Privacy Policy

Account Information:

• Name, email address, and password when you create an account
• Company name, workspace name, and business description
• Profile information including display name, avatar, and signature
• Billing information including payment card details (processed by Stripe)
• Team member information when you invite colleagues

Service Configuration:

• Business policies, support workflows, and brand tone preferences
• Knowledge base content including URLs, documents, and text you upload
• Macros, canned responses, and handbook entries you create
• Integration credentials for third-party services (Stripe, Shopify, HubSpot, etc.)
• Custom domain configurations for your help center
• SLA policies and escalation rules

Communications:

• Messages you send to our support team
• Feedback, surveys, and feature requests
• Demo requests and sales inquiries

Usage Data:

• Features accessed, actions taken, and time spent in the application
• Search queries within the knowledge base and help center
• Natural language commands executed and their outcomes
• AI agent interactions and tool usage patterns
• Report views and dashboard interactions

Technical Data:

• IP address, browser type and version, operating system
• Device identifiers and characteristics
• Referring URLs and exit pages
• Date, time, and duration of visits
• Error logs and performance data

When End Users interact with our Customers' support systems powered by Riah AI, we process:

• Conversation content including messages, questions, and responses
• Email addresses and names provided by End Users
• Metadata such as conversation timestamps, channels, and device information
• Customer satisfaction ratings and feedback
• Any custom metadata fields configured by the Customer

Note: The collection and processing of End User data is governed by our Customers' own privacy policies. Customers are responsible for providing appropriate notice and obtaining necessary consents from their End Users.

• Providing, operating, and maintaining the Riah AI platform
• Processing and responding to support requests
• Enabling AI-powered features including intent detection, response generation, and conversation summaries
• Generating vector embeddings of your knowledge base content for semantic search
• Executing automated workflows and routing rules
• Processing payments and managing subscriptions
• Sending transactional emails (account verification, password resets, billing notifications)

• Analyzing usage patterns to improve features and user experience
• Developing new features and capabilities
• Training and improving our AI models (see Section 4 for details)
• Debugging, testing, and fixing issues
• Conducting research and analytics

• Sending product updates, feature announcements, and newsletters (with opt-out)
• Providing customer support and responding to inquiries
• Sending onboarding and educational content
• Notifying you of changes to our terms or policies

• Complying with legal obligations and responding to lawful requests
• Enforcing our Terms of Service and protecting our rights
• Detecting, preventing, and addressing fraud, abuse, or security issues
• Protecting the safety of our users, employees, and the public

• Natural Language Setup: Our AI agents interpret your business description to automatically generate workflows, intents, and macros
• Conversation AI: AI-powered chatbots that detect intent, retrieve relevant knowledge, and generate contextual responses
• Inbox Assistance: AI-generated conversation summaries, suggested replies, and automatic categorization
• Command Interpretation: Natural language commands to modify workflows and system configuration
• Knowledge Processing: Automatic extraction, chunking, and embedding of your documentation

We use OpenAI's API services to power our AI features:

• GPT-4 / GPT-4o: For natural language understanding, response generation, and conversation analysis
• Ada (text-embedding-ada-002): For generating vector embeddings of your knowledge base content

Data sent to OpenAI: When AI features are used, relevant conversation context and knowledge base content may be sent to OpenAI for processing. OpenAI processes this data according to their API data usage policies, which state that API data is not used to train their models.

Our Commitment: We do not use Customer-specific data or End User conversations to train AI models that would be used for other customers. Your data remains isolated and is only used to provide services to you.

We may use aggregated, anonymized, and de-identified data to improve our general AI capabilities and service quality. This data cannot be traced back to any individual Customer or End User.

Our AI systems make automated decisions including:

• Routing conversations to appropriate queues or agents
• Escalating tickets based on detected urgency or complexity
• Triggering workflow actions based on detected intents
• Generating suggested responses for agent review

These automated decisions are designed to assist, not replace, human judgment. Customers maintain full control over their workflow configurations and can disable or modify automated behaviors.

