Rivur Chat Privacy Policy

Effective Date: November 8, 2025

1. Scope & Geographic Availability

Rivur Chat (the “Service”) is provided by Rivur Communications Inc. for users located in the United States and Canada. We do not market, offer, or provide Rivur Chat to residents of the European Union / European Economic Area / United Kingdom. If you are located in a jurisdiction where this policy does not apply (e.g., the EU/EEA), you must not use the Service.

2. Overview & Commitment

Rivur Chat is a virtual phone number and encrypted messaging application. We collect only the data necessary to operate the Service, provision virtual numbers, deliver messages, ensure security, and meet legal or carrier obligations. We do not sell your personal information to third parties.

3. Information We Collect

3.1 Account Information: Username, hashed authentication credentials, subscription tier, internal user identifier, and an email address for account management or recovery.

3.2 Virtual Number & Telecom Metadata: Assigned virtual number(s), message routing metadata (timestamps, sender/recipient identifiers, delivery status). This metadata is required to transmit and manage communications. SMS/MMS content (when using carrier networks) is stored encrypted at rest while it remains active on our platform.

3.3 Usage & Diagnostic Telemetry: Limited, non-personal performance metrics (crash events, service uptime indicators). We do not collect precise geolocation or track your IP address for profiling. Transient IP handling may occur at the network edge strictly for session establishment, load balancing, security, or abuse mitigation; we do not persist or profile IP addresses for marketing.

3.4 Payment & Subscription Data: For in-app purchases (Apple / Google / Microsoft), billing information is managed by the respective store under their privacy policies. For web purchases via Stripe, Stripe processes card data directly and provides us with transaction confirmation (tokenized references, last 4 digits, card brand where applicable). We do not store full payment card numbers or CVV.

3.5 Support & Communications: Information you voluntarily provide when contacting us (support requests, feedback). Retained only as long as needed to resolve the request or maintain compliance.

3.6 Security & Abuse Signals: Limited indicators (failed auth attempts, rate-limit triggers, spam/abuse flags) used to protect the platform and users.

4. How We Use Information

• Provision, operate, secure, and improve the Service.
• Assign, recycle, or reclaim virtual numbers (in line with carrier/regulatory rules).
• Authenticate users and enforce access controls.
• Process subscriptions: renewals, status validation, plan changes, and account eligibility.
• Detect, prevent, and respond to fraud, spam, or abuse (e.g., TCPA / CASL compliance support).
• Fulfill legal, regulatory, carrier, or valid law enforcement requirements (see Section 10).
• Provide user-requested support, troubleshooting, and service notices.

5. Legal Bases / Framework (U.S. & Canada)

We operate under U.S. federal/state laws and Canadian laws (including PIPEDA and applicable provincial regulations). Because we do not offer the Service in the EU/EEA, GDPR legal bases are not asserted. Our collection and use are grounded in: (a) performance of a service contract (providing and securing the Service), (b) legitimate interests (fraud prevention, platform integrity), and (c) compliance with legal/telecom obligations.

6. Subscriptions & Purchases

You may purchase subscriptions through app stores (Apple App Store / Google Play / Microsoft Store) or via Stripe on our website. App store purchases are governed by the respective store’s privacy and billing policies. Stripe purchases are governed by Stripe’s privacy policy. We receive only confirmation data required to activate or maintain your subscription.

7. No Sale of Personal Information

We do not sell or rent your personal information. We do not share personal information with third parties for their independent marketing purposes.

8. Limited Third-Party Service Providers

• Payment Processors: Apple, Google, Microsoft, Stripe (process payments; we do not store card data).
• Telecom / Messaging Carriers: Underlying network providers may handle SMS/MMS routing; their handling of data is subject to carrier obligations.
• Cloud / Infrastructure: Secure hosting and redundancy providers; we configure encryption and access controls to limit human access.
• Analytics / Telemetry (Minimal): Internal or privacy-focused tooling for stability and crash handling (no behavioral advertising profiling).

All providers are contractually or policy-bound to handle data only for service delivery and security.

9. Data Security

• Encryption in transit (TLS) and at rest for stored content and metadata (where technically feasible).
• Access controls, least-privilege internal roles, monitoring, and audit trails.
• Abuse/spam mitigation controls (rate limiting, anomaly detection).

No system can guarantee absolute security; you are responsible for device-level security (OS patches, malware protection, lock screens).

10. Law Enforcement & Legal Requests

We respond only to valid, properly served legal process from competent U.S. or Canadian authorities (e.g., subpoenas, court orders, warrants). Where not legally prohibited, we will provide user notice prior to disclosure.

