Privacy Policy

Effective: March 13, 2026

1. What We Collect

When you use RVRY, we collect the following information:

Account Information

Email address (from your GitHub profile via authentication)
Display name (from your GitHub profile)
GitHub user identifier (for account linking)

Session Data

Questions you submit to the reasoning engine
Analysis output and harvest results produced by the engine
Session metadata: timestamps, round counts, operation types, status

Usage & Billing Data

Monthly run counts and subscription tier
Stripe customer and subscription identifiers (we do not store credit card numbers or payment details — Stripe handles that directly)

2. How We Use Your Data

To provide the Service — processing your questions, generating analysis, and displaying your session history in the dashboard
To manage your account — authentication, subscription management, and usage tracking
To bill you — processing payments through Stripe based on your subscription tier
To improve the Service — aggregated, anonymized usage metrics (e.g., session counts, feature usage) help us understand how the Service is used. We do not use your session content (questions or outputs) for this purpose
To communicate with you — service announcements, billing notifications, and responses to your inquiries

We do not sell your data. We do not use your session content to train language models or improve the constraint engine.

3. Cookies & Tracking

RVRY uses cookies strictly for authentication. We do not use advertising cookies, analytics trackers, or third-party tracking pixels.

Cookies We Set

rvry_session — an encrypted session token (httpOnly, secure). Contains your user ID and email. Expires after 7 days. Required for the Service to function.
rvry_logged_in — a non-sensitive indicator flag (value: “1”) readable by the marketing site to detect login state. Contains no personal information. Expires after 7 days.

Both cookies are set with the Secure and SameSite=Lax flags. They are scoped to the .rvry.ai domain.

We do not use Google Analytics, Meta Pixel, or any third-party tracking service.

4. Third-Party Services

We share data with the following third parties only as necessary to operate the Service:

Stripe (stripe.com) — processes payments. Receives your email address for billing. Stripe’s handling of your payment information is governed by Stripe’s Privacy Policy.
Supabase (supabase.com) — provides authentication infrastructure. Receives your GitHub credentials during the login flow. RVRY receives only your email and display name.
GitHub (github.com) — identity provider for authentication. We access your public profile information (email, name) through the OAuth flow. We do not access your repositories, code, or other GitHub data.
Cloudflare (cloudflare.com) — hosts the engine infrastructure. May process request metadata (IP addresses, request headers) as part of standard CDN and security operations, governed by Cloudflare’s Privacy Policy.

5. Data Storage & Retention

Your account data and session history are stored on servers hosted by Cloudflare (United States). Data is retained for as long as your account is active.

Upon account deletion, we will delete your personal data and session content within 30 days. Anonymized, aggregated usage statistics may be retained indefinitely.

Billing records may be retained as required by applicable tax and financial reporting laws.

6. Your Rights

Depending on your location, you may have the following rights:

All Users

Access — view the data we hold about you (available in your dashboard)
Deletion — request deletion of your account and associated data
Portability — request an export of your session data

European Economic Area (GDPR)

Right to access, rectify, and erase your personal data
Right to restrict or object to processing
Right to data portability
Right to lodge a complaint with your local data protection authority

Our legal basis for processing is contract performance (providing the Service you signed up for) and legitimate interest (service improvement via anonymized metrics).

California (CCPA/CPRA)

Right to know what personal information we collect and how it is used
Right to delete your personal information
Right to opt out of the sale of personal information — we do not sell your data
Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Security

We use industry-standard security measures to protect your data, including encrypted connections (TLS), secure cookie flags, hashed API tokens, and access controls. Authentication tokens are signed with HS256 and expire after 7 days.

No system is perfectly secure. If you discover a security vulnerability, please report it to [email protected].

8. Children

RVRY is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us with personal information, contact us at [email protected] and we will promptly delete it.

9. Changes

We may update this privacy policy. Material changes will be communicated via the email associated with your account at least 14 days before taking effect. The effective date at the top of this page will be updated accordingly.

Questions about this policy: [email protected]