We engage trusted third-party companies to perform services on our behalf:

• Cloud Infrastructure: Vercel (hosting), Supabase (database)
• AI Processing: OpenAI (language models and embeddings)
• Payment Processing: Stripe (billing and subscriptions)
• Email Services: Resend (transactional and marketing emails)
• Analytics: Google Analytics, Microsoft Clarity (usage analytics)

These providers are bound by contractual obligations to protect your data.

When you connect third-party integrations (Stripe, Shopify, HubSpot, etc.), data may be shared with those services according to your configuration. You control what integrations are enabled and what data flows through them.

We may disclose information if required by law or if we believe disclosure is necessary to:

• Comply with applicable laws, regulations, or legal process
• Respond to lawful requests from public authorities
• Protect our rights, privacy, safety, or property
• Enforce our Terms of Service

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

We may share information with third parties when you explicitly authorize us to do so.

We process Customer Data only according to Customer's documented instructions as configured in the Service, and as necessary to provide the Service.

We use sub-processors as listed in Section 5.1. We maintain an up-to-date list and will notify Customers of any new sub-processors with an opportunity to object.

We implement appropriate technical and organizational measures as described in Section 7.

We will assist Customers in responding to requests from End Users exercising their data protection rights, to the extent legally permitted and technically feasible.

Upon termination or expiration of the Service, we will delete or return all Customer Data within 30 days, except as required by law or as necessary for legitimate business purposes (such as resolving disputes).

Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with data protection obligations.

• Encryption in Transit: All data transmitted to and from our services is encrypted using TLS 1.3
• Encryption at Rest: Database encryption using AES-256
• Access Controls: Role-based access controls and principle of least privilege
• Authentication: Secure authentication via Supabase Auth with support for SSO (Scale plan)
• Secret Management: Integration credentials and API keys are encrypted and stored separately
• Network Security: Firewalls, DDoS protection, and network isolation

• Employee background checks and confidentiality agreements
• Security awareness training for all team members
• Incident response procedures and breach notification protocols
• Regular security assessments and code reviews

• SOC 2 Type II certification (in progress)
• GDPR compliant data processing
• Regular penetration testing and vulnerability assessments

In the event of a data breach affecting your information, we will notify you and relevant authorities in accordance with applicable laws, typically within 72 hours of becoming aware of the breach.

We retain your account information for as long as your account is active. After account deletion, we retain certain information for up to 30 days for operational purposes, and longer where required by law or legitimate business interests (such as tax records retained for 7 years).

• Default Retention: 90 days for conversation history and message content
• Configurable: Customers on Growth and Scale plans can configure custom retention periods
• Metadata: Aggregated analytics and metadata may be retained longer

Knowledge base content and embeddings are retained while your account is active and deleted within 30 days of account termination or content removal.

• Application Logs: 90 days
• Security Logs: 1 year
• Aggregated Analytics: Indefinitely (anonymized)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request limitation of processing
• Portability: Receive your data in a structured, machine-readable format
• Object: Object to processing based on legitimate interests or for direct marketing
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge Complaint: File a complaint with your local data protection authority

California residents have the right to:

• Know: What personal information we collect and how it's used
• Delete: Request deletion of your personal information
• Opt-Out: We do not sell personal information, but you may opt out of targeted advertising
• Non-Discrimination: We will not discriminate against you for exercising your rights

Through your account settings, you can:

• Update your profile and contact information
• Manage email preferences and opt out of marketing communications
• Configure data retention settings (on applicable plans)
• Export your data
• Delete your account

To exercise your rights, please contact us at hello@riahai.com. We will respond to verified requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

• Essential Cookies: Required for the Service to function (authentication, security, preferences). Cannot be disabled.
• Analytics Cookies: Help us understand how users interact with our Service (Google Analytics, Microsoft Clarity). Can be disabled.
• Functional Cookies: Remember your preferences and settings.

• Google Analytics: Usage analytics and conversion tracking
• Microsoft Clarity: Session recordings and heatmaps (excludes sensitive data entry)

You can manage cookies through your browser settings. Note that disabling cookies may affect the functionality of our Service.