Privacy Policy
Last updated: 28 March 2026 · Section summaries are provided for convenience and are not legally binding.
Rippily Limited (“Rippily”, “we”, “us”, “our”) operates the Rippily platform (“Platform”, “Service”). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service.
We are committed to protecting your privacy. We do not use client-side analytics, advertising trackers, or third-party tracking cookies. All usage data is processed server-side under our direct control.
We don't use advertising cookies or third-party trackers, and we don't sell your data. All analytics are server-side.
1. Information We Collect
When you sign up, we collect your email, display name, tagname, and password (stored only as a one-way hash — we never see your actual password). We also store content you create (messages, communities, spaces), payment references via Stripe (never your card number), and session analytics like join times and speak duration. Raw analytics are deleted after 7 days.
1.1 Information You Provide
Account Information: When you create an account, we collect:
- Email address
- Display name
- Password (stored as a one-way cryptographic hash; we never store or have access to your plain-text password)
- Tagname (your public @username)
Profile Information: You may optionally provide:
- Profile picture (avatar)
- Presence preferences (whether other users can see your online status or location within the Platform)
- Notification preferences (sound alerts, push notifications for direct messages)
Content You Create: When you use the Platform, you may create:
- Wave (community) names, descriptions, and settings
- Ripple (space) designs, including backgrounds, interactive elements, scenes, and configurations
- Chat messages, including text, images, and file attachments
- Direct messages to other users
- Poll questions and responses
- Reactions to messages
Payment Information: If you subscribe to a paid plan or purchase a community access plan, payment is processed by Stripe. Rippily does not store your credit card number or banking details. We store:
- Stripe Customer ID (a reference linking your Rippily account to your Stripe payment record)
- Subscription status, tier, and billing interval
- Payment event history (subscription created, renewed, cancelled, or failed)
If you are a Wave owner accepting payments via Stripe Connect, Stripe collects your identity, tax, and banking information directly as part of the Express account onboarding. Rippily does not have access to your full banking details.
Bug Reports: If you submit a bug report through the Platform, we collect the report title, description, the page URL where the issue occurred, and your browser and operating system information.
Waitlist: If you join a waitlist, we collect your email address, name, and the source of your sign-up.
Communication Data: When you contact us, we collect the information you provide, such as your email address and the content of your message.
1.2 Information Collected Automatically
Session Analytics: When you participate in a Ripple (virtual space), we automatically collect:
- Session start and end times
- Duration of audio activity (speak time)
- Zone or area changes within a space
- Message and reaction counts
- Engagement level (a summary of your participation activity during the session)
Raw analytics events are retained for 7 days and then permanently deleted. Aggregated, non-identifying session summaries may be retained longer to provide Wave owners and administrators with community insights.
Community Visits: We record which Waves you visit to support discovery recommendations and community analytics for Wave owners.
Push Notification Subscriptions: If you opt in to push notifications, we store a device endpoint URL and encryption keys necessary to deliver notifications to your device. This data is deleted when you unsubscribe from notifications.
Discovery Data: To power our community discovery features, we calculate:
- Wave activity scores (based on recent sessions and member engagement)
- Trending scores (measuring recent activity relative to historical baselines)
These scores are derived from aggregated, non-personal data.
1.3 Information from Third Parties
Google OAuth: If you choose to sign in with Google, we receive:
- Your Google account identifier
- Display name
- Profile picture URL
- Email address
We do not access your Google contacts, calendar, drive, or any other Google services.
1.4 Guest Participants
When you join a Ripple as a guest (without creating an account), we collect:
- The display name you provide when joining
- Your email address, if the Wave requires it (e.g., to verify against a guest list)
- A locally generated identifier stored in your browser’s local storage to maintain your session
- Session analytics as described in Section 1.2
Guest email addresses provided for guest list verification are checked against the Wave’s whitelist and are not used for marketing or shared beyond the Wave owner. Guest data is not linked to a registered account.
2. How We Use Your Information
We use your data to run the platform, authenticate you, enable real-time communication, and send transactional emails. We never sell your information or use it for advertising. Each purpose has a specific legal basis under GDPR, listed in the table below.
We use your information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service | Performance of contract |
| Authenticate your identity and manage your account | Performance of contract |
| Enable real-time audio, video, and chat communication | Performance of contract |
| Provide session analytics to Wave owners and administrators | Legitimate interest |
| Power community discovery and recommendations | Legitimate interest |
| Send transactional emails (verification, password reset, invitations) | Performance of contract |
| Deliver push notifications (when you opt in) | Consent |
| Enforce our Terms of Service and Community Guidelines | Legitimate interest |
| Prevent fraud, abuse, and security threats | Legitimate interest |
| Respond to your support requests | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not sell your personal information. We do not use your data for advertising or profiling.
