Riv.IO is in Early Access — help shape the financial control plane for AI agents. Send feedback

Privacy Policy

Last updated June 30, 2026

This Privacy Policy explains what personal data Riv.IO collects, how we use it, and the rights you have. It is written to align with the Brazilian General Data Protection Law (LGPD) and the EU General Data Protection Regulation (GDPR).

1. Who we are (Controller)

Riv.IO (the “Service”) is the controller of the personal data described here. For data-protection matters you can reach us, including our data protection contact, at christopher.as@outlook.com.br.

Before commercial launch, the registered legal entity and tax registration (CNPJ) operating the Service will be identified here.

2. Data we collect

Account data: your email, name and authentication identifiers managed through our authentication provider, and your organization details.

Onboarding context: optional information you provide during signup (for example country and the platforms you use), stored as profile metadata, together with your acceptance of these terms.

Usage and ledger metadata: records of agent activity you generate — authorization decisions, amounts, currencies, categories and timestamps. We store only a hash of each agent credential (riv_ key), never the secret.

Technical data: limited information needed to operate the Service, such as cookies for session and language preference and basic request metadata.

We do not intentionally collect sensitive personal data, and we do not custody real funds or store payment-card numbers — card data is handled by our payment processor.

3. How we use your data

To provide, secure and improve the Service; to authenticate you; to run the authorization engine and maintain the ledger; to process subscriptions and billing; to communicate about your account and important changes; and to comply with legal obligations.

4. Legal bases

We process personal data on the bases permitted by the LGPD and GDPR, namely: performance of the contract with you (to provide the Service); compliance with legal obligations; our legitimate interests (such as securing and improving the Service); and your consent where required (for example certain communications).

5. Sharing and sub-processors

We do not sell your personal data. We share it with service providers that process data on our behalf under appropriate safeguards, including: Supabase (authentication and database), Stripe (payment processing) and Vercel (hosting). Each acts under its own terms and security commitments.

We may disclose data if required by law or to protect our rights, users or the public.

6. Data retention

We retain account and usage data for as long as your account is active and as needed to provide the Service. Ledger records are designed to be immutable (soft-delete) so the audit trail remains intact; retention windows may depend on your plan.

When data is no longer needed and no legal obligation requires its retention, we delete or anonymize it.

7. Security

We use technical and organizational measures appropriate to the risk, including encryption in transit, hashing of credentials, access controls and audit logging. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

8. International transfers

Our providers may process data in countries other than yours. Where personal data is transferred internationally, we rely on safeguards permitted by the LGPD and GDPR, such as adequacy decisions or standard contractual clauses.

9. Your rights

Subject to applicable law, you have the right to confirm whether we process your data and to access it; to correct incomplete or inaccurate data; to request anonymization, blocking or deletion of unnecessary or excessive data; to data portability; to information about sharing; and to withdraw consent. Under the GDPR you may also object to or restrict certain processing and lodge a complaint with a supervisory authority (in Brazil, the ANPD).

To exercise your rights, contact us at christopher.as@outlook.com.br.

10. Cookies

We use a small number of cookies necessary to operate the Service: authentication/session cookies, a language preference cookie (NEXT_LOCALE) and a “remember me” preference cookie (riv_persist) that controls how long your session lasts. We do not use advertising cookies.

11. Children

The Service is not directed to children and is intended for users who can form a binding contract. We do not knowingly collect data from children.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be signaled by updating the “last updated” date and, where appropriate, through the Service.

13. Contact

For privacy questions or to exercise your rights, contact our data protection point at christopher.as@outlook.com.br.