Privacy Policy
How Rivolq collects, uses, discloses, and safeguards personal information across the platform, websites, applications, and APIs.
Last updated: May 16, 2026
Introduction
Rivolq LLC ("Rivolq," "we," "our," or "us") operates the Rivolq facility asset management and risk intelligence platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you use the Service, our websites, our mobile and desktop applications, and any related APIs.
This Policy is written to satisfy disclosure obligations under, among other laws, the EU and UK General Data Protection Regulations (GDPR / UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other US state privacy statutes that apply to us, and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
For most personal data processed through the Service, our customer (the organization that subscribes to Rivolq) is the data controller (or, under CCPA, the business), and Rivolq is the processor (or service provider). For our own websites, marketing, and account administration, Rivolq is the controller. Section 14 explains how to exercise rights against the right party.
Who This Policy Applies To
This Policy applies to:
- Customer administrators, technicians, engineers, and other authorized users of the Service;
- Maintenance requesters (tenants, occupants, and building users who submit requests through a customer's request portal);
- Vendors and contractors whose contact details are entered into a customer's workspace;
- Visitors to rivolq.com and related marketing properties; and
- People who contact us for sales or support.
Information We Collect
3.1 Account and Identity Data
Name, business email, password (stored only as a bcrypt hash — we never store plain-text passwords), organization name, role and permissions, language, timezone, currency, date format, theme preference, notification preferences, and session timeout preference.
3.2 Authentication and Security Data
Failed login attempts, account lockout state, last login IP and timestamp, password reset and email verification codes, TOTP (authenticator app) secrets, WebAuthn / passkey public keys and metadata, session device name, operating system, browser user-agent, IP-derived country, and (for organizations configured for SSO) the SAML attributes or OAuth identifiers returned by your identity provider.
3.3 Facility, Asset, and Operations Data
Facility names, addresses, geographic coordinates (latitude/longitude), zones, floors, locations, assets (equipment type, install date, replacement cost, manufacturer, model, serial number, condition), work orders, preventive maintenance schedules, inspections, meter readings, downtime events, attachments and floor plans, and the relationships between any of the above. This information is owned by the customer; Rivolq processes it only to provide and improve the Service.
3.4 Vendor and Contact Data
Contact information for third-party vendors, contractors, and facility managers that a customer enters into the workspace (typically name, email, phone, and company). Customers are responsible for the lawful basis to share this information with us.
3.5 Maintenance Request Data
When tenants or occupants submit requests through a customer's public request portal, we collect the request details together with whatever contact information the requester provides — typically name, email (optional), and phone (optional). Submissions are scoped to the customer's organization and are not visible to other customers.
3.6 File Uploads and Photos
Photos taken or uploaded through the web or mobile app (for example, photos of an asset attached to a work order), PDF floor plans, digital twin 3D models, signed completion records, and other documents you choose to attach. Files inherit the access scope of the record they are attached to. Where the mobile app captures a photo, geolocation EXIF metadata may be present in the image if your device records it; we do not separately extract or process it.
3.7 Device, Session, and Usage Data
IP address, user-agent, device identifiers (for the Rivolq mobile app, an Expo install ID and an Expo push notification token), pages and features used, request timestamps, and similar telemetry. We derive an approximate country from IP for fraud-prevention and audit purposes using a locally hosted MaxMind GeoLite2 database.
3.8 Audit and Activity Logs
We record user identifier, action, affected resource type and ID, IP address, user-agent, and timestamp for authentication events and changes made through the Service. These logs are used for security, compliance, and customer-facing audit-trail features.
3.9 AI Interaction Data
When you use Facility Intelligence and other AI-assisted features, we send the prompt — which may include the facility, asset, and work-order data that you choose to reference, together with your free-text question — to our AI sub-processor (Anthropic) for processing. We log the user ID, organization, model used, endpoint, prompt and completion token counts, latency, and cost. Section 5 describes this in more detail.
