Privacy Policy

The Service is operated by Reservoir Risk Solutions LLC, with principal place of business at 5900 Balcones Drive, STE 100, Austin, Texas 78731, United States. For privacy inquiries, contact info@reservoir-risk-solutions.com.

Depending on your location, privacy law may refer to us as a “controller” or “business” with respect to personal information we determine the purposes and means of processing. This Policy does not create rights beyond what applicable law provides.

We process information in the following categories, depending on how you use the Service:

Account and identity: name, email address, authentication identifiers, and profile or subscription metadata associated with your Supabase-backed account.

Trial period: trial start and end timestamps stored on your profile when you sign up for a platform trial.

Billing and payments: billing contact details, subscription plan identifiers, payment status, and transaction references processed by Stripe. We do not use the Service to collect or store full payment card numbers; card data is handled by Stripe according to its policies.

Support and contact: information you submit when contacting us directly by email (for example, email address and message content).

Product content you provide: technical and commercial inputs you enter or import (including saved cases, scenario and module inputs, optional CSV imports in supported modules, reviewer notes, and team-invitation details such as invitee email addresses).

Product usage analytics (first-party): for signed-in users we log coarse usage events in our database—for example, when a trial starts or expires, when a Monte Carlo run or export is triggered, when a subscription or purchase is recorded, when a resource is downloaded, when a learning video starts, or when a certificate is claimed. Each event is stored with an event name and limited metadata such as module name, plan identifier, product identifier, or resource slug. We do not include saved-case inputs, saved-case outputs, workspace snapshot contents, reviewer notes, descriptions, or other reservoir engineering data in these analytics properties.

Optional in-app feedback (NPS): if you submit an in-app satisfaction score, we store the score (0–10) and any optional comment you choose to include, one response per account.

Resource downloads and marketing attribution: if you request a downloadable resource (such as a worksheet, checklist, or guide), we collect the contact fields you submit (name, email, company) along with the resource you requested and basic marketing attribution—such as UTM parameters and HTTP referrer—to understand how visitors find our materials.

Technical data from use of the site: IP address and basic request metadata as received by our servers and providers (for example, for security, rate limiting, and hosting logs).

We collect information directly from you when you register, sign in, use the application, submit forms, purchase a subscription, invite teammates, or save content in the Service.

We also receive limited information from service providers that power the product—for example, Stripe regarding payment and subscription status, and Supabase as the authentication and database platform we use to run the Service.

We use personal information to: provide, operate, and improve the Service; authenticate users and enforce access controls; process subscriptions and billing; send operational and transactional emails (such as team invitations or account-related messages) through our email delivery provider; measure product adoption and reliability through coarse first-party usage events, in-app feedback (NPS), and resource-download attribution; respond to inquiries; maintain the security and integrity of the Service; comply with legal obligations; and enforce our Terms of Use.

We do not use your saved cases or module inputs to “train” third-party artificial intelligence models for unrelated products. Processing of product content is for delivering the features you use (including collaboration and exports) and for operating the Service.

Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

Performance of a contract: processing necessary to provide the Service you request—for example, creating and administering your account, authentication, delivering subscription features, billing references, and operational emails tied to your use.

Legitimate interests: processing necessary for our legitimate interests that are not overridden by your rights—for example, securing the Service, detecting abuse, improving reliability, and understanding aggregated product usage, subject to applicable law and your objection rights where provided.

Legal obligation: processing necessary to comply with applicable law—for example, tax, accounting, or regulatory requirements.

Consent: where we rely on consent (for example, for optional analytics cookies), you may withdraw consent at any time via the cookie preferences on this page or by contacting us; withdrawal does not affect processing before withdrawal where lawful.

We use third-party services that process personal information on our behalf to run the product. The main categories are:

Supabase: authentication and database hosting for accounts, subscription metadata as stored in our application, saved cases, team and sharing features, first-party product usage events, in-app NPS feedback, resource lead records, and related application data.

Stripe: payment processing, billing portal, and subscription lifecycle data Stripe handles under its agreements and privacy policy.

Resend: sending transactional and operational email (for example, team invites and contact-form delivery).

Vercel: hosting and deployment of the web application; Vercel may process technical and log data in connection with serving the site.

Upstash: we use Upstash Redis to store short-lived rate-limit counters keyed in part from client IP addresses or similar request metadata to reduce abuse on API routes.

We do not list every sub-subprocessor those companies may use; their documentation describes their own infrastructure and subprocessors.

Essential cookies and similar technologies: we use these where strictly necessary to operate sign-in, session security, and core application routing (including cookies set in connection with Supabase authentication and application middleware). These are required for the Service to function and are not used for optional analytics; applicable law often permits them without consent.

Local storage / session storage: parts of the application may use browser storage for workspace continuity, UI preferences (such as theme), or short-lived navigation state—for example, restoring a saved case after sign-in. This data stays on your device unless it is also stored in our backend as part of a feature you use.

