Privacy Policy

Riveo, Inc. ("Riveo," "we," "our," or "us") operates the Riveo interactive product demo platform, accessible at getriveo.com, and the Riveo Capture Chrome Extension (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, how we protect it, and the rights you have with respect to your personal data.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, do not use the Service.

This Policy applies to: • All visitors to getriveo.com and its subdomains • Registered users of the Riveo platform • Users of the Riveo Capture Chrome Extension • Anyone whose data is processed through demos created on our platform

**2.1 Information You Provide Directly**

Account Registration: When you create an account, we collect your name, email address, and (if applicable) Google OAuth profile information including your display name and profile picture.

Demo Content: Content you create within the Service, including screenshots, step titles, tooltip text, hotspot annotations, and demo configuration settings.

Communications: Messages you send us via email, support tickets, or in-app feedback forms.

**2.2 Information Collected Automatically**

Usage Data: Pages visited, features used, click paths, session duration, and interaction events within the Riveo platform.

Device & Browser Information: Browser type and version, operating system, device type, screen resolution, and language settings.

Log Data: IP address, timestamps, referring URLs, and HTTP request/response data. Log data is retained for up to 90 days.

Cookies & Similar Technologies: See Section 6 for full details.

**2.3 Information Collected via the Chrome Extension**

The Riveo Capture Chrome Extension collects the following data exclusively during an active, user-initiated recording session:

Screenshots: Visual captures of the active browser tab rendered as WebP images. Screenshots are taken only when the user explicitly starts a session and are transmitted directly to your Riveo account.

Click Metadata: CSS selector, element text, aria-label, and viewport-relative click coordinates of the HTML element you interact with. This data is used solely to annotate your demo steps.

Page Metadata: URL, page title, and detected content type (e.g., web app, terminal, IDE, slides) of the captured tab.

Session Authentication: The extension reads the NextAuth session cookie from the getriveo.com domain only, to authenticate uploads to your account. No cookies from any other domain are read, stored, or transmitted.

The extension does NOT: record audio or video, capture keystrokes or form field values, run passively on any page, or access any data outside of an active user-initiated recording session.

We use the information we collect for the following purposes:

**Service Delivery:** To create and manage your account, process and store your demos, authenticate your identity, and provide core product functionality.

**Product Improvement:** To understand how users interact with the Service, identify bugs, prioritize features, and improve the overall user experience. This analysis is performed on aggregated or de-identified data where possible.

**Communications:** To send transactional emails (account confirmations, password resets, demo share notifications), product updates, and — where you have opted in — marketing communications. You may opt out of marketing emails at any time via the unsubscribe link in any such email, consistent with the CAN-SPAM Act of 2003.

**Security & Fraud Prevention:** To detect, investigate, and prevent unauthorized access, abuse, and other harmful activity.

**Legal Compliance:** To comply with applicable law, respond to lawful government requests, enforce our Terms of Service, and protect the rights and safety of Riveo and its users.

**Legal Basis (where applicable):** Where EU/EEA/UK law applies, we process personal data on the basis of: (a) contract performance — to provide the Service you've requested; (b) legitimate interests — for security, fraud prevention, and product improvement; and (c) consent — for optional marketing communications.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

**Service Providers:** We engage trusted third-party service providers who process data on our behalf under binding data processing agreements:

• •Amazon Web Services (AWS) — cloud infrastructure, file storage (S3), and database hosting (RDS)
• •SendGrid (Twilio) — transactional email delivery
• •Sentry — error monitoring and crash reporting (anonymized stack traces)
• •OpenAI / Anthropic — AI-powered tooltip generation (demo content only, not PII; governed by their API data processing terms)
• •LangSmith — AI workflow tracing for internal debugging

**Demo Sharing:** When you publish a demo and share the link, the content of that demo (screenshots and annotations) is accessible to anyone with the link. You control sharing settings from your dashboard.

