RIVLET

Legal

Privacy Policy

Rivlet AI · rivlet.ai · Last updated: June 2026

Adapted from Automattic's Privacy Policy (CC-BY-SA 4.0).

The short version

Your voice, audio, and training data never leave your device. All model training and inference runs entirely in your browser via WebAssembly. We never receive, store, or process your audio. The only personal data we hold is what you give us to create an account or request early access.

Who we are

Rivlet AI operates rivlet.ai, a platform for building and running on-device AI classifiers, based in Berkeley, California. Contact us at hello@rivlet.io.

Our principles: collect only what we need; never sell your personal information; never access your audio or training data; full transparency about what we collect and why.

Information we collect

We only collect information we have a reason to collect — to provide our service, communicate with you, or keep things running.

Information you provide directly

  • Early-access form: email, name, what you want to build, X/Twitter handle or LinkedIn URL, and optionally role or company.
  • Account sign-in: email address and, if you register a passkey, the public-key credential generated by your device. Your private passkey never leaves your device.

Information collected automatically

  • Session cookie: a token to keep you signed in. This is the only cookie we set. No analytics, advertising, or third-party tracking cookies.
  • Server logs: our hosting provider (Vercel) collects standard web server logs including IP address and browser type. We do not use these for profiling.

What we do not collect: audio, voice recordings, or training data. None of that ever reaches our servers. Model weights are only stored if you explicitly publish a model to the marketplace — see below.

In-browser model training

When you train or run a model on this site, everything happens locally in your browser using the Rivlet WebAssembly runtime. Your microphone audio, recordings, and training data are processed entirely on your device — never transmitted to our servers. We have no technical means to observe what you say or train.

Models you create are saved to your browser's local storage on your device by default — we do not store them. If you choose to publish a model to the marketplace, the trained model weights are uploaded to and stored on our servers so that others can download and use them. The audio or data you used to train that model is not uploaded — only the resulting weights. You can remove a published model at any time, which will delete the stored weights.

How and why we use information

  • To provide our service: manage your account, grant early-access, keep you signed in.
  • To communicate with you: send magic-link sign-in emails and transactional messages. Contact you about your application or Rivlet updates. You can opt out of marketing messages at any time by emailing us.
  • To protect the service: detect and prevent abuse, fraud, or security incidents.

We do not sell your data, share it with advertisers, run behavioral analytics, or use anything you do on the site to train shared AI models.

Sharing information

  • Service providers: we use Neon (Postgres, hosted on AWS in the US), Vercel (hosting), and Resend (transactional email). These are our only third-party processors.
  • Legal requirements: we may disclose information if required by law, subpoena, or valid legal process.
  • Business transfers: in a merger or acquisition, user information may be transferred, with this policy continuing to apply.
  • With your consent: we may share information in other cases with your explicit consent.

Cookies

We use exactly one cookie: authjs.session-token (or __Secure-authjs.session-token over HTTPS), set when you sign in. It is an essential cookie required for authentication, expires after 30 days of inactivity, and can be cleared by signing out. No analytics or advertising cookies are set.

How long we keep information

We retain account information for as long as your account is active. Early-access form submissions are retained to manage the beta program. You can request deletion at any time. We will delete or anonymize your information when it is no longer needed.

Security

All data in transit is protected by HTTPS. Passwords are never stored — we use passkeys and magic-link emails. While no online service is 100% secure, we take reasonable measures to protect your information.

Your rights

You have the right to access, correct, or delete your personal data. Email hello@rivlet.io and we will respond within 30 days.

California residents (CCPA/CPRA): You have the right to know what personal information we collect, to request deletion, and to opt out of any sale. We do not sell personal information. Email hello@rivlet.io with the subject “California Privacy Request.”

EEA/UK residents: To the extent EU or UK data protection law applies, you may have additional rights including the right to object to processing, data portability, and the right to lodge a complaint with a supervisory authority. Our legal basis for processing is performance of our service agreement and our legitimate interest in operating the service.

Children

The service is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. Contact us if you believe we have done so inadvertently and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. We will note the date at the top. Material changes will be communicated by email to registered users before taking effect.

Contact

Questions, requests, or concerns: hello@rivlet.io