An overview of how Rosie protects your data β encryption, access controls, data isolation between organizations, and privacy by design.
Beginner Last updated: 2026-03-05Privacy by Design
Rosie is built with privacy as a core principle, not an afterthought. Your data β including your questions, conversation history, and contributed documents β is protected at every layer of the system. The platform is designed so that your organization's data is isolated, encrypted, and accessible only to authorized users.
Data Isolation Between Organizations
Every organization on Rosie operates in its own isolated environment. Your organization's knowledge base, user accounts, conversation history, and analytics are stored separately from other organizations. There is no cross-organization data sharing unless explicitly configured by administrators.
This isolation is enforced at the database level using schema-based separation. Each organization's data lives in its own dedicated schema with independent access controls, ensuring that a request from one organization can never access another organization's data.
Encryption
Your data is encrypted both in transit and at rest:
- In transit β all communication between your browser and Rosie's servers uses HTTPS with TLS encryption. This prevents anyone from intercepting your queries or responses as they travel over the network.
- At rest β data stored in the database, including documents, embeddings, and user records, is encrypted using the storage provider's encryption capabilities. This protects your data even in the event of physical storage compromise.
Access Controls
Rosie enforces access controls at three independent layers to prevent unauthorized access:
- Network edge β requests are validated before reaching the application, ensuring that only authenticated users with sufficient access levels can view protected content
- Application level β the user interface hides features and content that are above your access level
- Backend enforcement β every database operation independently validates your identity and access level before processing
This defence-in-depth approach means that no single point of failure can expose protected data.
What Data Rosie Stores
Rosie stores the following data as part of normal operation:
- Your account information β name, email address, access level, and balance
- Your queries and responses β the questions you ask and the answers Rosie provides
- Session data β conversation history when you use session memory
- Contributed documents β content you upload to the knowledge base
- Transaction records β fees charged and RoC credits earned
- Analytics data β query metrics, source attribution, and usage statistics
What Rosie Does Not Do
Rosie does not:
- Sell your data β your queries, documents, and personal information are never sold to third parties
- Train on your data β your organization's content is not used to train the underlying AI models. Rosie uses your documents for retrieval only, not for model fine-tuning
- Share across organizations β your data is never shared with other organizations unless explicitly configured
- Store API keys insecurely β BYOK API keys are stored encrypted and are never logged or exposed
Your Rights
You can request a full export or deletion of your personal data by contacting your organization's administrator. Administrators can manage data retention policies and respond to data access requests in compliance with applicable privacy regulations.