Privacy Policy

Last updated: May 3, 2026

This is the privacy policy for Rivvie. It's short and specific. If anything is unclear, reply to any Rivvie email — it goes straight to the founder.

What we collect

When you sign up

• Email address.
• Password — stored only as a bcrypt hash. We never see the plaintext.

When you use Rivvie

• The competitor URLs you add as sources, and an optional CSS selector you scope them to.
• Snapshots of those public pages: their text content and a SHA-256 hash for change detection.
• AI-generated summaries of changes Rivvie detects.
• On Team plan: digest recipient email addresses you add, your Slack incoming-webhook URL.

When you pay

• Stripe handles your card details directly. We never see them.
• We store: your Stripe customer ID, subscription ID, plan, status, and renewal date.

What we don't collect

• Payment card numbers, expiries, or CVCs.
• Browser fingerprints, device IDs, or third-party tracking pixels.
• Anything from pages outside the watchlist you've explicitly configured.
• Cross-site analytics. Rivvie loads no third-party JavaScript.

Third parties we send data to

• Stripe — when you start checkout or open the billing portal. Subject to Stripe's privacy policy.
• Anthropic — diffs of public competitor pages, for AI summarization. We don't send your email or other personal data. Subject to Anthropic's privacy policy.
• Your SMTP / email provider — your email address and the body of any email Rivvie sends you (welcome, verification, daily digest).
• Railway — our hosting and Postgres provider. Your data resides in their US data centers. Subject to Railway's privacy policy.

Cookies

One cookie: a session cookie that keeps you logged in. It's httpOnly, secure in production, and SameSite=Lax. We don't use any other cookies, and we don't run any third-party analytics or tracking scripts.

How long we keep your data

• Account data — until you delete your account.
• Snapshots and detected changes — kept while the source is active. When you delete a source, its full history is deleted with it.
• Email digests sent to you — we don't archive these. Once delivered, they exist only in your inbox.

Your rights

• You can delete your account at any time. Deletion removes all associated data — sources, snapshots, changes, digest recipients, Slack URL, Stripe customer reference.
• You can request an export of your data via email — see Contact below.
• If you're in the EU/UK, you have rights under GDPR (access, rectification, erasure, portability, objection). If you're in California, you have rights under CCPA. We honor these requests; email us with your request.

Where your data lives

Rivvie is hosted on Railway. Your account data resides in their US data centers. AI summarization calls hit Anthropic's API, which may serve from US or EU regions depending on routing.

Children

Rivvie isn't designed for users under 13, and we don't knowingly collect data from children.

Security

• Passwords stored as bcrypt hashes (cost factor 12).
• HTTPS everywhere, enforced by HSTS headers.
• Email verification required before adding sources, to limit bot signups.
• Strict Content-Security-Policy preventing inline scripts and external script execution.
• Stripe webhook signatures verified against your endpoint secret on every event.

Changes to this policy

If we update this policy, we'll change the "Last updated" date at the top. If a change materially affects how we collect or use your data, we'll notify you by email.

Contact

Reply to any Rivvie email — they go straight to the founder. For data-rights requests (access, deletion, export, opt-out), include "Privacy" in the subject line.