Privacy Policy
Last updated: May 14, 2026
1. Introduction
Riven AI, Inc. ("Riven", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at riven-ai.dev and use our services (collectively, the "Services").
This policy applies to all users globally, including those in the European Economic Area (EEA), United Kingdom, California, and Brazil. Where applicable, we comply with the GDPR, UK GDPR, CCPA/CPRA, LGPD, and other applicable data protection laws.
2. Information We Collect
2.1 Information You Provide
- Account data: name, email address, password (hashed), and organization name when you register.
- Billing data: payment card details (processed by Paddle, our merchant of record — we do not store raw card numbers), billing address, and invoicing information.
- Communications: messages you send us via email, support tickets, or our contact form.
- Usage content: code, configurations, and agent definitions you create within the platform.
2.2 Information Collected Automatically
- Log data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps.
- Device data: device identifiers, hardware model, and network information.
- Cookies & similar technologies: session tokens, preference cookies, and analytics identifiers. See our Cookie Policy for details.
- Usage analytics: feature interactions, CLI command patterns (anonymized), and error reports — only with your consent.
2.3 Information from Third Parties
We may receive information from identity providers (GitHub OAuth, Google SSO), our payment processor (Paddle), and analytics vendors when you use those services to interact with Riven.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Services.
- Process transactions and send related notices (receipts, invoices).
- Authenticate users and secure accounts.
- Send transactional emails (password resets, deployment alerts).
- Send marketing communications — only with your explicit opt-in consent, which you may withdraw at any time.
- Analyze usage trends to improve product features.
- Comply with legal obligations and enforce our Terms of Service.
- Detect and prevent fraud, abuse, and security incidents.
What we do not do: We do not sell your personal data. We do not use the code, configurations, agent definitions, files, or other content you upload to the platform to train our own AI models, and we do not share that content with third-party model providers for training. Content you upload is used solely to provide the Services you have requested.
4. Legal Bases for Processing (EEA / UK)
If you are located in the EEA or UK, we process your personal data on the following legal bases:
- Contract: processing necessary to provide the Services you have requested.
- Legitimate interests: analytics, fraud prevention, and product improvement — balanced against your rights.
- Consent: marketing communications and optional analytics cookies.
- Legal obligation: compliance with applicable laws and regulations.
5. Cookies
We use essential, analytics, and marketing cookies. You can manage your preferences at any time via our cookie banner or the Cookie Policy page. Essential cookies are strictly necessary for the Services to function and cannot be disabled.
6. Data Sharing and Disclosure
We do not sell your personal data. We share data only with:
- Service providers: cloud infrastructure (AWS), payment processing (Paddle), analytics (PostHog), email delivery (Amazon SES), and error monitoring (Sentry).
- Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to you.
- Legal requirements: when required by law, court order, or governmental authority.
- With your consent: for any other purpose with your explicit consent.
All third-party processors are bound by Data Processing Agreements (DPAs) and may only process data on our documented instructions.
7. International Data Transfers
Riven AI is headquartered in the United States. If you are located outside the US, your data may be transferred to and processed in the US and other countries. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other adequacy mechanisms.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide Services. We retain billing records for seven (7) years for legal and tax purposes. Log data is purged after 90 days unless required for ongoing investigations. You may request deletion at any time (see Section 10).
9. Security
We implement industry-standard technical and organizational measures including TLS 1.2+ in transit, AES-256 at rest, multi-factor authentication, role-based access controls, and ongoing security review. For details on our security program, see our Security page. We do not currently hold formal compliance certifications (SOC 2, ISO 27001, HIPAA). No method of transmission over the Internet is 100% secure.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
- Restriction: limit how we process your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
- Non-discrimination (CCPA): we will not discriminate against you for exercising your rights.
To exercise these rights, email privacy@riven.dev. We will respond within 30 days (45 days for complex requests, with notice). We may verify your identity before fulfilling requests.
11. Children's Privacy
The Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or a prominent notice on the site at least 30 days before they take effect. Continued use of the Services after changes constitutes acceptance.
13. Contact Us
For privacy questions or to exercise your rights, contact our Data Protection Officer:
EEA/UK users may also lodge a complaint with their local supervisory authority.