Privacy Notice
Last updated: 03/26/2025

At Riffbot.ai, we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and share your information when you use our website and services. It also outlines your rights and choices regarding your personal data.

By accessing or using Riffbot.ai, you agree to the practices described in this privacy policy. We encourage you to read it carefully to understand how your information is handled.

If you have any questions or concerns, please contact us at [email protected].

What information do we collect?

We collect different types of information depending on how you interact with Riffbot.ai. This includes data from educators and trainers who create accounts, students and participants who engage with Reflection Bots, and general visitors to our website.

Users (Educators and Trainers):

When you sign up for Riffbot.ai, we collect your first name, surname, email address, payment and invoicing details. We also collect cookies necessary for core platform functionality, and anonymized usage data through Google Analytics to understand how the platform is used and improve our services.

Students and other participants:

When engaging in conversation with a Reflection Bot created by a user, the system records the date and time of the interaction, the country of origin (based on IP address), and the content of the conversation (messages from both the participant and the bot). If the bot creator enables the option, participants may be prompted to enter a name and email address before or after the interaction. This information is collected only if voluntarily provided — no login is required.

Website Visitors:

For general users browsing our website, we collect anonymized website usage data (e.g. pages visited, time spent) and basic technical details such as browser type, device information, and IP address, through tools like Google Analytics.

How do we use your information?

The information we collect is used to provide, support, and improve the Riffbot.ai platform. This includes enabling educators and trainers to create and manage Reflection Bots, ensuring that participants can engage in meaningful and secure conversations, and analyzing platform usage to guide development and optimize performance. We use this data to enhance the quality of our services, maintain system integrity, prevent misuse, and fulfill legal obligations when necessary.

Riff team members may access user information only as needed to support platform operations or respond to support requests. We do not use any user data to train Large Language Models (LLMs), and we never sell or share user data with third parties. Anonymized usage data, such as visit duration or interaction frequency, may be processed using analytics tools like Google Analytics to help us better understand how Riff is being used. This data does not contain personally identifiable information and is used solely to improve service delivery.

The Riff team has no access to the personal information of participants who engage in reflections via bots created by educators or trainers. Only the bot creator has visibility into the data collected through their custom Reflection Bots. This is a core part of Riff's privacy design, supporting educators' ownership and responsibility over the data they collect and use for learning.

Who has access to your information?

Access to user information within Riffbot.ai is strictly limited and purpose-driven. The Riff team only accesses personal data when it is necessary to provide technical support, investigate issues, or improve the reliability and performance of the service. Internal access is role-based and restricted to authorized personnel who are bound by confidentiality obligations.

When a student or participant engages with a Reflection Bot, their information is only visible to the educator or trainer who created that specific bot. The Riff team does not review or access this data unless explicitly requested by the educator for troubleshooting or support purposes. This ensures that educators retain ownership over the information they collect and that participant privacy is respected at all times.

This approach reflects our core design principle: users retain control of their data. Participants are not required to create accounts or log in, and identifying information is collected only when an educator enables the option and the participant chooses to provide it. Even in those cases, the data remains tied solely to the educator’s dashboard and is not accessed or used by Riffbot.ai for any other purpose.

Data sharing and third parties

Riffbot.ai does not sell, rent, or share user data with third parties for commercial purposes. We do not use personal information for training AI models, including Large Language Models (LLMs), and we never share participant data with advertisers or data brokers. In limited cases, we rely on carefully vetted third-party service providers to support our platform—for example, for secure hosting, analytics, and infrastructure services. These providers may have limited access to data strictly for the purpose of delivering their contracted services and are bound by strict confidentiality and data protection obligations.

In situations where we are legally obligated to disclose information—such as in response to a court order, subpoena, or other lawful request—we will comply only to the extent required by law and will seek to protect user privacy as much as possible. In the unlikely event that Riffbot.ai is acquired or merged with another organization, we will notify users in advance. If data ownership changes, the new entity will be required to honor the commitments outlined in this privacy policy or seek renewed user consent.

Our position on data sharing reflects our belief that privacy is essential to ethical AI use in education, and it aligns with our certification commitment to responsible, transparent, and user-controlled data practices.

