Privacy Policy
Last Updated: [EFFECTIVE_DATE] · Effective Date: [EFFECTIVE_DATE]
Summary of Key Points
- We collect professional profile data to power AI-driven matching between founders and builders.
- Your profile text is processed by OpenAI to generate AI embeddings (numerical representations).
- Your data is stored on Supabase servers in the EU (London, UK).
- You can delete your account and all data at any time from Settings.
- We do not sell your personal data to third parties.
- We do not use analytics or tracking cookies.
This Privacy Policy explains how RiseNet ("RiseNet," "we," "us," or "our") collects, uses, processes, shares, and protects your personal data when you use the Service at risenet.io.
1. Data Controller
The data controller responsible for your personal data is:
If you are in the EU/EEA, you may contact your local data protection authority. In Spain: AEPD (aepd.es). In the UK: ICO (ico.org.uk).
2. Data We Collect
2.1 Account Data
| Data | Description | Legal Basis |
|---|---|---|
| Email address | Used for login, verification, and communications | Contract performance |
| Password (hashed) | Stored by Supabase Auth — we never see your plaintext password | Contract performance |
| Google OAuth profile | Email and Google user ID if you use Google sign-in | Contract performance |
| IP address (registration) | Collected by Supabase Auth for fraud prevention | Legitimate interest |
2.2 Profile & Professional Data
| Data | Description | Legal Basis |
|---|---|---|
| First name, last name | Displayed on your public profile | Contract performance |
| Username | Unique identifier for your public profile URL | Contract performance |
| Country | Used for profile display and regional context | Contract performance |
| User type | "founder" or "builder" — determines matching context | Contract performance |
| Role | Your current or target professional role | Contract performance |
| Sector | Industry or domain (e.g., FinTech, HealthTech) | Contract performance |
| Skills | Up to 20 professional skills | Contract performance |
| Startup stage | Current stage of your project (Idea → Profitable) | Contract performance |
| Availability | Hours per week available for collaboration | Contract performance |
| "About" narrative | 80–1,000 character description of yourself | Contract performance |
| "Looking for" narrative | 80–1,000 character description of your ideal collaborator | Contract performance |
| Profile photo (avatar) | Optional image stored in our storage | Consent (optional) |
2.3 AI-Derived Data — Important
When you complete or update your profile, your professional information is transmitted to OpenAI's API to generate the data described below. OpenAI does not use API-submitted data to train its models by default. See the OpenAI Privacy Policy.
| AI-Derived Data | Description | Retention |
|---|---|---|
| Profile embedding | A 1,536-dimensional numerical vector representing your professional profile | Deleted on account deletion |
| Looking-for embedding | A 1,536-dimensional numerical vector representing what you seek in collaborators | Deleted on account deletion |
| Match reason | A 2-sentence AI-generated explanation of compatibility between two matched profiles (uses both users' data) | Deleted on account deletion |
| Community name & description | AI-generated community identity based on member profile data | Deleted with community dissolution |
What is sent to OpenAI: Your first name, role, sector, "About" text, skills list, startup stage, availability hours, and "Looking for" text. We do not send your email address, password, or direct messages to OpenAI.
2.4 User-Generated Content
| Content Type | Visibility | Retention |
|---|---|---|
| Posts (project/question/thought) | All platform users | Until deleted by you or removed by moderation |
| Post comments | All platform users | Until deleted by you or removed by moderation |
| Direct messages | Only sender and recipient | Until account deletion |
| Group messages | Community members only | Until account deletion or community dissolution |
2.5 Activity and Usage Data
| Data | Description | Legal Basis |
|---|---|---|
| last_active_at | Timestamp of your last activity (used for archiving inactive accounts) | Legitimate interest |
| Connection requests | Who sent/received requests, with status (pending/accepted/rejected) | Contract performance |
| Match history | Which profiles you were matched with and compatibility scores | Contract performance |
| Post likes | Which posts you have liked | Contract performance |
| Community membership | Communities you belong to, with membership status and similarity score | Contract performance |
| Notification read status | Which notifications you have read | Contract performance |
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance |
| Displaying your public professional profile to other users | Contract performance |
| Generating AI profile embeddings for matching | Contract performance / Legitimate interest |
| Computing compatibility scores between users | Contract performance |
| Generating AI-written match explanations via GPT-4o-mini | Legitimate interest |
| Forming AI-curated communities through nightly clustering | Legitimate interest |
| Sending notifications about connections, matches, and activity | Contract performance |
| Archiving profiles inactive for more than 30 days | Legitimate interest |
| Enforcing our Terms of Service and Acceptable Use Policy | Legitimate interest |
| Responding to legal requests and preventing harm | Legal obligation |
| Improving the Service using aggregated, de-identified insights | Legitimate interest |
4. AI Processing and Automated Decision-Making
4.1 Automated Matching
RiseNet's core feature involves automated processing of your profile data to generate numerical embeddings, compute compatibility scores, select and rank potential matches, generate AI-written explanations of compatibility, and suggest communities based on profile clustering.
