Privacy Policy

Last updated: March 2026

Introduction

Riven ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

Information We Collect

We collect information you provide directly to us, including:

  • Email address (when you join our waitlist)
  • Name and contact details (when you create an account)
  • Business information (for tradesperson profiles)
  • Payment information (processed securely by Stripe)

If you use our Making Tax Digital (MTD) feature, we also collect:

  • National Insurance number (NINO) — required to identify you to HMRC when submitting quarterly returns. Stored encrypted using AES-256-GCM.
  • HMRC Business ID — your self-employment business identifier from HMRC's records.
  • HMRC OAuth tokens — access and refresh tokens that authorise Riven to submit returns on your behalf. Stored encrypted using AES-256-GCM and never exposed to your browser.
  • Device context — device identifier, screen dimensions, browser details, and local network IP addresses. Required by HMRC's fraud prevention regulations (Transaction Monitoring) and sent with every HMRC API call. The device identifier is a random UUID stored in your browser's local storage; it cannot identify you personally.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Send you updates about our launch and product news
  • Process transactions and send related information
  • Respond to your comments, questions, and requests
  • Monitor and analyze trends, usage, and activities
  • Submit Making Tax Digital quarterly updates to HMRC on your behalf (if you have connected your HMRC account)

Making Tax Digital (MTD)

Riven is registered software with HMRC for Making Tax Digital for Income Tax. This section explains how we handle HMRC-related data.

What we store

  • Your NINO, encrypted at rest (AES-256-GCM). It is used solely as a path parameter in HMRC API calls and is never logged or included in error reports.
  • HMRC OAuth tokens, encrypted at rest. Tokens are never returned to your browser.
  • Quarterly submission records including income totals, expense totals, and the HMRC correlation ID (your legal proof of submission).

Data sharing with HMRC

When you submit a quarterly return, we transmit your income and expense figures to HMRC via their API. HMRC's own privacy notice governs how they handle that data. We also send HMRC-mandated fraud prevention headers (device context, IP address, browser details) with every API call, as required by law.

Retention

HMRC requires digital records to be retained for 6 years. Quarterly submission records (income totals, expense totals, and the HMRC correlation ID) are kept for this period and cannot be deleted during that time even on account closure. If you disconnect your HMRC account, all other MTD data (NINO, tokens, obligations cache) is deleted immediately.

Legal basis

We process NINO and HMRC credentials on the basis of contractual necessity — you have asked us to provide an MTD submission service on your behalf. Submission record retention is on the basis of legal obligation (HMRC digital record-keeping requirements under the Finance Act 2021).

Where Your Data Is Processed

Your data is processed and stored on servers located in the United Kingdom and the European Union:

  • Application hosting — Vercel, deployed to the London (LHR1) region within the EU/UK.
  • Database — Supabase, hosted in the EU (London) region.
  • Payment processing — Stripe, which processes data within the EEA.

Your data does not leave the UK/EU for processing or storage. When you use the Making Tax Digital feature, your income and expense figures are transmitted directly to HMRC's UK-based API servers.

Information Sharing

We do not sell your personal information. We may share your information with:

  • Service providers who assist in our operations (e.g., hosting, email)
  • Payment processors (Stripe) for secure payment handling
  • HMRC — income, expense, and fraud prevention data transmitted when you submit a quarterly return
  • Legal authorities when required by law

Data Security

We implement appropriate security measures to protect your personal information. Sensitive data, including your NINO and HMRC OAuth tokens, is encrypted using AES-256-GCM before being stored. However, no method of transmission over the Internet is 100% secure.

If you believe you have found a security vulnerability, or have concerns about the security of your data, please report it to security@riven.page or visit our security page. We have a documented incident response plan and will acknowledge your report within 24 hours. In the event of a data breach, we will notify HMRC, the ICO, and affected users within 72 hours as required by UK GDPR.

Your Rights

Under GDPR and UK data protection laws, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Object to processing of your data
  • Data portability — you can export your MTD data (submissions, obligations, connection details) from your Tax dashboard at any time
  • Withdraw consent at any time

Cookies

We use essential cookies to ensure our website functions properly. We may use analytics cookies (such as Plausible) to understand how visitors use our site. These do not track personal information.

Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: hello@riven.page

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.