Data sharing and third parties

We retain user information only for as long as it is necessary to provide our services and fulfill the purposes outlined in this privacy policy. For educators and trainers, personal data such as account details and Reflection Bot content remains stored for as long as the account is active. Users have the ability to delete individual bots and their associated data at any time directly from their dashboard. If an account is deleted or becomes inactive, we remove the associated data from our systems within a reasonable period, typically no later than thirty (30) days after account deactivation.

For students and participants, reflection data is linked only to the specific bot created by an educator and is retained according to that educator's use of the platform. If an educator deletes a bot, all related participant data is immediately deleted as well. No participant is ever required to log in, and any name or email provided voluntarily is stored only if the educator has enabled that option. Riffbot does not retain student or participant data beyond what is needed to support educational reflection and analysis, and none of this data is used for training AI models.

Anonymous website usage data, such as site visits or interaction durations, may be retained for a period of up to twelve (12) months to help us understand and improve platform performance, after which it is either anonymized further or deleted.

This approach reflects our privacy-by-design principles and commitment to ethical data stewardship.

How we store and protect your information?

All personal data collected through Riffbot.ai is stored on encrypted servers that are securely backed up and maintained in accordance with high industry standards. Our hosting infrastructure is designed for reliability and data protection, with physical and digital safeguards in place to prevent unauthorized access, loss, or alteration. Backups are performed regularly to protect against data loss, and all transmissions are encrypted in transit and at rest.

User data is retained only while an account remains active. When an account is deleted or becomes inactive, the associated data is removed from our systems within a defined period, typically no later than thirty (30) days. If Riffbot.ai is ever shut down, all stored data is securely deleted. In the event of an acquisition, users will be notified before any transfer of data ownership occurs.

Access to stored data is restricted to authorized members of the Riff team and governed by strict internal controls and logging. Our systems are monitored continuously, and we conduct regular audits to ensure that our security practices remain up to date.

This approach reflects our commitment to responsible data stewardship and compliance with privacy regulations, including GDPR, FERPA, and COPPA.

Compliance with data protection laws

At Riffbot.ai, we are committed to protecting user privacy in accordance with globally recognized data protection laws and education-specific regulations. Our data handling practices are designed to comply with the General Data Protection Regulation (GDPR) for users in the European Union, the Family Educational Rights and Privacy Act (FERPA) for educational records in the United States, and the Children’s Online Privacy Protection Act (COPPA) for users under the age of 13.

We do not knowingly collect personal information from children unless it is provided through an educator-managed interaction. Reflection Bots are used in educational contexts, and any student data collected is tied solely to the educator’s setup. Participants are not required to create accounts or provide personal data unless prompted by the educator, and even then, all such data is handled securely and transparently.

As stated in our application to the Digital Promise certification, we publicly disclose what user data we collect, how it is stored, how long it is retained, and what control users have over it. These policies are freely accessible and written to be understandable by a range of users, especially educators and academic institutions.

At this stage, Riffbot.ai is made available exclusively to universities and higher education institutions. As such, we do not intentionally target or collect information from children under 13, and our product is not directed toward K-12 students. However, our platform has been designed with future compliance in mind, and our data practices reflect the spirit of regulations like COPPA in preparation for broader educational use. Our platform’s security measures, breach response plan, and privacy design all reflect our broader commitment to safe and responsible data stewardship.

If you have specific questions about how Riffbot.ai aligns with these regulations, or if you are an institution seeking further documentation, you can contact us at [email protected].

AI usage and transparency

Riffbot.ai uses artificial intelligence to generate personalized, reflective conversations between students and the Reflection Bot. These conversations are designed to encourage deeper thinking and support learning outside of the classroom. The AI responds dynamically to each user’s input, prompting follow-up questions based on their reflections.

To ensure transparency, we clearly indicate within the product when users are engaging with AI-generated content. This helps distinguish between automated responses and any human-generated input, reducing the risk of confusion. Additionally, we maintain a public FAQ that explains how AI is used within the platform, what types of inputs inform the AI’s responses, and what limitations users should be aware of.

