Privacy Policy

While using Riverr services you agree that you are familiar with the Privacy Policy of our service and accept it.

Last modified: May, 2020

Generally

Your security and right to privacy is important to us. Riverr Pte. Ltd. (“Riverr”) respect the rights of our “clients”, “visitors” and the “users” of Riverr’s “Platform” that includes Apps and websites and all electronic services, applications and internal links on the platform.

Any information you provide via the Platform is respected, kept secret and will not be used in any manner or for any purpose that you have not instructed or permitted. You will find a description of Riverr’s data processing practice in this Privacy Policy.

This Privacy Policy applies only to the Platform and does not extend to third party websites or the like that might be accessible from the Platform. We have tried to keep this Privacy Policy as simple as possible. Therefore, information of a technical nature is omitted. If you have questions about this Privacy Policy or technical questions, please contact us for clarification.

By using our Platform, you agree to our Privacy Policy.

Overall, Riverr collects data:

  • To offer our users an efficient, data-driven credential management platform;
  • To meet the legal, accounting and tax requirements;
  • To provide information about the Platform – for example about new features;
  • To find and fix any ‘bugs’ or errors at the Platform;
  • To provide offers and marketing;
  • To authenticate your access to certain parts of the Platform and confirm your consent to our General Terms or other agreements;
  • To personalize your experience on the Platform and the websites;
  • To improve the Platform and the services that Riverr provides;
  • To address specific inquiries you make at Riverr;
  • To address and confirm the execution of documents and templates;
  • To enable you to use our services, including check your payment information, and billing for the services you use;
  • To send newsletters and messages to you.

You can choose to share personal information with other Parties in documents and drafts you send. We will not sell, rent, loan, trade, or the other way disclose your information with third parties unless such disclosure is necessary to: comply with a court order or other legal process, protect our rights or property, enforce our General Terms or develop our product.

Collecting information

Riverr only collects the data which is necessary for us to provide you with a secure, fast and efficient Platform. In order to do so, we will use the collected data to develop new features. We may collect personal information that makes users identifiable. Users will be identifiable to be able to connect and share their profile and selective information to third-party applications. The user is able to see all connections in the module: Connect in the platform. To use the Platform you need to provide certain personally identifiable information (defined below), and non-personally identifiable information (as defined below), and we collect this information and use it in accordance with the practices described in this Privacy Policy.

Personal Information (Identifiable)

Riverr collects personal information such as name, email and telephone number when you register at the Platform. This information is necessary to make sure that your credentials are valid.

Riverr may also utilize your email and telephone number to inform you about the Platform and new features that might be relevant to you. Riverr may also use your email for the purposes of customer support and marketing related matters. You are always entitled to unsubscribe from marketing emails. Unsubscribing can be done in the bottom of the emails you might receive. 

The platform enables a “user’s” documentation, like certificates to be shared securely and seamlessly in a electronic format known as a “verifiable credential”, or “verifiable certificate”. The “user” will receive verifiable credentials in his digital wallet as part of the platform and have the ability to control who they share their data with. 

Trusted and recognised entities such as maritime authorities, flag states, training centers and educational providers, medical clinics and employers can access the verifiable credential if granted access by the “user”. The “users” ID will be verified in different ways through Riverr Identity Services either by using third-party national login (eID) (example of such is SingPass in Singapore) or by using identity document for ID (proof) and facial recognition to compare the person (match) with their passport picture. 

This solution is meant to ensure certificates are authentic, reduce the work of endorsing certificates and reduce the workload of uploading certificates to the crewing system.

To provide our Identity Services, we need to collect certain information about our “clients” users. When verifying the identity of a user, we’ll ask for an image of their identity document as well as a picture or video of their face. We’ll then seek to verify whether the identity document is likely to be genuine and whether the person in the photo or video is likely the same person pictured in the identity document. We will also look to identify signs of fraud (for example, someone wearing a mask to impersonate another person or conceal their own real identity). If the user is successful on both the document and facial verification checks, Riverr client will likely consider the user to have proven their identity. 

