Privacy Policy
Last updated July 13, 2026
This policy explains what personal data Rutba collects, how and why we use it, who we share it with, how we process it using AI, and the choices and rights you have. It applies to the Rutba website, dashboard and API.
1. Who we are
Rutba is an autonomous SEO product operated by Outworx for Web-Design (Sole Establishment), licensed by the Dubai Department of Economy and Tourism (DET) under trade license no. 1556815 (commercial register no. 1348414), based in the Emirate of Dubai, United Arab Emirates. In this policy, "Rutba", "we", "us" and "our" refer to that entity.
For the purposes of the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the EU/UK General Data Protection Regulation where it applies, and comparable laws, Outworx for Web-Design is the controller of the personal data described here. Where we process data on your instructions about your own end users or connected accounts, we act as your processor. You can reach us about privacy at info@outworx.io.
2. Scope of this policy
This policy explains how we handle personal data across the Rutba website, dashboard and API. It covers three broad situations: information about you as an account holder; the third-party data you authorize us to access (such as your Search Console, analytics and CMS); and the content our systems generate and publish on your behalf.
It does not govern the independent practices of the third-party platforms you connect (for example Google, or your CMS), or the AI answer engines that may cite your content. Their handling of data is governed by their own policies.
3. Personal data we collect
We collect the following categories of personal data:
- Account and identity data — your name, email address, password credentials and organization details, handled through our authentication provider when you sign up or sign in.
- Billing data — plan, billing contact and transaction records. Card details are processed by our payment provider; we do not store full card numbers.
- Connected-service data — data you authorize us to access from services you connect, such as Google Search Console, Google Analytics, your CMS, and (where you choose) product or support data. This may include queries, URLs, traffic and engagement metrics, and content.
- Content and configuration — the sites, brand kits, insights, drafts, and articles you create or that Rutba generates for you, and settings such as autonomy mode.
- Usage, device and log data — interactions with the product, IP address, browser and device information, and diagnostic logs used to operate and secure the service.
- Communications — messages you send us, including contact-form submissions and support requests.
4. Connected services and how we use them
Rutba's core function is to mine your first-party data for insights, generate and fact-bind content, publish it to your systems, and track how it performs. To do that, you grant us access to specific third-party accounts, and we act on your behalf within them.
We access connected-service data only to provide these user-facing features — for example reading Search Console and analytics data to surface validated insights, and using CMS credentials to publish or update the articles you approve. We disclose every category of data we access and every action we take on your behalf, and we do not use this data for unrelated purposes.
5. Google user data and Limited Use
Where you connect Google services such as Search Console or Analytics, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:
- We use Google user data only to provide and improve the prominent, user-facing features you request in Rutba (such as insight mining and performance tracking).
- We do not use Google user data for advertising.
- We do not sell Google user data, and we do not transfer it except as needed to provide the service, with your consent, or as required by law.
- We do not use Google user data to train generalized or foundation AI/ML models.
- We do not allow humans to read your Google user data except where you explicitly agree, where necessary for security or to comply with law, or where the data is aggregated and used for internal operations in line with applicable requirements.
6. How we use personal data, and our legal bases
We process personal data for the purposes below. Where the GDPR or a similar regime applies, the corresponding legal basis is shown in brackets.
- To provide the service — mine insights, generate and validate content, publish to your connected platforms, and track rankings and AI citations (performance of our contract with you).
- To operate, secure and improve the product, prevent abuse, and debug issues (our legitimate interests, and compliance with legal obligations).
- To process connections you set up and act within them on your behalf (performance of our contract, and your consent granted at connection time).
- To communicate with you about your account and respond to requests (performance of our contract and our legitimate interests).
- To send optional product updates or marketing, where permitted (your consent, which you may withdraw at any time).
- To comply with legal, tax and regulatory obligations (compliance with a legal obligation).
7. Artificial intelligence processing
Rutba uses large language models to generate and fact-check content. To do this, we send relevant inputs — such as your validated insights, prompts and draft content — to trusted third-party AI providers that run the models on our behalf as subprocessors.