Educators have control over the prompts used by the Reflection Bots, and we are currently working on extending this control further by allowing users to influence or override aspects of the AI’s behavior when needed. This is part of our commitment to responsible AI use, as defined by the Digital Promise certification, which emphasizes clarity, user control, and support for human decision-making.

We do not use any data collected through the platform to train or fine-tune the underlying AI models. Our system operates using third-party foundational models, and our prompts are applied dynamically to serve each interaction without storing or learning from user input.

Bias monitoring and reporting

At Riffbot.ai, we recognize that all AI systems carry the potential for bias, especially when used in educational settings where fairness and inclusivity are essential. As part of our commitment to responsible AI, we have built processes to identify, monitor, and mitigate bias throughout the lifecycle of our product — from design and development to deployment.

Our AI system is built on third-party foundational models. While we do not train or fine-tune these models using user data, we apply structured prompts and constraints to guide responses in educationally appropriate and neutral directions. During internal testing and pilot phases, our team actively reviews AI behavior to identify and reduce unintended patterns, such as reinforcing stereotypes or misinterpreting reflective input from students. When problematic outputs are detected, we revise prompts, adjust response structures, or introduce additional logic to reduce recurrence.

In addition to internal monitoring, educators using Riff are empowered to report concerns. If a user believes the AI’s behavior was biased, harmful, or inappropriate, they can submit feedback directly through our contact email at [email protected] or via any future in-app reporting feature. These reports are reviewed by our team and used to inform ongoing adjustments to prompt design and AI behavior.

Our approach is aligned with the definition of algorithmic bias adopted by Digital Promise, which emphasizes the risk of unrepresentative data or unfair assumptions leading to inequitable outcomes. As the platform evolves, we will continue to refine our safeguards to ensure equitable and respectful AI experiences for all users.

What happens if Riffbot.ai shuts down or is acquired?

If Riffbot.ai ever ceases operations, we will delete all stored user data in a secure and irreversible manner. Users will be notified in advance of the shutdown, giving them time to download or delete their data if desired. We will not retain any user information beyond the closure date, in line with our commitment to privacy and ethical data stewardship.

In the event that Riffbot.ai is acquired or merged with another organization, we will inform users before any transfer of data occurs. Ownership of user data may pass to the acquiring entity, but only under the condition that the new organization agrees to uphold the principles of this privacy policy or seeks explicit consent from users for any changes in data handling. Users will be given the opportunity to opt out or delete their data before such a transition takes effect.

These steps reflect our commitment to transparency and user control, and they ensure continuity with the privacy promises we make today—regardless of what changes may come in the future.

Your rights and choices

As a user of Riffbot.ai, you have the right to access, manage, and control your personal data. Educators and trainers can view and delete their accounts, as well as remove any Reflection Bots and associated data at any time directly from their dashboard. This ensures full ownership and management of the content created and collected through the platform.

Students and participants who engage with Reflection Bots do not need to create accounts and are not required to provide identifying information. However, if a participant voluntarily provides a name or email address during a reflection session and later wishes to have this information removed, they may contact the educator who created the bot or email our team directly at [email protected]. We will work with the responsible educator to ensure that the request is honored promptly.

We are committed to supporting the principles of data minimization, transparency, and control. If you wish to inquire about the personal data we hold about you, request a correction, or ask for deletion, you may contact us at any time. We will respond as quickly as possible and within any applicable legal timelines.

Your privacy choices matter to us, and we are continually working to make data control tools even more accessible within the platform.

How can you contact us about privacy concerns?

If you have any questions, concerns, or requests related to your personal data or this privacy policy, we encourage you to get in touch. You can contact our privacy team at [email protected]. Whether you need assistance accessing your data, wish to report a concern, or want to better understand how we handle information, we’re here to help and will respond as promptly as possible.

Changes to this Privacy Notice

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal obligations. When updates are made, we will post the revised version on our website and revise the “last updated” date accordingly. For significant changes that affect your rights or how your data is used, we will provide clear notice, either through the platform or via email when possible.

We encourage you to review this page periodically to stay informed about how we protect your information.