Privacy Policy — RivCut CNC Machining

This Privacy Policy describes how RivCut, Inc. collects, uses, shares, and protects your personal information when you visit our website, create an account, request a quotation, place an order, or otherwise interact with our platform and services. By using RivCut's services, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our services.

1. Information We Collect

We collect information in several ways when you interact with our platform and services:

Account Information

When you create an account or place an order, we collect information you provide directly, including:

Full name and job title
Business name and address
Email address and phone number
Billing and shipping addresses
Payment information (credit card numbers, billing details)
Tax identification numbers, when required for business transactions

Usage Data

We automatically collect information about how you interact with our platform, including:

Pages visited, features used, and actions taken on our website
Quotation requests, order history, and file uploads
Search queries and browsing patterns within the platform
Date, time, and duration of visits
Referring URLs and exit pages

Device and Technical Information

We collect technical information from your device and browser, including:

IP address and approximate geographic location
Browser type, version, and language settings
Operating system and device type
Screen resolution and viewport size
Unique device identifiers

Cookies and Similar Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your browsing activity. See Section 7 for detailed information about our cookie practices.

2. How We Use Your Information

We use the information we collect for the following purposes:

Order Fulfillment and Service Delivery

Processing and fulfilling your orders for CNC machining services
Generating quotations based on your specifications and uploaded files
Managing shipping, delivery, and quality assurance processes
Providing customer support and responding to inquiries

Account Management

Creating and maintaining your user account
Verifying your identity and business credentials
Managing payment processing and invoicing
Enforcing our Terms of Service and other agreements

Communications

Sending order confirmations, shipping notifications, and delivery updates
Providing account-related notices, including security alerts
Sending marketing communications about our services, promotions, and industry updates (with your consent or where permitted by law)
Responding to your requests, feedback, and support tickets

Analytics and Improvement

Analyzing usage patterns to improve our platform, services, and user experience
Conducting internal research and development
Monitoring platform performance and diagnosing technical issues
Generating aggregated, de-identified analytics and reports

Legal Compliance and Protection

Complying with applicable laws, regulations, and legal processes
Detecting, preventing, and addressing fraud, security breaches, and unauthorized activity
Enforcing our contractual rights and protecting our legal interests
Meeting tax, audit, and regulatory reporting requirements

3. Information Sharing

We do not sell your personal information. RivCut does not sell, rent, or trade your personal data to third parties for their marketing purposes.

We may share your information with the following categories of recipients, solely for the purposes described in this policy:

Shipping Carriers

We share your name, shipping address, phone number, and order details with shipping carriers (e.g., UPS, FedEx, freight carriers) as necessary to deliver your orders.

Payment Processors

We share payment information with third-party payment processors to securely process transactions. These processors are contractually obligated to protect your financial data and are prohibited from using it for any purpose other than processing payments on our behalf.

Manufacturing Subcontractors

In some cases, we may share technical specifications and limited contact information with trusted manufacturing subcontractors who assist in fulfilling your orders. These subcontractors are bound by confidentiality agreements and are only permitted to use your information in connection with completing the work.

Professional Advisors

We may share information with our attorneys, accountants, auditors, and insurance providers as needed for legal, tax, and business purposes.

Legal Requirements

We may disclose your information when required to do so by law, regulation, subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is necessary to:

Comply with applicable legal obligations
Protect the rights, property, or safety of RivCut, our customers, or others
Investigate or prevent suspected fraud or illegal activity
Enforce our Terms of Service or other agreements

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your information.

4. Data Security

We take the security of your personal information seriously and implement a range of technical and organizational measures to protect it, including:

Encryption

All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security)
Payment information is encrypted and processed in compliance with PCI-DSS standards
Sensitive data at rest is encrypted using industry-standard encryption algorithms

Access Controls

Access to personal information is restricted to authorized employees and contractors who require it to perform their job functions
We maintain role-based access controls and audit logs for systems containing personal data
Multi-factor authentication is used for administrative access to critical systems

Employee Training

All employees receive training on data privacy and security practices upon hire and on a recurring basis
Employees are required to acknowledge and adhere to our internal data handling policies
Access to customer data is monitored and reviewed regularly

While we strive to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents and notifying affected users as required by law.

