Privacy Policy
Last updated: 1 June 2026
1. Who we are
Riveta (“we”, “our”, “us”) operates the website at riveta.co and the Riveta contractor platform. We help local service contractors send estimates, collect signatures, and capture deposits. Questions about this policy: privacy@riveta.co.
2. What personal data we collect and why
Contractors (registered accounts)
- Account data — name, email address, business name, phone number. Used to operate your account and communicate with you.
- Estimate and job data — customer names, addresses, line items, signatures, payment amounts. Required to deliver the service.
- Payment data — processed entirely by Stripe. Riveta never stores card numbers, bank details, or raw payment credentials.
- Usage data — pages visited, features used, error logs. Used to improve the product.
Customers of contractors
When a contractor sends you an estimate via Riveta, we process your name, email address, and IP address solely to deliver the estimate approval experience. We do not use this data for our own marketing and do not sell it.
Marketing site visitors
The marketing site (riveta.co) does not set analytics or advertising cookies. We collect anonymised server-side request logs (IP address, path, timestamp) for security and uptime monitoring. These logs are retained for 30 days.
3. Legal basis for processing (GDPR)
Where GDPR applies, we rely on:
- Contract performance — processing necessary to provide the service you signed up for.
- Legitimate interests — security monitoring, fraud prevention, product improvement.
- Legal obligation — retaining records required by law.
4. How long we keep your data
- Account data: for the life of your account, plus 90 days after deletion.
- Estimate and signature records: 7 years (legal record-keeping requirement).
- Server logs: 30 days.
5. Who we share data with
- Supabase — our database and authentication provider (SOC 2 Type II certified, data hosted in the United States).
- Stripe — payment processing (PCI DSS Level 1 certified).
- Resend — transactional email delivery.
- Vercel / Netlify — hosting and edge infrastructure.
We do not sell personal data. We do not share it with advertising networks or data brokers.
6. Your rights
Depending on where you are, you may have the right to access, correct, delete, or export your personal data, and to object to or restrict processing. To exercise any of these rights, email privacy@riveta.co. We respond within 30 days.
If you are in California, you may also have rights under the CCPA / CPRA, including the right to know, delete, and opt out of the sale of personal information (we do not sell personal information). We honour Global Privacy Control (GPC) signals.
7. Cookies
The marketing site does not use analytics or advertising cookies. The contractor dashboard uses a strictly necessary session cookie to keep you logged in. No consent is required for strictly necessary cookies.
8. Security
All data is encrypted in transit (TLS 1.3) and at rest. The database uses row-level security so each organisation can only access its own records. Payment data is tokenised by Stripe and never touches our servers.
9. Changes to this policy
We will post updates here and, for material changes, notify registered contractors by email at least 14 days in advance.
10. Contact
Data controller: Riveta
Email: privacy@riveta.co