Privacy Notice

Effective Date: 20 May 2026

This Privacy Notice explains how Rectiva ("we", "us", or "our") collects, uses, and protects personal data of users ("you") in connection with the Rectiva service ("Service").

Beta Notice: Rectiva is currently in open Beta, operated as a one-person independent project. This Notice will be updated with prior notification when the Service moves to general availability.

Region-specific disclosures: California and other U.S. state privacy rights (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, ICDPA, KCDPA, RIDPA) are addressed in Section 13 below.


1. Data Controller

Item | Details
Operator | Rectiva (independent project, sole operator)
Place of operation | No registered business address (sole operator, Beta)
Contact | contact@rectiva.io
EU Representative | Not designated at Beta stage. Designation is planned prior to general availability where Art. 27 GDPR applies.
Data Protection Officer (DPO) | Not designated. The Operator handles all privacy matters directly.

2. Personal Data We Collect

2.1 Data You Provide

  • Account data: email address, password (one-way hashed), name or display name, company affiliation (for B2B users)
  • Profile data (optional): profile image
  • Communications: messages you send to us via email or in-product channels

2.2 Data Collected Automatically

  • Device & connection data: IP address, browser type, operating system, device identifiers
  • Usage data: pages visited, actions taken, image metadata you submit for review, automated review results
  • Cookies and similar technologies: see Section 11

2.3 Data from Third Parties

  • Authentication: we currently provide email-and-password authentication only. If we introduce third-party authentication providers in the future, this Notice will be updated before any data is collected from such providers.

2.4 Workspace and Service Operation Data

As a multi-tenant SaaS, we also process the following data in connection with workspace operation:

  • Company / workspace data: company name, logo, operating countries, workspace identifiers
  • Permission data: user role (Super Admin / Regional Admin / Editor), assigned country, account status
  • Invitation data: invitee email, invited role and country, inviter, invitation status, expiration
  • Content data: projects, templates, uploaded images, logos, graphics, fonts, legal text, exported outputs
  • AI Review data: AI Rules, submitted review images, outcomes (Block / Warning / Passed), Compliance Score, AI Trigger history
  • Service logs: feature usage, error logs

We do not process special categories of personal data (Art. 9 GDPR) such as health data, biometric data, political opinions, or religious beliefs.


3. Purposes and Legal Bases (Art. 6 GDPR)

Purpose | Legal Basis | Notes
Account creation, authentication, and management | Art. 6(1)(b) — Contract | Necessary to provide the Service
Automated review of submitted images against workspace administrator guidelines | Art. 6(1)(b) — Contract | Core functionality of the Service
Security, fraud prevention, and abuse detection | Art. 6(1)(f) — Legitimate interest | Our legitimate interest in protecting the Service and users
Product usage analytics and Beta funnel improvement | Art. 6(1)(a) — Consent | Amplitude; initialized only after analytics consent via the cookie banner, withdrawable at any time
Marketing communications | Art. 6(1)(a) — Consent | Only if you opt in; withdrawable at any time
Compliance with legal obligations | Art. 6(1)(c) — Legal obligation | E.g., responding to lawful authority requests

You may object to processing based on legitimate interest at any time. See Section 8 (Your Rights).


4. Recipients and Sub-Processors

We share personal data with the following categories of recipients, each acting as a processor on our behalf under Art. 28 GDPR:

Sub-Processor | Purpose | Location
Resend, Inc. | Transactional and notification email delivery | United States
OpenAI, L.L.C. | Automated image content review (multimodal analysis) | United States
Neon, Inc. | Database hosting (PostgreSQL) | United States
Cloudflare, Inc. | Object storage (R2), web hosting, CDN | Global (US headquarters)
Amplitude, Inc. | Product analytics and usage analysis | United States (EU data region configured)

We do not sell personal data, nor do we share it with third parties for cross-context behavioral advertising.

We may also disclose personal data to lawful authorities where required by applicable law, court order, or legal process.


