Privacy Policy

Last updated: 2026-04-18 Effective: 2026-04-18

⚠ Draft for legal review. This policy was drafted by the Riffroutr team with AI assistance and is grounded in the application's actual data flows. It has not been reviewed by qualified legal counsel. Do not publish publicly or submit to app stores without a lawyer's review in your operating jurisdiction.

1. Who we are

This Privacy Policy explains how [LEGAL ENTITY NAME] ("Riffroutr", "we", "us", "our") collects, uses, and shares information when you use the Riffroutr mobile application and related services (the "Service"). We are the controller of the personal data processed under this policy.

Contact: privacy@riffroutr.com Business address: [STREET ADDRESS, CITY, POSTAL CODE, COUNTRY]

2. Scope

This policy applies to:

The Riffroutr mobile app on iOS and Android.
The Riffroutr backend services reachable at api.riffroutr.com.
Any related web pages at riffroutr.com.

It does not cover third-party services you may reach through links or integrations; each such service has its own privacy policy.

3. Information we collect

3.1 Information you give us

Category	Examples	Purpose
Account credentials	Email address, password (stored only as a bcrypt hash with 12 rounds)	Authenticate you to your account
Profile	Display name, avatar image, instruments, skill level, genres, city, years playing, social links (Instagram/YouTube/SoundCloud/Spotify/TikTok/website), availability days/times, what you're looking for (band/solo gigs/session work/jam partners/teaching), whether you have transport or a rehearsal space	Populate your public profile and power musician discovery
Visibility preference	Whether your profile is searchable by other users	Controls inclusion in discovery results
Content you create	Bands you create or join, gigs, practices, event responses, ledger entries (shared band expenses and splits), subscription records	Core app functionality

3.2 Information we collect automatically

Category	Examples	Purpose
Authentication tokens	JWT access token (15-minute expiry), refresh token (7-day expiry) — stored in secure device storage (`expo-secure-store`) on your device	Keep you signed in
Usage data	IP address (processed at edge only for rate-limiting; not stored), request timestamps, API endpoints hit	Protect the Service from abuse
Error diagnostics	Stack traces and environment information from crashes or server errors, sampled at 20% in production	Identify and fix bugs. Sent to Sentry (see §5)

3.3 Information we do not collect

We do not collect:

Phone numbers
Precise geolocation (GPS)
Contacts or address book
Camera roll or photos beyond an avatar you upload
Behavioral analytics (we do not run Amplitude, Segment, Firebase Analytics, Mixpanel, PostHog, or similar)
Device advertising identifiers
Any information about people who are not Riffroutr users

4. How we use information

Provide the Service — authenticate you, show your profile to bandmates or (if you opt in via the searchable flag) to other musicians, aggregate your calendar events, manage shared band finances.
Maintain and improve the Service — diagnose errors, monitor uptime, prevent abuse.
Process subscriptions — confirm your entitlement to Supporter or Band tier features by receiving webhook events from RevenueCat.
Communicate with you — send transactional in-app notifications (e.g., a new gig was proposed, a ledger split was assigned). We do not send marketing emails.

We share the minimum data needed with the following sub-processors, all of whom are bound by their own privacy policies and data-processing terms:

Sub-processor	What they receive	Why	Their policy
Railway (infrastructure, US)	All application data stored in our managed Postgres database	Hosts our backend servers and database	https://railway.com/legal/privacy
RevenueCat (subscriptions, US)	Your app-user ID and purchase events (initial purchase, renewal, cancellation, expiration)	Validates your subscription entitlement	https://www.revenuecat.com/privacy
Cloudinary (avatar hosting, US/EU)	Avatar image files you upload (via unsigned upload preset `riffroutr_avatars`)	Stores and resizes profile photos	https://cloudinary.com/privacy
Sentry (error reporting, EU — Frankfurt region)	Error stack traces, environment metadata, sampled request context (we do not deliberately send request bodies or personal data in error reports; accidental inclusion may occur)	Helps us find and fix bugs	https://sentry.io/privacy/
Apple App Store / Google Play (app distribution)	Identifiers they assign during app installation and in-app purchases	Delivers the app and processes purchases	Apple privacy · Google privacy

We do not sell personal data. We do not share personal data with advertisers.