3. How We Share Your Information
Other users in your communities can see your display name, avatar, and messages. Wave owners see aggregated session analytics. We use Stripe for payments, Cloudflare for storage and bot protection, AWS SES for email, and Google for OAuth — each under a data processing agreement. We never share data with advertisers. Wave owners can also configure webhooks that send event data to external services they choose.
We share your information only in the following circumstances:
3.1 With Other Users
- Your display name, tagname, and avatar are visible to other users in Waves you belong to.
- Your online status and location within the Platform may be visible depending on your presence settings.
- Chat messages and reactions you post are visible to other participants in that Ripple.
- Direct messages are visible only to you and the recipient.
3.2 With Wave Owners
Wave owners and administrators can view aggregated session analytics for their community, including participant names, session durations, and engagement metrics. This data helps community owners understand how their spaces are used.
3.3 With Service Providers
We use the following third-party services to operate the Platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing (platform subscriptions and community access plans) | Email, name, Stripe Customer ID, payment metadata. Card details handled directly by Stripe (PCI DSS compliant). For Wave owners using Stripe Connect: identity, tax ID, and banking information collected by Stripe. |
| Cloudflare (R2) | Media storage and content delivery | Uploaded files (avatars, images, attachments) |
| Cloudflare (Turnstile) | Bot protection on forms | IP address, browser metadata (no tracking cookies) |
| Amazon Web Services (SES) (EU-West-1, Ireland) | Transactional email delivery | Email addresses, email content |
| Resend | Transactional email delivery (backup) | Email addresses, email content |
| Google | OAuth authentication (when you choose to sign in with Google) | Authentication tokens, profile information |
| Anthropic | Platform administration (bug report triage, content moderation assistance) | Bug report content, user content under review. Not used to train AI models. |
These providers process data on our behalf under data processing agreements. They do not use your data for their own purposes. Real-time audio and video communication is processed on our own self-hosted infrastructure within the EU and is not shared with any third-party service.
3.4 Via Webhooks
Wave owners may configure webhooks that send event data (such as participant join and leave events) to external services of their choosing. When webhooks are enabled for a Wave, participation events — including your display name and email address (if available) — may be shared with the configured external service. Rippily provides the webhook mechanism but does not control or monitor the external services chosen by Wave owners. Wave owners are solely responsible for disclosing their use of webhooks to their community members, for selecting lawful destinations, and for ensuring compliance with applicable privacy laws. Rippily accepts no responsibility for how third-party services handle data received through webhooks configured by Wave owners.
3.5 Legal Requirements
We may disclose your information if required to do so by law, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4. Cookies and Local Storage
We set one session cookie for login, short-lived cookies for Google sign-in, and a local storage ID for guests. Cloudflare Turnstile sets a session cookie for bot protection on forms. That is the complete list — no advertising cookies, no analytics cookies, no third-party trackers. Because they are all strictly necessary, no cookie consent banner is required.
We use a minimal set of cookies and local storage, strictly necessary for the Service to function. We do not use advertising cookies, analytics cookies, or third-party tracking cookies.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| session | HTTP-only cookie | Authentication session token | Session |
| OAuth state cookies | HTTP-only cookies | Secure Google sign-in flow (PKCE) | 10 minutes |
| Guest identifier | Local storage | Maintain guest session continuity | Persistent (browser) |
| Service worker cache | Cache storage | Offline asset caching for performance | Until app update |
| Cloudflare Turnstile | Third-party cookie (Cloudflare) | Bot protection on contact and waitlist forms | Session |
Because every cookie listed above is strictly necessary for the service to function, no cookie consent banner is required under GDPR. We list them here for full transparency.
Because we only use strictly necessary cookies, we do not require a cookie consent banner under GDPR. However, we disclose all cookies here for full transparency.
