Rival Privacy Policy
Effective Date: January 16, 2026
Rival, Inc. (“Rival,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy describes how we collect, use, share, and protect information in connection with our website, the Rival Marketplace, and related services (collectively, the “Services”).
By using the Services, you agree to this Privacy Policy and the terms described herein. If you do not agree, you should not use the Services.
Scope
This Privacy Policy applies to personal information collected through the Rival website (https://www.rival.io), the Rival Marketplace, and all online tools, software, or related offerings. Please also see our separate Terms of Service, which incorporate by reference this Privacy Policy and which include definitions applicable to this Privacy Policy. Capitalized terms that are not defined in this Privacy Policy have the meaning ascribed to them in the Terms of Service.
Unless otherwise expressly stated, this Privacy Policy does not apply to third-party websites, applications, or integrations not controlled by Rival. Each third party will have its own privacy practices and policies, which you should review before using them.
Information We Collect
Category
Examples of Data Collected
Collection Point
Purpose for Collection and Use
Identifiers
We collect:
Full name
Email address
Business address (we do not collect home addresses unless required for billing purposes)
Internet Protocol (IP) address
Account credentials and authentication tokens
Unique device identifiers and session identifiers
Collected when a user:
Creates an account
Logs into the platform
Contacts sales or support
Subscribes to communications
Collected via registration forms and direct communications
After launch, we will have a verified organization process, where we will require the business address to verify the legitimacy of the organization.
Create and manage user accounts
Authenticate users and control access
Communicate about the platform, updates, and support requests
Associate usage, billing, and permissions with the correct user or organization
Financial Information & Transaction Information
We collect:
Full name
Email address
Business address (we do not collect home addresses unless required for billing purposes)
Internet Protocol (IP) address
Account credentials and authentication tokens
Unique device identifiers and session identifiers
We collect financial information indirectly through our third-party payment processor, Stripe.
This information is collected when users:
Purchase function executions
Subscribe to paid plans
Receive payouts as developers
Process payments and facilitate payouts
Manage subscriptions and invoicing
Maintain financial records and comply with tax and accounting obligations
Geolocation Data
We collect limited general location information derived from IP addresses.
This information is automatically collected when users:
Access the website or platform
Log in or interact with services
Security monitoring and fraud prevention
Platform analytics via Google Analytics
Service optimization
Technical & Device Information
We collect:
IP address, browser type, operating system, device identifiers.
We do not engage in cross-site tracking or track your browsing activities outside of our Platform.
This information is automatically collected when users:
Access the website or platform
Log in or interact with services
Maintain platform security
Detect fraud, abuse, or unauthorized access
Optimize performance and compatibility
Support debugging and incident response
Internet or Network Activity Information
We collect:
Pages viewed, features used, navigation paths, referral sources
Collected through:
cookies, analytics tools, and platform logs during website and app usage
Understand how users interact with the platform
Improve usability, onboarding, and feature design
Measure the effectiveness of content and campaigns
Marketing & Communications Data
Email preferences, campaign interactions
Collected when users:
Opt into communications
Engage with marketing emails or announcements
Professional or Employment-Related Information
We may collect the following information if you voluntarily provide it:
- Job title
- Organization name
- Developer role or function
We do not collect employment history, performance evaluations, or salary information.
Collected during account setup
Collected when requesting enterprise access, demos, or sales conversations
Tailor the platform experience (builder vs buyer vs enterprise admin)
Route inquiries to the appropriate team
Support enterprise governance, permissions, and account management
Inferences
We derive limited inferences from the personal information we collect, including:
- Platform usage patterns (e.g., popular functions, feature utilization)
- Aggregate and anonymized analytics focused on platform performance, not individual profiling. All analytics are aggregated, anonymized, and platform-focused rather than individual-focused.
Categories We Do NOT Collect
We do not collect:
Medical or health information
Biometric information (e.g., fingerprints, facial recognition data, voiceprints)
Genetic data
Education information (e.g., transcripts, academic records)
Sensitive characteristics such as race, ethnicity, religious beliefs, or sexual orientation
Contents of private communications (unless you are communicating directly with us for support)
Precise geolocation data such as GPS coordinates.
