Privacy Policy

1. Introduction

RIVI ("Company", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the RIVI platform ("Service"). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, password (hashed), and optional firm name. This information is necessary to provide and secure the Service.

Documents and Content

You may upload legal documents, contract templates, and other files. We store this content to provide the Service, including AI-powered analysis and contract generation.

Client Intake Data

When your clients complete intake forms, we collect their responses, uploaded documents, and identifying information (name, email). This data is processed on your behalf and accessible only to you.

Usage Data

We automatically collect technical information such as IP addresses, browser type, pages visited, and feature usage patterns. This data helps us improve the Service and diagnose issues.

3. How We Use Your Information

• Providing and maintaining the Service, including AI-powered features
• Processing and analyzing legal documents on your behalf
• Generating contracts based on your templates and client data
• Sending transactional emails (form submissions, account verification)
• Improving the Service through aggregated, anonymized analytics
• Ensuring security and preventing fraud or abuse
• Complying with legal obligations

4. Third-Party Services and Sub-Processors

The Service is built on third-party providers. Each is listed below with the data it processes and what we represent about its retention. Where we do not yet have a Data Processing Agreement in place with a provider, we say so explicitly.

• Supabase (database, authentication, file storage) — your account data, your form templates, your client-submitted answers and uploaded files, and your generated contracts are stored in Supabase-managed PostgreSQL with row-level security and in private storage buckets. Region and backup retention are configured at the Supabase project level. Data Processing Agreement: status pending; will be linked here once executed.
• OpenAI(AI processing for contract generation, analysis, intake parsing, chat) — when you use any AI feature, the contract text, client answers, and instructions you provide are transmitted to OpenAI's API for processing. Per OpenAI's default policy, API inputs and outputs are retained by OpenAI for up to 30 days for abuse monitoring. OpenAI states that business-tier API content is not used to train their models, but this protection depends on the account's Data Processing Addendum status.Important:Until RIVI's OpenAI account has Zero Data Retention (ZDR) controls approved by OpenAI, content you submit through AI features is retained by OpenAI for up to 30 days. We disclose ZDR status here once it is in effect; you can also ask us in writing.
• Resend — transactional email (form-link notifications to your clients, submission notifications to you). Recipient email address, lawyer/firm name, and form/client name are transmitted. Data Processing Agreement: status pending.
• Upstash — rate-limit counters keyed by user ID or IP. No content is transmitted. Data Processing Agreement: status pending.
• Geoapify — address autocomplete on questionnaires. The address text typed by your client is transmitted to Geoapify's geocoding API. Data Processing Agreement: status pending.
• Vercel — application hosting, including request logs and error traces. Sensitive request content is redacted from logs at the application layer.

5. Data Storage and Security

Your data is stored in secure, encrypted databases. We implement industry-standard security measures including encrypted connections (TLS), row-level security policies restricting data access to authorized users, secure file storage with access controls, and hashed passwords. While we take reasonable measures to protect your data, no method of electronic storage is 100% secure.

6. Data Retention

We retain your account data and uploaded content for as long as your account is active. Upon account deletion, we will remove your personal data and uploaded documents within 30 days, except where retention is required by law. Aggregated, anonymized data that cannot identify you may be retained indefinitely.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate personal data
• Deletion — Request deletion of your personal data and account
• Export — Request a machine-readable copy of your data
• Restriction — Request that we limit processing of your data
• Objection — Object to certain types of processing

To exercise any of these rights, contact us through the platform or at the email address provided in your account settings.

8. Client Data Processing and Lawyer Responsibilities

When your clients submit intake forms or you upload client material, we process that data on your behalf. You are the data controller (and, under the Israel Privacy Protection Law, the database holder) for client data. RIVI acts as a data processor. You are responsible for:

• Ensuring you have a lawful basis to collect, hold, and process your clients' information.
• Informing your clients about how their data will be handled, including the third-party providers listed in Section 4 and the AI processing they will undergo.
• Obtaining explicit, written client consent before submitting client-identifying material to any AI feature of the Service, in accordance with the Israel Bar Association Ethics Committee's May 2024 guidelines on lawyers' use of AI.
• Determining whether your firm's database registration obligations under Section 8 of the Privacy Protection Law are triggered by your use of RIVI, and registering accordingly.
• Notifying your own clients of any incident that affects their data in a manner consistent with your professional confidentiality and notification duties.

RIVI maintains an internal incident-response plan and will notify you without undue delay (and in any event within 72 hours of confirmation) of any incident affecting your data. Your subsequent notification to your own clients remains your responsibility.

8a. Israeli Data Protection Rights

Under Israel's Privacy Protection Law (1981, as amended including Amendment 13, August 2025), you and your clients have rights including: the right to inspect personal data held in a registered database (§13), the right to request correction or deletion of inaccurate data (§14), and the right to object to certain uses of personal data. Requests can be addressed to us at the contact email recorded in your account settings. We will respond within the time period required by applicable law.

9. Cookies and Tracking

We use essential cookies for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled. We do not use advertising cookies or third-party tracking pixels.

10. Data Sharing

We do not sell, rent, or trade your personal data. We only share data with the third-party service providers listed above, and only as necessary to operate the Service. We may disclose data if required by law, legal process, or to protect the rights, property, or safety of our users or the public.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For privacy-related inquiries, please contact us through the platform or at the email address provided in your account settings. Also see our Terms of Service.