RAGFlow Privacy Policy
Last Updated: 2026-04-23
This Privacy Policy explains how RAGFlow (together with its affiliates, “RAGFlow,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes Personal Data in connection with our websites, apps, documentation, community channels, and other services that link to this Privacy Policy (collectively, the “Services”).
Important: This Privacy Policy generally covers (1) visitors and users of our website and Cloud services, and (2) business contacts (sales/marketing).
When we process Customer Data on behalf of an organization (e.g., as a processor), the processing is governed primarily by our contract and Data Processing Addendum/Agreement (“DPA”) with that Customer, not this Privacy Policy.
1. Who We Are
- Controller (typical): For Personal Data we collect for our own purposes (e.g., account administration, billing, website analytics), RAGFlow typically acts as a data controller (or equivalent role under applicable law).
- Processor / Service Provider (typical): For Customer Data uploaded to our Cloud services by Customers and their authorized users, RAGFlow typically acts as a data processor (or “service provider” under certain laws), subject to the Customer agreement and DPA.
- Contact Information: If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:
  Email: privacy@ragflow.io
  We will make reasonable efforts to respond to your request in accordance with applicable data protection laws.
- Legal Entity and Registered Address: RAGFlow is operated by its legal entity (the “Company”). The registered name and address of the Company will be provided upon request or made available through appropriate official channels where required by applicable law.
2. Scope and Definitions
“Personal Data” means information that identifies or can reasonably be linked to an individual.
“Customer Data” means data (which may include Personal Data) that a Customer or its authorized users upload, submit, transmit, or otherwise make available to the Services.
Self-Hosted Open Source: If you deploy RAGFlow in your own environment (“Self-Hosted”), RAGFlow generally does not receive or process Customer Data from your Self-Hosted instance unless you enable optional features that send data to us (e.g., cloud connectors, telemetry, support logs), or you otherwise provide data to us.
3. Personal Data We Collect
3.1 Information you provide
We may collect Personal Data you provide, such as:
- Account and profile information: name, email, username, authentication credentials (hashed), organization name, role/title.
- Billing and transactional information: billing contact details, invoices, subscription plan, payment method details (typically processed by a third-party payment provider).
- Support and communications: content of messages, tickets, feedback, recordings, and attachments you provide to support.
- Events and marketing: registration details for webinars, community events, newsletters, surveys.
3.2 Information collected automatically
We (and authorized third parties) may collect:
- Device and usage data: IP address, device identifiers, browser type, OS, language, referring URLs, pages viewed, timestamps, clickstream, and diagnostics.
- Cookies and similar technologies: see our Cookie Policy.
3.3 Information from other sources
We may receive Personal Data from:
- Business partners (e.g., resellers, referral partners)
- Public sources (e.g., professional profiles)
- Security providers (e.g., fraud detection)
4. How We Use Personal Data
We may use Personal Data for the following purposes:
4.1 Provide and operate the Services
- Create, maintain, and secure accounts
- Provide core functionality, customer support, and service communications
- Process subscriptions, billing, payments, and account administration
4.2 Improve, develop, and protect the Services
- Debug, monitor performance, analyze usage, and improve features
- Maintain safety, integrity, and security; prevent abuse and fraud
4.3 Communicate and market (where permitted)
- Send product updates, newsletters, and promotional messages (subject to your preferences and applicable law)
- Conduct surveys and market research
4.4 Comply with law and enforce agreements
- Meet legal obligations and respond to lawful requests
- Enforce our Terms of Use and protect rights, property, and safety
4.5 With your consent
We may process Personal Data for other purposes when you consent, where required.
De-identified / Aggregated Data: We may create and use de-identified or aggregated data where permitted by law; such data is generally not subject to this Privacy Policy to the extent it cannot reasonably identify you.
5. Legal Bases (EEA/UK/Switzerland and Similar Jurisdictions)
Where applicable, we rely on one or more legal bases, including:
- Contract necessity (to provide Services)
- Legitimate interests (to secure and improve Services, prevent fraud)
- Consent (e.g., certain cookies/marketing where required)
- Legal obligation (e.g., accounting, compliance)
6. How We Share Personal Data
We may share Personal Data with:
6.1 Service providers / subprocessors
Vendors that help us provide the Services (e.g., hosting, analytics, customer support, billing, email delivery) under contractual confidentiality and security obligations.
6.2 Affiliates and corporate group
For internal business purposes consistent with this Policy.
6.3 Business partners
Where you engage with a partner integration, reseller, or event sponsor, we may share relevant information as needed and as permitted by law.
6.4 Legal and safety
To comply with law, protect rights, investigate fraud/security incidents, or respond to lawful requests.
6.5 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.
7. International Transfers
We may process and store Personal Data in countries other than where you reside. Where required, we use appropriate safeguards (such as Standard Contractual Clauses or equivalent transfer mechanisms) and may implement supplementary measures.
8. Data Retention
We retain Personal Data for as long as necessary to:
- Provide the Services
- Comply with legal obligations
- Resolve disputes and enforce agreements
Retention periods may vary by data type, context, and legal requirements. We may retain certain data longer where required or permitted by law.
9. Security
We implement reasonable technical and organizational measures designed to protect Personal Data. However, no system is 100% secure; we cannot guarantee absolute security.
10. Your Rights and Choices
Depending on your location, you may have rights such as:
- Access, correction, deletion
- Restriction or objection
- Data portability
- Withdraw consent (where processing is based on consent)
- Opt out of certain marketing communications
How to exercise rights: email privacy@ragflow.io.
We may verify your identity and authority. If applicable, you may appeal a decision per local law.
Marketing opt-out: You can unsubscribe via links in emails; you may still receive service-related messages.
11. Third-Party Services and Links
Our Services may link to third-party websites or services. Their privacy practices are governed by their own policies, not ours.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new “Last Updated” date. Your continued use of the Services after the change becomes effective means you acknowledge the updated Policy where permitted by law.