how we handle your stuff.

Riff (“Riff”, “we”, “us”, “our”) is a vertical feed of AI-generated micro-games at riff.games and on our mobile apps. The service is operated by DirtCube Interactive LLP, a limited liability partnership registered in India and headquartered in Navi Mumbai.

For the purposes of the EU/UK General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA/CPRA”), and India’s Digital Personal Data Protection Act, 2023 (“DPDP”), DirtCube Interactive LLP is the data controller / data fiduciary in respect of the personal data described in this policy.

We collect only what we need to run Riff well, keep it safe, and bill paid plans correctly. The categories below are the entirety of what we collect today.

• Account data — email address, handle, display name, hashed password, and your Riffer avatar configuration.
• Content you create — the prompts you submit, the generated game code, your remixes, your clips, comments, likes, follows, and scores.
• Usage data — pages visited, riffs played, generation events, in-app actions, error reports, and crash logs.
• Device and connection data — IP address (hashed for rate-limiting and abuse prevention), browser, operating system, screen size, language, and timezone.
• Payment data — billing name and address, transaction identifiers, and payment status. Card numbers and bank credentials are processed by our payment providers; we do not see or store them.
• Communications — emails or messages you send to us at hello@riff.games or equivalent support channels.
• Cookies and similar — first-party cookies for sign-in, security and preferences; analytics cookies; ad-serving cookies once advertising is enabled on the free tier.

We do not knowingly collect biometric data, government identity numbers (Aadhaar, PAN, etc.), precise GPS location, or sensitive categories of personal data such as health, religion or sexual orientation. Please do not provide them.

We process the data above for the following purposes:

• To provide the service — authenticating you, generating your riffs, displaying the feed, calculating leaderboards, delivering notifications and saving your work.
• To keep the service safe — moderating content, enforcing rate limits, detecting abuse, preventing fraud and complying with applicable law.
• To improve the service — measuring product performance, debugging crashes, evaluating generation quality and conducting aggregated analytics.
• To bill paid plans — processing payments, issuing invoices and providing customer support.
• To communicate with you — sending transactional emails (sign-in, billing, security), service announcements, and, where you have opted in, product updates.
• To show advertising on the free tier, and to measure ad performance.
• To meet legal obligations — tax, accounting, responding to lawful requests from authorities and enforcing our Terms of Service.

Where required by law, we rely on the following lawful bases under the GDPR: performance of our contract with you, our legitimate interests in operating and improving the service, your consent (for optional marketing emails and certain cookies), and compliance with legal obligations.

We share personal data only with categories of vendors that help us run Riff, and only to the extent each category needs. Each vendor we use is bound by a written contract that requires them to protect your data and use it solely for the services they provide to us.

cloud infrastructure

Database, authentication, storage and application-hosting providers used to run the Service.

ai model providers

Foundation-model providers used to generate game code, images, audio, classifications and captions in response to your prompts.

analytics

Aggregate web-and-product analytics providers used to measure performance and improve the Service.

payment processors

Regulated payment-processing providers used to handle billing for paid plans, in India and internationally.

communications

Transactional and product email delivery providers used to send sign-in, billing and account messages.

advertising networks

Advertising-network and measurement providers used to deliver, frequency-cap and report on ads on the free tier.

security & abuse prevention

Bot-detection, fraud-prevention and content-moderation providers used to keep the Service safe.

We may update the specific vendors within each category from time to time. The current list of named vendors is available on request to hello@riff.games.

We do not sell or rent your personal data. We do not share your data with advertisers in a way that would constitute a “sale” or “sharing” for cross-context behavioural advertising under the CCPA/CPRA.

We may disclose data to law enforcement or other authorities where we are legally required to do so, or where we believe in good faith that such disclosure is necessary to protect the rights, property or safety of Riff, its users or the public.

Riff is built and operated from India. Some of the sub-processors listed above are located in the United States, the European Union, Singapore or other jurisdictions. As a result, your personal data may be processed outside your country of residence.

Where required, transfers are protected by appropriate safeguards, including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement, and equivalent mechanisms for other regions. By using Riff you acknowledge and consent to these international transfers.

We retain personal data only as long as we need it for the purposes described in this policy or as required by law.

