Privacy Framework)
  • Transactional email (Resend, EU)

We will notify you of material sub-processor changes via email at least 30 days in advance.

8. Data Retention

  • Account data: for the duration of your account plus 12 months.
  • Creative content: retained while your account is active; deleted or anonymised within 30 days of verified account deletion.
  • Technical logs: 90 days for security monitoring and debugging.
  • Support communications: 24 months from resolution.
  • Backup data: overwritten on a 30-day rolling cycle.

9. Your Rights Under GDPR

  • Access, rectification, and erasure.
  • Restriction of processing and data portability.
  • Objection to processing based on legitimate interests.
  • Withdraw consent where processing relies on consent.

Contact us to exercise rights. We respond within one month (extendable by two months for complex requests) and may verify your identity.

10. Right to Lodge a Complaint

You may lodge a complaint with your local EU/EEA data protection authority. See the EDPB members list.

11. Cookies

We use cookies strictly for authentication and session management. We do not use analytics or advertising cookies.

12. Data Sharing

We do not sell personal data or use it for advertising. We share personal data only with the sub-processors listed above or where required by law.

13. Security

  • Encryption in transit (TLS) and at rest.
  • Role-based, least-privilege access controls.
  • Logging, monitoring, and regular security review.

No method of transmission or storage is completely secure. If you believe your data has been compromised, contact us immediately.

14. Children

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children.

15. Changes to This Policy

We may update this Privacy Policy. We will notify you of material changes by email at least 30 days before the changes take effect. Continued use after the effective date constitutes acceptance.

16. Contact

For privacy-related questions or to exercise your rights, contact us at panurapu.ai.

Rapu Labs Oy, Finland.