Privacy Policy
Last updated: 30 April 2026
Rivlr is operated by Webgro Ltd ("we"). This policy explains what personal data we collect, why, and what rights you have. We comply with the UK GDPR and Data Protection Act 2018.
Data Controller
Webgro Ltd is the data controller for personal data processed through the Service. Contact: support@rivlr.app.
What We Collect
| Category | What | Why | Legal basis |
|---|---|---|---|
| Account | Email, password hash, name (optional) | To identify you and provide the Service | Contract |
| Billing | Stripe customer ID, billing address, VAT number, last 4 of card | To take payment and issue invoices | Contract / Legal obligation (tax) |
| Operational | IP address, user agent, browser logs | Security, fraud prevention, debugging | Legitimate interest |
| Tracked URLs | The URLs and notes you add | To provide the tracking service | Contract |
| Notification settings | Email addresses you've configured for alerts | To send the alerts you've requested | Contract |
What We Don't Collect
- We don't use third-party advertising or analytics trackers.
- We don't sell or rent personal data.
- We don't profile users for marketing purposes.
Sub-Processors
We rely on the following sub-processors to deliver the Service:
- Vercel Inc. · application hosting (US/EU)
- Neon Inc. · database hosting (EU-West)
- Stripe Payments UK Ltd · payment processing (UK)
- Resend Inc. · transactional email delivery (US)
Each processes personal data on our behalf under appropriate data processing agreements with standard contractual clauses where data leaves the UK/EEA.
Data Retention
- Account data: kept while your account is active, plus 30 days after termination, then deleted (except where retention is required by law, e.g. tax records).
- Tracked URLs and observation history: kept while your account is active. On free plans we may delete observations older than 90 days. On paid plans, indefinitely until you cancel.
- Billing records: 7 years (UK statutory tax retention).
- Logs: typically 30 days.
Your Rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten").
- Restrict or object to processing.
- Receive your data in a portable format.
- Lodge a complaint with the Information Commissioner's Office (ICO).
To exercise any of these, email support@rivlr.app. We'll respond within 30 days.
Cookies
We use a small number of strictly necessary cookies (session and theme preference). We don't use analytics or advertising cookies by default. See our Cookie Policy for details.
International Transfers
Some sub-processors are based outside the UK/EEA (notably Vercel and Resend in the US). Where this happens, we use standard contractual clauses approved by the UK Information Commissioner's Office to protect your data.
Security
We use TLS for all traffic, encrypted databases at rest, and principle-of-least-privilege access for our team. No system is 100% secure; if we detect a breach affecting your data we'll notify you within 72 hours per UK GDPR.
Changes
We may update this policy. Material changes are notified by email at least 14 days in advance.
Contact
Privacy questions: support@rivlr.app
This policy is a template. Have it reviewed by a solicitor or privacy professional before relying on it in production.