We may disclose information if compelled by law, legal process, or to protect the rights, property, or safety of Riffroutr, our users, or the public.

6. International transfers

Our primary backend infrastructure (Railway) is hosted in the United States. If you are in the European Economic Area, the United Kingdom, or Switzerland, your data will be transferred to and processed in the United States. Where applicable, such transfers rely on Standard Contractual Clauses approved by the European Commission or the sub-processor's Data Privacy Framework certification.

Where GDPR applies, we rely on the following legal bases:

Processing purpose	Legal basis
Creating and maintaining your account; delivering the Service	Performance of a contract (Art. 6(1)(b))
Processing subscription payments and validating entitlement	Performance of a contract (Art. 6(1)(b))
Rate limiting, security, and fraud prevention	Legitimate interests (Art. 6(1)(f)) — protecting the Service
Error reporting via Sentry	Legitimate interests (Art. 6(1)(f)) — maintaining the Service
Any future marketing communications	Consent (Art. 6(1)(a))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))

8. Data retention

Account data is retained while your account exists.
Ledger entries may be retained after your account deletion in a form that no longer identifies you (your userId reference removed), because they may be part of another user's or band's financial records.
Authentication tokens expire automatically (15 minutes for access, 7 days for refresh).
Error reports are retained per Sentry's default retention (90 days) and are then deleted.

9. Your rights

Depending on where you live, you may have some or all of the following rights:

Access — ask for a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data. You can also edit most profile fields yourself in the app.
Erasure — ask us to delete your account and associated personal data.
Portability — ask us to provide your data in a machine-readable format.
Restriction / Objection — ask us to pause or restrict certain processing.
Withdrawal of consent — where processing relies on consent, you may withdraw it.
Complaint — lodge a complaint with your local data protection authority. In the EU, a list is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

To exercise any of these rights, email privacy@riffroutr.com. We will respond within 30 days. We may ask you to verify your identity before acting on a request. We do not charge a fee for standard requests.

Note on scope: In-app self-service deletion and one-click data export are on our development roadmap but are not yet in the app. Until they are available, we process these requests manually via email, typically within 7 business days.

10. Security

We protect your data with:

TLS encryption in transit (Let's Encrypt certificates at the Railway edge).
Password hashing with bcrypt (cost factor 12).
Rate limiting — 10 requests per minute on authentication endpoints, 100 per minute on the rest of the API, per IP.
Helmet security headers on all backend responses.
Short-lived access tokens (15 minutes) with rotating refresh tokens.
Least-privilege access to the production database.

No system is perfectly secure. If you suspect your account has been compromised, email security@riffroutr.com immediately and change your password.

11. Children

Riffroutr is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you learn that a child under 16 has created an account, please contact us at privacy@riffroutr.com and we will delete the account and associated data.

Implementation note: Age-of-consent enforcement is on our roadmap. Today the sign-up form does not ask for date of birth; compliance is based on the Terms of Service prohibiting use by anyone under 16.

12. Cookies and similar technologies

The Riffroutr mobile app does not use web cookies. On device, the app uses expo-secure-store (backed by the iOS Keychain or Android Keystore) to hold your authentication tokens. Our marketing and legal pages at riffroutr.com may use minimal first-party cookies for basic functionality; no tracking cookies are used.

13. Changes to this policy

We may update this policy from time to time. Material changes will be announced in-app and by a notice at the top of this page. The "Last updated" date reflects the most recent version. Your continued use of the Service after an update constitutes acceptance.

14. Contact

General privacy questions: privacy@riffroutr.com
Security vulnerabilities: security@riffroutr.com
Postal: [STREET ADDRESS, CITY, POSTAL CODE, COUNTRY]

If you are in the European Economic Area, the United Kingdom, or Switzerland and believe our processing violates applicable law, you may lodge a complaint with your local supervisory authority.