We do not directly collect or store credit card numbers, bank account information, or other financial account credentials. This information is stored with third-party payment processors.
How We Use Information
Inclusive of the uses described above, we also use personal information for the following purposes:
| Purpose | Examples of Use |
| --- | --- |
| Service Delivery | Operating and maintaining the Rival Marketplace and related tools |
| Account Management | Processing transactions, managing authentication, and providing support |
| Product Improvement | Analyzing usage and troubleshooting performance |
| Security & Compliance | Preventing fraud, abuse, or unauthorized access; complying with legal obligations |
| Communications | Sending service notices, feature updates, or promotional materials (opt-out available) |
| Legal & Business Operations | Enforcing agreements, resolving disputes, and maintaining records |
We may also process aggregated, de-identified data for analytics, benchmarking, or research. Rival will only process personal data where it has a lawful basis to do so (e.g., your consent, contract performance, legitimate interests, or legal obligation).
How We Share Information
We only share data as outlined in this Privacy Policy. We may disclose personal information to:
Service Providers and Contractors who perform services on our behalf (hosting, analytics, payment processing, communications, customer support), under written agreements that restrict use to the stated purpose;
Integration Partners where you authorize a connection between Rival and another platform;
Professional Advisors (e.g., auditors, legal counsel) under confidentiality obligations;
Authorities or Regulators when required by law or to protect our rights, users, or the public; and
Successors in connection with a merger, acquisition, or other corporate transaction (with notice where required).
We do not sell or share personal information for cross-context behavioral advertising as defined by applicable state laws.
Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
Access the personal information we hold about you;
Request correction or deletion of your information;
Restrict or object to certain processing;
Request data portability; and
Opt out of marketing communications.
To exercise these rights, contact privacy@rival.io. We may require verification of your identity before fulfilling requests.
You may also manage cookie preferences through your browser or by using recognized opt-out mechanisms such as the Global Privacy Control (GPC) signal.
Cookies and Tracking Technologies
Cookies are small text files stored on your browser or device when you visit a site. They allow the site to recognize your device, remember preferences, and help us measure how the Services are used. We also use pixels, beacons, local storage, and API event logs that perform similar functions. In this Policy, we refer to all of them collectively as “cookies.”
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we will only use nonessential cookies after you have given valid consent in accordance with the GDPR and the ePrivacy rules. In these regions, nonessential cookies are turned off by default and you can accept all, reject all nonessential cookies, or choose specific categories.
6.1 How We Use Cookies
We group cookies into the following categories:
| Type | Purpose | Example Data Processed | Lawful Basis |
| --- | --- | --- | --- |
| Strictly Necessary | Enable core functionality such as authentication, security, and load balancing. | Session ID, login token | Legitimate interest / essential for service |
| Performance & Analytics | Measure site traffic, usage patterns, and feature performance. | Page views, device type, referrer | EEA/UK/Switzerland: Consent. United States and other regions: Legitimate interest / contract, except where applicable law requires consent or opt-out. |
| Functional | Remember user preferences such as language, theme, and saved sessions. | UI settings | Consent |
| Marketing & Advertising | Deliver or measure ads and track engagement across platforms. | Ad clicks, LinkedIn pixel ID | Consent |
| Development & Debugging | Monitor errors and performance during testing or deployment. | Console logs, environment IDs | EEA/UK/Switzerland: Consent. United States and other regions: Legitimate interest / contract, except where applicable law requires consent or opt-out. |
6.2 Cookies We Commonly Use
| Provider | Purpose | Duration | Type |
| --- | --- | --- | --- |
| Rival (first-party) | Authentication, session management | Session | Strictly necessary |
| Stripe | Payment and fraud prevention | Up to 1 year | Strictly necessary |
| Google Analytics (GA4) | Usage analytics, traffic sources | 2 years | Performance |
| LinkedIn Insights Tag | Marketing and conversion tracking | 6 months | Marketing |
| Plausible (EU) | Anonymous traffic stats | 12 months | Analytics |
| Cloudflare | CDN and load balancing | Session | Strictly necessary |
We may update this list periodically as we add or remove integrations.
