Privacy Policy
Effective Date: March 21, 2026
1. Introduction
TopHare Software Studio LLC ("Company," "we," "us," or "our"), a Texas limited liability company based in Houston, Texas, operates the Riovis platform available at riovis.com and all related services, applications, APIs, and documentation (collectively, the "Platform").
This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and protect your personal information when you visit our website, create an account, or use the Platform. It also describes your rights regarding your personal data under applicable privacy laws, including the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Texas Data Privacy and Security Act ("TDPSA"), and the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA").
By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Platform.
For purposes of the GDPR, TopHare Software Studio LLC is the data controller. For purposes of the CCPA/CPRA, we are the "business" that collects and processes your personal information.
2. Information We Collect
We collect information in the following categories when you interact with our Platform:
2.1 Account Information
When you create an account or update your profile, we collect your name, email address, company name, job title, and billing address. If you sign in using Google or Apple, we receive the profile information you authorize those providers to share (typically your name and email address). If you sign in via email magic link, we collect only the email address you provide.
2.2 Payment Information
Payments are processed by Stripe, Inc. We do not store your full credit card number, debit card number, or bank account details on our servers. Stripe collects and processes your payment information directly in accordance with Stripe's Privacy Policy. We receive and store only a truncated card identifier, card type, expiration date, billing address, and transaction history for record-keeping purposes.
2.3 Content You Provide
In the course of using the Platform, you may upload or create content including but not limited to:
- Marketing content (email campaigns, social media posts, landing pages, blog drafts, ad copy)
- Customer and contact data imported into the Support or Marketing modules
- Brand assets (logos, images, brand guidelines, color palettes, tone of voice descriptions)
- AI prompts, generation inputs, and generated outputs
- Support tickets, notes, and internal communications
2.4 Usage Data
We automatically collect information about how you interact with the Platform, including:
- Pages and features visited or used
- Actions taken within the Platform (clicks, searches, navigation)
- Device information (browser type, operating system, screen resolution)
- IP address and approximate geographic location derived from it
- Date, time, and duration of sessions
- Referring URLs and exit pages
2.5 Cookies and Tracking Technologies
We use cookies, local storage, and similar technologies to authenticate sessions, remember preferences, and collect anonymized usage analytics. See Section 6 ("Cookies and Tracking") for full details.
2.6 Information from Third-Party Integrations
When you connect third-party services to the Platform, we receive data from those services as authorized by you:
- Google and Apple Sign-In: Name, email address, and profile identifier.
- Shopify: Store information, product catalog, and order data necessary to power marketing and support features.
- Meta (Facebook/Instagram): Page and account identifiers, post performance metrics, and publishing permissions you authorize.
We only request the minimum scopes and permissions necessary to deliver the features you enable. You can disconnect integrations at any time from your Platform settings, which will stop future data collection from that service.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Provide and Maintain the Platform
To operate, deliver, and improve the core functionality of the Marketing and Support modules, including AI-powered features such as Riovis Engine, content generation, campaign automation, and customer support tools.
3.2 Process Payments and Manage Subscriptions
To process subscription payments, issue invoices, manage billing cycles, handle upgrades and downgrades, and enforce usage-based limits associated with your pricing tier.
3.3 Send Transactional Communications
To send you essential emails related to your account, billing, security alerts, service disruptions, and Platform changes. These communications are delivered via Resend and are not marketing emails. You cannot opt out of transactional emails while maintaining an active account.
3.4 Provide Customer Support
To respond to your inquiries, troubleshoot issues, and provide technical assistance.
3.5 Improve and Develop New Features
To analyze aggregated and anonymized usage patterns to identify areas for improvement, prioritize feature development, and optimize Platform performance and reliability.
3.6 Detect and Prevent Fraud, Abuse, and Security Incidents
To monitor for unauthorized access, abuse of AI features, terms of service violations, and other potentially harmful activity. This includes maintaining security logs and AI prompt audit trails.
3.7 Comply with Legal Obligations
To fulfill our legal and regulatory obligations, respond to lawful requests from authorities, and establish, exercise, or defend legal claims.
3.8 Generate Anonymized Analytics
We generate anonymized, aggregated analytics to understand Platform usage trends. This data is never sold and is never used for advertising or ad targeting purposes.
4. AI Features and Your Data
The Riovis platform includes AI-powered features such as Riovis Engine, content generation, campaign-to-page automation, and video generation. This section explains how your data interacts with AI systems.
4.1 Third-Party AI Providers
AI features route prompts and inputs to third-party AI providers via their respective APIs. Our current AI sub-processors include:
- OpenAI - Text generation, content creation, and natural language processing
- Anthropic - Text generation, content creation, and natural language processing
- Google Veo - AI-powered video content generation
4.2 No Training on Your Data by Providers
We use API configurations with all third-party AI providers that do not permit those providers to use your data for model training. Your prompts, inputs, and generated outputs are processed solely to return results to you and are not retained by providers for training purposes.
