Privacy Policy

Effective Date: March 23, 2026

1. Introduction

Risk & Opportunity Radar LLC ("Company," "we," "us," or "our") operates the Radar+ platform at www.roradar.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information and business data when you use our Service.

We are committed to protecting your privacy and handling your data responsibly. This Policy applies to all users of the Service, including administrators, team members, and any individual who accesses the Service on behalf of an organization.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Policy, please do not use the Service.

2. Information We Collect

2.1 Account Information. When you create an account, we collect: full name, email address, company name, job title (if provided), password (stored as a salted hash — we never store plaintext passwords), and billing information (processed and stored by Stripe; we do not store full credit card numbers).

2.2 Integration Data. When you connect third-party services through OAuth 2.0 or API keys, we access and collect business data from those services. The specific data depends on the integration:

· Payment platforms (Stripe): subscription data, revenue metrics, customer counts, payment success rates, refund and dispute data, invoice information, plan details

· CRM systems (HubSpot, Salesforce): deal/opportunity data, contact counts, pipeline values, win rates, lead conversion data, ticket information, email engagement metrics, quotes, invoices, and goals

· Accounting software (QuickBooks): profit and loss reports, balance sheet data, accounts receivable/payable, cash flow data, expense categories, revenue trends

· Communication platforms (Slack, Intercom, Zendesk): message volume metrics, response time averages, channel activity statistics, user engagement rates, ticket volumes, CSAT scores. We do not store the content of individual messages — we extract aggregate metrics only.

· Project management (Monday.com, Jira): task/item counts, completion rates, sprint velocities, backlog sizes, team utilization metrics, resolution times

· Analytics platforms (Google Analytics): session counts, user counts, conversion rates, bounce rates, channel attribution, device statistics. We do not collect individual user browsing data — only aggregate analytics.

2.3 Usage Data. We automatically collect information about how you interact with the Service, including: pages visited, features used, dashboards viewed, tools run, time spent on pages, and error events. This data is used to improve the Service and troubleshoot issues.

2.4 Technical Data. We collect technical information including: IP address, browser type and version, operating system, device type, screen resolution, referring URL, and timezone. This data is collected through server logs and, where applicable, cookies.

2.5 Communication Data. If you contact us via email or our support page, we collect the content of your communications and any information you provide.

3. How We Use Your Information

We use the information we collect exclusively for the following purposes:

(a) Service Delivery: To provide, operate, and maintain the Service, including syncing your data, extracting KPIs, running signal detection algorithms, generating AI insights, and rendering dashboards and reports.

(b) Signal Detection: To analyze your business metrics using our proprietary signal engine, which includes 15 threshold detectors, trend analysis, velocity acceleration detection, cross-metric correlation, compound risk identification, opportunity detection, and leading indicator analysis.

(c) AI-Powered Analysis: To generate natural language insights, recommendations, and summaries using third-party AI models (currently Anthropic's Claude API). Data sent to AI models is processed in real time and is not retained by the AI provider.

(d) Historical Analysis: To store KPI snapshots over time, enabling trend analysis, baseline calculations, and historical comparison. This data powers features like consecutive decline detection and velocity acceleration alerts.

(e) Notifications: To send you alerts about critical signals, high-priority risks, and important changes detected in your business data. You can configure notification preferences in Settings.

(f) Billing: To process payments, manage subscriptions, and send billing-related communications.

(g) Service Improvement: To analyze usage patterns (in aggregate) to improve features, fix bugs, and develop new capabilities.

(h) Security: To detect, prevent, and address fraud, abuse, security issues, and technical problems.

(i) Legal Compliance: To comply with applicable laws, regulations, and legal processes.

We do not: sell your data to third parties; use your data for advertising; share your business data with other customers; use your data to train AI models that benefit other customers (without your explicit consent); or use your data for any purpose not described in this Policy.

4. Data Security

We implement industry-standard security measures to protect your data:

4.1 Encryption at Rest. All OAuth tokens, API keys, and integration credentials are encrypted using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode) before storage. Each credential has a unique initialization vector (IV). The encryption key is stored as an environment variable, separate from the application code and database.

4.2 Encryption in Transit. All data transmitted between your browser and our servers, and between our servers and third-party APIs, is encrypted using TLS 1.2 or higher.

4.3 Access Controls. Database access is protected by Row Level Security (RLS) with 35+ policies ensuring that each organization can only query its own data. API routes are protected by authentication middleware that validates user sessions before processing any request.

