Privacy Policy

How Simplisik LLC handles data when you use Rivet. Last updated May 17, 2026.

This policy explains what information we collect when you use Rivet, what we do with it, and the rights you have over it. We've tried to write it the way we'd want to read it — plainly, with the specifics where they matter.

1. Who we are

Rivet is a product of Simplisik LLC, a Tennessee limited liability company ("Simplisik," "we," "us," or "our"). When this policy says "Rivet" we mean the platform itself — the marketing site at rivet.sh, the customer dashboard, and the hosting infrastructure that serves customer applications at onrivet.sh and on customer-configured custom domains.

Contact us at legal@rivet.sh for any privacy question, request, or complaint.

2. Scope

This policy covers:

  • Visitors to rivet.sh.
  • People who sign up for an account and use the Rivet dashboard.
  • The personal data Simplisik handles to operate the Rivet platform.

This policy does not cover:

  • End users of customer applications. If you visit an application a Rivet customer has deployed on *.onrivet.sh or a custom domain pointed at Rivet, the operator of that application is responsible for its privacy practices. Their privacy policy governs — not this one. Simplisik processes that data only on the customer's behalf, as a processor.
  • Third-party services you choose to connect to Rivet (e.g., source control hosts, payment processors, analytics providers).

3. Information we collect

Account information

When you sign up, we collect your name, work email, password (stored as a hash, never in plaintext), and the organization you belong to. If you sign in through a third party (e.g., GitHub), we receive the profile fields that provider chooses to share. Providing this information is contractual — not statutory — but without it we cannot create your account or operate the Service for you.

Billing information

Paid plans are billed through Stripe. Stripe collects and processes card data directly; Simplisik stores only the last four digits, card brand, expiration, and a tokenized reference. Stripe's privacy policy applies to the card data itself.

Usage and telemetry

We collect data about how you use Rivet so we can operate, secure, and improve the service: deploy events, build metadata, request and error counts, resource usage, dashboard interactions, IP addresses, user-agent strings, and timestamps.

Customer Content

"Customer Content" means the code, configuration, environment variables, logs, databases, files, and other data you deploy to, store in, or run through Rivet — including any personal data of your end users that your application handles. For Customer Content, Simplisik acts as a processor: we store, transmit, and run it on your instructions, and we do not use it for any other purpose. You are the controller.

Cookies and analytics

We use a strictly-necessary session cookie to keep you signed in and a small set of preference cookies (theme, recently-viewed projects). We use [analytics provider] to understand product usage in aggregate; it is configured to avoid cross-site tracking and we do not use it for advertising. No ad-tech, no cross-context behavioral advertising, no data sales.

Communications

When you email support, request access, or fill out a form, we keep the correspondence so we can respond and reference it later.

4. How we use information

  • Operate the service — provisioning, deploys, billing, dashboards, support.
  • Security and abuse prevention — detect fraud, abuse, violations of our acceptable-use policy, and upstream provider terms.
  • Service communications — incident notices, security advisories, billing receipts, account confirmations. You cannot opt out of these while you have an account.
  • Product improvement — aggregate analytics, error reporting, internal model tuning. We do not train external AI models on Customer Content.
  • Legal compliance — responding to lawful requests, enforcing agreements, defending claims.

We do not sell personal data. We do not "share" it for cross-context behavioral advertising as defined under the California Privacy Rights Act (CPRA).

5. Legal bases (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, our processing relies on these legal bases:

  • Performance of a contract — running the Service you signed up for, billing, support, account administration.
  • Legitimate interests — for the specific interests of (a) keeping the platform secure and detecting and preventing abuse, (b) measuring aggregate product usage so we can improve and prioritize features, (c) protecting our legal rights and the rights of others, and (d) communicating about service-relevant updates to existing Customers. We weigh each of these against your interests and fundamental rights and stop processing if your interests override ours. You may object on grounds relating to your particular situation by emailing legal@rivet.sh.
  • Consent — for optional cookies, optional marketing communications, and other situations where the law requires it. You can withdraw consent at any time, and withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Legal obligation — tax, accounting, and responding to lawful requests from courts and authorities.

Automated decision-making and profiling

We do not use your personal data for automated decision-making — including profiling — that produces legal effects concerning you or similarly significantly affects you (GDPR Art. 22). If that ever changes, we will update this policy and, where required, obtain your consent or offer the safeguards the law requires.

Where personal data comes from

We collect personal data directly from you, from your devices when you use the Service, from third parties you authorize (e.g., a single sign-on provider you choose), and — for Customer Content — from the Customer who controls it. For personal data we receive about end users of customer applications hosted on onrivet.sh or custom domains, that data comes from the Customer who deployed the application, and we process it only on the Customer's documented instructions as a processor.

6. Sub-processors and sharing

We use a small set of vendors to deliver the service. They are bound by data-protection terms and only process data on our instructions:

  • InterServer, Inc. — bare-metal compute, networking, and data-center operations. United States.
  • Stripe, Inc. — payment processing. United States.
  • Cloudflare Email & Resend — transactional and support email. United States.
  • Google Analytics — privacy-respecting product analytics. United States.

We may also share information when required by law, to enforce our agreements, to protect rights or safety, or in connection with a merger, acquisition, or asset sale (with notice and continuity of this policy's commitments).

We maintain an up-to-date sub-processor list and notify Customers of material changes with a reasonable opportunity to object. Contact legal@rivet.sh for the current list.

7. International data transfers

Rivet is operated from the United States, and the data we collect is processed there. When personal data of EEA, UK, or Swiss residents is transferred to the U.S. or elsewhere, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) and apply supplementary measures consistent with the Schrems II decision.