5. International Data Transfers (Chapter V GDPR)

Most sub-processors listed above are located in the United States. Transfers of personal data outside the European Economic Area (EEA) are protected through one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
  • EU-U.S. Data Privacy Framework (DPF) where the recipient is certified (effective from 10 July 2023)
  • Supplementary measures (encryption in transit and at rest, access controls)

Transferred data may include account data, company / workspace data, role and assigned country information, invitation data, IP address, cookies and access logs, uploaded images and image metadata, AI Review request data and results, and export-related metadata.

For product analytics, Rectiva configures Amplitude to use the EU data region where available. Where personal data is nonetheless processed outside the EEA/UK or accessed by non-EEA entities (e.g., Amplitude, Inc. as a U.S. company), appropriate safeguards such as Standard Contractual Clauses may apply.

You may request a copy of the relevant safeguards by contacting contact@rectiva.io.


6. Retention

We retain personal data only as long as necessary for the purposes set out in Section 3:

Category | Retention Period
Account data | Until account deletion
Automated review logs | 12 months after the relevant activity
Security and abuse-prevention logs | 12 months
Access logs | 3 months
Marketing consent records | Until consent is withdrawn, then archived for proof of consent for the statutory limitation period

Where applicable law requires longer retention (e.g., tax or commercial records), we retain only the data strictly necessary for that purpose and isolate it from active processing.


7. Data Security

We implement appropriate technical and organizational measures (Art. 32 GDPR), including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • One-way hashing of passwords using a modern memory-hard algorithm (scrypt)
  • Row-level access controls at the database layer
  • Defense against common web vulnerabilities (SQL injection, XSS, CSRF)
  • Minimization of personnel with access (sole operator model)
  • Logging of access to personal data with tamper-evident retention

7.1 Workspace Data Segregation and Access Control

The Service is operated as a multi-tenant SaaS platform. Data belonging to each company / workspace is logically segregated by company identifier (company_id).

Within each workspace, access to user information, projects, templates, assets, AI Rules, and Content Logs is restricted based on the user's role (Super Admin / Regional Admin / Editor) and assigned country. Uploaded files and exported outputs are also managed through workspace-segregated storage paths.

Despite these measures, no system can guarantee absolute security. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and you without undue delay where required (Art. 34 GDPR).


8. Your Rights (Arts. 15–22 GDPR)

You have the following rights with regard to your personal data:

  1. Right of access (Art. 15) — obtain confirmation of whether we process your data and a copy of it
  2. Right to rectification (Art. 16) — correct inaccurate or incomplete data
  3. Right to erasure ("right to be forgotten", Art. 17) — request deletion under specified conditions
  4. Right to restriction (Art. 18) — restrict processing under specified conditions
  5. Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format
  6. Right to object (Art. 21) — object to processing based on legitimate interest, including profiling
  7. Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting prior lawful processing
  8. Right not to be subject to automated decision-making (Art. 22) — see Section 9

To exercise any of these rights, contact contact@rectiva.io. We will respond within one month and, where the request is complex, may extend the period by two further months with prior notice.

Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).


9. Automated Decision-Making (Art. 22 GDPR)

The Service includes automated processing of User Content submitted for AI Review:

  • Logic involved: an AI model evaluates whether submitted User Content complies with active AI Rules configured by the workspace Super Admin.
  • Review outcomes: the AI Review returns a result of Block, Warning, or Passed.
  • Significance and consequences: where a Block-level outcome is returned, the Service may restrict Export of the affected content until the issue is corrected and the review is rerun. The AI Review is provided as a supporting tool for brand compliance workflows and does not replace the responsibility of the relevant workspace administrator or user.

Your rights:

  • Request information about how AI Review evaluates submissions and which AI Rules are active
  • Contest a review outcome
  • Obtain human review by the Operator
  • Object to automated processing — noting that doing so may restrict access to features that depend on AI Review, such as Export

To exercise these rights, contact contact@rectiva.io.