3.10 Billing Data
Plan tier, plan status, trial end date, organization billing email, and usage counters (number of facilities, assets, users, AI tokens consumed). If Rivolq later offers self-serve payment through a payments sub-processor, cardholder data will be collected and stored by that sub-processor — Rivolq would receive only a customer identifier, last four digits, brand, and subscription status. Rivolq does not store full card numbers, CVCs, or bank account numbers.
3.11 Marketing and Support Data
If you contact us, submit a form, or join a mailing list, we collect the information you provide (name, email, company, message body) and any unsubscribe preferences. Support cases — including any attachments — are stored in the Service and retained per Section 9.
3.12 Information We Do Not Intentionally Collect
We do not seek and ask customers not to upload special-category data under GDPR Article 9 (such as health, biometric, racial, religious, or trade-union data), government identifiers, full payment card numbers, or children's data. If you become aware that such data has been uploaded, please contact privacy@rivolq.com.
How We Use Information and Lawful Bases
We use personal information for the purposes set out below. Under GDPR/UK GDPR, the lawful basis is shown in brackets.
- Provide, authenticate, and operate the Service [contract; Art. 6(1)(b)]
- Compute risk assessments, failure probabilities, and financial exposure estimates using deterministic statistical models [contract]
- Generate work orders, schedules, reports, and the Decision Ledger audit trail [contract]
- Send transactional emails (password reset, verification, work order assignment, status changes, support, billing) [contract]
- Monitor security, prevent abuse, investigate incidents, and maintain audit logs [legal obligation; legitimate interests — securing our service]
- Honor data-subject and privacy-rights requests [legal obligation]
- Bill customers and manage subscriptions [contract]
- Improve the Service — bug fixing, performance, and reliability work using telemetry and aggregated metrics [legitimate interests — operating and improving a B2B service]
- Send service announcements and, where you have opted in, marketing communications [legitimate interests / consent where required]
- Comply with legal obligations and respond to lawful requests [legal obligation]
We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not use customer facility, asset, work-order, or AI-prompt data to train generalized AI models, and we do not authorize our sub-processors to do so on data they receive from us.
AI and Automated Processing
Rivolq's risk intelligence engine uses deterministic algorithms (Weibull survival analysis, Monte Carlo simulation, consequence modeling). No large language model participates in any risk calculation.
The Facility Intelligence assistant and other AI-assisted features send prompts to Anthropic's Claude API. Prompts may include facility and asset summaries that you choose to reference, your free-text question, and context about your role and organization. We use Anthropic under their commercial API terms, which do not permit Anthropic to train their generally available models on data submitted to the API. Where an organization configures its own Anthropic, OpenAI, or Azure OpenAI key under our "bring-your-own-key" option, that key is encrypted at rest and used only to call that provider for the requesting organization.
Risk assessments and AI-generated recommendations are decision support, not professional engineering advice or legally binding determinations, and they are not used to make automated decisions that produce legal effects on natural persons within the meaning of GDPR Article 22.
International Data Transfers
Rivolq is established in the United States and currently hosts production data with US-based infrastructure providers. If you access the Service from outside the United States, personal information will be transferred to and processed in the United States.
Where we transfer personal data of individuals located in the European Economic Area, the United Kingdom, or Switzerland to the United States or another country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914), the UK International Data Transfer Addendum, and, for Switzerland, the Swiss Federal Data Protection and Information Commissioner addendum, as applicable. These are incorporated by reference into our Data Processing Agreement.