To do all of this, we closely examine the information contained in the images, including the machine readable data (such as an identity document barcode) and the image metadata (such as the name of the camera model used to take the image). The Riverr Identity Lifecycle is described below for the “client”, “user” and “data-providers” on how we collect that information.

  1. The “Client” Users

Are individuals whose identities we verify or otherwise check on behalf of our clients. We collect users’ information from clients or directly from the users themselves. This information might include an image of an identity document (e.g. a passport or a driver’s license), photos (at times, taken in quick succession for anti-fraud purposes) or a video of the user, and the biometric facial identifiers in those images. This enables us to help the client verify that the user is the true owner of the identity document and has not shown signs of fraud. 

In some circumstances, we may also collect device identifiers and IP addresses to help us understand whether a device has previously been used in relation to suspected fraudulent activity and whether Riverr is permitted to provide Identity Services in the country in which the user is located. 

  1. The “User”

Users are individuals whose identities we verify or otherwise check on behalf of our clients. We collect users’ information from clients or directly from the users themselves. This information might include an image of an identity document (e.g. a passport or a driver’s license), photos (at times, taken in quick succession for anti-fraud purposes) or a video of the user, and the biometric facial identifiers in those images. This enables us to help the client verify that the user is the true owner of the identity document and has not shown signs of fraud. 

In some circumstances, we may also collect device identifiers and IP addresses to help us understand whether a device has previously been used in relation to suspected fraudulent activity and whether Riverr is permitted to provide Identity Services in the country in which the user is located. 

  1. The “Data Providers”

We also keep logs of how our clients, users, and data providers interact with our Identity Services. This might include timestamps of when the information was submitted to Riverr, and information about the device used to submit that information. 

Sometimes, we receive information we don’t need to provide our Identity Services. For example, instead of a picture of their identity document, a user might upload a completely unrelated image. When this happens, we seek to delete this data.

Passing a Riverr Check 

If we’re able to verify the identity of a user and the user is able to pass all requested checks, we notify the client who can then continue with their onboarding process. 

Not Passing a Riverr Check

If we’re unable to verify the identity of a user or the user isn’t able to pass all requested checks, we recommend to the client that they conduct additional checks before continuing with the onboarding process. We sometimes help with those additional checks too. 

Developing our Identity Services 

To further develop our Identity Services, we train our computers to recognize specific patterns in information and make predictions about new sets of information based on those patterns. This is known as machine learning. 

We’ve gathered a substantial and unique set of images from around the world, from which we can train our machine learning models to locate and extract the information in documents, to detect fraudulent documents, and to engage in facial verification. We also train our human analysts to perform those tasks so they can assist when our machine learning models aren’t best suited for the task or are still learning. Sometimes, we’ll also re-run and re-submit checks to ensure our Identity Services are working properly, particularly when testing a new feature or service for quality assurance. Together, these developments help make Riverr’s Identity Services stronger and safer for all clients and users. 

We use information to provide and maintain our Identity Services on behalf of clients on the basis that the user has consented to the processing or otherwise requested Identity Services, the client has a legitimate or lawful reason for requesting Identity Services, or the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest. We also use information to further develop our Identity Services on the basis that the processing is necessary in the legitimate interest of the client or Riverr, the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest, the processing is necessary for scientific research purposes, or the user has provided their consent. 

Facial Biometric Comparison 

When providing our Identity Services, we will frequently extract and compare numerical biometric data from facial images to understand whether two faces are likely to be a match. We do this on behalf of our clients for two reasons. Primarily, we will check whether a user owns their identity document by comparing an image of their face to the facial image contained in the identity document. When we do this, we do not retain the extracted numerical biometric data for any length of time beyond this comparison. In addition, we may also check whether we have previously verified a user on behalf of a specific client to help that client understand when a user may be generating multiple identities. We do this by comparing the facial image of a user to the facial images of other users previously verified on behalf of that specific client. To provide this check quickly, we store the numerical biometric data extracted from the previously collected facial images until the client deletes those original images. 