5. Data Retention
Your account data stays until you delete your account. Raw analytics events are automatically purged after 7 days. Messages and content persist until you or the Wave owner removes them. Payment records are kept as long as tax law requires. The table below has the full breakdown by data type.
| Data Type | Retention Period |
|---|---|
| Account information | Until you request account deletion |
| User content (rooms, messages, media) | Until you or the Wave owner deletes it |
| Raw analytics events | 7 days (automatically purged) |
| Aggregated session summaries | Until the associated Wave is deleted |
| Direct messages | Until you or the recipient deletes them |
| Email verification tokens | Until used or expired |
| Password reset tokens | Until used or expired |
| Ban records | Duration of the ban, or until the Wave owner removes it |
| Bug reports | Until resolved and no longer needed for platform improvement |
| Waitlist entries | Until you are admitted to the platform or request removal |
| Payment and subscription records | As required by applicable tax and accounting laws |
6. Your Rights
You can request a copy of your data, ask us to correct it, or ask us to delete it entirely. In the EEA you have full GDPR rights (access, rectification, erasure, portability, objection). In California, CCPA gives you the right to know and delete. Email legal@rippily.com and we will respond within 30 days.
Depending on your location, you may have the following rights regarding your personal data:
6.1 Under GDPR (European Economic Area)
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data (“right to be forgotten”).
- Restriction: Request that we limit how we process your data.
- Portability: Request your data in a structured, commonly used format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time.
6.2 Under CCPA (California, United States)
- Know: Request information about what personal data we collect and how we use it.
- Delete: Request deletion of your personal data.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
We do not sell personal information as defined under the CCPA.
6.3 Exercising Your Rights
To exercise any of these rights, contact us at legal@rippily.com. We will respond within 30 days. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons within the initial 30-day period. We may need to verify your identity before processing your request.
If you are in the EEA and feel your data protection rights have not been addressed, you can lodge a complaint with the Data Protection Commission (DPC) in Ireland or your local supervisory authority.
7. Data Security
Passwords are hashed with bcrypt, all traffic is encrypted over HTTPS/TLS, session cookies are HTTP-only so that scripts injected through XSS cannot read them, and authentication endpoints are rate-limited against brute-force attacks. We also use Content Security Policy headers, HMAC-signed webhooks, and OAuth PKCE for third-party logins.
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords stored using industry-standard one-way hashing (bcrypt)
- HTTP-only, secure session cookies, so that session tokens cannot be read by scripts injected through cross-site scripting and are only sent over HTTPS
- Encrypted data transmission (HTTPS/TLS) for all communications
- Rate limiting on authentication endpoints to prevent brute-force attacks
- Content Security Policy headers to prevent clickjacking and injection attacks
- HMAC-SHA256 signed webhook payloads
- OAuth PKCE flow for secure third-party authentication
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. International Data Transfers
Rippily is based in Ireland and your data is primarily stored within the EEA. When a service provider processes data outside the EEA, we require Standard Contractual Clauses or an adequacy decision to keep it protected.
Rippily Limited is based in Ireland, within the European Economic Area (EEA). Your data is primarily processed and stored within the EEA. Some data may be processed by our service providers in other jurisdictions. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or adequacy decisions.
9. Automated Decision-Making
No algorithm on Rippily decides whether you can access the service or produces legal effects on you. Community discovery rankings use aggregated, non-personal activity data — they do not profile individual users.
In accordance with GDPR Article 22, we inform you that we do not use fully automated decision-making (including profiling) that produces legal effects or similarly significant effects on you. Our community discovery algorithm uses aggregated, non-personal activity data to rank Waves and does not profile individual users. Session engagement levels are informational summaries visible only to Wave owners and administrators and do not affect your access to the Service.
10. Children’s Privacy
Rippily is not for anyone under 16. We do not knowingly collect data from children. If we discover we have, we delete it promptly.
The Service is not directed at children under the age of 16. Under Section 31 of the Irish Data Protection Act 2018, the digital age of consent in Ireland is 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at legal@rippily.com.
11. Changes to This Policy
If we make material changes, we will email you or post a prominent notice on the platform at least 30 days before they take effect. The "Last updated" date at the top always shows the current revision.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Platform at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when this policy was last revised.
12. Contact and Data Protection
The data controller is Rippily Limited, based in Dublin, Ireland. For any data protection questions, email legal@rippily.com. If you are in the EEA and feel your concerns have not been addressed, you can complain to the Irish Data Protection Commission.
The data controller for the purposes of GDPR is Rippily Limited. We have not appointed a Data Protection Officer as we do not meet the threshold requiring one under GDPR Article 37. All data protection enquiries should be directed to:
- Email: legal@rippily.com
- Entity: Rippily Limited
- Address: 4 Castleview Way, Swords, Dublin, K67 TR62, Ireland
If you are in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is:
- Data Protection Commission
- 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
- www.dataprotection.ie