6.3 Consent
You can manage or withdraw consent at any time by:
Adjusting your browser settings to block or delete cookies;
Using recognized opt-out tools (e.g., YourAdChoices, Network Advertising Initiative);
Enabling Global Privacy Control (GPC) or Do Not Track (DNT) signals — Rival honors these where technically feasible.
If you disable certain cookies, some parts of the Rival platform may not function properly (such as login sessions or saved preferences).
You can change or withdraw your cookie choices at any time by clicking ‘Cookie Settings’ in the site footer or revisiting the banner. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
6.4 Cookie Retention
We retain cookie data for as long as necessary for the purposes described above. Analytics cookies typically persist for 6–24 months unless you delete them earlier.
Data Security
Rival implements administrative, technical, and physical safeguards consistent with industry standards (including encryption in transit and at rest, access controls, and monitoring). While we take reasonable precautions, no method of transmission over the Internet or electronic storage is completely secure.
If we experience a data breach that poses a risk to your rights or freedoms, we will notify affected users and relevant authorities as required by law.
Data Retention
We retain personal information only as long as necessary to:
Provide the Services and maintain your account;
Comply with legal or accounting obligations; and
Resolve disputes or enforce agreements.
We use the following criteria to determine how long we retain personal information: (a) our relationship with you, such as if there is an open contract or account or a pending transaction or request; (b) legal obligations to retain personal information for certain purposes, such as to maintain transaction records; and (c) other obligations or considerations relating to the retention of data, such as contract requirements, litigation holds, investigations, or statutes of limitation.
When data is no longer needed, it is securely deleted, anonymized, or archived in accordance with our retention policy.
International Transfers
If you access the Services from outside the United States, your information may be transferred to and processed in jurisdictions that may not provide the same level of data protection as your home country. Where required, Rival uses appropriate legal mechanisms such as Standard Contractual Clauses (SCCs) or equivalent safeguards to protect your information.
Developer and Enterprise Accounts
For users operating under an enterprise agreement, the organization’s account owner or administrator may control access, use, and retention of associated user data. Please direct any enterprise-level privacy requests to your organization’s administrator first.
Children's Privacy
The Services are not directed to or intended for children under 16. If we become aware that a child’s information has been collected, we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in law or our practices. When updates are material, we will provide notice through the Services or via email before the new terms take effect.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or Rival’s privacy practices, contact us at:
Rival, Inc.
505 N Angier Ave NE
Atlanta, GA 30308
info@rival.io
Rival Data Processing Addendum (DPA)
Last Updated: January 16, 2026
This Data Processing Addendum (“Addendum”) forms part of the Terms of Service (the “Agreement”) between the customer (“Customer,” “you,” or “your”) and Rival Inc. (“Rival,” “we,” “us,” or “our”). This Addendum applies when Rival processes personal data on behalf of Customer in connection with the Services. The parties agree as follows:
Roles and Scope
1.1 Roles of the Parties.
For purposes of applicable privacy laws (including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 (“UK DPA”), and the California Consumer Privacy Act 2018, as amended by the CPRA (“CCPA”)), Customer acts as the Data Controller (or “Business”), and Rival acts as the Data Processor (or “Service Provider”).
1.2 Scope.
This Addendum governs Rival’s processing of personal data submitted by Customer or its users (“Customer Data”) in connection with providing the Services.
1.3 Records of Processing.
This Addendum governs Rival’s processing of personal data submitted by Customer or its users (“Customer Data”) in connection with providing the Services.
Nature and Purpose of Processing
Rival processes Customer Data solely for the following purposes:
To provide, maintain, and improve the Services;
To support, secure, and troubleshoot Customer accounts;
To detect, prevent, or address security incidents and technical issues;
To comply with applicable law or enforce legal rights;
For any other purpose expressly authorized in writing by Customer.
In the case of Rival’s AI marketplace, to route Customer Data to and from AI models and related functionality as configured by Customer, subject to the restrictions in this Addendum.