8. Data retention

We keep personal data only as long as we need it:

  • Account data — for the life of your account, plus 30 days after deletion to wind down billing, support, and abuse review.
  • Billing records — at least seven years to meet tax and accounting obligations.
  • Customer Content — until you delete it, or 30 days after account termination, whichever comes first. Backups age out within 90 days.
  • Operational logs — typically 30 days. Security logs may be kept longer when needed to investigate an incident.
  • Support correspondence — up to three years after the last interaction.

Legal holds (litigation, regulatory inquiry) override these defaults.

9. Your rights

If you are in the EEA, UK, or Switzerland (GDPR / UK GDPR)

You have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have data erased ("right to be forgotten") where applicable.
  • Restrict or object to certain processing.
  • Receive a portable copy of data you provided.
  • Withdraw consent where processing relied on it.
  • Lodge a complaint with your local supervisory authority.

If you are a California resident (CCPA / CPRA)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights regarding personal information ("PI") we have collected in the preceding 12 months:

  • Right to know the categories and specific pieces of PI we have collected, the sources we collected it from, the business or commercial purposes for collecting it, and the categories of third parties we have disclosed it to.
  • Right to delete PI we have collected about you, subject to statutory exceptions.
  • Right to correct inaccurate PI we maintain about you.
  • Right to limit use and disclosure of sensitive PI. We use sensitive PI only as needed to deliver the Service you requested and for the operational purposes the law allows; we do not use it for inferences about your characteristics. See our affirmations below.
  • Right to opt out of sale and sharing. See our affirmations below.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a right.

Categories of PI we collect (CCPA mapping)

  • Identifiers — name, email, account ID, IP address, device identifiers.
  • Customer records (Cal. Civ. Code § 1798.80(e)) — name and billing information.
  • Commercial information — billing history, plan, transaction records.
  • Internet or other electronic network activity — log data, dashboard interactions, API usage.
  • Geolocation — coarse, IP-derived only. We do not collect precise geolocation.
  • Professional or employment-related information — your job title or organization, if you provide it.
  • Inferences — limited internal inferences for product analytics (e.g., "active user"), never for profiling.

Sensitive PI (CPRA)

We collect a password and authentication credentials, which qualify as sensitive PI under § 1798.140(ae)(1)(D). We use them solely to authenticate you and secure your account, and we do not use them to infer characteristics about you. We do not collect government identifiers (SSN, driver's license, passport), precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of your mail/email/text messages (other than ones voluntarily sent to us), genetic data, biometric data for identification, health information, or information about sex life or sexual orientation.

Our affirmations (last 12 months)

  • We have not sold personal information.
  • We have not shared personal information for cross-context behavioral advertising.
  • We have not knowingly sold or shared the personal information of consumers under 16 years of age, and we do not direct the Service to anyone under 16.
  • We do not offer financial incentives in exchange for personal information.

Under California's "Shine the Light" law (Cal. Civ. Code § 1798.83), California residents may also request a list of the personal information we have disclosed to third parties for those parties' direct-marketing purposes. We do not engage in those disclosures.

If you are a resident of another US state with a comprehensive privacy law

Residents of states with comprehensive consumer-privacy statutes — currently including (but not limited to) Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire, New Jersey, Indiana, Maryland, Minnesota, Rhode Island, and Tennessee under the Tennessee Information Protection Act (TIPA) — have rights substantially similar to the California rights above: access, deletion, correction, portability, and opt-out of targeted advertising, sale, and certain profiling. Where your state law gives you a right we don't list here, we will honor it. To exercise any of these rights, email legal@rivet.sh.

How to exercise your rights

Email legal@rivet.sh. We will verify your identity (usually by confirming control of the email address on your account) and respond within 45 days for U.S. state-law requests, or within 30 days for GDPR/UK GDPR requests, with extensions where the law permits and you are notified. There is no charge for reasonable requests. You may designate an authorized agent to act on your behalf, subject to our verification of their authority. If we deny a request, you have the right to appeal it where state law provides one.

10. Security

We protect data in transit with TLS and at rest with industry-standard encryption. Production access is restricted to least-privilege roles, gated by multi-factor authentication, and logged. We maintain a vulnerability-disclosure process and notify affected Customers without undue delay if a security incident materially affects their data, as required by applicable law and our contracts.

No system is perfectly secure. We can describe our controls, but we cannot guarantee that a determined attacker will never succeed.

11. Children

Rivet is built for developers and businesses. The Service is not directed at children. We do not knowingly collect personal information from anyone under 13 in violation of the U.S. Children's Online Privacy Protection Act (COPPA), and we do not knowingly sell or share the personal information of any consumer we know to be under 16, consistent with the CCPA/CPRA. If you believe a child under 13 has provided us personal information, contact legal@rivet.sh and we will delete it.

12. Controller and processor roles

Simplisik is the controller of your account, billing, and product usage data — we decide why and how we process it. For Customer Content (anything you deploy, store, or run on Rivet, including any personal data of your end users), Simplisik is a processor acting on your instructions. Business Customers can request a Data Processing Addendum (DPA) by emailing legal@rivet.sh.

13. Changes to this policy

We will update this page when we change how we handle data. For material changes, we'll post the update at least 30 days before it takes effect and email account owners. Continuing to use Rivet after the effective date means you accept the update.

14. Contact

Privacy questions, rights requests, and complaints: legal@rivet.sh.

EU/UK representative under Article 27. During Rivet's closed beta, the Service is offered to customers in the United States and is not generally marketed to data subjects in the European Economic Area, United Kingdom, or Switzerland. As a result, Simplisik has not yet appointed an Article 27 representative. Before opening signups to EEA/UK/Swiss customers — or earlier on request — we will designate a representative under GDPR Article 27 and UK GDPR Article 27 and update this section with their name and address. EEA/UK residents with questions in the meantime should email legal@rivet.sh; we will respond as if Article 27 applied.