Privacy Policy

Version 1.0

Effective date: February 16, 2026

Oak River Studios LLC (d/b/a "Rivera," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services (the "Services").

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Name, email address, phone number, company name, and billing information when you create an account.
• Business Data: Client information, invoices, projects, documents, and other data you enter into Rivera to manage your business.
• Communications: Messages, support requests, and feedback you send to us.
• E-Signature Data: Documents, signatures, and signing metadata (timestamps, IP addresses) processed through our e-signature features.

1.2 Information Collected Automatically

• Usage Data: Information about how you interact with our platform, including features used, pages visited, and actions taken.
• Device Information: Browser type, operating system, device identifiers, and IP address.
• Log Data: Server logs including access times, pages viewed, and referring URLs.
• Cookies and Tracking: We use cookies and similar technologies to collect information about your browsing activities. See Section 9 for details.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Process transactions and send related information
• Send you technical notices, updates, security alerts, and support messages
• Send promotional communications (with your consent)
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent transactions and other illegal activities
• Personalize and improve your experience

3. Third-Party Integrations and OAuth Connections

3.1 Google API Services

Rivera offers optional integrations with Google services, including Google Analytics (GA4) and Google Search Console. When you connect your Google account through Rivera's Settings, we request access to the following data via OAuth 2.0:

• Google Analytics (GA4): Read-only access to your Analytics properties, including website traffic data, session metrics, and audience reports.
• Google Search Console: Read-only access to your verified sites, including search performance data, impressions, clicks, and indexing status.

This data is used solely to display analytics and search performance within your Rivera dashboard. We do not modify your Google Analytics or Search Console configurations.

3.2 Use and Handling of Google Data

Rivera's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data for the purposes described in this policy and as displayed within the Rivera platform.
• We do not use Google user data for advertising, marketing, or any purpose unrelated to providing the Rivera Services.
• We do not sell Google user data to third parties.
• We do not use Google user data to build user profiles for advertising or to serve ads.
• Human access to Google user data is limited to what is necessary for support, debugging, or legal compliance, with your consent where required.

3.3 Token Storage and Revocation

OAuth access tokens and refresh tokens are stored encrypted (AES-256-CBC) in our database. You can disconnect your Google account at any time through Rivera's Settings page, which revokes the stored tokens and removes access. You may also revoke Rivera's access directly from your Google Account permissions page.

3.4 Other Third-Party Integrations

Rivera may offer integrations with additional third-party services (such as QuickBooks, Printful, and others). Each integration uses OAuth 2.0 or equivalent secure authorization. Data accessed through these integrations is used solely to provide the connected features within your Rivera account, stored encrypted, and can be disconnected at any time through Settings.

4. AI Data Processing

4.1 How AI Features Use Your Data

When you use AI-powered features within Rivera (including Lumo, our AI assistant), certain business data necessary for these functions may be processed by approved third-party AI service providers (such as Anthropic) under strict confidentiality and security obligations. Your Data is transmitted securely and is used solely to generate responses within your account. These providers do not retain Your Data beyond the scope of the request and do not use it for their own model training.

4.2 AI Data Boundaries

• We do not use Your Data to train general-purpose AI models shared with other customers.
• AI processing is limited to providing features and services within your account.
• You can opt out of AI-powered features through your account settings where available.

4.3 Aggregated Data for AI Improvement

We may use aggregated, anonymized data (which cannot identify you or your business) to improve our AI systems, develop new features, and generate industry benchmarks. This data is stripped of all personally identifiable information before use.

5. SMS and Text Messages

5.1 Messages from Rivera to You

If you opt in to receive SMS or text messages from Rivera (by providing your phone number during account registration and consenting via checkbox or account settings), you consent to receive automated text messages related to:

• Two-Factor Authentication (2FA): Security verification codes to protect your account
• Account Notifications: Important alerts about your account status, billing, and security
• Service Updates: Critical information about our Services

Message frequency varies based on your account activity and security events. Message and data rates may apply. You can opt out of non-security SMS messages at any time by replying STOP to any message or updating your notification preferences in your account settings. Reply HELP to any message for support, or contact us at [email protected].

5.2 Phone Numbers and Messaging Data

When you or your customers interact with Rivera's messaging features, we collect and store phone numbers and message metadata (timestamps, delivery status, opt-in/opt-out status). Message content sent through business-to-customer and Lumo-initiated messaging is logged for audit and compliance purposes. SMS services are provided by Twilio, Inc. Phone numbers are shared with Twilio solely for message delivery and are subject to Twilio's Privacy Policy.

5.3 Your Customers' Data

If you use Rivera's messaging features to communicate with your customers, you are the data controller for your customers' phone numbers and message content. You are responsible for obtaining proper consent from your customers and complying with applicable privacy and telecommunications laws. Rivera processes this data on your behalf as a data processor.

6. Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following situations:

• Service Providers: With third-party vendors who perform services on our behalf, including:
  • Stripe — Payment processing
  • DigitalOcean — Cloud hosting infrastructure
  • Mailgun — Transactional email delivery
  • Twilio — SMS and voice communications
  • Shippo — Shipping services
  • Cloudflare — CDN and security
  • Anthropic — AI processing for intelligent features
• Legal Requirements: If required by law, regulation, or legal process
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: When you have given us permission to share your information
• Agency-Client Relationships: If you use Rivera through an agency, your agency may have access to your account data as part of their management role

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Two-factor authentication options
• Regular security assessments and updates
• Access controls and employee training
• Isolated per-account databases for customer data

7.1 Breach Notification

In the event of a data breach that compromises the security of your personal information, we will notify affected users as required by applicable law. Where required, we will provide notification without unreasonable delay, including a description of the nature of the breach and the steps we are taking in response.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide you services. Upon account termination:

• Your data will be available for export for 30 days following termination
• After the 30-day period, your data will be securely deleted
• We may retain certain data as necessary to comply with legal obligations, resolve disputes, and enforce agreements
• Aggregated, anonymized data may be retained indefinitely

9. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

• Access and receive a copy of your data
• Correct inaccurate or incomplete information
• Request deletion of your personal data
• Object to or restrict processing of your data
• Data portability
• Withdraw consent at any time

To exercise these rights, please contact us at [email protected].

10. Cookies and Tracking

We use cookies and similar tracking technologies to collect information about your browsing activities. Types of cookies we use:

• Essential Cookies: Required for the platform to function (authentication, security, session management). These cannot be disabled.
• Analytics Cookies: Used to understand how visitors interact with our platform. We use Google Analytics (GA4) to collect aggregated usage data such as pages visited, session duration, and traffic sources. Google may use this data in accordance with its own Privacy Policy.
• Marketing and Advertising Cookies: Used to measure the effectiveness of our advertising campaigns and deliver relevant ads. We use Meta Pixel (Facebook) to track conversions and build audiences for advertising purposes. Meta may use this data to serve targeted ads across its platforms. You can manage your Meta ad preferences at Facebook Ad Preferences.
• Preference Cookies: Remember your settings and preferences.

When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies (analytics and marketing). Essential cookies are always active as they are required for the platform to function. You can change your cookie preferences at any time through the cookie settings link in our website footer.

We do not respond to Do Not Track (DNT) browser signals, as there is no industry-standard method for honoring them. You can also control cookies through your browser settings.

11. Children's Privacy

Rivera is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us.

12. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers are located. By using the Services, you consent to the transfer of your information to the United States.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or posting a notice within the Services. Your continued use of the Services after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Oak River Studios LLC (d/b/a Rivera)
Email: [email protected]
Website: rivera.tech