Privacy Policy
Last updated: 13 May 2026.
This Privacy Policy explains how Raven ("we", "us") collects, uses, and shares personal data when you use the public demo at demo.raven.ravencloak.org. The demo is operated by Jobin Lawrance as an individual, based in India.
Data we collect
- Account profile. When you sign in with Google we receive your email address, name, profile photo, and Google account ID. We do not request additional Google scopes.
- Application data. Workspaces, conversations, messages, and any content you choose to create inside the demo.
- Operational telemetry. IP address, browser user-agent, timestamps, and request paths. Used for security, abuse prevention, and debugging. Held in our log aggregator (OpenObserve) for 30 days, then deleted.
- Cookies. Essential session cookies only (SuperTokens authentication and CSRF protection). No advertising or analytics cookies are set on this demo. Cloudflare may set its own anti-abuse cookies on the edge.
Legal basis (GDPR / DPDP)
- Legitimate interest (GDPR Art. 6(1)(f)) — for operating the demo, preventing abuse, and securing user accounts.
- Consent — for any optional cookies; none are currently set on the demo.
- Contract (GDPR Art. 6(1)(b)) — to deliver the requested service when you sign in.
How long we keep your data
Inactive accounts are deleted automatically 30 days after your last sign-in. You receive a warning email and an in-app banner 7 days before deletion. Backups are retained for 30 days (logical dumps) and 14 days (volume snapshots). You can request immediate deletion at any time via the in-app Delete my account control.
Recipients and processors
| Processor | Purpose | Region |
|---|---|---|
| Amazon Web Services (EC2, S3, SSM) | Hosting and backups | ap-south-1 (Mumbai) |
| Cloudflare (Tunnel, Access, Turnstile, DNS) | Edge proxy, anti-bot, login gate | Global anycast |
| Google (OAuth) | Federated sign-in | Global |
| Resend | Transactional email (retention notices, DSAR confirmations) | EU / US |
| LLM provider (Anthropic, OpenAI, or self-hosted) | Generating AI responses | US |
| Razorpay / Hyperswitch (sandbox only on demo) | Payment UI rehearsal | India / Global |
Your rights
- Access / export. Use Account settings → Export my data to download a JSON archive of your data.
- Erasure. Use Account settings → Delete my account. We confirm via email and irreversibly delete within 24 hours.
- Rectification. Edit your profile and content in-app.
- Complain. If you believe your data has been mishandled, email privacy@ravencloak.org or contact your local data-protection authority.
Security
Data is encrypted at rest (AWS-managed AES-256 on EBS and S3) and in transit (TLS via Cloudflare). Access to the host is restricted to AWS Systems Manager — no inbound SSH ports are open.
Changes
We update this policy as the demo evolves. Material changes are announced via an in-app banner at next sign-in.
Contact
Questions? Email privacy@ravencloak.org.