Privacy Policy

Overview

This Privacy Policy describes the personal data Riffly Labs ("Riffly", "we", "our") collects from users of rifflylabs.com and the Riffly Chrome extension, how that data is used, the parties with whom it is shared, and the rights available to you. Region-specific provisions for users in the European Union, the United Kingdom, and California appear below and prevail over the general provisions where applicable.

Data We Collect

In the course of providing the service, Riffly collects the following categories of personal data:

  • LinkedIn profile content. When you click the Riffly icon while viewing a candidate, the visible profile fields are transmitted to our backend so the language model can draft a personalized message. Specifically: name, headline, "About" text (truncated to 1,500 characters), current role and current company, up to eight skills, up to two past roles, and up to three of the most recent posts visible on the page (each truncated to 800 characters). If you also paste a recent post into the extension yourself, that pasted text (up to 1,500 characters) is sent as the priority anchor for the draft. The extension does not access connections, messages, search results, or any LinkedIn data outside the profile in front of you.
  • Account information. Your email address, plan tier, and the billing metadata held by Stripe on our behalf.
  • Authentication state. When you sign in, Riffly's backend issues a Supabase access token (JWT) and refresh token. These are stored locally in chrome.storage.local on your device so you stay signed in across sessions. They are sent in the Authorization header of API requests to our backend; they are never transmitted to any third party. Signing out, or invoking "Delete my account", erases both tokens immediately.
  • Generated drafts. Stored against your account so you can refer back to messages you have created.
  • Usage records. A timestamped row per generation, used for quota enforcement, billing reconciliation, and engineering diagnostics.
  • Anonymous product analytics. Riffly fires fire-and-forget events to PostHog (a third-party analytics provider) when key actions occur in the extension, such as install, sign-in, draft generated, mark sent, mark replied. Pre-sign-in events are keyed against an anonymous install identifier (random UUID) generated locally; once you sign in, events are keyed against your email address so the install can be stitched to your account. Event payloads contain feature flags and counts, never the contents of drafts, profiles, or pitches.

Google User Data (Sign in with Google)

If you authenticate using your Google account, Riffly's handling of Google user data is governed by this section and by the Google API Services User Data Policy, including its Limited Use requirements.

Scopes Requested

Riffly requests three non-sensitive OAuth scopes:

  • openid: confirms the account exists.
  • email: your primary Google email address.
  • profile: your display name and avatar URL, where set.

Riffly does not request access to Gmail, Google Drive, Google Calendar, Google Contacts, YouTube, location, or any other Google API. No restricted or sensitive scopes are involved at any point.

Use

Google user data is used for three purposes:

  • to identify your Riffly account and link it to your Google email;
  • to authenticate you on subsequent visits via Google's OAuth tokens (Riffly never receives or stores your Google password); and
  • to display your name and avatar within your own dashboard, so you can confirm the correct account is active.

Riffly does not use Google user data for advertising, profiling, or for training generalized artificial intelligence or machine learning models. We do not sell or transfer Google user data to any third party for commercial purposes.

Storage

Google user data is held in our Supabase authentication database, hosted in the United States and encrypted at rest. OAuth refresh tokens are encrypted in transit and at rest. The data is not duplicated into other systems beyond what is necessary to maintain your authenticated session.

Retention

Google user data is retained for the lifetime of your Riffly account. To request deletion of your account, write to support@rifflylabs.com. The account and its associated Google data will be erased within 7 days of receipt (and in any case no later than the 30-day maximum allowed under the Google API Services User Data Policy), subject to legal retention obligations applicable to billing records. You may also revoke Riffly's access at any time from your Google Account at myaccount.google.com/permissions.

Disclosure

Google user data is shared only with Supabase, our authentication sub-processor, and solely for the purpose of hosting your session. It is not transferred to Anthropic, Stripe, Resend, or any other party. Riffly does not sell, rent, or trade Google user data.

Limited Use Compliance

Riffly's use of Google user data is limited to providing or improving user-facing features that are visible and prominent in the application's user experience: signing you in, identifying your account, and displaying your name and avatar in your dashboard. We do not transfer the data except to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets in which the recipient is bound by these same restrictions. Google user data is not used in advertising. Riffly personnel access this data only with your explicit consent for a specific issue, where strictly necessary for security investigations or to comply with a legal obligation, or in aggregated form that does not identify any individual user. This treatment is consistent with the Google API Services User Data Policy.

What We Do Not Collect

Riffly does not crawl LinkedIn or perform background traversal of your network. The extension reads a profile only at the moment you click its icon. We do not set or read third-party cookies, do not perform cross-site tracking, and do not record which LinkedIn pages you visit while not actively using Riffly. Your LinkedIn password and session cookies remain in your browser and are never transmitted to our servers.

Sub-Processors

Riffly relies on a small set of vendors to operate the service. Each is bound by a written data processing agreement that meets the standard set out in Article 28 of the GDPR.

