Riv.ai

Privacy Policy

Effective: 29 May 2026
Last updated: 29 May 2026
GDPR · DPDP · CCPA

RivAi Communications Private Limited ("Riv.ai", "we", "our", or "us") is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and the rights you hold over it - wherever you are in the world.

01

Overview

This policy applies to all personal data processed by RivAi Communications Private Limited in connection with our website at riv.ai, our platform products, our marketing communications, and any other service where this policy is referenced.

We operate primarily from India and serve customers globally. Accordingly, this policy is designed to meet the requirements of:

  • India - Digital Personal Data Protection Act, 2023 (DPDP Act) and its implementing rules
  • European Union / European Economic Area - General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • United Kingdom - UK GDPR as retained under the Data Protection Act 2018
  • United States (California) - California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
  • Other applicable national or regional data-protection laws where Riv.ai operates or processes data

If a specific law grants you stronger rights than this policy describes, those rights prevail. Please refer to the "Your Rights" section for jurisdiction-specific entitlements.

02

Who We Are

Data Controller (GDPR/UK GDPR) · Data Fiduciary (DPDP Act) · Business (CCPA):

RivAi Communications Private Limited

Plot no-A4, Logix Technova, B-320, Sector-132, Noida, Gautam Buddh Nagar - 201304, India
sales@rivai.in
+91 96544 14464

For the purposes of the DPDP Act 2023, we are the Data Fiduciary that determines the purpose and means of processing your personal data. Where we process data on behalf of our enterprise customers, we act as a Data Processor under GDPR and a Data Processor under the DPDP Act, and the relevant data processing agreement with that customer governs such processing.

Grievance Officer (DPDP Act): Queries or complaints relating to the handling of your personal data may be directed to our Grievance Officer at sales@rivai.in. We will acknowledge your grievance within 24 hours and endeavour to resolve it within 30 days, as required by applicable law.

03

Information We Collect

We collect personal data in the following categories:

3.1 Information you provide directly

  • Contact and account data: name, email address, phone number, company name, job title - collected when you request a demo, create an account, or contact us.
  • Communication content: messages, queries, and feedback you send us through our contact forms or support channels.
  • Payment and billing data: invoicing details and payment references (full payment-card data is handled by our PCI-DSS-compliant payment processors; we do not store raw card numbers).
  • Professional data: information you voluntarily share about your organisation, use cases, or business requirements during onboarding or sales conversations.

3.2 Information collected automatically

  • Usage and log data: IP address, browser type, operating system, referring URL, pages visited, time spent, and click events on our website and platform.
  • Device identifiers: browser fingerprint, device type, screen resolution, and session identifiers.
  • Cookie and tracker data: see Section 9 (Cookies & Tracking) for full details.

3.3 Information from third parties

  • Analytics providers: aggregated and anonymised traffic data from services such as Vercel Analytics.
  • CRM and lead enrichment tools: publicly available business-card data (company, role, business email) used to contextualise sales conversations.
  • Referral partners: name and contact details shared with us by a partner when they refer a prospective customer.

3.4 Special categories of data

We do not intentionally collect special categories of personal data (i.e. health, racial or ethnic origin, religious beliefs, genetic/biometric data, political opinions, sexual orientation) or sensitive personal data as defined under the DPDP Act. If you inadvertently share such data with us, please contact us immediately so we can delete it.

04

How We Use Your Information

We use your personal data only for the purposes described below:

Purpose | Examples
Service delivery | Providing, operating, and improving our platform and communication tools
Account management | Creating and maintaining your account, authentication, billing
Customer support | Responding to enquiries, troubleshooting, resolving complaints
Sales & marketing | Sending product updates, event invitations, and commercial communications (with consent or legitimate interest where applicable)
Analytics & product improvement | Understanding usage patterns, improving features, conducting research
Security & fraud prevention | Detecting abuse, unauthorised access, and protecting our infrastructure
Legal compliance | Meeting statutory record-keeping, tax, and regulatory obligations
Business operations | Invoicing, contract management, and internal audits

We will not use your personal data for automated decision-making that produces legal or similarly significant effects without your explicit consent, except where permitted by law.

06

Data Sharing & Disclosure

We do not sell your personal data. We share it only in the circumstances described below, and only to the extent necessary for the stated purpose.

6.1 Service providers and sub-processors

We engage trusted third-party companies to assist in operating our business, including cloud hosting, analytics, email delivery, CRM, payment processing, and customer support tooling. All such vendors are bound by written data-processing agreements that prohibit them from using your data for their own purposes and require them to implement appropriate security measures.

6.2 Enterprise customers

Where we process personal data on behalf of an enterprise customer using our platform, that customer acts as the data controller or data fiduciary, and our obligations as a processor are governed by a separate Data Processing Agreement.

6.3 Business transfers

In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change via the contact details we hold or through a prominent notice on our website.

6.4 Legal obligations and safety

We may disclose personal data if required to do so by applicable law, regulation, court order, or government authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Riv.ai, our users, or the public.

6.5 Consent-based sharing

We may share your data with any third party where you have given us explicit consent to do so.