4.3 No Training by Us Without Consent
We do not use your content, prompts, or AI-generated outputs to train our own machine learning models without your explicit written consent. If we ever offer an opt-in program for model improvement, participation will be entirely voluntary and clearly disclosed.
4.4 AI Prompt Log Retention
AI generation prompt logs are retained for a rolling 90-day period for the sole purposes of debugging, quality assurance, and abuse detection. After 90 days, prompt logs are permanently deleted. These logs are accessible only to authorized personnel under strict access controls.
4.5 Riovis Engine Data
The Riovis Engine feature may crawl publicly available information about your brand (such as your website, social media profiles, and public reviews) to build your brand profile. This crawl data is used solely to build and maintain your brand profile and is never shared with other subscribers or used for any purpose unrelated to your account.
5. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
5.1 Sub-Processors and Service Providers
We engage third-party sub-processors to help us operate the Platform. Each sub-processor is contractually obligated to protect your data and may only process it for the purposes we specify. Our current sub-processors include:
- Amazon Web Services (AWS) - Cloud infrastructure and hosting
- Google Cloud Platform (GCP) - Cloud infrastructure, AI services, and data processing
- Stripe - Payment processing and subscription management
- Resend - Transactional email delivery
- OpenAI - AI text generation and content creation
- Anthropic - AI text generation and content creation
- Google Veo - AI video generation
- Meta - Social media publishing and analytics (when you connect your Meta accounts)
- Shopify - E-commerce data integration (when you connect your Shopify store)
5.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, including court orders, subpoenas, or government requests. We will attempt to notify you of such requests unless prohibited by law or court order.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform of any change in ownership or uses of your personal information and your choices regarding your data.
5.4 With Your Consent
We may share your information with third parties when you explicitly authorize us to do so, such as when you enable integrations or authorize data exports.
5.5 We Never Sell Personal Information
TopHare Software Studio LLC does not sell, rent, or lease your personal information to any third party for monetary or other valuable consideration. This applies to all categories of personal information we collect, and we have not sold personal information in the preceding 12 months. We do not "share" personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
6. Cookies and Tracking
6.1 Essential Cookies
These cookies are strictly necessary for the Platform to function. They handle authentication, session management, security tokens (CSRF protection), and your language and display preferences. You cannot opt out of essential cookies without disabling core Platform functionality.
6.2 Analytics Cookies
We use analytics cookies to collect anonymized usage patterns such as page views, feature adoption, and session duration. This data is aggregated and does not identify individual users. Analytics cookies help us understand how the Platform is used so we can improve the experience.
6.3 No Third-Party Advertising Cookies
We do not use third-party advertising or tracking cookies. The Platform does not serve ads, and we do not allow third-party ad networks to place cookies or tracking pixels on our website or application.
6.4 Managing Cookie Preferences
You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies may impair Platform functionality. For more information on managing cookies, visit your browser's help documentation.
- Chrome: Manage cookies in Chrome
- Firefox: Manage cookies in Firefox
- Safari: Manage cookies in Safari
- Edge: Manage cookies in Edge
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
- Account data (name, email, company, profile information): Duration of your active subscription plus 90 days after account closure or termination to allow for reactivation and to resolve any outstanding issues.
- Content (marketing materials, customer data, brand assets, support tickets): Duration of your active subscription plus a 30-day export window after account closure during which you may download your data.
- Payment records (transaction history, invoices, billing information): 7 years from the date of the transaction, as required by tax and financial reporting obligations.
- AI prompt logs (generation inputs, prompts, metadata): 90 days on a rolling basis, after which they are permanently deleted.
- Security logs (authentication events, access logs, threat detection records): 12 months from the date of the event.
- Anonymized usage data (aggregated analytics that cannot identify individuals): Retained indefinitely, as this data does not constitute personal information.
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized. You may request early deletion of your data by contacting us at privacy@riovis.com, subject to our legal retention obligations.
8. Your Privacy Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. We are committed to honoring these rights regardless of where you reside, to the extent reasonably practicable.
8.1 Rights Under the GDPR (EU/EEA/UK Residents)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of Access - Request a copy of the personal data we hold about you.
- Right to Rectification - Request correction of inaccurate or incomplete personal data.
- Right to Erasure - Request deletion of your personal data, subject to legal retention requirements.
- Right to Restriction of Processing - Request that we limit how we process your data in certain circumstances.
- Right to Data Portability - Receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object - Object to the processing of your personal data for certain purposes, including direct marketing.
- Rights Related to Automated Decision-Making - Request human review of decisions made solely through automated processing that produce legal or similarly significant effects.
Our lawful bases for processing include: performance of a contract (providing the Platform), legitimate interests (security, fraud prevention, and Platform improvement), compliance with legal obligations, and consent (where specifically obtained).
8.2 Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to Know - Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, purposes, and categories of third parties with whom we share it.
- Right to Delete - Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct - Request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing - We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary, but you may still submit a request for our records.
