Legal
Privacy Policy
Effective 2026-06-03
This Privacy Policy explains what information Rumi collects when you use the Rumi personal AI agent ("Service") via KakaoTalk, LINE, iMessage, or any other channel, and how we handle it. By using Rumi, you agree to the practices described here.
Notice on AI use. Rumi is a conversational AI system. Your messages are sent to third-party large-language-model providers (Anthropic for response generation; OpenAI for embeddings) to produce Rumi's responses. By using Rumi you are interacting with an AI system, not a human operator.
Operator
Rumi is operated by SHL GROUP LLC, a New Jersey limited liability company (Jersey City, NJ, USA). Contact: help@tryrumi.app.
Privacy Officer: Sunghun Lee (help@tryrumi.app).
What we collect
- Messages you send to Rumi. Stored so Rumi can respond and remember you across conversations.
- Channel identity. On KakaoTalk and LINE this is an app-specific user id, not your real-world identity. On iMessage / SMS, your phone number is the channel identity and is necessarily processed to receive and deliver your messages. We do not collect your name or email address unless you tell Rumi yourself.
- Memories Rumi extracts. Self-contained facts (preferences, neighborhood, people in your life) shared in conversation, used to personalize future replies.
- Booking & action details, when you ask Rumi to act. To make a reservation, send an email, or watch a flight on your behalf, Rumi processes the details required to do it, for example the date, party size, and the name and phone number to put on a reservation. Where you connect a reservation account (e.g. Resy or CatchTable), we store an encrypted session credential for that account so Rumi can act for you, and you can revoke it at any time. We do not store your payment card numbers; any payment is handled by the reservation platform under its own terms.
- Connected Google data, only when you authorize it. If you connect Gmail / Calendar / Drive, we receive an OAuth grant covering only the scopes for the features you use. Refresh tokens are encrypted at rest with Fernet. Access tokens are never stored. Rumi's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements; we do not use Google user data to train generalized AI models, and we do not sell it or transfer it except to provide the feature you requested.
- Technical logs. Timestamps, latency, error traces; used to operate the Service. No third-party advertising or analytics cookies.
Retention
- Messages and memories: retained until you delete your account or ask Rumi to forget, plus 30 days for backup expiry.
- OAuth refresh tokens: retained until you disconnect the integration or delete your account, plus 30 days.
- Email send audit log: 3 years from the send date (financial records / dispute resolution).
- Technical logs: 30 days rolling.
How we use it
- To respond to your messages.
- To remember you between conversations.
- To execute actions you've explicitly approved (send an email, add a calendar event, set a reminder).
- To monitor service quality, debug issues, and prevent abuse.
What we do not do
- We do not sell your personal information.
- We do not use your messages to train models other people use.
- We do not share your Google data beyond what's required to perform the action you authorized.
- We do not place advertising cookies or run third-party trackers.
Subprocessors & cross-border transfer
Using Rumi involves transferring your data to the following subprocessors. Several are located in the United States; some are located in Japan or Korea depending on the messaging channel. By using the Service you consent to these international transfers, which are necessary to deliver the features you've requested.
- Anthropic (United States): LLM generation. Items: message text per reply. Purpose: generating Rumi's response. Retention: per Anthropic's API terms (typically 30 days for zero-data-retention API traffic). Per Anthropic's terms, message content is generally not used to train Anthropic's models, with narrow exceptions for explicit user-flagged feedback and safety review of policy violations. We do not provide message content outside the API call.
- OpenAI (United States): embedding generation. Items: message text. Purpose: memory retrieval. Retention: per OpenAI's API terms.
- Google Cloud (United States; data hosted in asia-northeast3 / Seoul region): compute + serverless hosting.
- Supabase (United States; Postgres instance in Seoul region): managed database hosting for messages + memories.
- LINE Corporation (Japan): message delivery on the LINE channel.
- Kakao Corp. (South Korea): message delivery on the KakaoTalk channel.
- Sendblue (United States): message delivery on the iMessage / SMS channel. Items: your phone number and message content.
- Resend (United States): delivery of transactional emails that Rumi sends at your request. Items: recipient address and email content.
- Browserbase (United States): a secure cloud browser used, only when you choose to connect CatchTable, to capture your login session. Items: your CatchTable login session.
- Duffel (United States / United Kingdom): flight search and price watching. Items: route, dates, and cabin class you ask Rumi to watch.
- Reservation platforms: Resy (United States), CatchTable (South Korea). When you ask Rumi to book or cancel, your reservation details and stored account session are transmitted to the relevant platform to complete the action, subject to that platform's own privacy policy.
Your rights
- Access / correction. Ask Rumi what it remembers about you, and correct it in conversation.
- Forget specific memories. Tell Rumi to forget something; the corresponding memory record is removed.
- Delete your account. Email help@tryrumi.app and we delete every message, memory, and OAuth grant within 30 days.
- Disconnect Google. Revoke Rumi's access at myaccount.google.com/permissions at any time.
- Stop iMessage / SMS messages. On the iMessage / SMS channel, reply STOP at any time to stop messages; reply HELP for help.
- Object to cross-border transfer. If you don't want your data transferred to US subprocessors as described above, please discontinue use; the Service can't function without those transfers.
California residents (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know, the right to delete, the right to correct, the right to limit use and disclosure of sensitive personal information, and the right to opt out of any "sale" or "sharing" of your personal information.
Categories of personal information we collect (CCPA categories): identifiers (your channel user id and, only if you tell us, your name); commercial information (your messages, which may reveal preferences); internet or other electronic network activity (technical logs); inferences (memories Rumi extracts about you).
Categories disclosed to service providers / contractors in the preceding 12 months (CCPA 2026 §1798.130 requirement): all of the above, disclosed only to the subprocessors listed in the "Subprocessors & cross-border transfer" section above, strictly to operate the Service on our behalf under contractual restrictions.
We do not sell or share your personal information. We have not done so in the preceding 12 months and have no current plans to. We do not engage in cross-context behavioral advertising.
Automated decision-making. Rumi uses AI to generate conversational responses, but does not make decisions that produce legal or similarly significant effects on you (such as denial of healthcare, financial services, employment, education, or housing). You can always overrule any of Rumi's suggestions and we do not condition any benefit on accepting them.
To exercise any CCPA right, email help@tryrumi.app with subject "CCPA request". We will verify your identity via your messaging channel and respond within 45 days. We will not discriminate against you for exercising any privacy right.
Children
Rumi is not directed at children under 14. If we learn we've inadvertently collected information from a child under 14, we will delete it. Parents who believe their child has used Rumi can contact help@tryrumi.app.
Security
We use industry-standard practices: TLS in transit, Fernet-encrypted refresh tokens at rest, least-privilege IAM on cloud infrastructure. No system is perfectly secure; if you discover a vulnerability please email help@tryrumi.app.
Changes
We may update this policy. Material changes will be announced via the Rumi assistant before they take effect. The "Effective" date at the top reflects the most recent version.
Contact
SHL GROUP LLC
Jersey City, NJ, USA
help@tryrumi.app