5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this policy, subject to the following guidelines:

Legal and tax records: Order records, invoices, payment information, and related financial data are retained for a minimum of seven (7) years to comply with federal and state tax, accounting, and regulatory requirements.
Account data: Your account profile, preferences, and associated data are retained for as long as your account remains active. If you request account deletion, we will delete or anonymize your personal data within a reasonable timeframe, except where retention is required by law or for legitimate business purposes.
Usage and analytics data: Aggregated and de-identified usage data may be retained indefinitely for analytics and service improvement purposes.
Communications: Records of customer support interactions and correspondence may be retained for up to three (3) years after the last interaction.

When personal information is no longer needed for any lawful purpose, we will securely delete or irreversibly anonymize it.

6. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

Right to Access

You may request a copy of the personal information we hold about you. We will provide this information in a commonly used, machine-readable format within the timeframe required by applicable law.

Right to Correction

You may request that we correct inaccurate or incomplete personal information. You can also update much of your account information directly through your account settings.

Right to Deletion

You may request that we delete your personal information, subject to certain exceptions. We may retain information as necessary to comply with legal obligations, resolve disputes, enforce our agreements, or where deletion is not technically feasible. Requests for deletion of data subject to the seven-year legal retention period described in Section 5 will be honored after that period expires.

Right to Opt Out of Marketing

You may opt out of receiving marketing communications at any time by:

Clicking the "unsubscribe" link in any marketing email
Updating your communication preferences in your account settings
Contacting us at privacy@rivcut.com

Please note that even after opting out of marketing communications, you will continue to receive transactional messages related to your orders, account, and our legal obligations.

To exercise any of these rights, please contact us at privacy@rivcut.com. We will respond to your request within thirty (30) days, or as required by applicable law. We may ask you to verify your identity before processing your request.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our platform. For a complete list of cookies, their purposes, and retention periods, see our Cookie Policy. For EU visitors we request opt-in consent before loading non-essential cookies. For California and other US visitors we provide a clearly visible opt-out via our cookie banner and the Do Not Sell or Share My Personal Information page.

Third-Party Tracking Tools We Use

We disclose the specific tracking tools active on our site so you can make informed choices:

Google Analytics (properties G-5LJSM9PN7S and G-S1NX9BGPVT) — used to measure traffic, page views, and user flow. IP anonymization is enabled. Only loaded after you grant analytics consent.
RivCut first-party analytics — collects pseudonymous visitor and session IDs stored in localStorage/sessionStorage, along with page views, click events, scroll depth, and aggregated mouse-movement coordinates. Only loaded after you grant analytics consent.
Cloudflare Turnstile — bot protection on signup and quote pages. Processes IP address, browser user-agent, and interaction signals to distinguish humans from bots. Essential for security.
Cloudflare CDN and bot management — sets essential cookies (cf_clearance, __cf_bm) to protect against abuse and deliver the site quickly.
Stripe — payment processor, only loaded on checkout pages. Governed by Stripe's own privacy policy.

We do not currently use advertising, retargeting, or cross-site tracking cookies.

Essential Cookies

These cookies are necessary for the website to function properly. They enable user authentication, session management, security, and your cookie preferences. These cookies cannot be disabled without impacting site functionality.

Analytics Cookies

Analytics cookies help us understand how visitors interact with our site (page views, navigation paths, time on page, click patterns). Analytics data is used to improve performance and usability. We do not sell this data or use it for advertising.

IP Address Logging

We log IP addresses for security, fraud prevention, abuse monitoring, and legal compliance. IP addresses may be used to identify approximate geographic location and to detect unauthorized access or suspicious activity. This logging is essential for site security and is not subject to the optional consent categories.

