Privacy Policy

Last updated: March 28, 2026

Note: This policy is provided for informational purposes. It is not a substitute for advice from a licensed attorney. Users in regulated industries (healthcare, finance, legal, etc.) should consult qualified counsel to ensure their own compliance obligations are met.

1. Who We Are

Rivio ("we," "our," or "us") is an invoicing and payment management platform open to any service professional or small business. Rivio provides tools to create and send invoices, manage clients, accept payments, and track finances — all under each user's own branded workspace.

Rivio is not itself a healthcare provider and does not provide medical services. Users who operate healthcare practices are solely responsible for any HIPAA obligations that apply to their own practice and patient relationships.

For questions about this policy, contact privacy@rivio.app.

2. What Information Rivio Collects

Account information

Name, email address, and password (stored as a one-way hash — never in plain text) when you create an account.

Business profile

Business name, address, phone number, website, and payment handles (e.g. Venmo username, Zelle phone number) that you enter in your workspace settings. This information is used solely to populate invoices sent on your behalf.

Client and billing data

Client names, email addresses, phone numbers, billing addresses, and invoice records (line items, service dates, amounts, payment status) that you enter into the platform. This data is stored in your private workspace and is not accessible to other Rivio accounts.

Payment data

Rivio does not store credit card numbers, bank account numbers, or routing numbers. Online payments are processed by Stripe, Inc. directly. Rivio receives only a payment confirmation and transaction ID from Stripe.

Usage and technical data

Basic server logs (IP address, browser type, pages visited, timestamps) are retained for up to 90 days for security and debugging purposes. Rivio does not use third-party analytics trackers or advertising pixels.

Cookies

Rivio uses a single session authentication cookie set by Supabase to keep you signed in. No advertising, cross-site tracking, or third-party cookies are used.

3. How Rivio Uses Information

Information is used only for the following purposes:

  • Providing and operating the Rivio platform
  • Generating and delivering invoices on your behalf
  • Processing payments through Stripe
  • Sending invoice-related transactional emails via Resend
  • Maintaining platform security and preventing fraud
  • Improving the platform based on aggregated, anonymized usage patterns
  • Complying with legal obligations

Rivio does not sell personal data. Rivio does not use personal data for advertising.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area or United Kingdom, Rivio processes personal data under the following lawful bases:

  • Contract performance — processing your account data and client data is necessary to provide the service you signed up for
  • Legitimate interests — server logs and security monitoring are necessary to protect the platform and its users
  • Legal obligation — retaining certain records as required by law

5. Third-Party Services

Rivio shares the minimum necessary data with the following third-party services to operate the platform:

Supabase

Database hosting and user authentication

Data shared: Account credentials, all stored workspace data

Stripe

Payment processing

Data shared: Invoice amount, invoice ID, client email for payment

Resend

Transactional email delivery

Data shared: Recipient email address, invoice content for sending

No other third parties receive personal data from Rivio.

6. Do Not Track

Rivio honors Do Not Track (DNT) browser signals. Because Rivio does not use cross-site tracking or behavioral advertising, DNT signals have no material effect on your experience — the platform behaves the same regardless of your DNT setting. This disclosure is provided in compliance with the California Online Privacy Protection Act (CalOPPA).

7. Data Security

All data is encrypted in transit (TLS 1.2+) and encrypted at rest in Supabase. Access to your data is enforced at the database level through row-level security policies, which isolate your workspace's records from every other account so that no other account's queries can read or modify them.

Invoice portal links use 256-bit cryptographically random tokens (generated via Node.js crypto.randomBytes) with a 90-day expiration. Expired links return an error and cannot be replayed.

No security system is 100% guaranteed. In the event of a breach affecting your data, Rivio will notify you by email within 72 hours of discovery, consistent with GDPR Article 33 obligations.

8. Data Retention

Account and workspace data is retained for as long as your account is active. If you delete your account, personal data will be deleted within 30 days, except:

  • Financial records (invoice amounts, payment confirmations) may be retained for up to 7 years to comply with tax and accounting obligations
  • Server security logs are retained for 90 days then automatically purged

9. Your Rights

Depending on your location, you may have the following rights:

  • Access — request a copy of the personal data Rivio holds about you
  • Correction — request correction of inaccurate data (most data can be updated directly in your account settings)
  • Deletion — request deletion of your account and personal data
  • Portability — request an export of your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • California residents (CCPA) — have the right to know what personal information is collected, to delete it, and to opt out of its sale (Rivio does not sell personal information)

To exercise any of these rights, email privacy@rivio.app with your request. Rivio will respond within 30 days.

10. Children's Privacy

Rivio is not directed at individuals under the age of 18 and does not knowingly collect personal information from minors. If you believe a minor has provided information through Rivio, contact privacy@rivio.app and the data will be deleted promptly.

11. Changes to This Policy

Rivio may update this Privacy Policy from time to time. For material changes, notice will be provided by email to the address on your account at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

12. Contact

For privacy-related questions or data requests:

Email: privacy@rivio.app

General support: Contact page