River
Start Free

Privacy Policy

Last Updated: April 8, 2026

1. Introduction

River Labs, Inc. ("River," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our AI-powered writing workspace and related applications (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Services.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password, and profile information you provide when registering
  • Content: Documents, files, prompts, and other content you create, upload, or share through our Services
  • Payment Information: Billing name, address, and card details, which are processed and stored by our payment processor (Stripe). We do not store full card numbers
  • Communications: Messages you send to our support team, feedback you submit, and any other communications with us

2.2 Automatically Collected Information

  • Usage Data: Features used, actions taken, documents created, and time spent in the application
  • Device and Technical Information: Browser type and version, operating system, IP address, device identifiers, and referring URLs
  • Log Data: Server logs including access times, pages viewed, and errors encountered
  • Analytics Data: Performance metrics, feature usage patterns, and aggregate behavioral data to improve our Services

3. How We Use Your Information

We use the information we collect for the following purposes and under the following legal bases:

  • Providing our Services (performance of contract): Creating and managing your account, processing transactions, and delivering the features you request
  • Improving our Services (legitimate interest): Analyzing usage patterns, developing new features, troubleshooting technical issues, and optimizing performance
  • Security and fraud prevention (legitimate interest): Detecting, investigating, and preventing unauthorized access, abuse, and fraudulent activity
  • Customer support (performance of contract / legitimate interest): Responding to your inquiries, resolving disputes, and providing technical assistance
  • Legal compliance (legal obligation): Meeting our obligations under applicable law and responding to lawful requests from authorities
  • Marketing communications (consent or legitimate interest): Sending product updates, feature announcements, and promotional content, where permitted. See Section 14 for opt-out options

4. AI and Your Content

We take special care with how we handle your content in relation to our AI features:

  • Your Content Remains Yours: You retain all rights to content you create. We process your content only to provide and operate our Services
  • No AI Training on Your Content: We do not use your documents, drafts, or other personal content to train AI models. Content you submit to AI-powered features is processed in real time to generate responses and is not retained for model training purposes
  • Third-Party AI Providers: To deliver AI-powered features, your prompts and relevant content are transmitted to third-party AI providers, which currently include Anthropic, OpenAI, and other model providers we may use from time to time. These providers process your content under strict data protection agreements and do not use your content to train their models under our agreements with them. The specific provider(s) used may vary depending on the feature and model you select. We encourage you to review the privacy policies of our AI providers, including Anthropic's Privacy Policy and OpenAI's Privacy Policy
  • Secure Processing: Content transmitted to AI providers is encrypted in transit using TLS and at rest using AES-256 encryption

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate our Services, remember your preferences, and understand how you interact with our platform.

5.1 Types of Cookies We Use

  • Essential Cookies: Required for the Services to function. These include authentication tokens and session identifiers. You cannot opt out of these without losing access to our Services
  • Preference Cookies: Store your settings and preferences (e.g., theme, language, editor layout) so we can remember them across sessions
  • Analytics Cookies: Help us understand how users interact with our Services, which features are most used, and where issues arise. We use analytics tools for this purpose
  • Performance Cookies: Monitor application performance, load times, and error rates to help us identify and fix technical issues

5.2 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a cookie is set. Please note that disabling certain cookies may affect the functionality of our Services. For more information on managing cookies, visit allaboutcookies.org.

5.3 "Do Not Track" Signals

Some browsers offer a "Do Not Track" (DNT) setting that sends a signal to websites you visit indicating that you do not wish to be tracked. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, we do not respond to DNT signals. However, you can manage your cookie preferences as described above and exercise your privacy rights as described in Section 9 of this policy.

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • With Your Consent: When you explicitly authorize us to share your information with a specific party
  • Service Providers: With vetted third-party vendors who perform services on our behalf, including payment processing (Stripe), AI processing (Anthropic, OpenAI, and others), cloud hosting (Amazon Web Services), analytics (Mixpanel, Google Analytics), and customer support tools. These providers are bound by data processing agreements and may only use your information to perform services for us
  • Business Transfers: In connection with a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, in which case your information may be transferred as a business asset. We will notify you of any such transfer and the choices you have
  • Legal Requirements: When required by law, court order, or valid legal process, or when we believe disclosure is necessary to protect the rights, property, or safety of River, our users, or the public
  • Aggregated and De-identified Data: Non-personally identifiable, aggregated data that cannot reasonably be used to identify you may be shared for research, analytics, or industry reporting purposes

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Role-based access controls and least-privilege principles
  • Multi-factor authentication requirements for administrative access
  • Employee training on data protection and security practices
  • Incident response procedures and breach notification protocols

However, no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

8. Data Retention

We retain your information for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy. Our general retention periods by data category are:

