Privacy Policy

Effective April 29, 2026

Plain summary

We collect your email if you join our waitlist; you can unsubscribe in one click. When you run the RuleSheet Airtable extension, we log each run on our own servers for product integrity. We don't sell or share your data, run advertising, or run marketing trackers.

Who we are

RuleSheet is operated by Inline Tools LLC, a Texas limited liability company (the "Company", "we", "us"). This policy describes what we do with information collected through rulesheet.app before the product is publicly launched.

What we collect

When you submit your email through the waitlist form, we record:

The email address you provide.
A salted SHA-256 hash of your IP address (not the raw IP), so we can detect duplicate abuse without storing identifying network information for legitimate signups.
Your browser's User-Agent string (truncated), used for the same purpose.
The timestamp of the submission.

For abuse-prevention events specifically — rate-limited or failed bot-challenge attempts — we additionally log the raw IP address to short-lived server logs. These logs are not joined to subscriber records.

Why we collect it

Email: to send a single launch announcement and, if you reply, to respond.
Hashed IP and User-Agent: to deter bot signups and abuse via Cloudflare Turnstile and rate limiting.

Internal operator notification

When a new signup is recorded, our system sends a one-time internal email to the Company operator containing your email address, the raw IP of that submission, and the User-Agent string. This is how a small team gets notified of new signups; it is not shared with any third party.

Service providers

We use Cloudflare, Inc. as our infrastructure provider. Cloudflare processes data on our behalf for the following functions:

Hosting the website and API (Cloudflare Workers and D1).
Bot and abuse detection (Cloudflare Turnstile).
Outbound email delivery (Cloudflare Email Routing).
Aggregate, cookieless website analytics (Cloudflare Web Analytics) — page views and referrers only, no cross-site tracking.

Cloudflare may set short-lived security cookies (such as __cf_bm) for bot management. We do not set any first-party tracking cookies.

Retention

Waitlist records are retained until product launch, plus a reasonable period afterward to complete the launch communication. After that, records are either migrated into the product's customer database (if you become a customer) or deleted. You may request earlier deletion at any time.

When you use the RuleSheet Airtable extension

After you install the RuleSheet extension into an Airtable Interface, it processes data from your Airtable base to run the bulk edits you configure. The extension has no access to anything outside the Airtable interface where you install it; Airtable's Custom Extension SDK enforces that boundary.

Data the extension reads from your Airtable base

The extension reads only the table — and optionally the view — you choose in its configuration panel. Within that scope it reads:

Field metadata (names, types, options) of the chosen table.
Record values within the chosen table or view, used to evaluate your filter conditions and to preview proposed edits.
Your Airtable identity as reported by the platform's session in your browser — your user ID, email, and name. Airtable surfaces these to every extension running inside an Interface.

Data we send to our servers when you run a bulk edit

Every bulk-edit run is recorded in an audit log on our servers. This is required for product integrity: it lets us detect bugs that corrupt data, respond to support requests with full context, and pull the product if it ever becomes unsafe. Each run produces one audit-log record containing:

An operation ID (a random UUID generated in your browser).
The Airtable base ID, table ID, and (if used) view ID. These are platform-public identifiers, not secrets.
Your Airtable user ID, email, and name, from the previous step.
The filter conditions you applied (field IDs and the values you typed).
The field updates you applied (field IDs and the values you typed).
The number of records affected and a record-by-record diff of the field values that changed (before and after). Diffs over 5 MB are truncated to the first 50 records to keep the database performant.
The run's outcome — completed, partial failure, or aborted — plus an error message on failure.
The version of the extension you ran.
A salted SHA-256 hash of your IP address (never the raw IP) and the request's Origin header. We use these to investigate abuse, debug failures, and respond to security or support incidents.

Two implications worth flagging before you install: first, the filter and update values you type are stored verbatim — if you filter on or write a field that contains email addresses, names, or other personal data, those exact values are preserved in the audit log. Second, because the before-and-after diffs preserve record values verbatim, the audit log will mirror whatever your records contain. If your base holds regulated personal data — for example health information, payment-card data, or data covered by HIPAA, PCI-DSS, GDPR special categories, or similar regimes — please evaluate whether our data handling fits your obligations before installing RuleSheet on that base.

If multiple collaborators have access to the Airtable Interface where RuleSheet is installed, each run is recorded under the identity of whoever clicked Run — not the person who configured the extension. The audit log will therefore contain one row per run, attributed to the collaborator who performed it.

The extension also performs a quota check (a GET request containing only the base ID) before each run to enforce per-base monthly limits. No record data is sent in that request.

What the extension does not do

No third-party analytics, advertising, or marketing trackers.
No browser fingerprinting or cross-site tracking.
No persistent cookies (the extension runs in Airtable's sandboxed iframe).
No transmission of record data to any party other than Cloudflare, our infrastructure provider.

Where the audit log is stored

The audit log is stored in Cloudflare D1, in Cloudflare's Western North America (WNAM) region in the United States. Read replication is currently disabled, so audit-log records are not copied to any other region. Requests to our endpoints first reach Cloudflare's global edge network at the point of presence closest to you, which forwards them to the WNAM region for processing and storage.

Retention (extension audit log)

Audit-log records are retained for 12 months from the date of the run, after which they are deleted. If a record is part of an active investigation — a support case, a security incident, or a legal hold — we keep it until the investigation is resolved.

You can request earlier deletion of audit-log records associated with a specific Airtable base by emailing hello@rulesheet.app from a base owner's address with the base ID. We may decline a deletion request when we have a documented legal or safety reason to keep the record, and we will tell you when we do.

Your rights

Unsubscribe: every email we send includes a one-click unsubscribe link, which removes you from the waitlist immediately.
Access, correction, deletion: email hello@rulesheet.app from the address you signed up with and we will respond within a reasonable time.
Depending on where you live, you may have additional rights under laws such as the GDPR (EU/UK), CCPA/CPRA (California), or the Texas Data Privacy and Security Act. We honor these rights to the extent they apply.

Children

RuleSheet is a product for businesses. The waitlist is not directed to children under 16, and we do not knowingly collect information from them.

Changes to this policy

If we make material changes, we'll update the effective date above and, where appropriate, notify subscribers by email before the changes take effect.

Contact

Inline Tools LLC
c/o Northwest Registered Agent, LLC
5900 Balcones Drive, Suite 100
Austin, TX 78731
United States
hello@rulesheet.app