Rival shall not use Customer Data to train, retrain, or otherwise improve Rival’s or any third party’s general-purpose machine learning models that are made available to other customers, unless such use is expressly authorized in the Agreement or in a separate written instruction from Customer. Any analytics or benchmarking performed by Rival in respect of the Services shall either (a) rely only on data that has been anonymized in accordance with GDPR standards so that it is no longer personal data; or (b) rely on deidentified information that cannot reasonably be linked to a particular consumer or household, as defined under the CCPA/CPRA.
The types of personal data processed and the categories of data subjects are described in Schedule 1 below.
Customer Responsibilities
Customer is responsible for determining the lawful basis of processing and ensuring its instructions comply with all applicable privacy laws.
Customer must not instruct Rival to process personal data in violation of data-protection laws.
Customer represents that it has obtained all necessary consents or other lawful bases to collect and transfer Customer Data to Rival.
Customer acknowledges that certain third party AI model providers available through the Services may act as independent controllers or separate processors with respect to Customer Data. Where Customer chooses to enable such third party AI models, Customer is responsible for reviewing and accepting the applicable terms with those providers. Rival shall ensure that any such providers that act as sub-processors are bound by data protection terms consistent with this Addendum; where they act as independent controllers, Rival shall disclose this role to Customer in the Documentation or as otherwise agreed in writing.
Rival's Obligations
Rival agrees to:
4.1 Process only on instructions. Rival will process Customer Data only on documented instructions from Customer, unless required by law; in such case, Rival shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Rival will promptly notify Customer if it believes an instruction infringes applicable data-protection laws or if Rival is unable to comply with Customer’s instructions.
4.2 Confidentiality. Rival ensures that all personnel authorized to process Customer Data are subject to confidentiality obligations.
4.3 Security. Rival implements appropriate technical and organizational measures to protect Customer Data, including encryption, access controls, and regular testing. Such measures shall be designed to ensure a level of security appropriate to the risk in accordance with GDPR Article 32, including, as appropriate: (a) the pseudonymization and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
4.4 Sub-processors.
Rival may engage sub-processors to assist in providing the Services.
Rival maintains an up-to-date list of sub-processors at https://www.rival.io/subprocessors (or such other URL as Rival may specify) and shall provide Customer with a mechanism to subscribe to notifications of changes to that list.
Rival shall have general written authorization from Customer to engage sub-processors. Rival will notify Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving Customer the opportunity to object to such changes on reasonable and legitimate data protection grounds within thirty (30) days of receiving notice.
Rival will ensure sub-processors are bound by data protection terms imposing data protection obligations that are no less protective than those set out in this Addendum, including obligations required by GDPR Article 28(3) and applicable CCPA/CPRA regulations.
4.5 Data Subject Requests. Rival will assist Customer in fulfilling data subject rights requests, including rights of access, deletion, rectification, restriction, portability, objection, and opt‑out, as applicable under GDPR, the UK DPA, and CCPA/CPRA, to the extent feasible and legally permitted. Where a data subject or consumer submits a request directly to Rival that relates to Customer Data, Rival shall, where reasonably identifiable, promptly forward such request to Customer and shall not respond to such request except on the documented instructions of Customer or as required by law.
4.6 Data Breach Notification. Rival will notify Customer without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a personal data breach involving Customer Data and will provide sufficient information for Customer to meet its legal obligations to notify regulators and/or affected data subjects or consumers. Such information shall include, to the extent known to Rival at the time of notification: (a) a description of the nature of the personal data breach, including the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the personal data breach; and (c) the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects. Rival shall provide updates as further information becomes available.
4.7 Audit Rights. Rival will make available all information reasonably necessary to demonstrate compliance with this Addendum and will allow audits by Customer or an independent auditor (subject to reasonable notice, scope, and confidentiality).
4.8 Assistance with DPIAs and Consultations. Taking into account the nature of the processing and the information available to Rival, Rival shall provide reasonable assistance to Customer in relation to data protection impact assessments and prior consultations with supervisory authorities that Customer is required to undertake under GDPR Articles 35 and 36 or equivalent provisions of other data protection laws, solely in connection with the Services and the processing of Customer Data.