Security
We maintain administrative, technical, and organizational security measures designed to protect personal information, including:
- TLS 1.2 or higher in transit and encryption at rest as provided by our underlying infrastructure (PostgreSQL on Heroku, object storage on Supabase);
- Passwords hashed with bcrypt; sensitive secrets (AI provider keys, MFA seeds where stored) encrypted at the application layer;
- Multi-factor authentication available to all users (TOTP and WebAuthn / passkeys); SSO via Google, Microsoft Entra ID, and SAML for enterprise customers;
- Session-based authentication with HttpOnly, Secure, SameSite cookies on the web and short-lived bearer tokens with refresh tokens on mobile;
- Role-based access control and multi-tenant isolation enforced at both the application layer and PostgreSQL row-level security;
- Rate limiting on authentication endpoints and CAPTCHA (Cloudflare Turnstile) on sensitive flows;
- CSRF protection, clickjacking protection, and other security-relevant HTTP response headers;
- Centralized audit logging of authentication and administrative events with tamper-resistant rotation;
- Error and performance monitoring through Sentry;
- An ongoing SOC 2 readiness program (we are not currently SOC 2 certified — see the Trust Center for the current status of our compliance roadmap).
No method of transmission or storage is perfectly secure. We promptly investigate and respond to suspected incidents and notify affected customers without undue delay and no later than 72 hours after confirming a personal-data breach, as set out in our DPA.
Data Retention
We retain personal information for as long as needed to provide the Service and for the periods set out below, unless a longer or shorter period is required by law or by written agreement with a customer. Customers may configure retention policies for their workspace within these defaults.
| Data | Default retention |
|---|---|
| Account and workspace data | For the life of the subscription |
| Activity logs (user actions) | 365 days, then deleted |
| Security and authentication audit logs | Up to 7 years for security and compliance |
| In-app notifications | 180 days |
| Recycle-bin items (soft-deleted records) | 30 days, then purged |
| Resolved support cases | 730 days (2 years) |
| Inactive user sessions | 30 days |
| AI request logs (token counts, latency) | 365 days |
| Email delivery metadata | 90 days |
| Backups | Per host provider rotation, typically up to 30 days |
On termination, customers may export their data for 30 days. After that period, customer content is deleted within an additional 30 days, except where retention is required by law or where audit logs are retained for up to 12 months for security purposes. See Section 10 of the DPA for full deletion mechanics.
Your Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal information, to withdraw consent, and to lodge a complaint with a supervisory authority. You also have the right not to be discriminated against for exercising these rights.
10.1 If your data is in a customer's workspace
That customer is the controller. Please direct your request to that customer first. Rivolq, acting as processor, will assist the customer in responding within the timelines required by law.
10.2 If Rivolq is the controller (websites, marketing, account administration)
Contact privacy@rivolq.com. We will verify your identity in a reasonable, proportionate manner before acting on your request and will respond within the timelines required by applicable law (typically 30 days under GDPR / UK GDPR; 45 days under CCPA, extendable once).
10.3 California (CCPA/CPRA)
California residents have the right to know, delete, correct, limit use of sensitive personal information, and opt out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising. Categories of personal information we collect and the purposes for collection are described in Sections 3 and 4. We retain personal information for the periods described in Section 9. You may also designate an authorized agent in writing to make a request on your behalf.
10.4 Europe and the UK (GDPR / UK GDPR)
In addition to the rights above, EEA, UK, and Swiss residents may lodge a complaint with their national supervisory authority. We are not currently required to designate a representative under Article 27; if that changes, we will update this Policy.
10.5 Canada (PIPEDA)
Canadian residents may request access to and correction of their personal information. Complaints regarding our handling of personal information may be directed to the Office of the Privacy Commissioner of Canada.
Children's Privacy
The Service is intended for use in the course of business by individuals who are at least 18 years old. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact privacy@rivolq.com and we will delete it. The Service is not designed for use in K-12 educational contexts and we have not implemented FERPA / COPPA controls; customers should not configure the Service to collect data from students.
Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced through the Service or by email at least 30 days before they take effect. The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance.
Contact and Complaints
For privacy questions, to exercise a right, or to request our list of sub-processors, contact:
Rivolq LLC
Attn: Privacy
Monroe, Louisiana
Email: privacy@rivolq.com
Security disclosures: security@rivolq.com
If you are unable to resolve a concern directly with us, you may lodge a complaint with your data protection supervisory authority (in the EEA, UK, or Switzerland) or, in the United States, with your state attorney general.
© 2026 Rivolq LLC. All rights reserved.