Security & data handling

A plain-English version of how Riffly handles your data and the data of the candidates you draft messages to.

Riffly is a small team building a product that touches LinkedIn profile data and recruiter outreach. We take that seriously. This page is what we'd want to see from any vendor we'd install in our own browser, written without the legalese.

The short version

Data residency: United States (us-east-1)
Profile content stored: No; used once, then dropped
Encryption at rest: AES-256 (Supabase / Stripe)
Encryption in transit: TLS 1.2+ everywhere
DPA available: Yes, email support
SOC 2: Not yet, we're early-stage

What we collect, what we don't

About you (the recruiter / founder / operator using Riffly)

  • Your email address and Google sign-in identifier (so you can log in).
  • Your subscription state and billing identifiers (managed by Stripe, we never see your card details).
  • Generation events: a per-user counter so we can enforce free-tier limits and show your dashboard stats. We log only that a generation happened, not what it said.
  • Saved job specs and saved searches you create yourself, plus pitch templates you save. You can delete any of these from the dashboard.

About candidates (the people you draft messages to)

  • Their public profile content (name, headline, About, role, recent post you paste in) is sent to our backend so the model can reference it.
  • We do not persist candidate profile snapshots; they're dropped after each generation, and there is no candidate database. The drafts you generate ARE retained against your account so you can re-read them, and because the model references the profile, a draft may quote details from it (a name, a role, a line from the About). See the privacy policy's data-retention section for the full picture.
  • Generated drafts are cached for up to 4 hours, keyed on a hash of (your user ID + the candidate profile URL + your pitch text), so that re-running the same generation against the same profile inside that window returns the cached result instead of re-billing the LLM. Because your user ID is part of the key, another user generating against the same profile never receives your cached draft. Cache entries auto-purge after 4 hours and are not used for analytics, training, or any other purpose.
  • We do not crawl LinkedIn in the background. We do not scrape connections. We never read activity feeds. The extension only sees the profile that's already on your screen.

Where the data lives

Application data (your account, subscription, saved specs/searches) is stored in Supabase, hosted on AWS in us-east-1 (Northern Virginia). Any customer, EU customers included, can request data export or deletion at any time by emailing support@rifflylabs.com.

We use Postgres Row-Level Security so each user can only read their own rows. Service-role writes (the service-role key bypasses RLS) are confined to our backend.

Sub-processors

The third parties Riffly shares data with, what they do, and where they sit:

Vendor | What it does | Region | Their certs
Supabase | Postgres database, Auth (Google OAuth), session management | US | SOC 2 Type 2, GDPR-compliant DPA
Vercel | Application hosting and serverless functions | US (global edge) | SOC 2 Type 2, ISO 27001
Stripe | Subscription billing | US | PCI DSS Level 1, SOC 1, SOC 2
Resend | Transactional email (digest, install reminders) | US | SOC 2 Type 2 (Resend) + AWS SES underneath
LLM API provider | Drafts the message text from profile inputs | US | SOC 2 Type 2, contractual no-training-on-customer-data

We don't publicly name the LLM provider; none of our direct competitors do, and the choice changes as model quality shifts. Enterprise customers under NDA can request the full provider list and ask us to route to a specific vendor if you need one.

What we don't do

  • We don't sell, rent, or share your data with third parties for advertising.
  • We don't train models on your inputs. The LLM provider's contract prohibits training on customer data.
  • We don't store candidate profile content beyond a single generation.
  • We don't access your LinkedIn account, password, or messages; we only read the page you're already viewing.
  • We don't automate sending. Manual copy-paste is the entire point.

Compliance status

Riffly is early-stage. We're transparent about where we are:

Item | Status | Notes
GDPR-aligned DPA | Available | Email support and we'll send our standard DPA, customizable for your team.
EU-U.S. Data Privacy Framework | In progress · targeted Q3 2026 | Self-certification underway at dataprivacyframework.gov. Standard Contractual Clauses cover EU→US transfers in the meantime; the SCCs are referenced in our privacy policy.
Third-party penetration test | On roadmap · targeted Q3 2026 | Independent application + infrastructure pen test. Summary report shareable on request after completion.
SOC 2 Type 1 | On roadmap · targeted Q4 2026 | Targeted once paid usage justifies the audit cost (~$25-60K).
SOC 2 Type 2 | Targeted Q3 2027 | Requires Type 1 first, plus 6+ months of audited operating window.
ISO 27001 | Not before 2027 | Less common in our segment; may pursue alongside SOC 2 Type 2.
HIPAA | Out of scope | We don't process health information; not pursuing.

Account and access

  • Sign-in is Google OAuth (no passwords on our side) or magic-link email.
  • Session tokens use Supabase JWTs with a 1-hour access lifetime and silent refresh. Sign-out revokes the refresh token; an already-issued access token, being a signed JWT, remains usable until it expires, so the window after sign-out is at most one hour.
  • Service-role keys live only on Vercel (server-side) and are rotated on suspected exposure.
  • Internal access is limited to the Riffly team (currently very small), and every backend write is logged at the database level.

Incident response

If we discover a security incident affecting your data, we'll notify affected accounts within 72 hours of confirmation, including: what happened, what data was involved, what we've done, and what (if anything) you should do.

Vulnerability disclosure & bug bounty

If you find a security issue in Riffly, we want to hear about it. Email security@rifflylabs.com (or support@rifflylabs.com) with the subject "Security disclosure" and as much detail as you can: reproduction steps, affected URL or extension version, and your suggested severity. We respond to first contact within 24 hours on weekdays.

What's in scope. The Riffly Chrome extension (chrome.google.com/webstore listing), rifflylabs.com and all subdomains, the API at rifflylabs.com/api/*, and the Supabase auth domain at auth.rifflylabs.com. Anything that affects user data confidentiality, integrity, or availability is in scope.

What's out of scope. Reports based purely on missing security headers without a demonstrated impact. Theoretical CSRF without proof. Open redirects on URLs we don't control. Issues in third-party services (the LLM provider, Stripe, Supabase, Vercel, Resend); please report those to the respective vendor first. Anything requiring physical access or social engineering of our team.

Safe harbor. If you're acting in good faith, on accounts you own (or with the explicit consent of the account holder), and you give us a reasonable window to fix before disclosing publicly, we won't pursue legal action against you. We treat reports as confidential and don't share your identity without permission.

Recognition. We don't run a paid bug bounty program yet; the company isn't large enough to justify the program-management overhead. What we do offer:

  • Public acknowledgment on this page (with your permission) for any verified, in-scope finding
  • A response within 24 hours and a triage decision within 72 hours
  • Free Pro tier for the next 12 months for any finding rated Medium or above
  • A real human writing back to you, not an auto-acknowledgment template

When we cross 1,000 paying users, we'll move to a real bounty schedule (HackerOne or similar). Until then, this responsible-disclosure framework is what's on offer. We know it's modest; thank you for your patience.

Data deletion

You can request deletion of your account and all associated data at any time by emailing support@rifflylabs.com. We'll process the deletion within 7 days and confirm by email. Backup copies in Supabase's automated backup system age out within 30 days, and we do not restore from them once a deletion has been requested.

Questions

If your procurement, legal, or InfoSec team needs anything not covered here (the sub-processor list under NDA, custom DPA terms, a security questionnaire, or evidence files for any of the controls above), email support@rifflylabs.com. We'll get back within one business day.