Privacy Policy
Last updated: April 3, 2026
Who we are
Riffy is operated by Deep Origins, Inc. (“Riffy,” “we,” or “us”). We are the data controller for the information described in this policy. Questions or requests: privacy@getriffy.com.
What we collect
We collect the minimum we need to run the service. Specifically:
- Account data — email address, username, display name, password hash, and (if you sign in with Google, Apple, Facebook, or TikTok) a unique identifier and the public profile fields that provider returns. If you choose phone sign-in, Twilio sends you a one-time SMS code and we keep your phone number on file.
- Usage events — the clips you play, send, favorite, and search for. We use these to power trending, recommendations, your Library, and your personalized For You feed.
- Purchase records — if you subscribe to Riffy Pro, RevenueCat processes the purchase through Apple App Store or Google Play and shares the receipt + subscription status with us. We never see your card details.
- Push notification token — if you allow notifications, we store an Expo Push / Firebase Cloud Messaging token tied to your account so we can deliver clip-received and weekly recap notifications you have opted in to.
- Device + diagnostic data — app version, OS version, anonymized crash reports (via Sentry), and the standard request metadata our API logs (IP address truncated, user-agent). We do not collect precise location.
- User-created clips — if you create a clip from a song's lyrics, we store the start/end timestamps, the lyric text you selected, and audio metadata so the clip can play back. Clips you publish are visible to other users.
Our iOS Privacy Manifest declares two collected data types — User ID and Other Usage Data — both linked to your identity, both used only for Analytics + App Functionality, neither used for tracking across apps.
Why we use it
Strictly for running the product and improving it:
- Provide the core Riffy service — sign-in, clip playback, sending, search, library
- Personalize trending, recommendations, and the For You feed
- Deliver push notifications you have opted in to
- Detect abuse, fraud, and content that violates our Terms
- Measure aggregate product usage to decide what to build next
- Process subscription payments through Apple or Google
We do not sell your personal information. We do not run third-party advertising and we do not share data with advertisers or data brokers.
Third-party processors
We rely on a small set of vendors who process data on our behalf under data processing agreements:
- Amazon Web Services — hosting for audio files and database backups (US-East region)
- Railway — API hosting
- Vercel — web hosting for getriffy.com
- Mixpanel — product analytics (events: which clips played, sent, etc., tied to your User ID)
- RevenueCat — subscription receipt validation + entitlement management
- Sentry — crash + error reporting
- Twilio — SMS verification codes for phone sign-in
- Expo Push / Firebase Cloud Messaging — push notification delivery
- Anthropic and OpenAI — only if you opt in via Settings → AI Features. Used to power contextual clip suggestions and emoji interpretation. Off by default.
Retention
Account data is retained for as long as your account is active. When you delete your account (in-app: Settings → Delete Account, or email privacy@getriffy.com), personal identifiers are scrubbed within 30 days. Some derived analytics may persist in anonymized form. Sentry error logs are retained for 90 days. Backups roll off within 35 days.
Your rights
You can exercise the following rights at any time:
- Access — request a copy of the personal data we hold
- Correct — update profile fields in-app or email us
- Delete — delete your account in-app or email us
- Export — request a machine-readable export
- Opt out — turn off analytics, push notifications, or AI features in Settings
California residents (CCPA/CPRA): you have the right to know, delete, correct, and opt out of any “sale” or “sharing” of personal information. We don't sell or share for cross-context behavioral advertising, but you can still file requests at privacy@getriffy.com.
EU / UK residents (GDPR / UK GDPR): our lawful bases are contract (running the app you signed up for), legitimate interests (fraud prevention, analytics), and consent (push notifications, AI features). You can withdraw consent at any time. You may also lodge a complaint with your supervisory authority.
Children
Riffy is rated 12+ on the App Store. We do not knowingly collect personal data from children under 13 (or under 16 in jurisdictions that apply that threshold). We do not show targeted advertising to anyone, regardless of age. If you are a parent and believe your child created an account, email privacy@getriffy.com and we will delete the account promptly.
Security
We use TLS in transit, encryption at rest on our database and S3 storage, bcrypt password hashing, signed CloudFront URLs for audio (one-hour expiry), and standard IAM scoping for backend access. No system is perfectly secure — if you discover a vulnerability, please email security@getriffy.com.
International transfers
Our infrastructure is in the United States. If you use Riffy from outside the U.S., your data will be transferred to and processed there. For EU/UK users, transfers rely on Standard Contractual Clauses with our processors.
Changes to this policy
We'll update this policy from time to time. Material changes will be announced in the app or by email. The “Last updated” date at the top of this page is the source of truth. Continued use after the date constitutes acceptance.
Contact
Privacy questions, deletion requests, or anything else covered above: privacy@getriffy.com. For general support: support@getriffy.com. For copyright concerns, see our DMCA policy.