We do not use your content or connected data to train generalized or foundation AI models, and we select AI providers that contractually commit not to train their models on the content we submit through their APIs. AI outputs may be inaccurate; our fact-bind gate is a safeguard, not a guarantee, and you remain responsible for reviewing content before you rely on it.
8. Automated processing and autonomy
Depending on the autonomy mode you choose for each site, Rutba may publish content and take related actions automatically. A penalty-risk monitor also evaluates your domain on an ongoing basis. Every automated action is recorded in an audit log and, where marked undoable, can be reversed with one click.
You control the level of automation — supervised (you approve each action), autonomous, or paused — and can change it at any time. Where automated processing would produce legal or similarly significant effects on you, you may object or request human involvement as described under your rights below.
9. How we share personal data
We do not sell personal data. We share it only as follows:
- With subprocessors that help us run the product, under confidentiality and data-protection terms (see the next section).
- With the platforms you connect — for example, publishing your approved content to your CMS necessarily transmits it to that platform.
- For legal reasons — to comply with law, enforce our terms, or protect the rights, safety and security of our users, the public or us.
- In a business transfer — if we are involved in a merger, acquisition or sale of assets, subject to this policy continuing to apply.
10. Subprocessors
We rely on a small set of vetted providers to deliver the service. Categories include:
- Cloud hosting and database — to run the application and store your data.
- Authentication — to manage sign-up, sign-in and account security.
- AI model providers — to generate and fact-check content, under no-training terms.
- Payment processing — to handle billing on paid plans.
- Email and communications — to send transactional and support messages.
- Product analytics and error monitoring — to keep the service reliable.
11. International data transfers
We are based in the Emirate of Dubai, United Arab Emirates, and our providers may process data in other countries. Where we transfer personal data across borders, we do so in line with the transfer requirements of the UAE PDPL and, where applicable, the GDPR — relying on adequacy decisions, appropriate safeguards such as standard contractual clauses, or your explicit consent.
12. Data retention
We keep personal data for as long as your account is active or as needed to provide the service, then delete or anonymize it, unless a longer period is required to meet legal, tax, accounting or security obligations or to resolve disputes. Credentials for connected services are deleted when you disconnect them or close your account.
13. Security and data breaches
We apply technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and holding credentials and access tokens in a dedicated secret store separate from our primary database. No method of transmission or storage is completely secure.
If a personal data breach occurs that is likely to create a risk to your rights, we will notify the competent authority (including the UAE Data Office where required) and affected individuals without undue delay, in accordance with applicable law.
14. Your rights
Subject to applicable law, you have the right to access your personal data; to have it corrected or completed; to have it erased; to restrict or object to certain processing, including automated processing; to receive your data in a portable, machine-readable format; and to withdraw consent at any time without affecting processing already carried out.
If you are in the EEA or UK you may lodge a complaint with your supervisory authority; if you are in the UAE you may complain to the UAE Data Office. If you are a California resident, we do not sell or "share" your personal information for cross-context behavioral advertising, and you may exercise your access and deletion rights. To exercise any right, contact us at info@outworx.io; we may need to verify your identity first.
15. Cookies and similar technologies
We use strictly necessary cookies to run the site and keep you signed in, and we store your theme preference locally in your browser. If we introduce non-essential analytics or marketing cookies, we will ask for your consent where required and provide controls to manage them.
16. Children's privacy
Rutba is a business product not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
17. Third-party websites and AI engines
The service links to and interacts with third-party platforms, and AI answer engines may cite content we help you publish. We are not responsible for the content or privacy practices of those third parties; please review their policies.
18. Changes to this policy
We may update this policy from time to time. Material changes will be communicated through the product or by email, and the effective date above will be revised.
19. Governing law
This policy is governed by the laws of the Emirate of Dubai and the applicable federal laws of the United Arab Emirates, without prejudice to any mandatory data-protection rights available to you under the laws of your country of residence.
20. Contact
Questions or requests about this policy or your personal data can be sent to info@outworx.io. Rutba is a product of Outworx for Web-Design, the Emirate of Dubai, United Arab Emirates (license no. 1556815).