Privacy Policy

Last Updated: February 12, 2026

This Privacy Policy describes how OpsaFlow ("Company", "we", "us", or "our") collects, uses, and shares information when you use Rivestack's managed PostgreSQL database services ("Services").

By using our Services, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Name
  • Password (hashed)
  • Authentication provider data (Google, GitHub) if you use social login

1.2 Billing Information

Payment processing is handled by LemonSqueezy. We do not store credit card numbers. We receive:

  • Billing name and address
  • Transaction history
  • Subscription status

1.3 Your Database Data

We host the data you store in your databases ("Your Data"). We do not access, view, or analyze Your Data except:

  • To provide the Services (hosting, backups, replication)
  • When required by law
  • With your explicit permission for support purposes

1.4 Usage Data

We automatically collect:

  • IP addresses
  • Browser type and version
  • Pages visited and features used
  • Database metrics (CPU, memory, storage, connections)
  • API requests and Terraform operations
  • Error logs and performance data

1.5 Cookies

We use essential cookies for:

  • Authentication and session management
  • Security and fraud prevention

We do not use advertising or tracking cookies.

2. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Services
  • Process payments and manage subscriptions
  • Send transactional emails (welcome, billing, alerts)
  • Monitor and ensure service security
  • Provide customer support
  • Comply with legal obligations
  • Detect and prevent abuse

3. How We Share Your Information

We do not sell your personal information. We share information only with:

3.1 Service Providers

  • LemonSqueezy: Payment processing
  • Auth0: Authentication services
  • Hetzner: Infrastructure hosting
  • DigitalOcean: Backup storage
  • Cloudflare: CDN and security

3.2 Legal Requirements

We may disclose information if required by law, court order, or government request.

3.3 Business Transfers

If Rivestack is acquired or merged, your information may be transferred to the new owner.

4. Data Storage and Security

4.1 Data Location

Your Data is stored in the region you select:

  • EU: Falkenstein, Germany (Hetzner)
  • US-East: Ashburn, Virginia (Hetzner)

Backups are stored in Frankfurt, Germany (DigitalOcean Spaces).

4.2 Security Measures

We implement industry-standard security measures:

  • SSL/TLS encryption for all connections
  • Encrypted backups
  • Network isolation and firewalls
  • Regular security updates
  • Access controls and authentication

4.3 Data Retention

  • Account data: Retained while your account is active, deleted within 30 days of account closure
  • Your Data: Deleted within 30 days of account termination
  • Backups: Retained per your subscription tier (7-30 days), then deleted
  • Logs: Retained for up to 90 days for security and debugging

5. Your Rights

Depending on your location, you may have the right to:

5.1 Access

Request a copy of the personal information we hold about you.

5.2 Correction

Request correction of inaccurate personal information.

5.3 Deletion

Request deletion of your personal information and account.

5.4 Portability

Request your data in a portable format.

5.5 Objection

Object to certain processing of your personal information.

5.6 Withdraw Consent

Withdraw consent where processing is based on consent.

To exercise these rights, contact us at privacy@rivestack.io.

6. GDPR Compliance (EU Users)

For users in the European Economic Area (EEA):

6.1 Legal Basis

We process your data based on:

  • Contract: To provide the Services you subscribed to
  • Legitimate Interest: To improve Services and ensure security
  • Legal Obligation: To comply with applicable laws
  • Consent: Where explicitly provided

6.2 Data Controller

OpsaFlow acts as the Data Controller for account and usage data.

6.3 Data Processor

OpsaFlow acts as the Data Processor for Your Data stored in databases.

6.4 International Transfers

Your data may be transferred to and processed in countries outside the EEA. We ensure appropriate safeguards are in place.

6.5 Supervisory Authority

You have the right to lodge a complaint with your local data protection authority.

7. California Privacy Rights (CCPA)

California residents have additional rights:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising privacy rights

To exercise these rights, contact us at privacy@rivestack.io.

8. Children's Privacy

Our Services are not intended for children under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us immediately.

9. Third-Party Links

Our Services may contain links to third-party websites. We are not responsible for their privacy practices.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Services. The "Last Updated" date at the top indicates when the policy was last revised.

11. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights:

Email: privacy@rivestack.io
General inquiries: hello@rivestack.io
Website: rivestack.io


By using Rivestack, you acknowledge that you have read and understood this Privacy Policy.