• Account data: for as long as your account is active, plus up to 90 days after account deletion to allow recovery and to satisfy abuse-prevention requirements.
• Content: public riffs and clips remain visible until you delete them. Items remixed by other users may persist as part of the remix lineage even after you delete your original.
• Usage and security logs: up to 90 days, except where longer retention is needed to investigate suspected abuse or fraud.
• Billing records: retained for the period required by Indian tax and accounting law (currently 8 years) and equivalent local law for other jurisdictions.
• Backups: encrypted backups are retained for up to 30 days and rotate out automatically.

Depending on where you live, you may have some or all of the following rights in respect of your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct data that is inaccurate or incomplete.
• Deletion — ask us to delete your account and associated personal data.
• Portability — receive your data in a structured, commonly used, machine-readable format.
• Objection / restriction — object to certain processing or ask us to restrict it.
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• India (DPDP) — right of grievance redressal through our Grievance Officer (see contact section below).
• EU / UK (GDPR) — right to lodge a complaint with your local supervisory authority.
• California (CCPA / CPRA) — right to know, right to delete, right to correct, right to opt-out of the sale or sharing of personal information (we do not sell or share for cross-context behavioural advertising) and right to non-discrimination for exercising your rights.

To exercise any of these rights, email hello@riff.games from the address on your account. We will respond within 30 days, or as required by applicable law. We may need to verify your identity before fulfilling certain requests.

Riff is not directed to children under 13. We do not knowingly collect personal data from anyone under 13. For users in India, processing of the personal data of any user under 18 is subject to verifiable parental consent in accordance with the DPDP Act.

If you believe a child has provided personal data to Riff without appropriate consent, please contact us at hello@riff.games and we will delete it promptly.

We use first-party and third-party cookies for the following purposes:

• Strictly necessary — authentication, session security, CSRF protection. The Service cannot function without these.
• Preferences — your theme choice, locale, and similar settings.
• Analytics — aggregate and pseudonymous web-and-product analytics.
• Advertising — once enabled, advertising-network cookies for ad delivery, frequency capping and measurement.

You can control cookies via your browser settings. Blocking strictly necessary cookies will break sign-in and most of the product.

On the free tier, Riff serves advertising including interstitial, banner and rewarded video formats through third-party advertising-network and mediation partners.

Our advertising partners may use cookies, mobile advertising identifiers and similar technologies to deliver, frequency-cap and measure ads. Their use of information is governed by their own privacy policies. Where required by applicable law, we will request your consent to advertising cookies and identifiers before they are used.

Google AdSense. Riff uses Google AdSense, a service provided by Google LLC, to display ads on our website. Google, as a third-party vendor, uses cookies (including the DoubleClick DART cookie) and device identifiers to serve ads based on a user’s prior visits to this website and other sites on the internet. Google’s use of advertising cookies enables it and its partners to serve ads to our users based on their visit to Riff and/or other sites on the internet. Users may opt out of personalised advertising by visiting Google Ads Settings or aboutads.info/choices. For more information about how Google uses data when you visit our partners’ sites or apps, see policies.google.com/technologies/partner-sites.

You can manage your advertising preferences in your device or browser settings, and you can opt out of personalised advertising using industry self-regulatory tools such as the Digital Advertising Alliance, the Network Advertising Initiative, the European Interactive Digital Advertising Alliance, and your platform’s own ad-tracking controls (e.g., Limit Ad Tracking on iOS and the Android advertising-ID reset).

We protect your personal data using industry-standard technical and organisational measures, including TLS 1.2+ encryption in transit, encryption at rest for backups and storage, hashed passwords using modern algorithms, role-based access control and principle of least privilege for our staff and sub-processors.

No system can be 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant authorities and affected users in accordance with applicable law.

We may update this policy from time to time. The “last updated” date at the top of this page reflects the most recent revision.

Where changes are material we will notify you in advance by email or via an in-product banner, at least 30 days before the changes take effect, except where shorter notice is required by law or to address a security risk.

For any question, request or grievance regarding your personal data or this policy, please contact us at the address below. In accordance with the DPDP Act and applicable Indian law, our Grievance Officer is reachable at the same contact details. We acknowledge complaints within 7 working days and aim to resolve them within 30 days where possible.

DirtCube Interactive LLP  ·  C-45/3, TTC MIDC Rd, Turbhe MIDC, Turbhe, Navi Mumbai, Maharashtra 400703, India  ·  hello@riff.games  ·  +91 97696 14546.