11. Data Retention & Deletion

• Operational metadata: Retained only as long as needed for active service, fraud prevention, and regulatory / carrier compliance.
• Encrypted message content: Retained consistent with service functionality; user-deleted encrypted content is purged from active systems promptly and removed from backups within 30 days.
• SMS/MMS content: Stored encrypted while needed for delivery or user visibility; purged per lifecycle rules or user deletion.
• Telemetry & logs: Detailed logs minimized and typically reduced or summarized within 60 days.
• Account deletion: Initiated via the in-app delete function. All personal data (account, numbers, message content, preferences) is scheduled for purge and fully removed (including from backup archives) within 30 days.

12. Your Privacy Rights

United States (Selected State Privacy Frameworks - e.g., CA/CO/VA/CT/UT): To the extent applicable, you may have rights to request access, deletion, correction, and to know whether we disclose categories of personal information. Because we do not sell personal information or use it for targeted advertising, opt-out of sale/targeted advertising does not apply. You may submit rights requests via our Contact form.

Canada (PIPEDA / Provincial Analogues): You have rights to access, correct, or withdraw consent (where consent is the lawful basis) for personal information under our control, subject to legal limits. We will explain any denial of a request where legally permissible.

How to Exercise: Submit a request through our contact form. We will verify identity (e.g., by account login challenge) before acting. A response will be provided within the timelines required by applicable law.

13. Children’s Privacy

The Service is not directed to children under 13 (U.S. COPPA) or under the age of consent in Canada (typically under 13; provincial nuances may apply). We do not knowingly collect data from children. If you believe a child has provided data, contact us for removal.

14. Cookies & Tracking

The core app does not use third-party advertising trackers. The website may use strictly necessary or functional cookies for session continuity and security. We avoid behavioral advertising tracking. You can adjust browser settings to manage cookies (doing so may limit functionality).

15. No IP / Location Profiling

We do not profile users based on IP or geolocation for marketing. Transient network data may be processed ephemerally for routing, security filtering, and fraud prevention only.

16. Account Deletion Process

Use the in-app account deletion feature. We queue associated data for purge; full removal including backup eradication occurs within 30 days except data we are legally required to retain (minimized to what is strictly necessary).

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in technology, legal requirements, or service features. Material changes will be posted here with a revised Effective Date. Continued use after the Effective Date constitutes acceptance.

18. Contact Us

Privacy Inquiries / Rights Requests: Contact Form

We will respond within legally required timeframes and provide clarification where requests cannot be fulfilled.

19. Summary Assurance

We are committed to data minimization, encryption, user control, and transparent retention/deletion practices. Thank you for trusting Rivur Chat.

20. California Residents (CCPA / CPRA)

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to:

• Know the categories of personal information collected, sources, business purposes, and categories of third parties with whom it is disclosed.
• Access (request a copy of) specific personal information we maintain about you.
• Request correction of inaccurate personal information.
• Request deletion of personal information (subject to legal and service-related exceptions).
• Know if we "sell" or "share" personal information. We do not sell or share personal information for cross-context behavioral advertising.
• Limit use of sensitive personal information (we do not collect sensitive categories beyond basic authentication and subscription attributes).
• Be free from discrimination for exercising privacy rights.

Categories Collected (12-Month Lookback): Identifiers (username, virtual number), account/subscription data, limited internet/electronic activity (basic telemetry), commercial information (subscription plan), and security/abuse signals. We do not collect precise geolocation, biometric identifiers, or protected class characteristics.

Submission of Requests: Use our contact form. We will verify your identity (e.g., authentication challenge). Authorized agents must provide proof of authority.

Retention Disclosure: We retain data only as described in Section 11. Upon verified deletion requests, we remove data unless retained for security, fraud prevention, legal compliance, or service integrity.

21. Quebec Residents (Law 25)

For residents of Quebec, Canada:

• Right to be informed of personal information collection and purposes (outlined above).
• Right to access and obtain copies of personal information.
• Right to request rectification of inaccurate or incomplete information.
• Right to withdraw consent where consent is the basis (may affect service functionality).
• Right to portability where regulations specify (applies to certain structured electronic formats when technically feasible).
• Enhanced transparency over cross-border data transfers. Data may be stored or processed in secure facilities in the United States or Canada. We assess vendors for privacy and security safeguards.
• Prompt breach notification as required by Quebec law if an incident presents a risk of serious harm.
• Children under 14: parental consent is required for collection; we do not target or knowingly collect data from such users.

Privacy Officer: Requests can be directed via the contact form; they will be routed to our designated privacy officer. We respond within statutory timeframes.

Cross-Border Transfers: Safeguards include encryption, contractual restrictions, and access controls ensuring data is handled solely for service provision and security.