Rift

Privacy Policy

Last updated: May 27, 2026

This Privacy Policy describes how Rift LLC, a Wyoming limited liability company ("Rift," "we," "us," or "our"), collects, uses, and shares personal information about you when you use the Rift platform — the Rift CLI, the Rift Dashboard, the Rift APIs, the public website, and any related services (the "Platform"). For terms governing your use of the Platform, see our Terms of Service.

1. Scope

This Policy applies to information processed by Rift as a data controller. When we process personal information on behalf of a customer organisation (for example, when an organisation's administrator deploys Rift across its repositories), the organisation is the data controller and Rift acts as a data processor under the organisation's instructions.

2. Information We Collect

  • Account information. When you create a Rift account or join a waitlist, we collect your name, email address, organisation name where provided, and authentication credentials. If you sign in via GitHub, Google, or another SSO provider, we receive the basic profile fields you authorise.
  • Usage data. We collect data about your use of the Platform: API requests, Dashboard interactions, feature usage, IP address (transient, used for rate limiting and abuse prevention), browser and device type, and timestamps.
  • AI session metadata. The Rift CLI captures metadata about AI coding sessions in your repositories — agent identifiers, model names, token counts, redacted prompts and transcripts, tool calls, file-edit metadata, and attribution data linking sessions to commits and pull requests. Raw, un-redacted transcripts remain local on the developer's machine by default; only redacted metadata is transmitted to Rift Cloud.
  • Integration data. When you connect Rift to third-party services (such as GitHub, GitLab, Jira, Linear, or your AI provider's admin API), Rift receives data from those services according to the OAuth scopes you authorise — for example, pull-request metadata, issue assignments, billing data, and seat usage.
  • Communications. When you contact us (including via email, the waitlist form, or support channels), we retain a record of the communication and any information you provide.
  • Cookies and similar technologies. Our website uses essential cookies for authentication and a limited number of analytics cookies (subject to consent in jurisdictions where required). See the Cookies section.

3. How We Use Information

We use personal information to:

  • Provide, operate, and improve the Platform.
  • Compute analytics, attribution, cost reconciliation, and forecasts for your organisation.
  • Bill paid customers and manage subscriptions, including via third-party payment processors.
  • Communicate with you about service updates, security alerts, maintenance, and (where you have opted in) product announcements.
  • Detect and prevent fraud, abuse, security incidents, and violations of our Terms of Service.
  • Comply with legal obligations and enforce our agreements.

We do not use Your Content (prompts, transcripts, source-related metadata) to train AI or machine-learning models without your explicit prior consent.

4. Legal Bases (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under applicable data-protection law:

  • Contract. To provide the Platform under our agreement with you.
  • Legitimate interests. To improve and secure the Platform, prevent abuse, and develop new features, with safeguards proportionate to the impact on your rights.
  • Consent. Where required (for example, for non-essential cookies or marketing emails). You can withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation. Where required to comply with laws and regulatory obligations.

5. Sharing

We do not sell personal information. We share information only in the following circumstances:

  • Service providers acting on our instructions. Cloud hosting, error monitoring, email delivery, analytics, and payment processing. These providers are bound by data processing agreements limiting their use of the data.
  • Integrations you authorise. Where you connect a third-party service (such as your AI provider's admin API), Rift exchanges data with that service according to the scopes you grant.
  • Authorities and legal process. Where required by law or to respond to valid legal process, with notice to you where permitted.
  • Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections.

6. Data Retention

  • Account data: retained while your account is active and for 90 days after closure, unless a longer period is required by law.
  • Redacted session metadata in Rift Cloud: retained per the retention policy of your tier (default one year; up to seven years on Enterprise) or until you delete the underlying repository data.
  • Raw transcripts (local): retained on the developer's machine for the period configured in .rift/policies/retention.yaml (default 30 days). Raw transcripts are not synced to Rift Cloud.
  • Audit logs: retained for the period applicable to your tier (default one year; up to seven years on Enterprise) to support compliance obligations.
  • Aggregated, anonymised data: may be retained indefinitely.

7. International Transfers

Rift is operated from the United States. If you are located outside the US, your personal information will be transferred to and processed in the US (and, for certain customers in EU regions when applicable). For transfers of personal information from the EEA, UK, or Switzerland to the US, we rely on the European Commission's Standard Contractual Clauses and implement supplementary safeguards where appropriate. Enterprise customers may request EU data residency, in which case applicable data is hosted in EU regions.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect your information, including TLS 1.3 in transit, envelope encryption with per-organisation keys at rest, customer-managed encryption keys on Enterprise, role-based access control, hash-chained tamper-evident event logs, principle-of-least-privilege internal access, and routine vulnerability scanning. No security measure is perfect; you can report a suspected security issue to ulpian.morina@xrift.io.

9. Your Rights

Depending on where you live, you may have rights with respect to your personal information, including:

  • Access. Receive a copy of the personal information we hold about you.
  • Correction. Have inaccurate or incomplete data corrected.
  • Deletion. Request that we delete your data, subject to legal retention obligations.
  • Portability. Receive your data in a portable, machine-readable format.
  • Objection or restriction. Object to, or ask us to restrict, certain processing.
  • Withdraw consent. Where processing relies on consent.

To exercise these rights, email ulpian.morina@xrift.io. We will respond within 30 days, or sooner where required by law. If you are an EEA or UK resident and believe we have mishandled your data, you can lodge a complaint with your local data-protection authority.

If your data is processed by Rift on behalf of your employer (for example, where your organisation has deployed Rift), please direct your request to your organisation's administrator. We will support our customers in responding to valid requests.

10. Cookies

Our website uses a small number of cookies and similar technologies. Essential cookies are required for authentication and security. Analytics cookies help us understand how the Platform is used; in jurisdictions where required, we collect them only after you have given consent. You can manage cookies through your browser settings; blocking essential cookies may limit your ability to sign in.

11. Children

The Platform is not directed to anyone under the age of 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us and we will promptly delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable advance notice (typically at least 30 days) by email or via the Platform. The "Last updated" date above reflects the most recent revision. Continued use of the Platform after the effective date constitutes your acknowledgement of the updated Policy.

13. Contact

For privacy questions, to exercise the rights above, or to report a privacy incident:

Rift LLC
Attention: Ulpian Morina, Privacy Contact
Wyoming, United States
ulpian.morina@xrift.io