Privacy Policy

Last updated: March 12, 2026

1. Who We Are

RivalShift ApS ("we", "us", "our") operates the RivalShift service. This policy explains how we collect, use, and protect your personal data.

2. Data We Collect

Account data

  • Email address (used for authentication and communications)
  • Company domain (optional, used for competitor discovery)
  • Business description, industry, and market focus (optional)

Usage data

  • Competitors you add and pages you monitor
  • Search and discovery queries
  • Email preferences and notification settings

Billing data

  • Payment information is processed directly by Stripe. We store only your Stripe customer ID and subscription status — never your card details.

Automatically collected

  • IP address (for rate limiting, not stored long-term)
  • Authentication cookies (required for session management)

3. How We Use Your Data

  • To provide the monitoring service (crawling, analysis, reports)
  • To send weekly intelligence reports and instant alerts
  • To improve competitor discovery accuracy
  • To process payments and manage subscriptions
  • To send service-related communications (trial reminders, updates)

4. Third-Party Services

We use the following third-party services to operate RivalShift:

  • Supabase — Authentication and database hosting (EU region)
  • Stripe — Payment processing
  • OpenAI — AI-powered change analysis and competitor discovery
  • Firecrawl — Web page crawling for JavaScript-heavy sites
  • Resend — Transactional email delivery
  • SerpAPI — Search engine queries for competitor discovery
  • Vercel — Application hosting

Each service processes data according to their own privacy policies. We only share the minimum data necessary for each service to function.

5. Data Retention

  • Account data: Retained while your account is active. Deleted when you delete your account.
  • Page snapshots: Only the most recent snapshot per page is retained. Previous snapshots are replaced on each crawl.
  • Change history: Retained while your account is active.
  • Search logs: Automatically deleted after 90 days.
  • Discovery sessions: Unclaimed sessions are deleted after 7 days.

6. Your Rights

Under GDPR and applicable Danish law, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and all associated data (available in Settings)
  • Export your data (contact us)
  • Object to processing or request restriction
  • Withdraw consent at any time

7. Cookies

We use only essential cookies for authentication session management (via Supabase). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Email Communications

You can control which emails you receive from the Settings page. Every email includes a one-click unsubscribe link. Available email types:

  • Weekly intelligence reports
  • "All quiet" confirmations
  • Instant change alerts
  • Trial reminders

9. Security

We protect your data with encryption in transit (TLS) and at rest. Authentication uses secure, httpOnly cookies. Database access is controlled via Row Level Security (RLS) policies. We do not store passwords — authentication is handled via magic links and OAuth.

10. Children

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email at least 14 days before taking effect.

12. Contact

For privacy-related questions or to exercise your rights, contact us at privacy@rivalshift.com.