  • Account and profile data: Retained for the duration of your account, plus up to 30 days after account deletion to allow for account recovery, after which it is deleted or anonymized
  • User-created content (documents, files): Retained while your account is active. Deleted within 30 days of account deletion, unless a longer retention is required by law
  • Payment and billing records: Retained for 7 years from the date of transaction to comply with tax and accounting regulations
  • Usage and analytics data: Retained in identifiable form for up to 24 months, after which it is aggregated or anonymized
  • Support communications: Retained for up to 3 years to assist with ongoing or future support requests
  • Security and audit logs: Retained for up to 12 months for security monitoring and incident response purposes

We may retain certain information longer where required by legal, regulatory, or contractual obligations, or where necessary to resolve disputes or enforce our agreements.

9. Your Privacy Rights

Depending on your location, you may have the following rights with respect to your personal information. We will respond to verified requests within 30 days (extendable by an additional 30 days where necessary, with notice).

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Data Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we limit our processing of your information in certain circumstances
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing
  • Opt-Out of Marketing: Opt out of promotional communications at any time (see Section 14)

To exercise these rights, please contact us at team@rivereditor.com. We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.

10. International Data Transfers

River Labs, Inc. is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your country.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): The European Commission-approved standard contractual clauses for data transfers, which are incorporated into our agreements with service providers processing EU personal data
  • Adequacy Decisions: Where the European Commission has determined that a country provides an adequate level of protection

You may request a copy of the relevant transfer mechanism by contacting us at team@rivereditor.com.

11. Children's Privacy

Our Services are not directed to individuals under 18 years of age, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected personal information from a child under 18, please contact us immediately at team@rivereditor.com and we will take prompt steps to delete such information.

12. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), effective January 1, 2023.

12.1 Your California Rights

  • Right to Know: Know what categories of personal information we collect, use, disclose, and sell (we do not sell)
  • Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information we maintain about you
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: Request that we limit the use and disclosure of sensitive personal information (such as precise geolocation, financial data, or health information) to providing the Services
  • Right of Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

12.2 Categories of Personal Information Collected

In the last 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, IP address)
  • Commercial information (subscription and transaction records)
  • Internet or electronic network activity (usage data, log data)
  • Professional or employment-related information (where voluntarily provided in content)
  • Inferences drawn from the above to create a profile about preferences and behavior

12.3 Exercising Your California Rights

To exercise your California rights, contact us at team@rivereditor.com or use the data controls in your account settings. We will respond to verifiable consumer requests within 45 days. You may designate an authorized agent to make requests on your behalf by providing written authorization.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent legislation grants you additional rights and imposes additional obligations on us.

13.1 Lawful Bases for Processing

We process your personal data under the following lawful bases:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing necessary to provide our Services, manage your account, and fulfill our contractual obligations to you
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing for security, fraud prevention, product improvement, and direct marketing to existing customers, where our interests are not overridden by your fundamental rights
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable law, including financial record-keeping and responses to lawful authority requests
  • Consent (Art. 6(1)(a) GDPR): Processing based on your explicit consent, including certain marketing communications and optional analytics. You may withdraw consent at any time

13.2 Your GDPR Rights

In addition to the rights described in Section 9, EU/EEA/UK residents have the right to:

  • Object to Processing: Object at any time to processing based on legitimate interests, including profiling and direct marketing. Upon objection to direct marketing, we will cease processing immediately
  • Not be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling, that produce significant legal or similarly significant effects
  • Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. For UK residents, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk

We will respond to GDPR rights requests within 30 days. For complex or numerous requests, we may extend this period by an additional 60 days, and will notify you of any extension within the initial 30-day period.

13.3 Data Controller

River Labs, Inc. acts as the data controller for personal data collected through our Services. To contact us regarding GDPR matters, email team@rivereditor.com.

14. Marketing Communications

We may send you product updates, feature announcements, tips, and promotional offers by email. We will only send marketing communications where permitted by applicable law — either with your consent or, for existing customers, based on legitimate interest in informing you about related products and services.

You can opt out of marketing emails at any time by:

  • Clicking the "Unsubscribe" link in any marketing email we send
  • Adjusting your notification preferences in your account settings
  • Contacting us at team@rivereditor.com

Even after opting out of marketing communications, you will continue to receive transactional and administrative emails necessary for the operation of your account (e.g., receipts, security alerts, and policy updates).

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will: (a) update the "Last Updated" date at the top of this page, and (b) where practicable, notify you by email to the address associated with your account at least 30 days before the changes take effect.

Your continued use of our Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using our Services and may request deletion of your account.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

River Labs, Inc.

Email: team@rivereditor.com