RVVRRVVR

Privacy Policy

Effective: May 11, 2026 · Last Updated: May 11, 2026

RVVR AI (“RVVR,” “we,” “us,” or “our”) is a Colorado-based subsidiary of CM Ventures Inc. This Privacy Policy describes how we collect, use, share, and safeguard information when you visit our website, request access to RVVR Command Center, or use our services (collectively, the “Services”).

This policy is written to address modern data-handling expectations (including the GDPR, the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and other comparable U.S. state privacy laws) and to explicitly describe how AI/ML systems interact with customer data. For deployments in regulated environments (HIPAA, FedRAMP-aligned, CJIS, etc.) additional contractual terms apply — ask your account contact for the relevant addendum.

1. Information We Collect

We collect three categories of information:

  • Information you provide directly. Name, work email, company, phone number, role, and any message body you submit through our contact, demo-request, or access-request forms. For paid customers this also includes billing contacts and payment method metadata held by our payment processor (we do not store full card numbers).
  • Account & service-usage data. When you use Command Center we collect authentication credentials, organization and team membership, configuration of agents/cohorts/connections, telemetry (model invocations, costs, error rates), audit-log events, and outcomes produced by the agents you run. Connected third-party data (e.g., Gmail messages, S3 objects) is processed only on your instruction and scoped to the credentials you provide.
  • Technical & device data. IP address, browser type, device identifiers, referring URL, pages viewed, timestamps, approximate location derived from IP, and similar log data, collected by us and our analytics providers.

2. How We Use Information

  • To provide, secure, operate, monitor, and improve the Services.
  • To authenticate users, enforce access controls, detect abuse, and investigate security incidents.
  • To respond to inquiries, support requests, and contractual obligations.
  • To send service announcements, security notices, and (with your consent or where permitted by law) marketing communications. You may opt out of marketing at any time via the unsubscribe link in each email or by contacting us.
  • To comply with applicable laws and respond to lawful requests.
  • To create aggregated, de-identified analytics that cannot reasonably be re-associated with you.

3. AI / Model Training

We do not use customer data, prompts, or agent outputs to train foundation models or any general-purpose model that benefits other customers. Customer data is used only to deliver the Services to the originating customer. Inference is performed by the model providers you configure (e.g., OpenAI, Anthropic, Azure OpenAI); the data-handling terms of those providers apply to data you route to them. For providers we offer by default we contractually require zero-retention or short-retention inference and pass those terms through to you. For models you bring (BYO API key) you are responsible for the provider’s terms.

4. How We Share Information

We do not sell personal information and do not share it for cross-context behavioral advertising. We share information only in the following circumstances:

  • Sub-processors. Vetted service providers acting on our behalf under written contracts that limit use to providing the Services to us. Current categories include cloud hosting (Microsoft Azure, including Azure Government for regulated deployments), email delivery, error monitoring, analytics, and payment processing. An up-to-date sub-processor list is available on request and through our Data Processing Addendum (DPA).
  • Within your organization. Members of your team / tenant can see content and audit events you create within their permitted scope, per the role and permission controls you configure.
  • Compliance & safety. When required by law, valid legal process, or to protect the rights, property, or safety of RVVR, our customers, or others.
  • Business transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections.

5. Data Processing Addendum (DPA)

If you are a controller of personal data subject to the GDPR, UK GDPR, or comparable laws, our DPA governs our processing on your behalf and incorporates the EU Standard Contractual Clauses (and the UK IDTA addendum where applicable) for international transfers. Email privacy@rvvr.ai to execute a DPA.

6. International Data Transfers

RVVR is operated from the United States. If you access the Services from outside the U.S., your information will be transferred to, processed in, and stored in the U.S. Where applicable law requires a transfer mechanism (e.g., for EEA, UK, or Swiss personal data) we rely on the EU Standard Contractual Clauses and equivalent instruments, supplemented by encryption in transit and at rest and contractual limits on sub-processor access. Regulated-government workloads can be scoped to Azure Government U.S. regions on request.

7. Security

We use industry-standard administrative, technical, and physical safeguards: TLS in transit, encryption at rest, least-privilege access, audit logging, MFA on administrative access, scoped API keys (reveal-once, SHA-256 stored), HMAC-signed outbound webhooks, and per-cohort isolation of secrets and configuration. No system is perfectly secure; we cannot guarantee absolute security, but we work to maintain a security posture appropriate to the sensitivity of the data we hold.

8. Data Retention

We retain personal information only as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Operational retention defaults today:

  • Account profile & billing records — for the life of the account plus a reasonable tail for tax / legal purposes after account closure.
  • Audit log — routine events ~365 days; sensitive events ~7 years.
  • Outcomes / agent run history — per the retention controls you configure on your account; the default is the active plan’s retention window.
  • Server & security logs — up to 90 days, longer where required for incident investigation.

Aggregated or de-identified data may be retained indefinitely.

9. Cookies and Similar Technologies

We use strictly-necessary cookies for authentication (the auth-session-token andauth-refresh-token httpOnly cookies) and for the security posture of the application. We also use a small number of first-party analytics cookies to understand site usage. You can decline non-essential cookies in your browser settings; declining strictly-necessary cookies will break authenticated areas of the Services.

10. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate personal information.
  • Delete personal information, subject to lawful retention exceptions.
  • Port your personal information in a portable format.
  • Restrict or object to certain processing.
  • Opt out of “sale” or “sharing” for targeted advertising (we do not engage in either).
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your supervisory authority.

Submit a request via privacy@rvvr.ai or through our contact form. We will verify your identity before acting on a request and will respond within the time limits required by applicable law.

11. Third-Party Links

Our Services may link to third-party websites or services we do not control. Their privacy practices are their own; review their policies before sharing personal information.

12. Children’s Privacy

The Services are not directed to children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be announced through the Services or by email. The “Last Updated” date at the top reflects the most recent revision. Continued use of the Services after a change means you accept the updated policy.

14. Contact

Questions, requests, or complaints: privacy@rvvr.ai.
RVVR AI · CM Ventures Inc.
Colorado, USA