Privacy Policy
Last Updated: July 22, 2025
Rizzard OÜ, a limited-liability company registered in Estonia (registry code 17283924) and located at Narva mnt 5, 10117 Tallinn, Estonia, operates the Rizzard mobile application ("App") and website at rizzard.app ("Website") (together, the "Service").
This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service, in compliance with the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable data protection laws.
By using the Service, you consent to the practices described below.
1. Lawful Basis and Transparency
We process personal data based on:
- Contract: To provide the Service.
- Consent: For non-essential cookies or optional communications.
- Legitimate Interests: For analytics to improve the Service, balanced against your rights.
- Legal Obligation: To comply with laws (e.g., tax reporting).
We inform you of data collection via this Privacy Policy, accessible on rizzard.app and in-app. Processing is fair and is not detrimental, unexpected, or misleading.
2. Information We Collect
We minimize data collection for specific purposes. We collect the following information to provide and improve the Service:
a. Account, Subscription and Interaction Data
- Nickname; optionally email address and user ID (optionally anonymised via "Hide My Email").
- Chosen subscription tier
- Credit usage
- Feature taps and navigation events (anonymized)
Purpose: Account creation and management.
b. Audio Data
- Voice input (transferred in real-time to third-party services for simulation, processing, and analysis)
- Transcripts and analysis results (stored locally on your device only)
- Session metadata (e.g. number of sessions used, scenario type, session timing, performance metrics ("rizz score"))
Purpose: Provide and improve AI coaching; display past sessions and user progress.
Rizzard does not retain voice recordings, transcripts, or analysis data on its servers.
c. Analytics Data
Anonymized usage data via PostHog (e.g., session count, device type, feature usage trends)
d. Cookies (Website Only)
Data: Essential cookies (e.g., session IDs) for functionality.
Purpose: To maintain user sessions and ensure Service operation.
Legal Basis: Legitimate interests.
Management: You can disable cookies in your browser settings, but this may affect functionality. Non-essential cookies will prompt consent per GDPR.
We do not use non-essential cookies on the Website. If added in the future, we will seek prior consent via a compliant cookie banner.
3. Purpose and Data Minimisation
We use your data strictly to:
- Deliver AI voice coaching sessions and conversations based on your subscription tier
- Enable local progress tracking
- Prevent abuse of the credit system
- Analyze aggregated usage to improve the product (analytics)
- Fulfill our legal obligations (compliance)
Anonymised data may be kept indefinitely for statistics. We do not use your personal data for advertising or sell it to third parties.
4. Data Accuracy and Security
We implement industry-standard technical measures (e.g., encryption, access controls) and organizational measures to protect data. We rely on user-supplied accuracy (editable in Settings) and employ encryption in transit (TLS). No system is fully secure; you use the Service at your own risk.
- Transcripts and analyses are stored locally on your device and not on our servers
- Data in transit is encrypted via TLS
- Third-party processors (see §7) apply their own security measures
- We use role-restricted internal access only for critical functions (e.g., abuse prevention)
5. Storage Limitation
We do not store any personal data server-side beyond what is necessary to manage your subscription tier and weekly credit status. Such data is retained until your account is deleted, unless longer retention is needed for legal compliance, dispute resolution, or Service delivery.
- Voice data is streamed and processed via third-party providers and not stored by Rizzard
- Transcripts and analysis remain on your device until deleted by you
- Analytics data is anonymized and may be retained in aggregate form
You may delete the App at any time to remove locally stored data.
6. Privacy by Design and DPIA
We embed privacy by design via:
- Minimal data collection (e.g., avoiding mandatory sign-in or account creation; if required, anonymized Sign in with Apple).
- Offering user-controlled data deletion and optional sharing.
- Storing transcripts and coaching outcomes only on-device.
- Offering users control over deletion (via local storage management).
- Limiting data sent to third-party AI processors to what's required for sessions.
- Consent for non-essential cookies.
- Anonymized analytics.
- Regularly reviewing AI-model outputs for bias.
7. Third-Party Services
We rely on external services for processing and analytics. These are bound by contractual obligations (e.g., GDPR-compliant processor agreements) and privacy safeguards:
- Apple / Apple App Store for payment processing and In-App Purchases support (see Apple's terms and privacy policy).
- OpenAI: voice processing, transcription, and coaching feedback (see openai.com).
- VapiAI: voice processing, voice simulation, interaction flow, and coaching feedback (see https://vapi.ai/privacy)
- Google Gemini: voice processing, transcription, and coaching feedback (see https://policies.google.com/privacy)
- xAI: voice processing, transcription, and coaching feedback (see https://x.ai/legal/privacy-policy)
- Deepgram: voice processing, transcription, and coaching feedback (see https://deepgram.com/privacy)
- PostHog: anonymized analytics to improve the Service (see https://posthog.com/privacy).
- Superwall: purchase and subscription transaction processing support, without storing personal data (see superwall.com/privacy).
