Privacy

Last updated: 2026-05-11.

This page describes what Ripenn collects and how that data flows. For how Ripenn's audits actually run and what each AI provider does with your prompts, see Data Usage. For the production architecture and security controls, see Security. For the complete list of third parties that hold customer data, see Subprocessors.

Who we are

Ripenn is operated by GenerativeModels Inc., a Canadian corporation headquartered in Toronto, Ontario. In this document, “we”, “us”, and “Ripenn” refer to GenerativeModels Inc. as the data controller for personal information processed by the Ripenn service.

For privacy questions, data export requests, or to exercise any of the rights described below, email support@ripenn.ai.

What Ripenn collects

Ripenn collects three categories of data:

  • Account information. Email, hashed password, and any name fields you provide at sign-up. Stored in Supabase Auth. If you sign in with an OAuth provider, Ripenn stores the identity record returned by that provider (provider name, provider user ID, email).
  • Audit configuration and results. The brand domain you are tracking, the prompts in your prompt set, the categories you assign to them, the competitors you list, and the responses each AI engine returned when those prompts were run. Stored in Ripenn's database.
  • Billing metadata. Your Stripe customer ID, subscription status, current billing period, and product tier. Card numbers are not stored by Ripenn — Stripe Checkout handles them, and Ripenn only receives the customer reference.

What Ripenn does not collect

  • End-user PII from the websites you audit. Ripenn fetches the same pages a logged-out visitor would see; it does not log into your CMS or read non-public content.
  • Visitor data from your customers. Ripenn audits content, not the people who read it.
  • Card numbers, CVVs, or bank details. Stripe handles all payment data; Ripenn never sees it.

Where the data lives

  • Application data: Supabase, hosted on AWS in region us-east-2 (Ohio, United States). Row-level security is enforced on every table so a query can only see rows the authenticated user is entitled to.
  • Background jobs: Temporal workflows execute on Google Cloud Run, orchestrated by Temporal Cloud. Workers read and write the same Supabase database.
  • Web app: Next.js on Vercel. Vercel terminates TLS in production.

If you are an EU, UK, or other non-Canadian customer, your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (and, for UK customers, the UK International Data Transfer Addendum) with our infrastructure providers as the safeguard for these transfers. The list of subprocessors and the data each receives is on the Subprocessors page.

Legal bases for processing (GDPR / UK GDPR)

For customers and end users in the EU, UK, or EEA, our legal bases under GDPR Article 6 are:

  • Performance of a contract — for account creation, running audits, billing, and providing the service you signed up for.
  • Legitimate interests — for product analytics, error monitoring, security, anti-abuse measures, and improving the service. You may object to processing on this basis at any time (see “Your rights” below).
  • Consent — for any non-essential cookies and for marketing communications, where applicable.
  • Legal obligation — for record-keeping required by tax, accounting, or other applicable law.

Third parties Ripenn shares data with

Ripenn does not sell or rent personal data. Each service below receives only the data needed to deliver a specific feature. The full list with descriptions is on the Subprocessors page; a short summary:

  • Stripe — billing email, subscription state, payment events.
  • OpenAI, Anthropic, Google (Vertex AI & Gemini), Perplexity — the prompts in your prompt set are sent to these providers so the audit can run. Provider-side training and retention rules are described in Data Usage.
  • PostHog (US cloud) — product analytics.
  • Cloudflare Turnstile — anti-bot challenge on the sign-in form.
  • Jina Reader (optional) — used to render JavaScript-heavy pages during content imports. Receives the URL being crawled.
  • Webflow, WordPress.com — only if you connect them; Ripenn stores the OAuth token you grant.

Cookies and local storage

  • Session cookies — set by Supabase Auth (cookie names start with sb-), HTTP-only, secure in production. Required for sign-in.
  • PostHog writes an anonymous distinct ID to local storage in your browser for event correlation.
  • Ripenn writes a small amount of non-sensitive UI state to local storage in your browser (for example, your current project selection).

EU and UK visitors are presented with a cookie consent banner on first visit. Non-essential cookies (analytics) do not load until consent is granted.

Retention and deletion

  • Application data is kept until you delete it. Deleting a project cascade-deletes its documents and members. Account-level deletion is processed by emailing support@ripenn.ai; a self-serve flow is on the roadmap.
  • Stored audit responses are retained for the lifetime of the project.
  • Stripe records are retained as long as the subscription relationship exists, then handled per Stripe's own retention policy.
  • Database backups are managed by Supabase: daily automated backups retained for 7 days on our current plan.

Your rights

Depending on where you live, you have some or all of the following rights with respect to your personal information:

  • Access — request a copy of the personal data Ripenn holds about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your account and associated data.
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — at any time, for any processing based on consent.
  • Lodge a complaint — with your local supervisory authority (for EU/UK residents) or with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, email support@ripenn.ai. We respond within 14 days.

Security incidents

If we become aware of a personal data breach affecting your account, we will notify affected customers without undue delay, and in any case within 72 hours where required by applicable law (GDPR Article 33/34). For details on the controls in place to prevent such incidents, see the Security page.

Children

Ripenn is a B2B product not directed at individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to Ripenn, contact support@ripenn.ai and we will delete it.

Changes

When we change what this page says, the change is committed to the public Ripenn repository alongside the code that justifies it. The “Last updated” date at the top reflects the most recent edit. Material changes affecting how we use your data will be communicated by email to active customers.