Privacy Policy

This policy explains what RayRF collects and why. It covers the rayrf.com website, the RayRF Studio desktop application, and the services connected to them. RayRF is operated by Rayleigh Systems.

1. Who we are

Aspen Erlandsson Brisebois, a sole proprietor doing business as Rayleigh Systems, registered in Ontario, Canada. Contact us about privacy at support@rayrf.com.

2. What we collect and why

2.1 Account

• Email address, and a password hash if you sign up with email and password. Used to create your account, sign you in, and contact you about your subscription.
• An OAuth identifier when you sign in with Google. Used only to link your Google identity to your RayRF account.
• An optional display name if you provide one.

2.2 Billing

• Your Stripe customer ID and invoice history. Used to bill you, show your invoices, and reconcile payments. Card numbers are handled by Stripe and never reach our servers; we may see the card brand and last four digits to display in the dashboard.

2.3 License activations

• A license key per active plan, plus a hashed machine identifier, an optional machine label, and activation timestamps for each machine you activate. Used to enforce the per-plan activation limit listed in the Terms of Service.

2.4 Desktop telemetry

After you sign in, the desktop application sends product-usage telemetry so we can see what features get used, what hardware our users run on, and where the app crashes. Telemetry is opt-in by default in the EU, UK, and EEA, and opt-out elsewhere. You can change it any time under Settings, Anonymous Usage Telemetry, and your choice syncs to your account.

What the desktop app sends:

• Which tabs, panels, dialogs, and calculators you opened, and for how long.
• The kind and outcome of each simulation run (solver backend, precision, quality preset, boundary type, duration, peak memory, throughput, exit reason), with the size described in coarse buckets (total cells, layer count, port count) so the actual geometry, frequencies, and materials are not exposed.
• Hardware and platform: CPU model, vendor, core counts, and AVX support; GPU model, vendor, video memory, driver version, CUDA runtime version, and compute capability; installed RAM with type and speed where reported by the OS; operating system family, version, and architecture; primary monitor resolution, display scaling, locale, and timezone offset.
• Identifiers used to group your events: a per-install random ID, a per-app-session random ID, the app version and release channel, your plan tier, and your account UUID, so we can correlate behavior with plan and honor deletion requests.
• A truncated network address prefix (the /24 portion of an IPv4 address or the /48 portion of an IPv6 address, never the full IP), and the country and region derived from the request.
• Exceptions and crashes by exception class, module, top stack-frame function and line, the operation that was running, and a stack-trace hash. Crashes also include the signal name or exit code and the app uptime at the time of the crash. The exception message text is not sent.

The desktop never sends your project files, geometry, materials, port definitions, mesh details, simulation results, file paths, free-text input, or system identifiers beyond the categories above. Our server rejects all data that does not match the anonymized format described in the “what is sent” list above, so even an application-level error would not expose any design or user data.

2.5 Website analytics

With your consent, we collect first-party analytics on rayrf.com. Three tiers exist, and you can opt in or out of each in the cookie banner or the Cookie preferences link in the footer.

Analytics, first-party (we collect, you can opt in):

• Page views and per-view dwell time and scroll depth, with a visitor and session uuid stored in two first-party cookies.
• Where you arrived from: the referring URL, the host parsed from it, and the UTM source, medium, and campaign query parameters.
• Coarse device context: viewport and screen size, device pixel ratio, browser language, device class (desktop, mobile, tablet, bot, other), and country derived from the request (never the full IP).
• Clicks on elements we tagged for analytics, plus clicks on outbound links (recorded as the destination host). Web Vitals readings, and uncaught JavaScript errors from the page (a truncated error message, source file, line, and column).

