Phaedra Solutions · Rubrily
Privacy Policy
Effective: 11 July 2026Last updated: 11 July 2026Version: 1.0
This policy explains how Phaedra Solutions, the company that operates Rubrily, handles personal data for site visitors, prospects and customer account users — what we collect, why, on which legal basis, for how long, and the rights you have over it.
Job candidates: your data is controlled by the employer you applied to, and the Candidate Privacy Notice is written for you.
1. Who we are and what this policy covers
In short: This policy is about our website, marketing and customer accounts. If you applied for a job through Rubrily, the Candidate Privacy Notice is the document for you.
Phaedra Solutions ([CONFIRM: exact registered legal form, e.g. “Phaedra Solutions (Private) Limited”]), a company headquartered in Lahore, Pakistan ([CONFIRM: full registered company address], registration [CONFIRM: company registration number]), operates Rubrily, an AI-first applicant tracking system at rubrily.com andapp.rubrily.com. In this policy, “we”, “us” and “our” mean Phaedra Solutions; “the Service” means Rubrily.
This policy explains how we handle personal data when we decide why and how it is used — in legal terms, when we act as a controller. That covers three groups of people:
- visitors to our websites;
- prospects — people who book a demo, download a template or subscribe to our newsletter; and
- customer account users — people who create and use a Rubrily account on behalf of an organization.
If you are a job candidate, this is not your document. When you apply for a job with an employer that uses Rubrily, that employer controls your data and we process it on the employer’s instructions. The Candidate Privacy Notice explains exactly what happens to candidate data, in plain language.
Questions about anything here: privacy@rubrily.com. We have appointed an internal privacy contact. We have not appointed a statutory Data Protection Officer (none is currently required for our processing). [CONFIRM: DPO requirement re-assessment as processing scales].
2. The data we collect
In short: We collect what you type into our forms, what your account needs to work, and limited technical data. We don't buy data about you.
We collect personal data in five ways:
- Demo requests. Name, work email, company name and team size, plus anything you write in the “what would you like to see” field.
- Template downloads and newsletter. Your email address. The signup text says what you get: the file plus one hiring email a month.
- Customer accounts and billing. Name, work email, organization details, role and permissions, security and audit logs, and — for paid plans — billing details. Payment card numbers are handled by a payment provider, not stored by us ([CONFIRM: payment processor for paid tiers and candidate add-ons]).
- Support. The content of your messages to us and the contact details you use to send them.
- Technical data. Server logs (IP address, user-agent, requested pages, timestamps) kept for security and debugging, and — once our consent banner ships — consent-gated analytics events via PostHog, plus a first-party attribution cookie that remembers which campaign first brought you here. The Cookie Policy lists every cookie with its lifetime.
We do not buy contact lists, enrich profiles from data brokers, or collect data about you from social networks.
3. Why we use your data, and the legal basis for each use
In short: Every use of your data maps to one of the GDPR's lawful bases — mostly performing a contract with you, our legitimate interest in running the business, or your consent.
Under Article 6 GDPR, each use of personal data needs a lawful basis. Here is the complete map:
| What we do | Data | Lawful basis (Art 6(1)) |
|---|---|---|
| Provide and operate the Service for your organization | Account, organization and usage data | (b) contract — the Terms of Service |
| Respond to a demo request and follow up | Demo form data | (b) steps at your request before a contract; then (f) legitimate interest in following up on an inquiry you made |
| Send the template you asked for and the monthly email | Email address | (a) consent — you can unsubscribe any time, and every email has an unsubscribe link |
| Billing, invoicing and tax records | Billing data | (b) contract and (c) legal obligation (tax and accounting law) |
| Keep the sites and Service secure; investigate abuse | Server and security logs | (f) legitimate interest in the security and integrity of the Service |
| Understand how the marketing site is used and which campaigns work | Consent-gated analytics events; first-touch attribution | (a) consent, collected by the cookie banner before any analytics run |
| Improve the Service (aggregate, de-identified usage patterns) | Usage data | (f) legitimate interest in improving the product |
| Establish, exercise or defend legal claims | Whatever is relevant to the claim | (f) legitimate interest in protecting our legal position |
Where we rely on legitimate interests, we have weighed those interests against your rights and use the least data that does the job. You can object to any legitimate-interest processing — see Your rights.
On the marketing and account side there is no solely-automated decision-making that produces legal or similarly significant effects about you (Article 22 GDPR). For how automation works in candidate screening — which the employer controls — see the Candidate Privacy Notice.
4. Cookies and analytics
In short: One attribution cookie and consent-gated analytics — the Cookie Policy has the full table.
The Cookie Policylists every cookie we set, what it does, how long it lives, and how consent and withdrawal work. Analytics cookies never run before you consent, and our analytics configuration respects your browser’s “Do Not Track” signal.
