Privacy Policy

This Privacy Policy explains how The Gems Company ("Ruby", "we", "us", or "our") collects, uses, shares, and protects personal information when you visit rubyruby.xyz, join our waitlist, or use Ruby, our AI personal assistant service (together, the "Service"). It also describes the privacy rights available to you and how to exercise them.

Ruby is an AI personal assistant with her own phone number (WhatsApp) and email address. You interact with Ruby by messaging or emailing her, and she helps handle personal life admin — coordinating with people, tracking tasks, preparing briefings, processing documents you send, and, where you authorize it, reaching out to vendors and contacts on your behalf. Because of what Ruby does, she necessarily handles personal information about you and, in some cases, about other people you ask her to interact with. This policy explains how we handle that responsibly.

Please read this policy together with our Terms of Service. By using the Service you acknowledge the practices described here.

1. Who we are

The Service is operated by The Gems Company. For the personal information described in this policy, The Gems Company acts as the data controller (and, under certain frameworks, as a "business"). Where we process information on behalf of and under the instructions of a user — for example, content within your assistant workspace — we act as a processor or service provider for that user.

For any privacy question, request, or complaint, contact us at [email protected]. General and support inquiries can be sent to [email protected].

2. Information we collect

We collect the categories of information below. The exact information depends on whether you are visiting the website, on the waitlist, or actively using Ruby.

2.1 Waitlist and website information

When you submit a waitlist form on the website, we collect the email address you provide and the form source (for example, "hero" or "footer"). For abuse prevention and basic analytics we also store request metadata: an irreversible hash of your connecting IP address, your browser user-agent string, and timestamps. We do not store your raw IP address for the waitlist.

2.2 Account and onboarding information

If you are invited into the beta, we collect information needed to set up and operate your assistant. This may include your name, phone number, email address, preferred language, time zone, and the preferences you share during onboarding (for example, how you like plans made, which vendors you trust, which contacts are sensitive, and what requires your approval before Ruby acts).

2.3 Communications content

When you message Ruby on WhatsApp or email her, we process the content of those communications — text, attachments, and metadata such as sender, timestamps, and message threading identifiers. Ruby maintains a record of your conversations and the tasks, follow-ups, and outcomes derived from them so she can act with context over time.

2.4 Files, images, and documents

When you send Ruby a photo or document — such as a receipt, menu, business card, form, or note — we process its contents to extract structured information (for example, a deadline, a contact, or a line item) and to act on your request.

2.5 Connected account data

If you connect a Google account, Ruby accesses calendar and email data through Google's official OAuth authorization, limited to the scopes you grant. This may include your calendar availability and event details (read access) and the ability to create, update, or manage events on an assistant calendar. See Section 8 for the specific commitments that apply to Google user data.

2.6 Information about other people

To do her job, Ruby stores and processes information about people in your network — contacts, vendors, and recipients of messages she sends on your behalf. This may include their names, phone numbers, email addresses, your relationship to them, and the history of communications Ruby has with them in connection with your requests. You are responsible for ensuring you are permitted to share this information with us (see our Terms of Service).

2.7 Usage and technical information

We automatically collect operational and diagnostic information when you use the Service, such as device and connection metadata, log data, error reports, and information about how features are used. This helps us operate, secure, debug, and improve the Service.

2.8 Cookies and similar technologies

The marketing website uses only essential and basic measurement technologies needed to serve the site and protect the waitlist form. We do not use third-party advertising trackers on the website. Where local law requires consent for non-essential cookies, we will request it.

3. How we use information

We use personal information to:

• operate, provide, and personalize the Service, including running your assistant and acting on your requests;
• understand context across your conversations, preferences, tasks, calendar, and contacts so Ruby can be genuinely useful over time;
• communicate with you about the waitlist, beta eligibility, onboarding, product updates, and support;
• contact third parties (vendors and your contacts) on your behalf, within the scope you authorize and subject to your approval gates;
• maintain safety and security, detect and prevent abuse, fraud, and spam, and enforce our terms;
• debug, monitor, analyze, and improve the Service; and
• comply with legal obligations and respond to lawful requests.

We do not sell your personal information, and we do not use the content of your messages, your connected-account data, or the personal information of your contacts to train third-party generative AI models.

4. AI processing and automated decisions

Ruby is an AI assistant. To understand your requests and generate responses and actions, we send relevant content to large language model providers that act as our processors (see Section 6). These providers process the content to return a result to us and, under our agreements, do not use your content to train their models.

AI outputs can be inaccurate, incomplete, or out of date. Ruby is designed with human-in-the-loop boundaries: sensitive actions — including anything involving money, new vendors, or contacts you have flagged as sensitive — require your explicit approval before Ruby proceeds. We do not use solely automated processing to make decisions that produce legal or similarly significant effects about you without a lawful basis and, where required, appropriate safeguards. You can contact us to request human review of any automated action that materially affects you.