This constitutes automated decision-making under GDPR Article 22. The decisions include: which profiles appear as your potential matches, your compatibility score with other users, and which AI-curated communities you are suggested to join.
4.2 Your Rights Regarding Automated Processing
- Request human review of any automated decision by emailing hi@risenet.io.
- Object to processing — we will evaluate and respond within 30 days.
- Request explanation of how a specific match score was generated.
- Opt out of AI matching by not using the matches feature; decline community suggestions individually in the app.
6. International Data Transfers
Your data is stored on servers in the EU (London, UK — AWS eu-west-2). Some sub-processors are located in the US. OpenAI transfers are governed by OpenAI's Data Processing Agreement and Standard Contractual Clauses (SCCs). Google authentication is governed by Google's applicable terms and SCCs.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (email, auth) | Until account deletion |
| Profile data and AI embeddings | Until account deletion |
| Match history (scores and reasons) | Until account deletion |
| Posts and comments | Until you delete them or your account is deleted |
| Direct messages | Until both sender and recipient accounts are deleted |
| Notifications | Until deleted by you or 12 months after creation |
| Avatar files | Deleted from storage within 30 days of account deletion |
| Waitlist data | 90 days after you create a full account, or upon request |
| Admin audit logs | 2 years |
| Server access logs | 90 days |
Archiving: Accounts inactive for more than 30 days are marked as archived and hidden from discovery. You can reactivate by logging in. Accounts archived for more than 12 months may be scheduled for deletion with 30 days' email notice.
8. Your Rights Under GDPR (EU/EEA Users)
Right of Access (Art. 15)
Obtain a copy of your personal data. Access profile data in Settings. For a full data export (posts, messages, activity), contact hi@risenet.io.
Right to Rectification (Art. 16)
Correct inaccurate data directly in the Settings page. For account data corrections, contact hi@risenet.io.
Right to Erasure (Art. 17)
Delete your account and all associated data via Settings > Account > Delete Account. If you cannot log in, contact hi@risenet.io.
Right to Restriction (Art. 18)
Request that we restrict processing of your data in certain circumstances. Contact hi@risenet.io.
Right to Data Portability (Art. 20)
Receive your personal data in a structured, machine-readable format (JSON). Contact hi@risenet.io.
Right to Object (Art. 21)
Object to processing based on legitimate interests, including automated matching and AI profiling. Contact hi@risenet.io.
Rights re Automated Decisions (Art. 22)
Request human review of automated decisions. See Section 4.2 for details.
To exercise any right, email hi@risenet.io with your registered email and a description of the right you wish to exercise. We respond within 30 days. Rights requests are free of charge.
9. California Privacy Rights (CCPA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the sale of personal information. We do not sell personal information.
Categories of personal information collected: identifiers (email, username, IP), personal information (name, photo), professional information (role, sector, skills), electronic network activity (sessions, login), and inferences (AI embeddings, match scores).
To exercise CCPA rights, contact hi@risenet.io.
10. Security Measures
| Measure | Description |
|---|---|
| Encryption in transit | All data transmitted over HTTPS/TLS |
| Encryption at rest | Managed by Supabase (AES-256) |
| Row Level Security (RLS) | Database-level access controls — users can only access their own data |
| JWT authentication | Validated on every backend API request |
| Rate limiting | Matching: 2/hour; connection requests: 20/hour per user |
| AI input sanitization | HTML tags and null bytes stripped before OpenAI submission |
| Admin audit logging | All admin actions logged with actor, target, and timestamp |
In the event of a breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify affected users without undue delay. Report security vulnerabilities to [SECURITY_EMAIL].
11. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a user is under 18, we will terminate their account and delete their data. To report a concern, contact hi@risenet.io.
13. Changes to This Policy
We may update this Privacy Policy. When we make material changes, we will update the "Last Updated" date, send an email notification, and display a notice in the Service. Continued use of the Service constitutes acceptance of the updated policy.
14. Contact and Data Protection
RiseNet
[COMPANY_ADDRESS]
Data protection: [DPO_EMAIL]
Legal: hi@risenet.io
Security: [SECURITY_EMAIL]
Support: hi@risenet.io