4.4 Infrastructure Security. The Service is hosted on Vercel (frontend and API) and Supabase (database and authentication). Both providers maintain SOC 2 Type II compliance, encrypt data at rest, and provide automated backups. Our database is hosted in secure, access-controlled data centers.

4.5 Authentication. User authentication is managed by Supabase Auth, which supports email/password authentication with bcrypt password hashing, email verification via OTP codes, and optional multi-factor authentication (TOTP).

4.6 Security Headers. The Service implements security headers including X-Frame-Options (DENY), HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and X-Content-Type-Options (nosniff).

4.7 Rate Limiting. API endpoints are protected by rate limiting to prevent abuse and denial-of-service attacks.

4.8 Credential Handling. All sensitive configuration values (API keys, client secrets, encryption keys) are stored as environment variables on Vercel and are never committed to source code, logged to console, or exposed to the browser.

4.9 Incident Response. In the event of a data breach, we will: (a) investigate the scope and impact within 24 hours; (b) notify affected users within 72 hours of confirmation; (c) notify applicable regulatory authorities as required by law; and (d) take immediate steps to contain and remediate the breach.

5. Third-Party Services and Sub-Processors

We use the following third-party services to operate the Service. Each processes data on our behalf in accordance with their own privacy policies and our data processing agreements:

· Supabase (database, authentication, storage) — processes account data and business metrics

· Vercel (hosting, serverless functions, edge network) — processes API requests and serves the application

· Stripe (payment processing) — processes billing and payment information

· Anthropic (AI analysis via Claude API) — processes business data excerpts for AI-generated insights (data is not retained by Anthropic beyond the API request)

· Resend (transactional email) — processes email addresses for sending alerts, notifications, and account communications

We only share the minimum data necessary with each sub-processor to perform their specific function. We do not share your complete business data with any sub-processor except as specifically described above.

6. Data Retention

6.1 Active Accounts. We retain your data for as long as your account is active and as needed to provide the Service. KPI snapshots are retained to enable historical trend analysis and baseline calculations.

6.2 Account Deletion. Upon account deletion (requested via Settings or email to info@roradar.com), we will: (a) delete your profile, workspace, and account data within 7 days; (b) delete all integration credentials immediately; (c) delete all KPI snapshots, signals, and business data within 30 days; (d) remove your data from backups within 90 days.

6.3 Integration Disconnection. When you disconnect an integration, we immediately delete the stored credentials and revoke access tokens (where supported by the provider). KPI data previously synced may be retained for historical analysis unless you request deletion.

6.4 Aggregated Data. We may retain anonymized, aggregated data that cannot be traced back to you or your organization for product improvement and analytics purposes. This data does not contain any personal information or identifiable business metrics.

7. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal information:

(a) Access: You may request a copy of the personal information we hold about you.

(b) Correction: You may request correction of inaccurate or incomplete personal information.

(c) Deletion: You may request deletion of your personal information and business data.

(d) Export: You may request an export of your data in a machine-readable format.

(e) Restriction: You may request that we restrict processing of your personal information.

(f) Objection: You may object to processing of your personal information for certain purposes.

(g) Portability: You may request transfer of your data to another service.

(h) Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

(i) Opt-Out of Communications: You may opt out of non-essential communications through Settings or by clicking "unsubscribe" in any email.

To exercise any of these rights, contact us at info@roradar.com. We will respond to your request within 30 days.

8. Cookies and Tracking

8.1 Essential Cookies. We use essential cookies for authentication and session management. These are required for the Service to function and cannot be disabled.

8.2 Analytics. We may use privacy-respecting analytics to understand how the Service is used in aggregate. We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies.

8.3 No Third-Party Advertising. We do not display advertisements in the Service and do not share data with advertising networks.

9. International Data Transfers

The Service is hosted in the United States. If you are accessing the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at info@roradar.com.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including: the right to know what personal information we collect and how it is used; the right to request deletion of your personal information; the right to opt out of the sale of personal information (we do not sell personal information); and the right to non-discrimination for exercising your privacy rights.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR), including those listed in Section 7 above. Our legal basis for processing your data includes: performance of a contract (providing the Service), legitimate interests (improving the Service and ensuring security), and consent (where applicable). You may lodge a complaint with your local data protection authority.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email at least 30 days before taking effect. The "Last Updated" date at the top of this page indicates when the Policy was last revised. We encourage you to review this Policy periodically.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Risk & Opportunity Radar LLC
Privacy Team
Email: info@roradar.com
Website: www.roradar.com

For general support: info@roradar.com