10. Children's Data (Art. 8 GDPR)

The Service is not directed at children. We do not knowingly process personal data of individuals under the age of 16. Account registration is blocked where the user indicates an age below this threshold.

If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will delete such data without undue delay. If you are a parent or guardian and believe your child has provided us with personal data, please contact contact@rectiva.io.


11. Cookies and Tracking

We use cookies and similar technologies to:

  • Maintain authenticated sessions (strictly necessary)
  • Remember user preferences (functional)
  • Measure product usage and improve the Beta funnel via Amplitude (analytics, with consent)

Analytics (Amplitude). We use Amplitude for product usage analytics. Amplitude is initialized only after you grant analytics consent through the cookie banner; before consent, no Amplitude SDK is initialized, no Amplitude cookie is created, and no data is sent. If you withdraw consent, further analytics tracking stops. When enabled, Amplitude receives internal user and company identifiers, device/session identifiers, event names, and coarse event properties (such as role or counts) — it does not receive your email, name, company name, file names, uploaded content, or free-form input. Analytics cookies set by Amplitude include, for example, AMP_* and AMP_MKTG_* (the exact set is confirmed against the browser at runtime).

Before analytics consent is granted, certain coarse product events related to signup or invitation acceptance may be temporarily stored in the user's browser session storage. These temporary events do not include email, name, company name, invite token, file name, uploaded content, prompts, or free-form input. They are sent to Amplitude only if the user grants analytics consent during the same session. If the user declines consent, withdraws consent, the session expires, or validation fails, they are deleted without being sent.

For non-essential cookies, we rely on your consent obtained through a cookie banner. You may withdraw consent at any time via the cookie preferences link in the footer. You may also configure your browser to refuse cookies, though some Service features may not function correctly as a result.


12. Geographical Service Limitations

Service availability is determined at the Operator's discretion. Pursuant to applicable laws, access to the Service may be restricted in certain countries or regions. Users are responsible for compliance with the laws of their country of residence.


13. Region-Specific Disclosures — United States

This Section provides additional disclosures and rights for residents of U.S. states with applicable privacy laws. As a Beta service operated by a sole independent operator, we do not currently meet the statutory thresholds that mandate compliance with these laws (e.g., California CCPA/CPRA revenue and volume thresholds). Nevertheless, we voluntarily extend the disclosures and consumer rights described below to U.S. users as a matter of policy.

13.1 California Residents (CCPA/CPRA)

A. Categories of Personal Information Collected

The table below summarizes the categories of personal information (as defined in Cal. Civ. Code §1798.140(v)) we have collected in the preceding 12 months.

CCPA Category | Examples | Sources | Business Purpose | Retention
Identifiers | name, email, IP address, account ID | Consumer (direct), automatic collection, authentication providers | Account management, security, communications | Until account deletion
Internet or other electronic network activity | cookies, page views, feature usage, session metadata | Automatic collection | Analytics, security, service improvement | 12 months
Inferences | metadata from AI Review outcomes associated with user-submitted content | Internal processing of submitted content | Service functionality (content review delivery) | 12 months

We do not collect from the following CCPA categories: Customer records (financial account details), Protected class characteristics, Commercial information, Biometric information, Geolocation data (precise), Sensory data, Professional / employment information, Education information.

B. Sensitive Personal Information (SPI)

We do not collect, use, or disclose Sensitive Personal Information as defined in Cal. Civ. Code §1798.140(ae). Accordingly, no "Right to Limit Use of Sensitive Personal Information" link is required, and no SPI-specific disclosures apply.

C. Sale or Sharing of Personal Information

  • Sale: We do not sell personal information for monetary or other valuable consideration.
  • Share: No. We use Amplitude for product usage analytics only, after analytics consent. We do not use Amplitude for cross-context behavioral advertising, and we do not share personal information for cross-context behavioral advertising. We do not use any advertising pixels, ad networks, retargeting, or cross-context behavioral advertising tools.