Optional analytics cookies / scripts: we load Vercel Web Analytics only if you accept analytics in our cookie banner or cookie preferences below. If you decline, Vercel Web Analytics is not loaded in your browser.

First-party usage logs (not controlled by the analytics cookie toggle): independently of the cookie choice above, when you are signed in we record coarse product usage events in our own database as described in the “Product usage analytics” bullet under Categories above. These events do not contain saved-case content, workspace snapshot content, or other reservoir engineering data. Where the GDPR or UK GDPR applies, this processing relies on the lawful bases of contract performance and our legitimate interests in measuring product adoption and reliability, subject to your objection rights described in the GDPR section below.

Do Not Track: Some browsers offer a "Do Not Track" (DNT) signal. We do not currently alter our data collection or use practices in response to DNT signals. If a standard is adopted in the future, we will reassess this position. We honor the Global Privacy Control (GPC) signal as an opt-out of the sale and sharing of personal information under California law.

We retain personal information for as long as your account is active, as needed to provide the Service, and as required to comply with law, resolve disputes, and enforce our agreements.

After account cancellation or termination, we generally retain account and product data for up to 30 days to support reactivation requests, billing reconciliation, and operational recovery.

After that period, we delete or anonymize associated personal information where practicable, subject to backup cycles, legal retention obligations, dispute resolution needs, and technical limits. Billing and transaction records may be retained for up to seven (7) years as required by applicable tax and accounting law.

Stripe, Supabase, Resend, and other providers retain data according to their own retention practices and your interactions with them.

Depending on where you live, you may have the right to request access to, correction of, or deletion of certain personal information we hold; to receive a copy of certain information in a portable, machine-readable format (data portability); or to object to or restrict certain processing. To make a request, contact us at info@reservoir-risk-solutions.com. We may need to verify your identity before responding.

We will respond within the timeframes required by applicable law where those laws apply. Some requests may be limited by law (for example, if we must retain billing records) or by technical feasibility.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may provide you with additional rights regarding your personal information, including the right to know what personal information we collect, use, and disclose; the right to delete personal information we hold about you, subject to certain exceptions; the right to correct inaccurate personal information; the right to limit certain uses and disclosures of sensitive personal information where applicable; and the right to opt out of the sale or sharing of personal information (including sharing for cross-context behavioral advertising as defined under California law). We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as defined under California law. To exercise your rights, contact us at info@reservoir-risk-solutions.com. We will not discriminate against you for exercising your privacy rights.

If you are located in the European Economic Area, United Kingdom, or Switzerland, you may have rights under applicable data protection law, including the right to access, correct, or erase your personal information; the right to restrict or object to processing; and the right to data portability. Where we rely on legitimate interests as a legal basis for processing, you may object to that processing. To exercise your rights, contact us at info@reservoir-risk-solutions.com. Personal information may be transferred to and processed in the United States and other countries. Where required, we rely on appropriate transfer mechanisms such as standard contractual clauses. If you have unresolved concerns, you may have the right to lodge a complaint with your local data protection authority.

Article 27 representative: Our processing of personal data of individuals in the European Economic Area and the United Kingdom is limited in scope and risk such that we rely on the Article 27 exemption for occasional processing. If this changes, we will name a representative and update this Policy accordingly. For any data protection queries, contact us at info@reservoir-risk-solutions.com.

Personal information may be processed in the United States and in other countries where our service providers operate. Those countries may have data-protection laws that differ from those in your home jurisdiction. For details on locations and transfers, see the privacy policies of Supabase, Stripe, Resend, Vercel, and any other provider you interact with directly.

Where personal information is transferred from the European Economic Area or the United Kingdom to countries not regarded as providing an adequate level of protection, we implement appropriate safeguards such as the Standard Contractual Clauses (SCCs) approved by the European Commission and/or UK International Data Transfer Addendum / UK IDTA mechanisms as applicable, together with supplementary measures where required.

We take reasonable steps to protect personal information from loss, misuse, and unauthorized access, including by relying on established hosting and database providers and common practices for web applications. No method of transmission or storage is completely secure.

The Service is not directed to children under 13 (or the age required by local law for valid consent without parental authorization). We do not knowingly collect personal information from children in that category. If you believe we have collected such information, contact us at info@reservoir-risk-solutions.com and we will take appropriate steps to delete it.

We do not sell your personal information for money. Under the CPRA, certain disclosures may qualify as “sharing” for cross-context behavioral advertising; we do not share personal information for that purpose as defined under California law. We share personal information only with service providers and platforms described in this Policy (such as Supabase, Stripe, Resend, and Vercel) as needed to operate the Service, subject to appropriate contractual protections where required, and otherwise where required by law or to protect our rights.

We may update this Policy from time to time. We will post the revised version on this page and update the effective date. When practicable, we may highlight material changes through the Service or by email to your account address.

Questions about this Privacy Policy: info@reservoir-risk-solutions.com.