Privacy Policy
Rival Signal, Privacy Policy
Last updated: July 5, 2026
Effective date: July 5, 2026
This Privacy Policy explains how Deserve Studio LLC ("Rival Signal", "we", "us", or "our") collects, uses, and shares information when you use rivalsignal.co, app.rivalsignal.co, our API and MCP server, and related services (the "Service"). It also explains your rights and how to exercise them.
For personal data of our account holders and website visitors, we act as a controller. For Customer Data you process through the Service in your role as a business, we generally act as a processor on your behalf, and our data processing terms (DPA) govern that relationship.
1. Information we collect
Account and identity data. When you sign up, our identity provider Clerk collects and stores your name, email address, authentication credentials, and profile details. We receive a user identifier and profile fields from Clerk.
Workspace and team data. Names and emails of members you invite, your Workspace settings, and roles.
Billing data. When you subscribe, our payment processor Stripe collects and processes your payment method and billing details. We do not store full card numbers. We receive limited billing metadata such as plan, status, and the last four digits of your card.
Customer Data you submit. The competitors, domains, notes, filters, alert thresholds, and integration settings you enter into the Service.
Public Competitor Data. On your instruction, the Service collects publicly available information about the competitors you track, such as their public pricing, homepage, changelog, blog, and careers pages, along with historical snapshots of those pages. We collect only publicly accessible content and honor reasonable technical access controls.
Integration data. If you connect Slack or other tools, we store the tokens and identifiers needed to deliver alerts and exchange data with that integration.
Usage and device data. Log data such as IP address, browser type, pages viewed, actions taken, timestamps, and error diagnostics, collected to operate, secure, and improve the Service.
Communications. Messages you send us and support requests.
2. How we use information
We use information to:
provide, operate, and maintain the Service, including detecting changes, generating AI Output, and delivering alerts;
authenticate you and secure accounts and Workspaces;
process payments and manage subscriptions;
send transactional and service messages, and, where permitted, product updates you can opt out of;
provide support and respond to your requests;
monitor, debug, and improve performance, reliability, and safety;
create de-identified, aggregated analytics that do not identify you;
comply with law and enforce our Terms.
Legal bases (GDPR). Where the GDPR applies, we rely on: performance of a contract (to provide the Service you signed up for); legitimate interests (to secure, operate, and improve the Service, and to collect Public Competitor Data for competitive intelligence, balanced against affected parties' rights); consent (for optional marketing and certain cookies, which you can withdraw); and legal obligation (for tax and compliance).
3. AI processing
To generate explanations, impact scores, recommended plays, and other AI Output, the Service sends the relevant detected changes and related context to AI providers, currently Google (Gemini models, including embeddings) and Anthropic (Claude models). We select providers that offer business or API terms under which submitted content is not used to train their general models. We do not sell your Customer Data.
We also generate vector embeddings of signals to power semantic features such as related moves. Embeddings are stored in our database and are not shared for advertising.
4. Subprocessors
We use trusted third parties to run the Service. Each is bound by contractual data-protection obligations.
Subprocessor | Purpose | Data involved |
|---|---|---|
Clerk | Authentication and user management | Account and identity data |
Stripe | Payment processing and subscriptions | Billing data |
Vercel | Application hosting and delivery | Usage and log data, in transit |
Neon (AWS, US) | Managed PostgreSQL database | Customer Data, Public Competitor Data, embeddings |
Google (Gemini) | AI reasoning and embeddings | Detected changes and related context |
Anthropic (Claude) | AI reasoning | Detected changes and related context |
Inngest | Background job and workflow orchestration | Job metadata and Customer Data references |
Plunk | Transactional and product email | Name and email address |
Slack | Optional alert delivery, if you connect it | Alert content and workspace identifiers |
Public data services (Google favicon service, thum.io, Internet Archive Wayback Machine) | Favicons, screenshots, historical page snapshots | Public competitor URLs only |
We will maintain a current subprocessor list and give notice of material changes as required by our DPA.
5. How we share information
We do not sell your personal data. We share information only:
with the subprocessors above, to run the Service;
within your Workspace, with the members you invite;
when you connect an integration, with that third party as you direct;
to comply with law, legal process, or a lawful government request;
to protect the rights, safety, and security of Rival Signal, our users, or the public;
in a merger, acquisition, or asset sale, subject to this Policy.
6. International transfers
We and our subprocessors may process data in countries other than yours, including the United States. Where required, we use appropriate safeguards for cross-border transfers, such as the European Commission's Standard Contractual Clauses and equivalent mechanisms. Contact us for more detail on the safeguards in place.
7. Data retention
We retain Customer Data for as long as your Account is active and as needed to provide the Service. After you delete data or close your Account, we make it available for export for a limited period and then delete or de-identify it in the ordinary course, unless we must retain it to comply with law, resolve disputes, or enforce our agreements. Backups are cycled out on a rolling basis. Aggregated, de-identified data may be kept indefinitely.
8. Security
We apply administrative, technical, and organizational measures to protect data, including per-Workspace tenant isolation, access controls, encryption in transit, and guarding against server-side request forgery when collecting public pages. No system is perfectly secure, so we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify you and regulators as required by law. Report security concerns to product+security@deserve.studio.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. Where the GDPR applies, you may also lodge a complaint with your supervisory authority.
If you are a California resident, you have rights under the CCPA/CPRA, including to know, delete, and correct personal information, and to opt out of "sale" or "sharing". We do not sell personal information. We will not discriminate against you for exercising your rights.
To exercise any right, email product@deserve.studio. We will verify your request and respond within the time required by law. If we process personal data as a processor on behalf of a business customer, we will refer your request to that customer.
10. Cookies and tracking
We use only cookies and similar technologies that are necessary to run the Service, such as keeping you signed in through our identity provider, Clerk. We do not currently use third-party advertising or cross-site tracking cookies. If we add optional analytics in the future, we will update this Policy and, where required, ask for your consent first. You can control cookies through your browser settings.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or in-app before they take effect and update the "Last updated" date above.
13. Contact
Deserve Studio LLC
30 N Gould St, STE R, Sheridan, WY 82801
Privacy contact: product@deserve.studio
Security contact: product+security@deserve.studio
Web: rivalsignal.co