Privacy Policy
Last Updated: January 1, 2025
Your Privacy Matters
Core Principle: We NEVER store your actual photos. Only cryptographic hashes and proofs are retained. You maintain full ownership of images. Zero-knowledge architecture protects your sensitive metadata.
1. Introduction
Rial Labs, Inc. ("Rial," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile applications, APIs, SDKs, and related services (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, company name (for enterprise users)
- Payment Information: Processed by third-party payment processors (we do not store credit card numbers)
- Support Communications: Messages sent to our support team
2.2 Information We DO NOT Collect
- Your Photos: We NEVER store the actual images you capture or verify
- Photo Content: We do not analyze or store the visual content of your images
- Unencrypted GPS Coordinates: Location data is processed using zero-knowledge proofs
2.3 Cryptographic Data We Collect
- Image Hashes: SHA-256 cryptographic hashes of images (not the images themselves)
- Zero-Knowledge Proofs: Cryptographic proofs of image authenticity
- Merkle Roots: Cryptographic commitments for verification
- Device Attestations: Hardware-backed device authenticity certificates
- Transformation History: Cryptographic records of edits (crop, resize, etc.)
2.4 Automatically Collected Information
- Device Information: Device type, OS version, app version
- Usage Data: API calls, verification requests, error logs
- IP Address: For security and fraud prevention
- Cookies: For session management (website only)
3. How We Use Your Information
3.1 Primary Uses
- Generate and verify cryptographic proofs of image authenticity
- Provide, maintain, and improve our Services
- Process payments and billing
- Respond to customer support requests
- Detect and prevent fraud, abuse, and security threats
3.2 Zero-Knowledge Architecture
Our Services are designed with zero-knowledge principles:
- Proofs are generated on your device
- Original images never leave your device
- GPS coordinates can be verified without revealing exact location
- Timestamps are proven without exposing precise capture time
- You control what metadata is disclosed in verification proofs
3.3 We Do NOT Use Your Information For
- Training AI models on your photos
- Selling or sharing your images with third parties
- Behavioral advertising based on photo content
- Analyzing photo content for commercial purposes
4. Information Sharing and Disclosure
4.1 We Share Information With
- Service Providers: Cloud hosting (AWS), payment processors (Stripe), analytics (minimal, privacy-focused)
- Legal Compliance: When required by law, court order, or government request
- Business Transfers: In the event of a merger, acquisition, or asset sale
4.2 We Do NOT Share
- Your photos or image content (we don't have them)
- Personally identifiable location data
- Verification results without your permission
4.3 Public Blockchain Data
If you use our blockchain attestation features:
- Cryptographic commitments may be published to public blockchains
- These commitments do NOT contain your photos or sensitive metadata
- Commitments are pseudonymous and not linked to your identity
5. Data Retention
5.1 What We Retain
- Cryptographic Proofs: Retained indefinitely for verification purposes
- Image Hashes: Retained for fraud detection and duplicate prevention
- Account Data: Retained while your account is active
- Usage Logs: Retained for 90 days
5.2 Data Deletion
You may request deletion of your account and associated data at any time by contacting privacy@rial.app. Note:
- Deletion may not be possible for data required for legal compliance
- Cryptographic proofs on public blockchains cannot be deleted
- We will delete all personal information within 30 days of request
6. Your Privacy Rights
6.1 GDPR Rights (EU/EEA Users)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing of your personal data
- Restriction: Request restriction of processing
6.2 CCPA Rights (California Users)
- Know: What personal information is collected
- Access: Request a copy of your personal information
- Delete: Request deletion of your personal information
- Opt-Out: Opt-out of sale of personal information (we do not sell personal information)
- Non-Discrimination: Equal service regardless of privacy choices
6.3 Exercising Your Rights
To exercise any of these rights, contact us at privacy@rial.app. We will respond within 30 days.
7. Security
7.1 Security Measures
- End-to-end encryption for data in transit (TLS 1.3)
- Encryption at rest for all stored data (AES-256)
- Hardware-backed key storage (iOS Secure Enclave, Android Keystore)
- Regular security audits and penetration testing
- Principle of least privilege access controls
- Multi-factor authentication for employee access
7.2 Data Breach Notification
In the event of a data breach affecting personal information, we will:
- Notify affected users within 72 hours
- Notify relevant data protection authorities as required
- Provide details on the nature of the breach and remediation steps
8. International Data Transfers
Our Services are operated from the United States. If you are located outside the U.S., your information will be transferred to and processed in the U.S.
For EU/EEA users, we use Standard Contractual Clauses (SCCs) approved by the European Commission to protect your data.
9. Children's Privacy
Our Services are not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we discover we have collected information from a child, we will delete it immediately.
10. Third-Party Services
10.1 Service Providers We Use
- AWS: Cloud hosting and infrastructure
- Stripe: Payment processing
- Plausible Analytics: Privacy-focused website analytics (no cookies, no tracking)
10.2 Third-Party Links
Our website may contain links to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies before providing any information.
11. Cookies and Tracking
11.1 Cookies We Use
- Essential Cookies: Required for authentication and security
- Analytics: Privacy-focused analytics (Plausible, no personal data collected)
11.2 We Do NOT Use
- Third-party advertising cookies
- Cross-site tracking
- Behavioral profiling cookies
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email notification to registered users
- In-app notification
- Prominent notice on our website
Continued use of the Services after changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
For privacy-related questions, requests, or concerns:
Data Protection Officer:
Email: privacy@rial.app
Address: Rial Labs, Inc., [Your Business Address]
EU Representative (GDPR):
[EU Representative Details if applicable]
Data Minimization by Design
Rial is built on the principle of data minimization. We only collect what's absolutely necessary for cryptographic verification and never access the content of your photos. Your privacy is protected by mathematics, not just policy.