Legal

Privacy Policy

Last updated: 07.05.2026

Who we are

Rivendel is the brand and product described in this policy. We are the data controller for everything described here. That means we decide why and how your data is processed and we are the people you take it up with if something goes wrong. For anything to do with your data, email team@rivendel.io.

What data we collect

When you sign up: your email address and password. That is it.

When you pay: our payment processor (Stripe) handles your card details. We never see them. We do receive billing metadata such as the last four digits of your card, your billing country and the amount charged.

When you use the product: the business idea you give us, the instructions you give the AI, files you upload, brand assets, the content the AI produces for you, the websites and campaigns we build for you and the operational data they generate — including visitor numbers, conversion rates, ad spend, email engagement and similar.

Automatically: IP address, browser, device, pages visited, actions taken, timestamps and referring URLs. Standard server and product analytics.

If you contact us: whatever you tell us, plus the message itself so we have a record of the conversation. We do not knowingly collect data from anyone under 18. If you think we have, tell us and we will delete it.

Why we process it and what gives us the legal right to

Under UK GDPR every use of your data needs a legal basis. We process your data on the basis of contract to run the service for you — covering processing your inputs, generating outputs, taking payment and sending things like password resets and billing notices. We send marketing emails on the basis of consent; you can withdraw that consent any time. We rely on legitimate interest for analytics, fraud prevention, abuse investigations and product improvements. We keep tax and accounting records on the basis of legal obligation, because UK law requires it.

Automated decisions and AI

Rivendel runs on AI. The product makes decisions and generates content on your behalf: what to publish, which ad creatives to test, which keywords to target, what to write in emails. You instructed us to do this when you signed up. You can review, change or stop any of it inside the product.

We do not use AI to make decisions about you that produce legal effects or that significantly affect you. We do not use it to decide whether to give you the service, what to charge you or how to treat your account. Your data is processed by third-party AI providers (Anthropic, OpenAI) under contracts that prohibit them from using it to train their models.

Who we share data with

We share data with companies that help us run the service — payment processors, hosting and infrastructure providers, AI providers, email and messaging providers, analytics providers, advertising platforms when we run ads on your behalf and customer support tools when you contact us. They process it on our instructions and cannot use it for anything else. We may also share data if we are legally required to, if we are bought or merge with another company, or if we need to protect the service or other users from harm. We do not sell your data.

International transfers

Some of our processors are based in the United States and other countries outside the UK. When we transfer your data abroad we use the safeguards approved by the UK Information Commissioner's Office, normally the International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum.

How long we keep it

Billing and tax records: six years after account closure (UK tax law requires it). Account data — your email, password, settings — deleted within 30 days of account closure. Business and operational data — your inputs, AI outputs, websites we built, campaign data — deleted within 30 days of account closure unless you ask us to delete it sooner. Marketing data: until you unsubscribe or three years of inactivity, whichever comes first. Support conversations: three years. Server logs: 90 days.

Your rights

Under UK GDPR you can: see what data we hold about you; get a copy in a portable format; correct anything wrong; have your data deleted, subject to records we are legally required to keep; restrict how we use it; object to processing based on legitimate interest; withdraw consent where consent is the legal basis. To use any of these, email team@rivendel.io. We will respond within one month. If you think we have got something wrong you can complain to the Information Commissioner's Office at ico.org.uk. We would rather you came to us first so we can fix it.

Security

We protect your data with encryption in transit and at rest, access controls, regular security reviews and the usual technical and organisational measures. No system is ever completely secure. If we have a breach that affects you we will tell you and the ICO as the law requires.

Changes to this policy

When we change this policy we update the date at the top. If the changes are significant we will email you or tell you in the product before they take effect.

Build your business
the right way.

Transparent, secure, and autonomous. Start your portfolio today.