- Right to Limit Use of Sensitive Personal Information - Request that we limit the use of sensitive personal information to what is necessary to provide the Platform.
- Right to Non-Discrimination - We will not discriminate against you for exercising any of your CCPA/CPRA rights.
8.3 Rights Under the Texas TDPSA (Texas Residents)
If you are a Texas resident, you have the following rights under the Texas Data Privacy and Security Act:
- Right to Confirm - Confirm whether we are processing your personal data.
- Right to Access - Access the personal data we have collected about you.
- Right to Correct - Request correction of inaccuracies in your personal data.
- Right to Delete - Request deletion of personal data you have provided or that we have collected about you.
- Right to Data Portability - Obtain a copy of your personal data in a portable, readily usable format.
- Right to Opt-Out - Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
8.4 Rights Under PIPEDA (Canadian Residents)
If you are a Canadian resident, you have the following rights under the Personal Information Protection and Electronic Documents Act:
- Right of Access - Request access to the personal information we hold about you and information about how it has been used and disclosed.
- Right to Challenge Accuracy - Challenge the accuracy and completeness of your personal information and have it amended as appropriate.
8.5 How to Exercise Your Rights
To exercise any of the rights described above, please submit a request by emailing privacy@riovis.com. Include your full name, the email address associated with your account, and a description of the right(s) you wish to exercise.
Verification Process
To protect your privacy and security, we will verify your identity before fulfilling any request. Verification may include confirming your account email address, matching identifying information you provide against information we already maintain, or requesting additional documentation. If we cannot verify your identity, we may deny the request and will explain why.
Response Timeline
We will acknowledge receipt of your request within 10 business days and provide a substantive response within 30 days (or sooner if required by applicable law, such as 45 days for CCPA/CPRA requests). If we need additional time, we will notify you of the extension and the reason for the delay.
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide signed written authorization from you and may be required to verify their own identity. We may also contact you directly to confirm the request.
9. International Data Transfers
TopHare Software Studio LLC is based in Houston, Texas, United States. Your personal information is primarily processed and stored in the United States.
9.1 EU/UK Transfers
For transfers of personal data from the European Economic Area or the United Kingdom to the United States, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) as the legal transfer mechanism. These clauses are incorporated into our Data Processing Addendum, available upon request or at riovis.com/dpa.
9.2 Canadian Transfers
For transfers of personal information from Canada, we implement contractual protections consistent with the requirements of PIPEDA to ensure your data receives a comparable level of protection.
9.3 Sub-Processor Locations
All of our sub-processors are located in the United States or Canada. We do not transfer personal data to countries outside of North America and Europe. A current list of sub-processors and their locations is available in Section 5.1 of this Policy or upon request.
10. Children’s Privacy
The Riovis platform is a business-to-business (B2B) service designed for use by companies, organizations, and their authorized representatives. The Platform is not directed at, marketed to, or intended for use by individuals under the age of 16.
We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at privacy@riovis.com. If we become aware that we have collected personal information from a child under 16 without verified parental consent, we will take steps to delete that information promptly.
11. Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. While no system can guarantee absolute security, our security program includes:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All stored data is encrypted using AES-256 encryption.
- Role-Based Access Control (RBAC): Access to personal data is restricted to authorized personnel on a need-to-know basis, enforced through granular role-based permissions.
- Multi-Factor Authentication (MFA): Required for all administrative access to production systems and infrastructure.
- WebAuthn Passkey Support: We support FIDO2/WebAuthn passkeys for phishing-resistant authentication.
- Vulnerability Assessments and Penetration Testing: Regular security assessments conducted to identify and remediate vulnerabilities.
- Incident Response: Documented incident response procedures to detect, contain, and remediate security incidents. In the event of a data breach affecting your personal information, we will notify you and applicable authorities as required by law.
- SOC 2-Ready Infrastructure: Our infrastructure is designed and operated in alignment with SOC 2 Type II controls for security, availability, and confidentiality.
If you discover a security vulnerability, please report it responsibly to legal@riovis.com.
12. Third-Party Links
The Platform may contain links to third-party websites, services, or applications that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. The inclusion of a link does not imply endorsement of the linked site or service by TopHare Software Studio LLC.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
- Material Changes: For material changes that significantly affect how we collect, use, or share your personal information, we will provide at least 30 days' advance notice via email to the address associated with your account and/or a prominent notice on the Platform before the changes take effect.
- Non-Material Changes: Minor clarifications or formatting updates may be made without advance notice.
- Effective Date: The updated Policy will be posted on our website with a revised "Effective Date" at the top of the document.
- Acceptance: Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you must discontinue use of the Platform before the updated Policy takes effect.
We encourage you to review this Policy periodically to stay informed about how we protect your information.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy Inquiries: privacy@riovis.com
- Legal Inquiries: legal@riovis.com
TopHare Software Studio LLC
Houston, Texas, USA
We aim to respond to all privacy-related inquiries within 10 business days. For formal data subject requests, please refer to Section 8.5 for response timelines and verification procedures.