Rolay

AI Consultative Selling Roleplay Trainer

Privacy Policy

Last updated: 2026-04-07

1. Introduction

This Privacy Policy explains how Rolay.app ("Rolay", "we", "us", or "our") collects, uses, stores, and protects personal data when you use the Service.

By using Rolay, you acknowledge that your information may be processed as described in this Privacy Policy.

2. Scope

This Privacy Policy applies to personal data processed through Rolay, including data relating to:

  • account holders
  • organization administrators and members
  • end users of the platform
  • support communications

It does not govern the privacy practices of third-party providers integrated with the Service, including LLM providers such as OpenAI or Azure OpenAI.

3. Data We Collect

We may collect and process the following categories of data:

a. Account and Organization Data

  • name
  • email address
  • organization name
  • account role and permissions
  • authentication-related information

b. Usage Data

  • session activity
  • platform interactions
  • feature usage
  • timestamps
  • technical logs
  • error and diagnostic data

c. User Content

  • roleplay scenarios
  • transcripts
  • evaluations
  • prompts
  • notes
  • configuration data
  • other content submitted through the Service

d. LLM Provider Configuration Data

If your organization configures its own LLM provider, we may process:

  • provider type
  • endpoint information
  • deployment or model configuration
  • encrypted API credentials

API keys entered into Rolay are encrypted at rest and are used only within the context of the organization to which they belong.

e. Communications

  • messages sent to support
  • feedback submissions
  • administrative communications

4. How We Use Personal Data

We use personal data to:

  • provide, operate, and maintain the Service
  • authenticate users and manage access
  • support organization setup and administration
  • enable roleplays, evaluations, and related functionality
  • store user settings and configurations
  • process requests made through configured third-party LLM providers
  • troubleshoot errors, monitor performance, and improve reliability
  • communicate with users about service-related matters
  • enforce our Terms of Service
  • comply with legal obligations

5. Legal Bases for Processing

Where applicable under data protection law, we process personal data on one or more of the following bases:

  • performance of a contract
  • legitimate interests in operating, securing, and improving the Service
  • compliance with legal obligations
  • consent, where required

6. How LLM and Third-Party Provider Data Is Handled

If your organization configures an external LLM provider, requests submitted through Rolay may be transmitted to that provider in order to generate responses, evaluations, or other outputs.

You are responsible for:

  • selecting your provider
  • reviewing that provider's terms and privacy practices
  • determining what data your organization chooses to submit to that provider

Rolay does not use one organization's API credentials for any other organization and does not intentionally share those credentials across customers.

7. Data Sharing

We do not sell personal data.

We may share data only as necessary with:

  • infrastructure, hosting, and technical service providers
  • authentication or email service providers
  • third-party LLM providers configured by your organization
  • legal or regulatory authorities where required by law
  • successors or acquirers in connection with a merger, acquisition, or asset transfer

All such sharing is limited to what is reasonably necessary for the relevant purpose.

8. Data Retention

We retain personal data only for as long as reasonably necessary to:

  • provide the Service
  • maintain operational records
  • comply with legal obligations
  • resolve disputes
  • enforce agreements

Retention periods may vary depending on the type of data, contractual requirements, and legitimate operational needs.

9. Security

We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or disclosure.

These measures may include:

  • encryption of sensitive credentials at rest
  • access controls
  • logging and monitoring
  • secure infrastructure practices

However, no method of storage or transmission is completely secure, and we cannot guarantee absolute security.

10. International Data Transfers

Your data may be processed in countries other than your own, including countries that may have different data protection laws.

Where required, we take reasonable steps to ensure that such transfers are subject to appropriate safeguards.

11. Your Rights

Depending on your location and applicable law, you may have rights including the right to:

  • access your personal data
  • correct inaccurate data
  • request deletion of data
  • object to certain processing
  • request restriction of processing
  • request data portability
  • withdraw consent where processing is based on consent

To exercise such rights, contact us using the details below. We may need to verify your identity before responding.

12. Organization-Controlled Accounts

If you access Rolay through an organization, that organization may control your access, workspace configuration, and associated data. In such cases, the organization may be the primary controller of certain data processed through the Service.

If your account is managed by an organization, privacy requests relating to organization-controlled data may need to be directed to that organization first.

13. Children

Rolay is not intended for children, and we do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Updated versions will be posted on Rolay.app with the revised effective date.

Continued use of the Service after an update constitutes acknowledgment of the revised Privacy Policy.

15. Contact

For privacy-related questions or requests, contact: [email protected]