1. Who we are

Rivoryn Limited (trading as AICVS) is the data controller responsible for your personal data. We are incorporated in Ireland and process all data within the European Union.

• Company: Rivoryn Limited
• Address: Limerick, Ireland
• Email: privacy@aicvs.io
• Website: https://aicvs.io

2. What data we collect

Account data

• Name and email address (collected at registration)
• Password (stored as PBKDF2-SHA256 hash — never in plain text)
• Company name (optional)
• Account preferences and plan tier

Usage data

• Scan results (score, status, findings — not source code)
• Compliance bundle reports you generate
• Timestamps and event logs (login, scan, export)
• IP address (for rate limiting and security — not shared)

Payment data

Payments are processed by Stripe. We store only your Stripe customer ID — we never see or store your full card details. Stripe's Privacy Policy applies to payment processing.

What we do NOT collect

• Your source code (analysed in memory, immediately discarded)
• Health, biometric, or sensitive personal data
• Data from minors under 16

3. How we use your data

Purpose	Data used	Legal basis
Providing the AICVS service	Account data, scan results	Contract performance
Authentication and security	Email, IP, event logs	Legitimate interest
Billing and subscription management	Email, Stripe customer ID	Contract performance
Service improvement (aggregated, anonymous)	Scan statistics	Legitimate interest
Legal compliance and audit	Event logs, audit trail	Legal obligation
Customer support	Email, account data	Contract performance

4. Lawful Basis for Processing (GDPR Article 6)

We process your personal data only where a lawful basis under GDPR Article 6 applies. We rely on the following lawful bases:

• Article 6(1)(b) — Contract: Processing necessary to provide the service you signed up for
• Article 6(1)(c) — Legal obligation: Security audit logs, financial records
• Article 6(1)(f) — Legitimate interest: Fraud prevention, service security, product improvement

5. Your source code — special handling

The SHA-256 hash stored serves as proof that a specific file was scanned at a specific time, without revealing the code's content. This is a core architectural choice — not just a policy.

6. Who we share data with

Recipient	Purpose	Location	Safeguard
Supabase	Database hosting	EU (Frankfurt)	DPA in place
Stripe	Payment processing	USA (EU SCCs)	Standard Contractual Clauses
Render.com	API hosting	EU (Frankfurt)	DPA in place
Vercel	Frontend hosting	EU CDN edge	DPA in place

We do not sell, rent, or trade your personal data. We do not share data with advertisers.

7. How long we keep data

Data type	Retention period	Basis
Account data	Duration of account + 30 days after deletion	Contract
Scan results	24 months (or until you delete them)	Service provision
Compliance bundles	24 months	Service provision
Security audit logs	90 days	Security / legal
Financial records	7 years	Irish tax law
Source code files	0 days — discarded immediately	Privacy by design

8. Your GDPR rights

Under GDPR, you have the following rights. To exercise any of them, email privacy@aicvs.io. We will respond within 30 days.

• Right of access (Art. 15): Request a copy of all personal data we hold about you
• Right to rectification (Art. 16): Correct inaccurate data via Settings → Profile, or by email
• Right to erasure (Art. 17): Delete your account and all associated data via Settings → Danger Zone
• Right to portability (Art. 20): Export your scan history as JSON or CSV
• Right to restriction (Art. 18): Restrict processing while a dispute is resolved
• Right to object (Art. 21): Object to processing based on legitimate interest
• Right to lodge a complaint: With the Data Protection Commission Ireland (DPC)

9. Cookies

We use only essential, functional cookies. No advertising, tracking, or analytics cookies are used.

Cookie	Purpose	Duration
aicvs_session	Maintains your login session (JWT refresh)	30 days
aicvs_prefs	UI preferences (theme, settings)	1 year

We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts.

10. Security measures

• Passwords hashed with PBKDF2-SHA256 (260,000 iterations)
• All data in transit encrypted with TLS 1.3
• JWT tokens expire after 8 hours; refresh tokens rotate on each use
• Rate limiting on all authentication endpoints (brute-force protection)
• Row-level security in Supabase — users can only access their own organisation's data
• Immutable audit log of all data access events
• Source code files never persisted to disk or database

11. International transfers

We primarily process data within the EU. Stripe processes payment data in the USA — this transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).

12. Children's privacy

AICVS is a professional developer tool. We do not knowingly collect data from individuals under 16. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@aicvs.io.

13. Changes to this policy

We will notify registered users by email at least 14 days before any material changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.