**Business Transfers:** If Riveo is involved in a merger, acquisition, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to such a transfer.

**Legal Requirements:** We may disclose your information if required by law, subpoena, court order, or other governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

**Aggregated Data:** We may share aggregated, de-identified data (e.g., "X% of demos are shared publicly") that cannot reasonably be used to identify any individual.

We retain your personal data for as long as your account is active or as needed to provide the Service.

Account Data: Retained for the duration of your account plus 30 days after deletion to allow for account recovery. After 30 days, account data is permanently deleted from production systems.

Demo Content (screenshots, steps): Retained until you delete the demo or close your account. Deleted demos are purged from storage within 30 days.

Server Logs: Retained for 90 days, then automatically purged.

Backups: Encrypted backups may retain data for up to 90 additional days after deletion from production systems.

You may request deletion of your account and associated data at any time by emailing privacy@getriveo.com or via the account settings page.

We use the following types of cookies:

**Strictly Necessary Cookies:** Required for the Service to function. These include the NextAuth session token (next-auth.session-token or __Secure-next-auth.session-token) used to authenticate your session. These cannot be disabled without breaking the Service.

**Analytics Cookies:** We may use first-party analytics to measure aggregate usage patterns. We do not use Google Analytics, Meta Pixel, or other third-party behavioral advertising trackers.

**Preference Cookies:** Store your settings such as theme preferences or dismissed banners.

You may control cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from using authenticated features of the Service.

The Riveo Capture Chrome Extension does not set any cookies. It reads only the Riveo session cookie from the getriveo.com domain, as described in Section 2.3.

**7.1 California Residents — CCPA / CPRA Rights**

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request deletion of personal information we have collected, subject to certain exceptions (e.g., data needed to complete a transaction, detect security incidents, or comply with legal obligations).

Right to Correct: You have the right to request correction of inaccurate personal information.

Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you may email us to confirm.

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. We will not deny services, charge different prices, or provide a different level of quality because you exercised your rights.

To submit a CCPA request, email privacy@getriveo.com with the subject line "CCPA Privacy Request." We will respond within 45 days. If we need an extension, we will notify you within the initial 45-day period.

**7.2 All Users**

Access & Portability: You may request a copy of the personal data we hold about you in a machine-readable format.

Correction: You may update your account information at any time via account settings, or by contacting us.

Deletion: You may delete your account via account settings or by emailing privacy@getriveo.com.

Objection / Restriction: You may object to or request restriction of certain processing activities.

To exercise any of these rights, email privacy@getriveo.com. We may need to verify your identity before processing your request.

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 years of age. If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us immediately at privacy@getriveo.com and we will take prompt steps to delete such information.

If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will delete that information from our records within 72 hours.

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• •Encryption in transit: All data transmitted between your browser/extension and our servers uses TLS 1.2 or higher.
• •Encryption at rest: Database and file storage is encrypted at rest using AES-256.
• •Access controls: Production database access is restricted to authenticated services; no direct public access.
• •Authentication: Session tokens are cryptographically signed JWE tokens with configurable expiry.
• •Infrastructure: Hosted on AWS within the us-east-1 region with VPC isolation.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security. In the event of a data breach that affects your rights and freedoms, we will notify affected users as required by applicable law.

The Service may contain links to third-party websites or services not operated by Riveo. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of third-party sites or services.

Riveo is operated in the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: By using the Service, you consent to the transfer of your personal data to the United States. We take steps to ensure that data transfers comply with applicable data protection law, including reliance on Standard Contractual Clauses where required.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• •Update the "Effective Date" at the top of this page
• •Send an email notification to registered users (for material changes)
• •Display a prominent notice within the Service for 30 days

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your account.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Riveo, Inc. Privacy Team Email: privacy@getriveo.com Website: https://getriveo.com

For California residents submitting CCPA requests, please include "CCPA Privacy Request" in the subject line of your email. We will respond within 45 days of receipt of a verifiable consumer request.