5. Who receives your data
In short: Our vetted service providers (listed on one page), professional advisers when needed, and authorities only when the law requires it. We never sell personal data.
We share personal data only with:
- Subprocessors and service providersthat host and operate the Service under contract with us. The complete, maintained list — with each provider’s function, location and transfer mechanism — is at rubrily.com/subprocessors.
- Professional advisers (lawyers, accountants, auditors) under confidentiality, where we need their advice.
- Authorities, if a law, court order or binding request requires it. We review every request and disclose the minimum required.
- A buyer or successor, if we are ever part of a merger, acquisition or asset sale — with notice to you and this policy continuing to apply.
We do not sell personal data. We do not share it for advertising.
6. International transfers
In short: We are based in Pakistan and use providers in other countries. Transfers from the EU/UK are protected by Standard Contractual Clauses.
We are headquartered in Lahore, Pakistan, and our service providers operate in other countries, including the United States. When personal data protected by the GDPR or UK GDPR leaves the EU/EEA or the UK, we protect it with the European Commission’s Standard Contractual Clauses (2021/914) — and the UK Addendum where UK data is involved — plus any additional technical measures a transfer assessment calls for.
We are not certified under the EU–US Data Privacy Framework and make no claim to it; our transfer tool is the SCCs. The subprocessor list shows the location and transfer mechanism per provider.
Not yet appointed. If you are in the EU/EEA, contact privacy@rubrily.com and we will route your request. [CONFIRM: appoint or formally waive an EU (Art 27 GDPR) representative before EU enterprise sales]
Not yet appointed. If you are in the UK, contact privacy@rubrily.com and we will route your request. [CONFIRM: appoint or formally waive a UK (Art 27 UK GDPR) representative]
7. How long we keep data
In short: As short as we can justify. Each category has a schedule, and candidate data follows the employer's schedule, not ours.
| Data category | Retention |
|---|---|
| Demo requests and sales inquiries | 24 months after our last interaction with you (default — confirm) |
| Template downloads and newsletter subscription | Until you unsubscribe; we then keep your address on a suppression list so we do not email you again (default — confirm) |
| Customer account data | Life of the account, then export window (30 days) and deletion within 30 days (default — confirm) |
| Billing records | 7 years, where required for tax and accounting law (default — confirm) |
| Support conversations | 24 months after the ticket closes (default — confirm) |
| Server and security logs | up to 90 days (default — confirm) |
| Analytics data (PostHog, once enabled) | 12 months (default — confirm) |
| Candidate data processed for employers | Set by the employer that controls it (see the Candidate Privacy Notice and the DPA) — not by this policy |
When a retention period ends, we delete or irreversibly de-identify the data. Backups roll off on their own schedule shortly after.
8. Your rights
In short: Access, correction, deletion, restriction, portability, objection — email privacy@ and we act on it. No charge, no run-around.
If the GDPR or UK GDPR applies to you, you have the right to access the personal data we hold about you (Art 15), correct it (Art 16), have it deleted (Art 17), restrict how we use it (Art 18), receive it in a portable format (Art 20), and object to processing based on legitimate interests (Art 21). Where processing rests on consent, you can withdraw consent at any time, without affecting what happened before withdrawal.
To exercise any right, email privacy@rubrily.com. We may need to verify you are who you say you are; we respond within one month (extendable by two months for complex requests, and we will tell you if so). Exercising your rights is free.
You also have the right to complain to a data protection supervisory authority — in the EU, the authority of your member state; in the UK, the ICO. We would appreciate the chance to resolve your concern first, but you do not need our permission to complain.
If your request concerns candidate data, the employer you applied to controls it — the Candidate Privacy Notice explains the fastest route, and we assist the employer with these requests under our DPA.
9. Children
In short: Our sites and Service are for work — not for children.
Our websites and the Service are directed at businesses and working professionals, not at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has given us personal data, contact privacy@rubrily.com and we will delete it.
10. Security
In short: Tenant isolation, role-based access and the rest of our security posture live on the security page and in the DPA's Annex II.
The measures protecting your data — per-organization tenant isolation with row-level security, role-based access control, candidate consent gates, in-product erasure workflows and PII-scrubbed shared reports — are described on our security page and, in contractual form, in Annex II of the DPA. If you find a vulnerability, email legal@rubrily.com and we will respond quickly.
11. Changes to this policy
In short: We date every version, and material changes get real notice — not a silent edit.
When we change this policy, we update the “last updated” date and the version number above. For material changes we give prominent notice on the site — and email account owners — before the change takes effect. Earlier versions are available on request from privacy@rubrily.com.
Contact
Phaedra Solutions ([CONFIRM: exact registered legal form, e.g. “Phaedra Solutions (Private) Limited”]), Lahore, Pakistan · [CONFIRM: full registered company address]
Privacy: privacy@rubrily.com · Legal: legal@rubrily.com · General: contact@rubrily.com