07

International Data Transfers

Our primary operations and data storage are located in India. When we transfer personal data to third-party service providers outside India, or when EU/EEA/UK users access our services, we ensure adequate safeguards are in place:

  • Standard Contractual Clauses (SCCs): For transfers to countries without an EU adequacy decision, we rely on the European Commission's approved SCCs (2021/914).
  • UK International Data Transfer Agreements (IDTAs): For transfers from the UK.
  • DPDP Act cross-border transfer rules: We transfer personal data to countries or territories notified by the Central Government as permissible under Section 16 of the DPDP Act, and we apply appropriate contractual safeguards where required.
  • Adequacy decisions: Where a relevant authority (European Commission, UK Information Commissioner's Office) has determined that a destination country ensures an adequate level of protection.

You may request a copy of the specific safeguards applicable to your data transfer by contacting us at sales@rivai.in.

08

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Our general retention periods are:

Category | Retention period
Account and contract data | Duration of the contract + 7 years (for tax and legal compliance)
Marketing contact data | Until you unsubscribe or withdraw consent, or 3 years of inactivity
Support and communication records | 3 years from the date of last interaction
Website log and analytics data | 13 months rolling
Cookie consent records | 3 years
Security and access logs | 1 year

After the applicable retention period, data is securely deleted or anonymised. Under the DPDP Act, personal data will be erased once the purpose for which it was collected is no longer served and retention is not required by law.

09

Cookies & Tracking Technologies

We use cookies and similar technologies to operate and improve our website and platform. Below is a summary of the categories in use:

Category | Purpose | Consent required?
Strictly necessary | Session management, authentication, security | No (essential to service)
Performance & analytics | Usage statistics, error reporting, performance measurement via Vercel Analytics and Speed Insights | Yes (for EU/UK visitors)
Functional | Remembering preferences, language, and UI state | Yes
Marketing | Retargeting, conversion tracking (if and when enabled) | Yes

How to manage cookies: You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling strictly-necessary cookies may impair the functionality of our website. For EU/UK/EEA visitors, we present a consent banner on your first visit; you may update your preferences at any time.

Do Not Track: Some browsers transmit a "Do Not Track" signal. We currently do not alter our data-collection practices in response to such signals, but we will revisit this position as standards evolve.

10

Your Rights

You have rights over your personal data. The specific rights available to you depend on your jurisdiction. We will respond to all verified requests within 30 days (or sooner where required by law).

Rights under GDPR / UK GDPR (EU, EEA & UK residents)

  • Right of access (Art. 15): Obtain a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data where it is no longer necessary, consent has been withdrawn, or we have no other lawful basis to retain it.
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format, and transmit it to another controller.
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct-marketing purposes at any time.
  • Rights related to automated decision-making (Art. 22): Not be subject to decisions based solely on automated processing that produce significant effects, unless you have given explicit consent.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, your national DPA in the EU).

Rights under the DPDP Act 2023 (India residents)

  • Right to information (Section 11): Obtain a summary of the personal data we hold about you and how it is being processed.
  • Right to correction and erasure (Section 12): Request correction of inaccurate, incomplete, or outdated personal data; request erasure of personal data that is no longer necessary for the purpose it was collected.
  • Right of grievance redressal (Section 13): Have grievances addressed within the timeframes prescribed by the DPDP Act. See Section 2 for our Grievance Officer contact.
  • Right to nominate (Section 14): Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
  • Right to withdraw consent: Withdraw consent at any time for processing based on consent. Withdrawal will not affect the legality of prior processing.
  • Right to complain to the Data Protection Board: Lodge a complaint with the Data Protection Board of India if your grievance is not resolved to your satisfaction.

Rights under CCPA / CPRA (California residents)

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
  • Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale / sharing: We do not sell or share personal information for cross-context behavioural advertising. No opt-out is therefore required, but you may contact us if you have concerns.
  • Right to limit use of sensitive personal information: Where applicable, limit our use of sensitive personal information to the purposes specified by law.
  • Right to non-discrimination: You will not receive discriminatory treatment for exercising any CCPA right.

How to exercise your rights

Submit your request by email to sales@rivai.in or by calling +91 96544 14464. We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests; however, we reserve the right to charge an administrative fee or decline manifestly unfounded or excessive requests.

11

Children's Privacy

Our services are intended for business professionals and are not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. Under the DPDP Act 2023, we do not process personal data of children (under 18) without verifiable parental or guardian consent, and we do not track, behaviorally monitor, or target advertising at children.

If you believe we have inadvertently collected personal data from a child, please contact us immediately at sales@rivai.in and we will delete it promptly.

12

Security

We implement and maintain appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. These include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • Role-based access controls and least-privilege principles
  • Regular security assessments and vulnerability scanning
  • Secure software development lifecycle practices
  • Employee training on data protection and security awareness
  • Incident response and breach notification procedures

Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority or Data Protection Board within the timeframes required by applicable law (72 hours under GDPR; as prescribed under the DPDP Act rules).

No method of transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of any credentials used to access our platform.

13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or our services. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users by email or through a prominent notice on our website at least 30 days before the change takes effect (for material changes affecting your rights)
  • Seek fresh consent where required by law (e.g. where we intend to process data for a new purpose)

Your continued use of our services after the effective date of any update constitutes acceptance of the revised policy to the extent permitted by law. We encourage you to review this page periodically.

14

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our personal data practices, please contact our Grievance Officer / Data Protection contact:

Grievance Officer & Data Contact

RivAi Communications Private Limited

Plot no-A4, Logix Technova, B-320, Sector-132, Noida,
Gautam Buddh Nagar - 201304, India
sales@rivai.in
+91 96544 14464

We acknowledge all privacy-related communications within 24 hours and aim to resolve them within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the relevant supervisory authority or the Data Protection Board of India.