Managing Your Preferences

You can change your cookie preferences any time via the "Cookie Preferences" link in our footer, or through your browser settings. California residents can also exercise their CCPA rights via our Do Not Sell or Share page.

7a. AI Chat, Automated Quoting, and Model Training

RivCut uses AI-powered systems to provide instant quotes, answer chat questions, and analyze CAD files for manufacturability. We want to be transparent about how your data is processed.

What We Process

Chat transcripts (messages you type into our chat widget or lead-capture forms)
CAD files and technical drawings you upload for quoting or manufacturing
Order history and part specifications used to generate future quotes

How We Use It

AI processing is used to deliver the service you requested (quotes, answers, DFM feedback). We retain chat transcripts and uploaded files only as long as necessary for the service, legal recordkeeping, and quality improvement — see Section 5 for retention periods.

No Third-Party Model Training Without Consent

RivCut does not sell your CAD files, chat transcripts, or quote data. We do not share your proprietary designs with third-party AI providers to train their public models. Our AI vendors (such as Cloudflare Workers AI and payment processors for fraud detection) process data only to perform the contracted service and are contractually prohibited from using it for their own model training.

Your Rights

You can request access to, correction of, or deletion of any AI-processed data by contacting privacy@rivcut.com. California residents have additional rights under CCPA/CPRA described in Section 9.

7b. Security Incident and Data Breach Notification

If we discover a security incident that involves unauthorized access to or acquisition of your personal information, we will:

Notify affected users without unreasonable delay, and no later than thirty (30) days after discovery, consistent with California Civil Code §1798.82 and applicable state laws.
Include in the notice: the nature of the incident, categories of information involved, steps we are taking, and what you can do to protect yourself.
Notify applicable regulators, including the California Attorney General if the incident affects more than 500 California residents.
Cooperate with law enforcement investigations and provide credit monitoring or identity protection services where required.

To report a suspected security issue, email security@rivcut.com. We welcome responsible disclosure from security researchers.

7c. California "Shine the Light" Notice

California Civil Code Section §1798.83 ("Shine the Light") permits California residents to request, once per year, information about the disclosure of personal information to third parties for the third parties' direct marketing purposes. RivCut does not share personal information with third parties for their direct marketing purposes. If this practice ever changes, we will update this policy and honor Shine the Light requests within 30 days. To submit a request, email privacy@rivcut.com with the subject "Shine the Light Request."

8. Children's Privacy

RivCut's services are intended for businesses and individuals who are at least eighteen (18) years of age. We do not knowingly collect, solicit, or maintain personal information from anyone under the age of 18. If we learn that we have collected personal information from a person under 18, we will promptly delete that information.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at privacy@rivcut.com so that we can take appropriate action.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete

You have the right to request deletion of your personal information, subject to certain legal exceptions as described in Section 6.

Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge you different prices, provide a different level of service, or suggest that you will receive a different level of service for exercising your rights.

No Sale of Personal Information

RivCut does not sell personal information as defined under the CCPA/CPRA. We also do not share personal information for cross-context behavioral advertising purposes.

Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority, including a signed written authorization or a valid power of attorney.

To submit a CCPA/CPRA request, contact us at privacy@rivcut.com or by mail at the address provided in Section 11. We will verify your identity and respond within forty-five (45) days, as required by law.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Post the updated policy on this page with a revised "Last Updated" date
Notify you by email (sent to the email address associated with your account) or through a prominent notice on our platform
Provide at least thirty (30) days' notice before material changes take effect, where required by law

Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically to stay informed about how we protect your information.

11. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@rivcut.com
Subject Line: Privacy Policy Inquiry
Mail: RivCut, Inc., Attn: Privacy, San Jose, CA

We will acknowledge your inquiry within five (5) business days and provide a substantive response within thirty (30) days.