  • Anthropic (United States): receives the candidate profile snapshot and your pitch in order to generate drafts. Privacy policy.
  • Stripe (United States): processes subscription payments and stores billing details. Privacy policy.
  • Supabase (United States): provides our database and authentication layer. Privacy policy.
  • Vercel (United States): hosts the website and API endpoints, and provides edge rate limiting. Privacy policy.
  • Resend (United States): delivers transactional email such as digests and install reminders. Privacy policy.
  • PostHog (United States): receives anonymous product-analytics events (install, sign-in, draft generated, mark sent, mark replied) keyed against an install UUID and, post-sign-in, your email. Event payloads never contain message bodies, profile snapshots, or pitches. Privacy policy.

Riffly does not engage data brokers, advertising networks, or analytics resellers. Personal data is not sold, rented, or otherwise made available for marketing or behavioral advertising.

Data Retention

Candidate profile snapshots (the data Riffly extracts from a LinkedIn / GitHub / Wellfound page when you click Generate) are not persisted; they are dropped immediately after each generation completes. There is no candidate database.

Drafts you generate are retained against your Riffly account so you can re-read them, until you delete them or your account. The 4-hour generate-cache (a hash of your user ID + profile URL + pitch text, used to short-circuit duplicate LLM calls inside the same session) auto-purges after 4 hours and is never used for analytics or training.

Authentication tokens stored in your browser's chrome.storage.local persist on your device until you sign out or uninstall the extension. They are not retained on Riffly's servers beyond the duration of an active session.

Anonymous product-analytics events sent to PostHog are retained per PostHog's standard policy (currently 7 years for product-analytics events at the time of writing); see PostHog's privacy policy for the most current retention figures. You may request deletion of all PostHog events keyed to your account by writing to support@rifflylabs.com.

Account records, billing history, and any data subject to legal retention requirements are kept for the duration of your subscription or for the period required by applicable law, whichever is longer.

Security

Communications between the extension, your browser, our backend, and our sub-processors are encrypted in transit using TLS. Stored data is encrypted at rest. Access to production systems is restricted to the personnel responsible for operating them, with access reviewed periodically.

Your Rights

Subject to applicable law, you may at any time:

  • request access to the personal data we hold about you;
  • correct inaccurate or incomplete information;
  • request deletion of your account and the personal data associated with it;
  • restrict or object to specific processing activities;
  • obtain a copy of your data in a structured, commonly used, machine-readable format; and
  • withdraw any consent on which our processing relies.

To exercise any of these rights, write to support@rifflylabs.com. Riffly will respond within 30 days of receipt.

For Users in the European Union, the United Kingdom, and the EEA (GDPR)

Data Controller. Riffly Labs is the data controller for personal data processed through rifflylabs.com and the Riffly Chrome extension. Contact: support@rifflylabs.com.

Legal Bases (Article 6 GDPR). Riffly relies on the following bases for processing personal data:

  • Performance of a contract, for providing the service to which you have subscribed, including drafting, account administration, and billing.
  • Legitimate interests, in operating, securing, and improving Riffly. This basis covers rate limiting, abuse prevention, and debugging. You may object to processing on this basis at any time.
  • Compliance with legal obligations, including tax, accounting, and lawful disclosure requirements.

International Transfers. Our infrastructure vendors are located in the United States. Personal data transferred to the United States is protected by the EU-U.S. Data Privacy Framework where the recipient is certified, and otherwise by the Standard Contractual Clauses adopted by the European Commission, together with such additional safeguards as may be appropriate following the Schrems II analysis.

Right to Lodge a Complaint. If you believe Riffly has processed your personal data unlawfully, you may lodge a complaint with the supervisory authority of your habitual residence. EU and EEA residents can find their authority through the European Data Protection Board. UK residents may contact the Information Commissioner's Office.

Automated Decision-Making. Riffly uses a large language model to draft outreach text on your behalf. This constitutes automated content generation; it is not automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22 of the GDPR. The user reviews each draft and determines whether to send it.

If You Use Riffly to Process Candidate Data (Article 14 GDPR)

If you use Riffly in the course of recruitment, you or your employer act as the data controller in respect of the candidates' personal data, and Riffly acts as your processor. Under Article 14 of the GDPR, the controller is responsible for informing the data subject about the processing within a reasonable period. That notification obligation rests with you. Where your jurisdiction or your employer requires explicit notice, a single line in your outreach is generally sufficient, for example: "This message was drafted using Riffly, which processed your publicly available LinkedIn profile. Reply STOP to be excluded from any further outreach." A standard Data Processing Agreement covering Riffly's role as processor is available on request at support@rifflylabs.com.

For California Residents (CCPA / CPRA)

California residents may request access to the personal information we hold, request its correction or deletion, opt out of any sale or sharing of personal information, and exercise these rights without retaliation. Riffly does not sell or share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act. Verifiable consumer requests should be directed to support@rifflylabs.com and will receive a response within the timelines required by law.

Children

The Riffly service is not directed to anyone under the age of 16, and we do not knowingly collect personal information from children. If you become aware that a child has provided personal data to Riffly, please contact us so we can delete it.

Changes to This Policy

Riffly will update this policy from time to time. Where the changes are material, account holders will be notified by email and the "Effective" date above will be revised. We encourage you to review this page periodically.

Contact

Questions about this policy or about our data practices may be directed to support@rifflylabs.com.