Privacy Policy

This Privacy Policy explains how River DMA ("we", "us", "our") collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and the Dutch Implementation Act (Uitvoeringswet AVG / UAVG).

1. Data Controller

River DMA, established in the Netherlands, is the data controller responsible for the processing of your personal data through this Service.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

• Username — chosen by you during registration.
• Email address — used for authentication, communication, and license delivery.
• Password — stored in a securely hashed format (we never store plaintext passwords).

2.2 Payment Data

Payment processing is handled entirely by third-party providers (Stripe, PayPal via SellAuth). We do not store your credit card numbers, bank account details, or other financial information. We may receive from payment providers: transaction ID, email, payment status, and amount paid.

2.3 License & Usage Data

• License keys — generated and assigned to your account.
• Hardware ID (HWID) — a hash identifying your hardware configuration, used for license binding.
• IP address — collected during authentication and checkout for security purposes.

2.4 Technical Data

When you use the Service, we may automatically collect:

• Browser type and version.
• Operating system.
• Session data (login times, session tokens).

3. Legal Bases for Processing

We process your personal data based on the following legal grounds under Article 6 GDPR:

• Contract performance (Art. 6(1)(b)) — to provide you with the Service, manage your account, and deliver license keys.
• Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, and improving the Service.
• Consent (Art. 6(1)(a)) — for sending non-essential communications. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)) — to comply with applicable tax and accounting obligations.

4. How We Use Your Data

• To create and manage your account.
• To process purchases and deliver license keys via email.
• To bind licenses to your hardware (HWID).
• To send transactional emails (verification, password reset, license delivery).
• To detect and prevent fraud or unauthorized access.
• To maintain and improve the Service.
• To comply with legal obligations.

5. Third-Party Services

We use the following third-party services that may process your data:

• Stripe — payment processing. Stripe Privacy Policy
• PayPal (via SellAuth) — payment processing. PayPal Privacy Policy
• Resend — transactional email delivery. Resend Privacy Policy
• Neon — database hosting (PostgreSQL). Neon Privacy Policy

These providers act as data processors and process data on our behalf under appropriate data processing agreements.

6. Data Retention

• Account data is retained as long as your account exists. You may request deletion at any time.
• Payment records are retained for 7 years as required by Dutch tax law (Algemene wet inzake rijksbelastingen).
• Session data is automatically deleted upon expiration.
• Admin action logs are retained for operational and audit purposes.

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — request correction of inaccurate data.
• Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18) — request limitation of processing in certain circumstances.
• Right to data portability (Art. 20) — receive your data in a structured, commonly used format.
• Right to object (Art. 21) — object to processing based on legitimate interest.
• Right to withdraw consent — at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us through the Service. We will respond within 30 days as required by the GDPR.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Passwords are hashed using industry-standard algorithms.
• All data in transit is encrypted via TLS/SSL.
• Database access is restricted and authenticated.
• Admin actions are logged for accountability.

While we take reasonable precautions, no system is 100% secure. We cannot guarantee absolute security of your data.

9. International Transfers

Your data may be processed by third-party services located outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.

10. Cookies

We use strictly necessary cookies for authentication and session management. These cookies are essential for the Service to function and do not require consent under the Dutch Telecommunications Act (Telecommunicatiewet). We do not use tracking or advertising cookies.

11. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete such data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. We encourage you to review this policy periodically.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us through our website or the support channels provided in the Service.