Relay

Legal

Privacy Policy

How Relay collects, uses, and protects your information.

Last updated: April 5, 2025

The short version: Relay processes data on your behalf to operate the platform. We do not store, view, or retain any media content — recordings, video streams, or audio — generated by your users. That data flows directly to infrastructure you own and control.

1. Who we are

Relay (“we”, “our”, “us”) is a real-time communication infrastructure platform providing managed video rooms, automatic recording, AI content moderation, and related services via a REST API. References to “you” mean the organisation and its authorised users accessing Relay.

For privacy questions, contact us at privacy@relay.dev.

2. Information we collect

Account and organisation data

When you create an account, we collect:

  • Name and email address
  • Organisation name
  • Billing information (processed and stored by Stripe — we never see raw card numbers)
  • API keys (stored as SHA-256 hashes — we cannot recover the plaintext)

Usage and operational data

To operate the platform and calculate billing, we collect:

  • Hall creation and close events (timestamps, configuration)
  • Participant join and leave events (participant ID, display name, duration)
  • Participant-minutes per billing period
  • Moderation flag metadata (type, confidence score, timestamp) — not the underlying video frames
  • API request logs (endpoint, method, status code, latency) — retained for 30 days
  • Webhook delivery attempts and response codes

Technical data

  • IP addresses of API clients (used for rate limiting and abuse prevention)
  • Browser and device information when you access the dashboard
  • Cookies required for dashboard authentication (Supabase session tokens)

What we do NOT collect

Relay is designed as a conduit, not a custodian. We explicitly do not collect:

  • Video or audio streams from your halls
  • Recording files — these are written directly to your S3 bucket
  • Video frames submitted to AI moderation — we receive and forward flag metadata only
  • The content of your users' communications
  • Personal data about your end users beyond what you include in participant_id or display_name fields

3. How we use your information

We use the information we collect to:

  • Provision and operate the Relay platform on your behalf
  • Calculate and invoice usage-based billing (participant-minutes, moderation costs)
  • Detect and prevent abuse, fraud, and violations of our Terms of Service
  • Send transactional emails (account confirmation, invoice receipts, payment failure alerts)
  • Respond to support requests
  • Monitor platform health, diagnose bugs, and improve reliability
  • Comply with legal obligations

We do not sell your data to third parties. We do not use your data to train machine learning models. We do not send marketing communications without your explicit consent.

4. Third-party services

Relay uses the following sub-processors to operate the platform. Each is bound by a data processing agreement:

StripeUnited States

Payment processing and subscription billing

Data shared: Billing contact name, email, payment method details

SupabaseUnited States (AWS us-east-1)

Database and authentication infrastructure

Data shared: Account data, usage records, configuration

LiveKitGlobal edge network

WebRTC media server infrastructure

Data shared: Signalling metadata, room identifiers

Google CloudUnited States

AI content moderation (Video Intelligence API)

Data shared: Video clips submitted for moderation

Upstash / RedisUnited States

Rate limiting and session caching

Data shared: Anonymised request identifiers and counters

5. Data storage and security

Organisation credentials (S3 access keys, database credentials) are encrypted at rest using Supabase Vault. We use AES-256 encryption for data at rest and TLS 1.2+ for all data in transit.

API keys are hashed with SHA-256 and stored as hashes only. We cannot recover a plaintext key.

Row-level security policies on our database ensure that no organisation can access another organisation's data, even in the event of an application-level bug.

We retain operational logs for 30 days. Usage records required for billing are retained for 7 years in accordance with financial record-keeping obligations.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, port, or delete the personal data we hold about you. To exercise any of these rights, email privacy@relay.dev from the address associated with your account.

You can delete your organisation account at any time from Dashboard → Settings → Delete Account. This permanently deletes all account data, API keys, and usage records. Stripe billing history is retained for legal compliance.

7. Cookies

The Relay dashboard uses cookies solely for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

sb-access-token

Supabase authentication session

Duration: 1 hour

sb-refresh-token

Supabase session renewal

Duration: 60 days

8. International data transfers

Relay operates primarily from infrastructure located in the United States. If you are accessing the platform from the European Economic Area, United Kingdom, or Switzerland, your data is transferred to the United States. We rely on Standard Contractual Clauses (SCCs) as the legal basis for such transfers.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify account owners by email at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the revised policy.

10. Contact

For privacy-related enquiries or data subject requests:

Relay Privacy Team

privacy@relay.dev