4.9 Compliance with CCPA/CPRA Obligations. Rival certifies that it understands and shall comply with the restrictions and obligations applicable to “service providers” and “contractors” under the CCPA/CPRA and its implementing regulations, as applicable to Rival’s processing of personal information on behalf of Customer. Rival shall promptly notify Customer if Rival determines that it can no longer meet its obligations under the CCPA/CPRA.
International Transfers
5.1 EEA and UK Transfers. Where Rival transfers Customer Data outside the EEA or UK, it will do so under approved Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR Articles 45–47. For transfers from Customer (as data controller) in the EEA or UK to Rival (as data processor) in a third country not covered by an adequacy decision, the parties hereby agree that the EU SCCs (Controller to Processor) in the form set out in Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), as supplemented by the UK International Data Transfer Addendum (IDTA) where applicable, are incorporated into this Addendum by reference. Where Rival further transfers Customer Data to its subprocessors in third countries, Rival shall ensure that appropriate transfer mechanisms are in place (including, where applicable, Module Three (Processor to Processor) of the SCCs). Rival shall provide reasonable assistance and information requested by Customer to conduct any required transfer impact assessments in connection with such transfers.
5.2 U.S. Data Privacy Laws.
Rival certifies that it will not:
“Sell” or “share” personal information (as defined under the CCPA/CPRA);
Retain, use, or disclose Customer Data for any purpose (including a commercial purpose) other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA/CPRA;
Retain, use, or disclose Customer Data outside the direct business relationship between Rival and Customer; or
Combine Customer Data with personal information obtained from other sources, except as permitted by applicable law (for example, for detecting security incidents or preventing fraud) or as expressly authorized in writing by Customer.
Use Customer Data for purposes other than providing the Services.
Rival shall comply with all applicable portions of the CCPA/CPRA and its implementing regulations in providing the Services.
Data Retention and Deletion
Upon termination or expiration of the Agreement:
Rival will delete or return all Customer Data within a reasonable period (up to 60 days), unless retention is required by law. Where Customer elects return, Rival shall provide Customer Data in a commonly used, machine‑readable format.
Rival may retain backup copies for a limited period solely for security and continuity purposes, provided that such backups are subject to appropriate technical and organizational measures, are not actively processed for any other purpose, and are deleted in accordance with Rival’s documented retention schedules.
Liability
Each party’s liability under this Addendum is subject to the Limitation of Liability set forth in the main Agreement.
Miscellaneous
This Addendum prevails over any conflicting terms in the Agreement regarding data protection.
Nothing in this Addendum limits either party’s obligations under applicable law.
If any provision is invalid, the remaining provisions remain in effect.
This Addendum is governed by the same law and jurisdiction as the main Agreement.
Schedule 1 — Details of Processing
| Category | Description |
| --- | --- |
| Subject matter of processing | Processing of personal data in connection with Rival’s AI marketplace and related Services. |
| Duration | For the duration of the Agreement, unless otherwise required by law. |
| Nature and purpose of processing | Hosting, storage, compute, support, billing, and delivery of the Services, including operation of Rival’s AI marketplace to route Customer Data to and from AI models selected and configured by Customer, subject to the restrictions in this Addendum. |
| Types of personal data | Account information (name, email, company, payment data), usage data (IP, browser, logs), and any data uploaded by Customer, which may include personal data contained in unstructured inputs and outputs generated through AI models. Customer shall ensure that such inputs do not intentionally include special categories of personal data under GDPR or sensitive personal information under CCPA/CPRA unless explicitly agreed in writing. |
| Categories of data subjects | Customer employees, contractors, users, and any individuals whose data appears in Customer-uploaded inputs. |
Schedule 2 — Standard Contractual Clauses (EU/UK Transfers)
Where applicable, the parties incorporate by reference:
EU SCCs (Controller to Processor) approved under Commission Implementing Decision (EU) 2021/914; and
UK International Data Transfer Addendum (IDTA) as issued by the UK ICO.
