Riako

Privacy Policy

Last updated: April 13, 2026

This Privacy Policy explains how Donneko OÜ ("Riako," "we," "us," or "our") collects, uses, and protects your personal data when you use the Riako platform at riako.ai (the "Service"). By using the Service, you consent to the practices described in this policy.

1. Data Controller

The data controller responsible for your personal data is:

Donneko OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117
[email protected]

2. Information We Collect

2.1 Account Information

When you create an account, we collect information provided by your OAuth provider (Google or Apple), which may include your email address and display name.

2.2 Chat and Content Data

We store messages you send and receive within the Service, characters you create (including names, descriptions, personality traits, and images), and related metadata. This data is necessary to provide and improve the Service.

2.3 Payment Information

Payment processing is handled by Stripe. We do not store your credit card numbers or full payment details. We receive transaction identifiers and subscription status from Stripe to manage your account. Please refer to Stripe's Privacy Policy for details on how Stripe handles your payment data.

2.4 Usage and Device Data

We automatically collect certain technical information when you use the Service, including IP address, browser type, device type, operating system, referring URLs, pages visited, and interaction timestamps. We use analytics services (such as Firebase Analytics) to understand usage patterns.

2.5 Images

Images you upload (such as character reference images) and AI-generated images are stored on our cloud infrastructure (AWS S3). These images are associated with your account.

3. How We Use Your Information

We use your personal data for the following purposes:

  • Provide the Service: To operate the platform, deliver chat functionality, generate AI responses, and manage your account.
  • Improve the Service: To analyze usage patterns, fix bugs, and develop new features.
  • AI Training: We may use de-identified and aggregated chat data to train and improve our AI models. We take reasonable measures to strip personally identifiable information before using data for this purpose.
  • Safety and Moderation: To detect, prevent, and respond to violations of our Terms of Service, including prohibited content.
  • Payments: To process subscriptions, credits, and related billing.
  • Communication: To send you service-related notifications (e.g., account verification, security alerts, billing updates). We do not send marketing emails without your explicit consent.

4. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data based on the following legal grounds:

  • Contract: Processing necessary to provide you with the Service you requested (Art. 6(1)(b) GDPR).
  • Legitimate Interest: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing abuse (Art. 6(1)(f) GDPR).
  • Consent: Where required, we will obtain your consent before processing (Art. 6(1)(a) GDPR).
  • Legal Obligation: Processing necessary to comply with applicable laws (Art. 6(1)(c) GDPR).

5. Data Sharing

We do not sell your personal data. We may share your information with:

  • Service Providers: Third-party vendors who assist us in operating the Service, including cloud hosting (AWS), payment processing (Stripe), email delivery (AWS SES), and analytics (Firebase). These providers process data on our behalf under contractual obligations.
  • AI Model Providers: To generate text and image responses, we send relevant chat context to third-party AI inference providers. This data is transmitted for inference purposes only.
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal obligations). Publicly created characters may remain visible after account deletion in anonymized form.

7. Data Security

We implement reasonable technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data ("right to be forgotten").
  • Portability: Request your data in a structured, machine-readable format.
  • Restriction: Request that we limit how we process your data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

If you are located in the EEA, you also have the right to lodge a complaint with your local data protection authority.

9. International Data Transfers

Your data may be transferred to and processed in countries outside of your country of residence, including countries that may not provide the same level of data protection. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure the protection of your data.

10. Cookies

We use essential cookies and local storage to maintain your session, authentication tokens, and user preferences (such as theme and language settings). We use analytics cookies (Firebase) to understand how the Service is used. You can manage cookie preferences through your browser settings.

11. Children's Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete such data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page with an updated "Last updated" date. Your continued use of the Service after changes constitutes your acceptance of the revised policy.

13. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

Donneko OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117
[email protected]