Privacy Policy
1. Who we are
RiftRec ("we", "us") is the data controller responsible for your personal data when you use our services. We're operated from Finland.
For privacy questions, contact our Data Protection contact at privacy@riftrec.app.
2. What data we collect
Account data (when you register)
| Data | Why | How long |
|---|---|---|
| Email address | Login, account recovery, communication | Until account deletion |
| Password | Authentication (stored as bcrypt hash, never plaintext) | Until account deletion |
| Display name | Identification within the platform | Until account deletion |
| Bio (optional) | Profile customization | Until you remove it |
| Avatar URL (optional) | Profile picture (we don't store the image) | Until you remove it |
Email encryption: We encrypt email addresses at rest using AES-256-GCM, so even if our database were compromised, emails would be unreadable without our encryption key.
Content you upload
| Data | Why | How long |
|---|---|---|
| Video files (clips) | Core service — your gameplay recordings | Until deleted by you, replaced by quota cleanup, or account deleted |
| Voice review recordings | Coaching feature | Until deleted by you or sender/recipient |
| Bookmarks and notes | Coaching annotations on clips | Until deleted |
| Direct messages | Communication with friends | Capped at 50 messages per conversation; older messages auto-deleted |
| Comments on clips | Discussion feature | Until deleted |
Usage data (collected automatically)
| Data | Why | How long |
|---|---|---|
| IP address | Security, rate limiting, abuse prevention | 30 days in access logs |
| Browser type and version | Compatibility, security | 30 days in access logs |
| Pages visited and timestamps | Service operation, debugging | 30 days in access logs |
| Last login time | Account security | Until account deletion |
| Last seen time | Online status indicator for friends | Until account deletion |
Optional data (only if you choose)
| Data | Why |
|---|---|
| Riot Games account info (PUUID, game name, tag line) | Link your in-game profile to your RiftRec account |
| Friend connections | Social features (sharing clips, voice chat) |
| Group memberships | Team-based clip sharing |
| Ratings you give to other users | Coaching reputation system |
3. What we DON'T collect
- We don't track you across websites (no third-party analytics or ad pixels)
- We don't use cookies for advertising (only essential cookies for login sessions)
- We don't collect your real name, address, phone number, or government ID
- We don't access your computer files outside what you explicitly upload
- We don't read your messages — they're stored but only visible to sender and recipient
- We don't sell or share data with advertisers, ever
4. Legal basis for processing (GDPR)
Under the EU General Data Protection Regulation, we process your data on these legal bases:
- Contract (Article 6(1)(b)): Account creation, video hosting, social features — necessary to provide the service you requested.
- Legitimate interests (Article 6(1)(f)): Security, fraud prevention, rate limiting, system administration, abuse handling.
- Consent (Article 6(1)(a)): Optional features like Riot account linking, marketing communications (if any in the future).
- Legal obligation (Article 6(1)(c)): Responding to lawful requests from authorities, preserving evidence in abuse cases.
5. Who we share data with
We share data only with these third parties, and only to the extent necessary:
| Service | What we share | Purpose | Location |
|---|---|---|---|
| Hetzner Online GmbH | All hosted data (encrypted in transit and at rest) | Server hosting, object storage | Helsinki, Finland |
| Paddle.com Market Limited | Email, name, billing info (if you subscribe) | Payment processing | UK / EU |
| Let's Encrypt | Domain name only | Free SSL certificates | USA |
We do not use:
- Google Analytics or any analytics service that profiles users
- Facebook, Twitter, TikTok, or other social media tracking pixels
- Advertising networks
- Third-party comment systems (Disqus, etc.)
6. Where your data is stored
All data is stored at Hetzner's Helsinki, Finland datacenter. This means:
- Your data stays within the EU (subject to GDPR protections)
- Finnish privacy law applies
- EU authorities have jurisdiction over data requests
If we expand to additional regions in the future, we'll update this policy and notify users.
7. Your rights under GDPR
As an EU resident, you have the following rights regarding your personal data:
Right of access (Article 15)
You can request a copy of all data we hold about you. We'll provide it in a machine-readable format (JSON) within 30 days, free of charge.
Right to rectification (Article 16)
You can edit your profile, display name, bio, and other details directly in the app at any time.
Right to erasure / "right to be forgotten" (Article 17)
You can delete your account at any time from the settings page. This permanently removes:
- Your account record
- All clips you uploaded
- All messages you sent
- Your friend connections, ratings, bookmarks, comments
- Your encrypted email and password hash
Note: Backup snapshots may retain traces of your data for up to 30 days after deletion. After that period, all backups containing your data have rotated out.
Right to data portability (Article 20)
You can export your data in JSON format from the settings page or by emailing privacy@riftrec.app.
Right to object (Article 21)
You can object to processing based on legitimate interests by emailing us. We'll stop unless we have compelling legitimate grounds to continue.
Right to restrict processing (Article 18)
You can ask us to stop using your data while we resolve a complaint or correction.
Right to lodge a complaint
If you believe we've violated your privacy rights, you can complain to Finland's data protection authority:
Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
Lintulahdenkuja 4, 00530 Helsinki, Finland
Website: tietosuoja.fi
8. Cookies
We use a minimal set of cookies and browser storage:
- Authentication token (localStorage): A JWT that keeps you logged in. Expires after 30 minutes of inactivity.
- Settings (localStorage): Your theme, blur preference, default playback speed, etc. Stored only in your browser.
- Session preferences (sessionStorage): Temporary state like current view.
We don't use tracking cookies, ad cookies, or third-party cookies. No cookie consent banner is required because we only use technically essential storage.
9. Children's privacy
RiftRec is not intended for children under 13. We don't knowingly collect data from anyone under 13. If you're a parent and believe your child has registered, contact us and we'll delete the account.
For users 13–17 (or below the age of majority in your country), we recommend parental supervision. Some features (like voice chat with strangers) may not be appropriate for minors.
10. Data security
We take security seriously. Measures include:
- Encryption in transit: All connections use HTTPS (TLS 1.2 or 1.3)
- Encryption at rest: Email addresses encrypted with AES-256-GCM
- Password hashing: bcrypt with cost factor 12 (industry standard)
- Rate limiting: Per-IP and per-account limits on sensitive endpoints
- Account lockout: 5 failed login attempts locks the account for 10 minutes
- SQL injection prevention: Parameterized queries everywhere
- XSS prevention: Content Security Policy + input sanitization
- Firewall: Only ports 22 (SSH), 80 (HTTP), 443 (HTTPS) exposed
- fail2ban: Automatic IP banning for brute-force attempts
- Regular updates: Operating system and dependencies kept current
11. Data breach notification
If we discover a personal data breach that's likely to result in a high risk to your rights, we'll notify you within 72 hours as required by GDPR Article 34. Notifications will be sent by email and posted prominently on the site.
12. International data transfers
Currently all data stays within the EU. If we add servers in other regions in the future, we'll use Standard Contractual Clauses (SCCs) and other GDPR-compliant transfer mechanisms.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email and in-app notice at least 14 days before they take effect.
14. Contact us
For privacy questions, data access requests, or to exercise your GDPR rights:
Email: privacy@riftrec.app
Postal address: Available on request via privacy@riftrec.app
Response time: Within 30 days, usually within 7