Privacy Policy

We collect the following categories of personal data:

• Account information: Email address, first name, last name, display name, bio, country, and avatar.
• Channel data: Channel names, platform type, channel URLs, subscriber counts, niche categories, and verification proof.
• Click and attribution data: IP addresses, device fingerprints, user agents, referrer URLs, geolocation (country and city), and timestamps for each click event.
• Financial data: Earnings amounts, wallet balances, transaction history, payout method details (bank transfer, PayPal, or Wise), and Stripe Connect account information.
• Campaign data: Campaign applications, referral link activity, conversion data, and performance metrics.
• Trust and compliance data: Trust scores, click quality metrics, compliance ratings, and fraud detection flags.

We process your personal data for the following purposes:

• Click attribution: To accurately track clicks and conversions, ensuring promoters are fairly compensated and advertisers receive genuine traffic.
• Fraud prevention: IP addresses and device fingerprints are used to detect click fraud, bot traffic, duplicate clicks, and other abusive behaviour.
• Payout processing: Financial data is required to calculate earnings, process withdrawals, and comply with payment regulations.
• Platform integrity: Trust scores and compliance metrics maintain a healthy marketplace for both advertisers and promoters.
• Legal compliance: We retain certain financial records as required by UK tax law (HMRC).
• Service improvement: Aggregated, anonymised data helps us improve the platform experience.

Legal bases: We process data under contract performance (providing the Rippl service), legitimate interests (fraud prevention, platform security), and legal obligation (tax record-keeping).

We retain personal data only for as long as necessary for the purposes it was collected:

IP addresses and device fingerprints are automatically nullified after 90 days via an automated daily process. The click record itself is retained for attribution purposes, but without identifying network or device information.

We use the following third-party services to operate Rippl. Each processor handles data in accordance with their own privacy policies and our data processing agreements:

• Supabase (database and authentication) — stores account data, click records, earnings, and all platform data. Hosted in the EU.
• Stripe (payment processing) — processes advertiser payments and promoter payouts via Stripe Connect. Stripe is PCI DSS Level 1 certified.
• Vercel (hosting and infrastructure) — hosts the Rippl web application. Serverless functions process API requests.

We do not sell, rent, or share your personal data with any third parties for marketing purposes.

Under the UK General Data Protection Regulation, you have the following rights:

• Right of access (Article 15) — Request a copy of all personal data we hold about you.
• Right to rectification (Article 16) — Request correction of inaccurate or incomplete personal data.
• Right to erasure (Article 17) — Request deletion of your personal data, subject to legal retention requirements.
• Right to data portability (Article 20) — Receive your personal data in a structured, commonly used, machine-readable format (JSON).
• Right to object (Article 21) — Object to processing of your personal data based on legitimate interests.
• Right to restrict processing (Article 18) — Request that we limit how we use your data in certain circumstances.

We will respond to all rights requests within 30 days, as required by law.

You can exercise your data rights in two ways:

• In-app: Navigate to Settings → Export My Data to download a complete JSON export of all your personal data. This is available to all logged-in users.
• By email: Send a request to support@mrvltechnologies.com with the subject line "Data Export Request" or "Data Deletion Request". Include your registered email address so we can verify your identity.

For deletion requests, please note that we are legally required to retain financial records for 7 years under UK tax law. In such cases, we will delete all non-financial personal data and anonymise the remaining records.

Rippl uses a minimal cookie policy. We only use cookies that are strictly necessary for the operation of the platform:

• Authentication cookies — Session cookies set by Supabase Auth to keep you logged in. These are first-party, secure, HttpOnly cookies.

We do not use any analytics cookies, advertising cookies, or third-party tracking cookies. We do not use pixel trackers, social media widgets, or any other form of cross-site tracking.

We implement appropriate technical and organisational measures to protect your personal data:

• All data is encrypted in transit (TLS/HTTPS)
• Database access is restricted via Row Level Security (RLS)
• Passwords are hashed using bcrypt via Supabase Auth
• Admin access requires two-factor authentication (TOTP)
• IP addresses and device fingerprints are automatically purged after 90 days
• Payment data is handled exclusively by Stripe (PCI DSS Level 1)

Rippl is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@mrvltechnologies.com and we will delete it promptly.

We may update this privacy policy from time to time. We will notify registered users of material changes via email or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.