Privacy Policy
Last updated: April 15, 2026
This policy explains what personal data Riffle (“we”) collects when you use riffle.rocks, why we collect it, how we use it, and how you can get rid of it. We try to collect as little as possible.
1. What we collect
We collect only what we need to run the Service:
- Account data. Your email address (for sign-in) and an optional display name.
- Subscription data. Whether you have a paid membership, when it was purchased, and when it ends. Payment card details are handled by our payment processor — we never see them.
- Content you create. Field reports, site suggestions, favorites, and comments.
- Usage data. Standard server logs (IP address, user agent, timestamps, pages visited) for security and debugging. Retained for 30 days unless we're investigating an incident.
- Cookies. A session cookie for authentication and (optionally, if you consent in jurisdictions that require it) a privacy-respecting analytics cookie. No third-party ad cookies.
2. What we don't collect
- Your real name (unless you type it into a field report or your display name).
- Your phone number.
- Your home address.
- Your precise real-time location — ever. The map asks for your device location only if you click “use my location”, and we use it one time to center the map. It's never stored.
3. How we use it
We use the data above to:
- Sign you in and keep your session secure.
- Process payments and manage your membership.
- Show you your own content (favorites, reports, etc.).
- Detect abuse and keep the Service running.
- Reply to you when you write in.
- If you opted in, email you occasional product updates — roughly monthly, never more.
4. Who we share it with
We share personal data only with service providers who need it to operate the Service, under contractual confidentiality:
- Supabase — database and authentication (hosted in the US).
- Vercel — application hosting.
- Lemon Squeezy — payment processing for paid memberships.
- Resend / Postmark — transactional email (magic links, receipts).
We don't sell your personal data, and we don't share it with advertisers or data brokers. We may disclose data if required by valid legal process, but we'll push back on overbroad requests.
5. How long we keep it
We keep your account data for as long as your account exists, plus up to 30 days after deletion in backups. Contact messages are kept up to 2 years. Server logs are rotated every 30 days.
6. Your rights
You can, at any time:
- View and edit your profile from your account page.
- Download a copy of your data (email privacy@riffle.rocks).
- Delete your account and all associated data — email privacy@riffle.rocks and we'll process it within 7 days.
- Opt out of product emails from any marketing email we send.
Residents of California, the EU/UK, and other jurisdictions with specific data rights (right to know, right to correct, right to portability) can exercise them by emailing privacy@riffle.rocks. We don't discriminate against anyone for exercising these rights.
7. Children
Riffle isn't directed at children under 13 and we don't knowingly collect their data. If you believe we have, email privacy@riffle.rocks and we'll delete it.
8. Security
We use encryption in transit (TLS), at-rest encryption for our database, and hashed/signed session tokens. No system is perfect — if something happens to your data we'll notify you within 72 hours of becoming aware.
9. International transfers
Our servers are in the United States. If you're using the Service from outside the US, your data will be transferred to and processed in the US.
10. Changes
If we materially change this policy we'll email you and post notice at the top of this page at least 14 days before the change.