Analytics, behavioral (off by default, explicit opt-in only):

• Per-section engagement totals: for each named section on the page, how long it was visible, how long the pointer hovered over it, how many times it was clicked, and when it first came into view. Capped at thirty named sections per page view. Raw pointer coordinates are not stored; we do not capture the text inside the section or anything you typed.
• Microsoft Clarity, a session-replay and heatmap tool we use alongside our first-party analytics. It records interactions (clicks, scrolls, and a reconstruction of the page built from DOM changes) so we can see where the UI is confusing. Data is processed by Microsoft under their privacy policy. We do not pass your email, name, or account id to Clarity, and Clarity masks form input by default.

Analytics, third-party (off by default, explicit opt-in only):

• Vercel Analytics and Vercel Speed Insights. Data is processed by Vercel under their privacy policy; see the Cookie Policy for the script list.

2.6 Funnel and conversion

• Independent of cookie consent, we record a small set of account-tied events (signup started, signup completed, checkout started, checkout succeeded or failed, trial started or converted, subscription canceled). Used to operate your account and to measure conversion at an aggregate level.

2.7 Support

• If you contact us, we receive your email, the subject and body of your message, any attachment you send, and the conversation history. Used to answer you.

2.8 Cookies

We use a small set of cookies to keep you signed in, remember your sign-in preference, and (only with consent) measure traffic. The full list is in the Cookie Policy.

3. Lawful basis (EU and UK)

• Performance of a contract: account, billing, license issuance and enforcement, support.
• Legitimate interests: fraud prevention, basic site security, desktop telemetry outside the EU and UK. You can object at any time.
• Consent: non-essential cookies, desktop telemetry inside the EU and UK, the behavioral and third-party analytics tiers. You can withdraw consent at any time.
• Legal obligation: keeping billing records for Canadian tax and accounting law.

4. Service providers

We share personal information with the providers below only to the extent needed to run the service. Each provider has its own privacy policy.

• Supabase, for database, authentication, and storage. supabase.com/privacy
• Stripe, for payments and the customer portal. stripe.com/privacy
• Resend, for transactional email. resend.com/legal/privacy-policy
• Vercel, for website hosting, Vercel Analytics, and Vercel Speed Insights. vercel.com/legal/privacy-policy
• Google, for OAuth sign-in, only if you choose to sign in with Google. policies.google.com/privacy
• Microsoft, for Clarity session-replay analytics, only if you opt in to the behavioral analytics tier. privacy.microsoft.com/privacystatement

We do not sell your personal information. We do not share it for cross-context behavioral advertising.

5. Where your data is processed

The service runs on Supabase and Vercel infrastructure, so your data may be processed in Canada, the United States, or other jurisdictions where our providers operate. We use providers that apply standard contractual safeguards for cross-border transfers.

6. Retention

• Account data is kept while your account is active.
• Billing records are kept for seven years to comply with Canadian tax law.
• Raw website and telemetry events are retained for operational analysis, typically no longer than ninety days, after which they are aggregated or deleted. Aggregated data that cannot be linked back to you may be kept indefinitely.
• If you request account deletion, we delete or anonymize your data within thirty days, except where law requires us to keep it.

7. Your rights

Subject to applicable law, you can ask us to show you the data we hold, correct it, delete it, export a copy, restrict or object to certain processing, or withdraw consent. We apply these rights to all users, not only those in the EU or UK. Email support@rayrf.com or use the in-app account-deletion request. We answer within thirty days. If you are not satisfied with our response you can complain to the Office of the Privacy Commissioner of Canada or your local supervisory authority.

8. Children

The service is not directed to anyone under eighteen. If you are under eighteen, please do not provide personal information through the service. If you believe a child has, email support@rayrf.com and we will delete it.

9. Security

We use TLS in transit and rely on encryption at rest provided by Supabase, Stripe, and Vercel for their stores. No system is perfectly secure. If a breach affects your personal information we will notify you and the relevant authorities as required by law.

10. Changes to this Policy

If we make material changes, we will give you at least thirty days notice by email or in-app banner. The date at the top of the page is always the current version.

11. Contact

Questions or requests: support@rayrf.com.

Aspen Erlandsson Brisebois, sole proprietor doing business as Rayleigh Systems, Toronto, Ontario, Canada.