Automated Decision Making and Riverr Reports 

When we verify an identity or carry out a check on behalf of a client, we provide a Riverr Report to that client. This Riverr Report details our recommendation and the reasoning behind it. The reasons are generated from the different machine learning models and human powered processes that are used to verify an identity or perform a check. As these machine learning models and human powered processes are under constant development, it is difficult to maintain a list of them in this Privacy Policy.

Processing payment information 

If you are using one of our paid plans, Riverr will use a third party to process your payment information. Riverr will not store any payment information, but will use Stripe to process the payments.

If you invite a third-party to the Platform to Connect, the email of the third party will be stored on the Riverr platform in order for you to monitor the invitation. Riverr cannot control what information our users enter into the platform thus will not be held responsible for any such information. Platform may track and collect the Internet Protocol (IP) address when you visit and use the Platform.

Non-personal information

Riverr can track and collect the following categories of Information when you visit and use the Platform: the domain servers; types of computers (including mobile devices such as tablets and smartphones); navigation paths used while visiting the website or platform; browser settings; installed plug-ins; local preferences storage; screen resolutions; local time zones; font lists; the user-agent information, and the types of web browsers that are used to access the Platform.

Your content

Your use of Riverr’s Platform might involve you sharing, uploading or inputting various content containing personal information into the Platform, including but not limited to: credentials, attachments, and conversations. This content is encrypted and stored by us. You control who you invite to view or sign the content and how your content is shared with others. In general, Riverr does not monitor that content. We strongly recommend that you do NOT store any sensitive information (cf. Article 9 in the General Data Protection Regulation).

Riverr may see your credentials to support requests on your instructions – for example, if it is necessary to maintain and optimize the Platform, solving support-tasks or if we have a justified belief that you are violating any laws or this Privacy Policy. We may also analyze the content in aggregate and on an anonymized basis, in order to better understand the manner in which our Platform is being used and in the end develop optimizations. We will immediately contact you if we are informed that an instruction violates the General Data Protection Regulation, other EU-laws or Singapore Law (PDPA).

Automatically Collected Data

Cookies: A “cookie” is a small text file stored on a user’s computer for record-keeping purposes. We use cookies on the Platform to simplify user login and management of the Platform. Via your internet browser, you can control and restrict cookies. If you reject cookies, you may still use the Platform, but in some areas or features on the Platform, your options will be limited. Cookies will not be sold, rented or lent, but they can be used for analysis and advertising purposes in accordance with this Privacy Policy. The Information is stored in the time allowed by law. We delete the data when they are no longer deemed necessary. The period of which depends on the nature of the Information and the background for storage. It is therefore not possible to give a specific time on when the Information is deleted.

Behavior: We are using session-recordings to analyze user behavior on the Platform in order to understand how the Platform is being used and in the end optimize user experience on the Platform. Session-recordings are conducted without seeing the content you have on the Riverr platform.

Data Processor Agreement

“Clients” of the Platform will receive a Data Processor Agreement to be read and signed. The agreement states the rights and obligations of both parties for when Riverr is processing personal information on behalf of the Data Controller. This Agreement is based on a standard which has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements. The Data Processing Agreement contains, but is not limited to, the following points:

  • that Riverr shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which Riverr is subject.
  • that Riverr shall ensure that persons authorized to process personal data on behalf of the Data Controller have undertaken to observe confidentiality, or is subject to a suitable statutory obligation of confidentiality.
  • that Riverr shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation
  • that Riverr shall meet the requirements of the General Data Protection Regulation in order to engage another processor (subprocessor).
  • that Riverr shall assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligation
  • that Riverr shall be under obligation, at the Data Controller’s discretion, to erase or return all the personal data to the Data Controller
  • that Riverr is able to show documentation to the data controller.
  • You can request the full Data Processing Agreement by contacting us. 