Your data may be shared with these providers only as needed to operate and support the Service. Rizzard OÜ is not responsible for the operation, terms, or privacy practices of these third-party services and their actions or outages. Your use of these services is subject to their respective terms and privacy policies. We encourage you to review them.
We do not permit our AI providers to use your voice or transcript data for model training unless you give explicit consent.
8. Data Subject Rights
You may access, rectify, erase, restrict, or port your data, object to processing, and withdraw consent at any time. Requests via Settings or support@rizzard.app are answered within one month.
You have the following rights:
- Informed: This Policy details data practices.
- Access: Request a copy of your data.
- Rectification: Correct inaccurate data.
- Erasure: Delete your data (account deletion).
- Restriction: Limit processing.
- Portability: Export data in a machine-readable format.
- Object: Oppose processing (e.g., analytics).
- Withdraw Consent: Withdraw consent at any time, where applicable.
For California residents (CCPA):
- Right to Know: You can request details about the personal information we collect, use, or disclose.
- Right to Delete: You can request deletion of your personal information, subject to exceptions.
- Right to Opt-Out: Rizzard OÜ does not sell personal information, so no opt-out is needed.
Exercise rights via in-app Settings or info@rizzard.app. We respond within one month, extending if complex. Requests may be denied if legally permitted (e.g., unverifiable identity).
9. Data Protection Officer
Contact our DPO at info@rizzard.app for GDPR matters or supervisory-authority liaison.
10. International Data Transfers
We are an Estonian company, and your data is primarily processed in the EU/EEA. When we use third-party services, data may be transferred to countries like the US (e.g., OpenAI and Deepgram, in the US). We ensure such transfers comply with GDPR/UK GDPR (e.g., via Standard Contractual Clauses) and CCPA where applicable.
11. Data Breach Reporting
If a breach risks your rights and freedoms, we notify the Estonian Data Protection Inspectorate (AKI) within 72 hours and affected users without undue delay. Processors must notify us immediately.
12. How We Use Your Information
We process your information based on the following legal bases: to provide the Service (contract), pursue legitimate interests (e.g., analytics), comply with legal obligations, or with your consent (e.g., cookies). Uses include:
- Service Delivery: Deliver AI voice-coaching, scores, provide personalized recommendations, and session history
- Improvement: Improve features via aggregate analytics
- Communication: Send essential notifications (e.g., account updates) or optional updates (opt-out available in Settings).
- Compliance: Meet legal requirements (e.g., tax; GDPR, CCPA) or prevent harm (e.g., fraud detection).
We use automated tools to analyze your session input and generate feedback, including your "Rizz Score." This is done solely for motivational and self-improvement purposes. The Rizz Score is not used to make decisions that produce legal or similarly significant effects as defined under GDPR Article 22. You are not subject to profiling that affects your rights or freedoms under applicable law.
13. Sharing Your Information
We do not sell your personal data. We only share information with third parties in the following limited circumstances:
- With service providers and processors listed in Section 7, solely to operate, maintain, and improve the Service. These third parties process data on our behalf and are bound by contractual obligations, including data protection safeguards.
- With Apple, for managing subscriptions via In-App Purchases. We do not access or store your payment credentials.
- If legally required, to comply with a valid legal process, enforce our Terms, respond to fraud or abuse, respond to authorities, or protect the rights of Rizzard OÜ or others.
- In connection with a business transfer, such as a merger, acquisition, or asset sale. We will provide notice and choices where required by law.
All such disclosures are made in compliance with GDPR, CCPA, and other applicable regulations, and we ensure that appropriate data processing agreements or safeguards (e.g. SCCs) are in place.
14. Child Users
The Service is not for users under 13. Users aged 13-15 require verifiable parental consent (info@rizzard.app). Data from children under 13 is deleted immediately if discovered.
15. Updates to This Policy
We may update this Policy to reflect Service changes or legal requirements. Updates will be posted on rizzard.app at least 7 days before taking effect, with in-app/email notices for material changes where required. Continued use after updates constitutes consent.
16. Contact
Rizzard OÜ is the data controller under GDPR.
Contact us at:
Rizzard OÜ
Narva mnt 5
10117 Tallinn
Estonia
Email / DPO: info@rizzard.app
For privacy inquiries, email info@rizzard.app
For GDPR-related concerns, you may contact the Estonian Data Protection Inspectorate (aki.ee) or your local supervisory authority.
For EU users, you can lodge a complaint with a supervisory authority (e.g., Estonian Data Protection Inspectorate at www.aki.ee). For UK users, you can contact the Information Commissioner's Office at www.ico.org.uk. For California residents, you can contact the California Attorney General.
17. Additional Information for California Residents
If you are a California resident, you may request information regarding the disclosure of personal information to third parties for their direct marketing purposes during the immediately preceding calendar year.
We do not sell your data. You have the right to:
- Access the categories and specific data we've collected
- Request deletion
- Be informed about data usage
- Appoint an agent to act on your behalf
Exercise CCPA rights via info@rizzard.app