Riffed
Privacy Policy
Effective: May 19, 2026 · Last updated: May 27, 2026
1. Who we are
Riffed (“we”, “us”, “our”) operates the Riffed mobile application (the “App”), a music-collaboration platform where people record, share, remix, and chat about original music.
- Company: Riffedit Corp.
- Mailing address: 100 King Street West, 1 First Canadian Place, Suite 6200, Toronto, ON M5X 1B8, Canada
- Privacy contact: hello@riffedit.com
If you have any questions about this policy or want to exercise your privacy rights, email the address above. We respond to all verified requests within 30 days.
2. Information we collect
We collect the minimum information needed to run the App, grouped into the categories below.
2.1 Information you give us directly
- Account credentials — email address, password (stored hashed by our auth provider), or an Apple/Google Sign-In token if you use social login.
- Profile information — username, display name, biography, avatar image, date of birth (used solely to enforce a 13+ age gate), and self-selected musical preferences (genres, instruments, playing level).
- User-generated content — audio recordings, video recordings, layers, tutorials, comments, direct messages, message attachments, and reactions you post in the App.
- Optional location — if you choose to enable location, we store your approximate latitude/longitude to power local-creator discovery and geo-tagged posts. You can disable this at any time in your device settings or your Riffed profile.
- Group activity — groups you create, join, or are invited to; group messages you send.
2.2 Information we collect automatically
- Device information — model, operating-system version, app version, language, and time zone.
- Diagnostics — crash reports, performance traces (frame rate, network latency), and breadcrumbs of in-app actions leading up to errors.
- Usage analytics — events such as screen views, button taps, and session length.
- Push notification token — an opaque token issued by Apple or Google so we can deliver push notifications you opted in to.
- IP address — recorded by our backend and media provider to deliver content, prevent abuse, and meet legal/regulatory requirements.
- Approximate location derived from IP — used only for fraud prevention and abuse detection; not stored against your account.
2.3 Information we receive from third parties
- Apple / Google Sign-In — a verified email address and, with your consent, your name.
- Mux — playback analytics for the videos you upload.
- App Store / Google Play — in-app purchase receipts and renewal status when you buy a paid tutorial or subscription.
- Stripe (if you become a paid creator) — identity verification (W-9 / W-8BEN) and payout-status information.
We do not collect health, biometric, financial-account, browsing-history-outside-the-App, or contacts data.
3. How we use your information
- Create your account, authenticate you, and keep your session secure.
- Display your profile and content according to your visibility settings (public, group-only, or private).
- Recommend posts, creators, layers, and groups based on what you follow, like, and remix.
- Deliver push notifications you have opted into.
- Process in-app purchases and, when launched, pay creators.
- Detect, prevent, and address abuse, fraud, and policy violations.
- Diagnose crashes and improve performance.
- Comply with legal obligations (tax reporting, lawful requests from authorities).
4. Third-party processors
We share information with the service providers below strictly to operate the App. Each is bound by a data-processing agreement or equivalent contractual safeguard.
| Processor | What we share | Purpose | Region |
|---|---|---|---|
| Supabase | Account, content, engagement data | Database, auth, storage, server-side logic | United States (us-west-1) |
| Mux | Uploaded video/audio, playback IP, device class | Video transcoding, HLS streaming, playback | Global CDN, US origin |
| Sentry | Crash data, performance traces, user ID, IP | Error & performance monitoring | United States |
| Firebase (Google) | Analytics events, push tokens, device IDs | Analytics + push notifications | United States |
| Apple | Email, name (Sign in with Apple), IAP receipts, push token | Authentication, payments, push delivery | Per Apple’s policies |
| Google | Email, name, profile picture (Sign in with Google) | Authentication | United States |
| Stripe (planned) | Creator identity (W-9 / W-8BEN), bank info, payout amounts | Creator payouts via Stripe Connect | United States |
We may also disclose information when required by law, to comply with a valid legal process, or to protect our rights, property, or safety, or that of our users or the public.
5. International data transfers
Our processors operate primarily in the United States. If you access the App from outside the US, your information will be transferred to and processed in the US. We rely on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK and Swiss safeguards with our US sub-processors where applicable.
6. How long we keep your information
- Account & profile data — retained for as long as your account is active.
- User-generated content — retained while your account is active and not deleted by you. Deletion is immediate on our database; CDN copies are purged within 30 days.
- Engagement signals (likes, follows, comments) — retained for up to 24 months for analytics, then aggregated and de-identified.
- Crash and performance data — retained for 90 days.
- Analytics events — retained for 14 months.
- Backups — encrypted backups retained up to 30 days on a rolling basis.
When you delete your account (Settings → Delete Account), we purge your profile, posts, layers, messages, and personal identifiers within 30 days. Data we are legally required to retain (e.g., tax records for paid creators) is kept for the period the law specifies, then deleted.
7. Your rights and choices
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct inaccurate information.
- Deletion — request that we delete your account and personal information.
- Portability — request a machine-readable export of your data.
- Restriction / objection — limit how we process your information.
- Withdraw consent — for any processing based on consent, such as location.
To exercise any of these rights, email hello@riffedit.com from the address associated with your account. We may need to verify your identity before fulfilling the request.
California residents (CCPA / CPRA)
You have the right to know, delete, correct, and limit the use of sensitive information. We do not sell or “share” (as defined under the CPRA) your personal information. We do not knowingly process the personal information of California residents under 16 for cross-context behavioral advertising.
EEA, UK, and Swiss residents (GDPR / UK GDPR)
Our legal bases for processing are (a) performance of a contract (running your account), (b) legitimate interest (security, analytics, recommendations), (c) consent (location, push), and (d) legal obligation (tax, abuse reports). You have the right to lodge a complaint with your local supervisory authority.
Canadian residents (PIPEDA)
Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access the personal information we hold about you, request corrections, and withdraw consent for processing. You can also file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
8. Children’s privacy
Riffed is intended for users 13 years of age and older. We enforce this with a server-side date-of-birth check at signup; accounts that report an age under 13 are rejected.
We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with information, please email hello@riffedit.com and we will delete the account.
For users aged 13–17 in jurisdictions that require additional protections (UK, California), we apply heightened safeguards: no targeted advertising, no behavioural profiling for ads, and conservative default privacy settings.
9. Security
- TLS 1.2+ for all network traffic.
- Row-level security on every database table — by default, you can only access your own data and data shared with you.
- Encrypted local storage on-device (AES-encrypted cache; iOS Keychain / Android Keystore for auth tokens).
- Restricted production access on a need-to-know basis.
- Continuous error and intrusion monitoring.
No system is perfectly secure. If we become aware of a data breach that affects you, we will notify you in line with applicable law (typically within 72 hours under GDPR).
10. Permissions we request
- Microphone — required to record audio for posts, layers, and live loops.
- Camera — required to record video for posts.
- Photo library — required to attach existing media to posts or set an avatar.
- Location (precise or coarse) — optional, used only for nearby-creator discovery and geo-tagged posts.
- Notifications — optional, used to deliver alerts about likes, follows, comments, and messages.
You can revoke any of these permissions at any time in your device’s system settings; revoking will disable the dependent feature but not affect the rest of the App.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you in-app and update the “Last updated” date above. Continued use of the App after a policy change constitutes acceptance of the updated policy.
12. How to contact us
- Email: hello@riffedit.com
- Mail: Riffedit Corp., 100 King Street West, 1 First Canadian Place, Suite 6200, Toronto, ON M5X 1B8, Canada