5. Legal bases for processing (EU/UK)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

• Performance of a contract — to provide the Service you have requested and operate your assistant.
• Consent — for connecting optional integrations (such as your Google account), for processing where you have given permission, and for non-essential cookies where required. You may withdraw consent at any time.
• Legitimate interests — to secure and improve the Service, prevent abuse, and run the waitlist, balanced against your rights and freedoms.
• Legal obligation — to comply with applicable law and lawful requests.

6. How we share information

We share personal information only as described below. We do not sell personal information and we do not share it for cross-context behavioral advertising.

Service providers and subprocessors. We rely on a small set of vendors to run the Service. Each is bound by contractual confidentiality and data-protection obligations and may process information only on our instructions:

• Anthropic — large language model ("Claude") used to power Ruby's understanding and responses.
• Google — Calendar, Gmail, and Maps/Places APIs for connected-account features and place lookups, and Google Cloud for hosting infrastructure.
• Meta Platforms — the WhatsApp messaging channel through which you communicate with Ruby.
• Cloudflare — website hosting, network/tunnel security, and the waitlist database.

At your direction. When you ask Ruby to coordinate with a person or vendor, we share the information necessary to fulfill that request (see Section 7).

Legal and safety. We may disclose information if required by law, regulation, legal process, or governmental request, or where we believe disclosure is reasonably necessary to protect the rights, property, or safety of users, the public, or us.

Business transfers. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to the commitments in this policy.

7. People Ruby contacts on your behalf

A core function of Ruby is reaching out to your contacts and vendors. When she does, she identifies herself as Ruby, an assistant acting on your behalf — she does not impersonate you. We process the recipient's contact details and the content of those communications to coordinate, follow up, and track replies in connection with your request.

You confirm that you have a lawful basis and any necessary permission to provide us with other people's information and to have Ruby contact them. If a contact asks not to be messaged, asks about their data, or requests deletion, they (or you) can write to [email protected] and we will honor applicable requests.

8. Connected accounts and Google user data

Connecting a Google account is optional and uses Google's official OAuth flow. Ruby requests only the scopes needed for the features you use, and you can revoke access at any time from your Google Account security settings or by contacting us.

Ruby's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically, Google user data is used only to provide and improve the user-facing features you request; is not sold; is not used for advertising; is not transferred to others except as necessary to provide or improve those features, to comply with law, or as part of a business transfer with appropriate notice; and humans do not read this data unless we have your consent, it is necessary for security or to comply with law, or the data has been aggregated and de-identified.

9. International data transfers

We operate internationally and our service providers may process information in countries other than where you live, including the United States and Israel. Where we transfer personal information across borders, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions (Israel benefits from an EU adequacy decision), or other lawful transfer mechanisms. You may contact us for more information about the safeguards we use.

10. Data retention and deletion

We keep personal information for as long as needed to provide the Service and for the purposes described in this policy, then delete or de-identify it. In practice:

• Waitlist records are kept while we evaluate and operate the beta, and deleted on request or when no longer needed.
• Account and assistant data (preferences, tasks, contacts, communication history, memory) is kept while your account is active so Ruby can act with context.
• After account closure, we delete or de-identify your assistant data within a reasonable period unless a longer period is required to comply with law, resolve disputes, or enforce our agreements.

Some records — such as soft-deleted entries retained for integrity and an append-only audit log — are kept in a restricted form for security, accountability, and legal compliance. You can request deletion as described in Section 12.

11. Security

We use administrative, technical, and organizational measures designed to protect personal information, including encryption in transit, encryption of sensitive credentials (such as connected-account tokens) at rest, access controls, per-user data isolation, and an append-only audit log of sensitive actions. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by law.

12. Your privacy rights

Subject to your location and applicable law, you may have the right to access, correct, delete, or receive a portable copy of your personal information; to object to or restrict certain processing; and to withdraw consent. To exercise any right, email [email protected]. We will verify your request and respond within the timeframe required by law. You will not be discriminated against for exercising your rights.

13. Regional disclosures

13.1 European Economic Area and United Kingdom

If you are in the EEA or UK, you have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your local supervisory authority. Our legal bases are described in Section 5. Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

13.2 United States (including California)

We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA, and we do not use sensitive personal information for purposes that would require a right to limit. California residents (and residents of other US states with comparable laws) may request to know, access, correct, and delete personal information, and may designate an authorized agent to make a request. We honor these rights regardless of state of residence.

13.3 Israel

If you are in Israel, you have rights under the Protection of Privacy Law, 5741-1981, including the right to review information we hold about you and to request its correction or deletion. You may contact us at [email protected], and you may also contact the Israeli Privacy Protection Authority.

14. Children's privacy

The Service is intended for adults and is not directed to children. We do not knowingly collect personal information from anyone under 18 (or under 16 where a lower threshold applies under local law). If you believe a child has provided us personal information, contact us and we will delete it.

15. Changes to this policy

We may update this policy as the Service evolves. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.

16. How to contact us

For privacy questions, requests, or complaints, contact The Gems Company at [email protected]. For general support, email [email protected]. If you are not satisfied with our response, you may have the right to contact your local data protection or privacy authority.