Privacy Policy
Last updated: 10.06.2026
Who we are
Rivendel is the brand and product described in this policy. For anything to do with your data, email team@rivendel.io.
Two kinds of data
Rivendel handles two different kinds of personal data and the law treats them differently.
Data about you, the account holder: your email, your billing details, how you use the product. For this data we are the controller. We decide why and how it is processed and we are the people you take it up with if something goes wrong. This policy covers that data.
Data about your customers: the people who visit the site we run for you, subscribe to your emails, buy your products or message your accounts. For that data you are the controller and we are your processor. We process it only on your instructions, under the Data Processing Agreement that forms part of our terms. Your customers should look to your business's own privacy notice, which the service helps you publish.
The rest of this policy is about data we hold about you.
What data we collect
When you sign up: your email address and password. That is it.
When you pay: our payment processor (Stripe) handles your card details. We never see them. We do receive billing metadata such as the last four digits of your card, your billing country and the amount charged.
When you use the product: the business idea you give us, the instructions you give the AI, files you upload, brand assets, the content the AI produces for you, the websites and campaigns we build for you and the operational data they generate, including visitor numbers, conversion rates, ad spend and email engagement.
Automatically: IP address, browser, device, pages visited, actions taken, timestamps and referring URLs. Standard server and product analytics.
If you contact us: whatever you tell us, plus the message itself so we have a record of the conversation.
We do not knowingly collect data from anyone under 18. If you think we have, tell us and we will delete it.
Why we process it and what gives us the legal right to
Under UK GDPR every use of your data needs a legal basis. We process your data on the basis of contract to run the service for you, covering processing your inputs, generating outputs, taking payment and sending things like password resets and billing notices. We send marketing emails on the basis of consent; you can withdraw that consent any time. We rely on legitimate interest for analytics, fraud prevention, abuse investigations and product improvements. We keep tax and accounting records on the basis of legal obligation, because UK law requires it.
Automated decisions and AI
Rivendel runs on AI. The product makes decisions and generates content on your behalf: what to publish, which ad creatives to test, which keywords to target, what to write in emails. You instructed us to do this when you signed up. You can review, change or stop any of it inside the product. Strategic decisions about your business, such as changing direction or closing a venture, are presented to you and made by you, not by the AI.
We do not use AI to make decisions about you that produce legal effects or that significantly affect you. We do not use it to decide whether to give you the service, what to charge you or how to treat your account. Your data is processed by third-party AI providers (Anthropic, OpenAI) under contracts that prohibit them from using it to train their models.
Who we share data with
We share data with companies that help us run the service: payment processors, hosting and infrastructure providers, AI providers, email and messaging providers, analytics providers, advertising platforms when we run ads on your behalf and customer support tools when you contact us. They process it on our instructions and cannot use it for anything else. We may also share data if we are legally required to, if we are bought or merge with another company, or if we need to protect the service or other users from harm. We do not sell your data.
International transfers
Some of our processors are based in the United States and other countries outside the UK. When we transfer your data abroad we use the safeguards approved by the UK Information Commissioner's Office, normally the International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum.
How long we keep it
Billing and tax records: six years after account closure, because UK tax law requires it.
Account data, meaning your email, password and settings: deleted within 30 days of account closure.
Business and operational data, meaning your inputs, AI outputs, websites we built and campaign data: deleted within 30 days of the end of the export window described in our terms, or sooner if you ask. If you request transfers or exports when you leave, we complete those first. What you take with you is yours; what you leave behind is deleted.
Marketing data: until you unsubscribe or after three years of inactivity, whichever comes first.
Support conversations: three years.
Server logs: 90 days.
Your rights
Under UK GDPR you can: see what data we hold about you; get a copy in a portable format; correct anything wrong; have your data deleted, subject to records we are legally required to keep; restrict how we use it; object to processing based on legitimate interest; withdraw consent where consent is the legal basis.
To use any of these, email team@rivendel.io. We will respond within one month. If you think we have got something wrong you can complain to the Information Commissioner's Office at ico.org.uk. We would rather you came to us first so we can fix it.
If you are a customer of a business that runs on Rivendel, send your request to that business. They are the controller of your data and we will help them honour your rights.
Security
We protect your data with encryption in transit and at rest, access controls, regular security reviews and the usual technical and organisational measures. No system is ever completely secure. If we have a breach that affects you we will tell you and the ICO as the law requires.
Changes to this policy
When we change this policy we update the date at the top. If the changes are significant we will email you or tell you in the product before they take effect.