D. Your CCPA Rights

California residents have the following rights:

  1. Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected, sources, purposes, and recipients.
  2. Right to Delete — Request deletion of personal information we have collected, subject to legal exceptions.
  3. Right to Correct — Request correction of inaccurate personal information.
  4. Right to Opt-Out of Sale or Sharing — Direct us not to share your personal information.
  5. Right to Limit Use of Sensitive Personal Information — Not applicable (we do not collect SPI).
  6. Right to Data Portability — Receive a copy of your personal information in a portable, machine-readable format.
  7. Right to Non-Discrimination — Exercise your rights without being denied service, charged different prices, or provided a different level of quality.

E. How to Exercise Your Rights

  • Email: contact@rectiva.io with the subject line "Privacy Request"
  • Authorized Agent: You may designate an authorized agent to make a request on your behalf. We will require written authorization and may verify the agent's identity and authority.
  • Verification: To process your request, we will verify your identity using information we already hold about you (e.g., the email address associated with your account). For sensitive requests, additional verification may be required.
  • Response Time: We will confirm receipt within 10 business days and respond substantively within 45 days. We may extend the response period by an additional 45 days when reasonably necessary, with prior notice.
  • Fees: Requests are free of charge, except where manifestly unfounded or excessive.

We do not share personal information for cross-context behavioral advertising (see Section 13.1.C), so no opt-out action is necessary. Should our practices change, we will provide an opt-out mechanism and honor the Global Privacy Control signal as described in Section 13.1.F.

F. Global Privacy Control (GPC)

We honor the Global Privacy Control (GPC) browser signal. When a GPC signal is detected, we treat it as a valid request to opt out of Sharing of personal information from that browser, in line with the California Attorney General's guidance and CPPA regulations.

G. Children Under 16

We do not knowingly collect personal information from California residents under 16. If we become aware that we have collected personal information from a minor without the required affirmative authorization (or, for those under 13, verifiable parental consent), we will delete such information. Parents and guardians may contact contact@rectiva.io to request deletion.

H. Automated Decision-Making Technology (ADMT)

We use AI processing to evaluate user-submitted images against content guidelines configured by workspace administrators within our B2B Service. This processing is not used to make decisions about:

  • Employment, hiring, or workplace evaluation
  • Lending, credit, or insurance
  • Education access or assessment
  • Healthcare access or treatment
  • Housing access

Accordingly, our processing does not fall within the scope of California's ADMT regulations addressing "significant decisions" under the CPPA's 2026 rulemaking. We disclose the existence and general logic of the automated processing here in the interest of transparency, and the rights described in Section 9 of this Notice apply.

I. Financial Incentives

We do not offer financial incentives or price/service differences in exchange for personal information.

13.2 Other U.S. State Privacy Laws

Residents of the following states are extended substantively equivalent rights under our policy: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Indiana (ICDPA), Kentucky (KCDPA), and Rhode Island (RIDPA). The categories of personal information, sources, purposes, recipients, retention, and rights described in Section 13.1 apply equivalently. To exercise rights, contact contact@rectiva.io.

Note that some state laws use different terminology (e.g., "Targeted Advertising" instead of "Sharing", "Sensitive Data" with broader scope). Where any U.S. state law grants you a right not enumerated above, we will honor that right as required by the applicable law.

13.3 No Right of Private Action (Most States)

Most U.S. state privacy laws do not provide a private right of action. California's CCPA provides a limited private right of action for certain data breaches (Cal. Civ. Code §1798.150). Nothing in this Notice waives any non-waivable statutory rights.


14. Changes to This Notice

We may update this Privacy Notice from time to time. We will notify users of material changes at least 30 days in advance via email and in-product notice. The "Effective Date" at the top of this Notice indicates when the current version took effect.


15. Contact

For any questions, requests, or complaints regarding this Privacy Notice or our processing of your personal data:

