Privacy Policy
Last updated: 2026-05-30
This policy explains what data RivlWatch collects, why, and the rights you have over it. We've written it to be read, not to hide behind. RivlWatch serves customers in the EU and is designed to align with the GDPR.
Who we are
RivlWatch (“RivlWatch”, “we”, “us”) is a competitor-intelligence service for performance marketers, operated by IYC GROUP LLC, a Wyoming (USA) limited liability company registered at 75 E 3rd St, Sheridan, WY 82801. For any privacy question or to exercise your rights, contact us at privacy@rivlwatch.com. For general support, use support@rivlwatch.com.
For the purposes of EU data-protection law, IYC GROUP LLC is the data controller for the personal data described in this policy.
What data we collect
We deliberately collect as little as possible. Specifically:
- Account data — your email address and a securely hashed password (we never store your password in plain text). Optionally a display name.
- Billing data — handled by our payment processor, Stripe. We store a Stripe customer reference and your current plan/subscription status. We do not see, receive, or store your full card number — Stripe does.
- Product usage — which competitors you track, your saved reports, and per-cycle usage counters (audits run, deep analyses used) so we can enforce plan limits and operate the service.
- Technical logs — standard server logs (IP address, timestamp, request path) used for security, rate-limiting and debugging, retained for a limited period.
The competitor data we read
RivlWatch's entire value comes from public data. When you audit or track a competitor, we read:
- The Meta (Facebook) Ad Library — ads brands are legally required to make public.
- EU Digital Services Act (DSA) transparency disclosures that Meta is legally required to publish, including the reach and broad audience breakdown of ads.
- Public Shopify storefront data — product, price and availability information that any visitor to the store can see.
We do not access private accounts, scrape data behind a login, or buy personal data. We read the public record and structure it. If a competitor you track is an individual rather than a brand, only information they have already made public through these channels is processed.
To keep a stable historical record (ad creatives expire from Meta's CDN within days), we store copies of the public ad media — images and videos — that brands run. If you are a rights holder and believe content should be removed, email legal@rivlwatch.com with the details and we will action a valid takedown request.
Why we process your data (legal bases)
- To perform our contract with you — creating your account, running audits, tracking the stores you choose, and enforcing your plan limits.
- Legitimate interests — keeping the service secure, preventing abuse, and improving the product, balanced against your rights.
- Legal obligations — retaining records (e.g. invoices) where the law requires it.
- Consent — where we ever rely on it (for example, optional product emails), you can withdraw it at any time.
Who we share data with
We do not sell your personal data. We share it only with the sub-processors we need to run RivlWatch. Where data is processed outside the EEA we rely on appropriate safeguards such as Standard Contractual Clauses.
- Stripe — payment processing and subscription billing.
- Vercel — application hosting and serverless compute.
- Neon — primary PostgreSQL database.
- Hetzner — background worker & analytics infrastructure.
- Cloudflare (R2) — storage of the public competitor ad media we archive.
- Resend — transactional email delivery.
- ScrapeCreators — retrieval of public ad-library & social data.
- Google (Gemini) and Anthropic (Claude) — AI analysis of the public competitor creatives you ask us to audit. We send the public ad content being analysed, not your account credentials.
- Sentry — error monitoring (when enabled); configured not to send personal data by default.
How long we keep it
We keep your account data for as long as your account is active. If you close your account, we delete or anonymise your personal data within a reasonable period, except where we must retain certain records (such as billing records) to meet legal obligations. Technical logs are retained only for a limited period.
Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Erase your data (“right to be forgotten”), subject to legal retention requirements.
- Restrict or object to certain processing.
- Data portability — receive your data in a portable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these, email privacy@rivlwatch.com and we will respond within the timeframe the law requires.
Security
Passwords are stored hashed, payment data is handled by Stripe, and access to production data is restricted. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your data.
Cookies & advertising
We use cookies that are necessary to keep you signed in and operate the service (such as your session). We also use third-party advertising and analytics technologies — the Meta (Facebook/Instagram), TikTok, and Google (Google Ads & Google Analytics 4) pixels — to measure how our marketing performs. These set their own cookies and may receive limited information about your visit and purchase, including a hashed (irreversible) version of your email, solely to attribute and de-duplicate conversions. You can opt out through your browser settings and the ad-preference controls of each platform.
Changes to this policy
We may update this policy as the product evolves. When we do, we'll change the “Last updated” date above and, for material changes, take reasonable steps to let you know.