Subprocessors

Riverr collaborates with various subprocessors in order to provide the Platform. We utilize third parties to store the Platform, collect feedback, analyze user behavior, fix errors, process payments, send emails and communicate with the users in order to provide customer support and information about the product and to meet the requirements stated by Singapore or EU Law. The subprocessors may get access to your information, bot solely with the purpose of facilitating the best possible credential management Platform as stated above. They are solely allowed to process data under the instruction you are giving us. Our subprocessors are required to have a privacy policy and security standards in place that is at least as protective of your information as is this Privacy Policy.

Riverr has the Data Controller’s general consent for the engagement of subprocessors. Riverr shall, however, inform the Data Controller of any planned changes with regard to additions to or replacement of other data processors and thereby give the Data Controller the opportunity to object to such changes. Such notification shall be submitted to the Data Controller a minimum of 14 days prior to the engagement of sub-processors or amendments coming into force. If the Data Controller should object to the changes, the Data Controller shall notify the Data Processor of this within 7 of receipt of the notification. The Data Controller shall only object if the Data Controller has reasonable and specific grounds for such refusal. 

Relation to the Law

We may share your personal information with public and legal authorities if Singapore or EU-law obliges us to. For example, if we have a justified belief that it is necessary to comply with EU’s General Data Protection Regulation or if we suspect that you use of the Platform violates EU- or Member State laws.

Security measures – this is how we protect your personal information

We are entitled and under the obligation to make decisions about the technical and organizational security measures that are to be applied to create the necessary level of data security and to protect your personal information against loss, misuse, publicity or unauthorized access. We use firewalls, encryption techniques, and authentication procedures to maintain the security during your sessions on the Platform.

Unauthorized access to personal information

You can control who you are sharing content and user information with. To prevent unauthorized access, maintain data and ensure the appropriate use of Information, we have implemented commercially reasonable physical, technical and administrative control mechanisms to protect your information. However, we cannot control the actions of other users with whom you share your content and we are not responsible for third party circumvention of any privacy settings or security measures on the Platform.

Your choice

You may decline to submit personally identifiable information through the Platform, in which case Riverr may not be able to provide certain features and functionalities of the Platform to you – for example, storage of your documents or digital signature. If you decide to terminate your use of the Platform, you can request access to your personal information, and request us to comply with the right to Data Portability. You can also request that your personal information is deleted. Some information will be stored in at least 5 years after you terminate your use of the Platform in order for us to comply with any legal obligations – for example regarding tax and accounting obligations. If you make agreements containing personal information on Riverr, other parties are still allowed to store these on the Platform if they wish to.

Children’s Privacy

Our Platform is not directed to persons under the age of 13. We do not knowingly collect or solicit personal information from anyone under the age of 13 or knowingly allow such persons to register for an account on the Platform. If we become aware that we have collected personal information from a child under age 13 without verified consent of a parental or guardian, we take steps to remove that information. We can not control if our users collect and store data of persons under the age of 18. In general, we advise our users to collect parental consent before they collect and store data of anyone under the age of 18.

Responsibility

Riverr’s Platform is an online tool to facilitate the process of creating, signing and storing credentials. It is always your responsibility to ensure that information and content that you enter and upload on the Platform is your property (or has obtained permission to do so). The information and content shall be correct and is not against the law or the rights of others. It is also your responsibility to provide the correct receiver in the transmission of data in the module “connect”.

Updates and Changes to this Privacy Policy

If we change our Privacy Policy, we will post those changes on this page in order to keep you aware of what information we collect, how we use it and under what circumstances we may disclose it. You will furthermore receive an email concerning changes to our Privacy Policy at least 14 days before they enforce. You will then get 7 days to object to the changes in our Privacy Policy.

Contacting Us

The Website and platform is owned by Riverr Pte. Ltd. (Co. Reg. No 202012249W). If you have questions about our Privacy Policy or to Riverr otherwise, please send an Email to: hello@Riverr.ai or call us on phone no. Telephone: +65.83443290 You can also find us on our physical address 6 Raffles Quay, Singapore 048580.

You hereby consent to this Privacy Policy and our general terms and conditions by using Riverr, the Platform or the websites.