Privacy Policy
Effective Date: November 3, 2025
Riffle, Inc. ("Riffle," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our platform and services, or otherwise interact with us. This policy applies to all users of our B2B SaaS platform.
1. Introduction
This Privacy Policy explains how RiffleCM LLC (“RiffleCM”, “we”, “us”, or “our”) collects and processes personal data and describes the rights available to individuals regarding their personal data. Our services include a software platform used by construction and specialty trade businesses (e.g., distributors, installers, and related partners) to manage bids, pricing, projects, and relationships, along with related websites, mobile apps, and APIs (collectively, the “Services”).
If you have any questions about this Privacy Policy or wish to exercise your rights, contact us at privacy@rifflecm.com or by mail at 3165 Commercial Ave, Northbrook, IL 60062. Our preferred contact method is email.
By using the Services or providing personal data, you agree to this Privacy Policy. If you do not agree, please do not provide personal data or use the Services.
We may update this Privacy Policy from time to time, including to reflect changes in law or our practices. If changes materially affect your rights or obligations, we will take commercially reasonable steps to notify you (e.g., by email or in-product notice). Otherwise, please check this page periodically for updates.
Role as controller vs. processor.
- We are a controller when we determine the purposes and means of processing (e.g., website analytics, account administration, marketing, security).
- We are a processor when we process personal data uploaded or connected by a business customer into its RiffleCM workspace. In that case, we process such data according to our customer’s instructions and our agreement with them.
Integrations and third-party applications.
You may enable integrations (e.g., Google, Microsoft, cloud storage, email, inventory/ERP, manufacturer APIs) or third-party apps that interoperate with the Services (“Integration Apps”). Integration Apps are provided by independent third parties that act as separate controllers of any personal data you choose to share with them. Your use of any Integration App is governed by that third party’s terms and privacy policy. We encourage you to review those terms carefully.
Our Services are not directed to children, and we do not knowingly collect data from children.
Our Services may contain links to third-party websites and apps. We do not control those third parties and are not responsible for their privacy statements.
2. What personal data do we collect and from whom?
“Personal data” means information that identifies or can reasonably be linked to an individual. Examples include name, business contact details, account credentials, IP address, and usage data. We may anonymize/de-identify or pseudonymize data and use it for lawful business purposes.
We generally do not seek to collect “special categories” of personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health, or sexual orientation). If you choose to provide such data (or a customer uploads it), we will process it only as permitted by law and our customer agreements.
2.1 Data you provide to us
You may provide personal data when you:
- create or access a RiffleCM account or workspace;
- use our website or mobile app;
- subscribe to product updates or marketing;
- communicate with us (support requests, feedback, sales inquiries);
- apply for a job; or
- provide services to us.
Some data is required to provide the Services; we indicate when data is mandatory. If required data is not provided, we may be unable to deliver the relevant Service.
You must ensure any data you provide is accurate and up to date. We may keep records of correspondence and, where permitted, support calls.
2.2 Data we automatically collect
When you use the Services, we automatically collect certain information, such as:
- device and technical info (browser, OS, device type);
- settings and preferences (time zone, language);
- usage data (pages viewed, features used, session duration).
We may use cookies and similar technologies. For details, see our Cookies Policy.
2.3 Data from connected services (e.g., Google/Microsoft/other integrations)
If you connect third-party accounts (e.g., Google Workspace/Gmail/Drive, Microsoft Outlook/OneDrive, cloud storage, inventory/ERP, pricing/manufacturer APIs), we may access and process data from those services to provide in-product functionality (e.g., enrich contacts, sync messages or files, associate communications and documents with projects/opportunities, power bid/pricing workflows). Common categories may include:
- profile (name, email);
- emails (content, attachments, metadata);
- files and file metadata;
- contact and organization records;
- inventory, pricing, product/catalog, and related commerce data where you enable such integrations.
Use of Google User Data (Google API Services – Limited Use) (if you connect Google):
- When you connect a Google account to RiffleCM, we may request access to the following Google services and data (depending on what you enable in Settings): Gmail (read metadata and content of messages you select to sync; send messages you authorize), Google Drive (read file metadata/content you select to attach or index; write files you export from RiffleCM), Google Calendar (read/write events you select), and Google Contacts (read contacts to enrich records).
- Purpose (user-facing features only). We use Google data solely to power features that are visible and prominent in RiffleCM (e.g., viewing and linking emails/files to deals or projects; composing/sending emails you initiate; showing calendars next to jobs; enriching contacts). We do not use Google data for advertising or for building profiles unrelated to these features.
- Storage & retention. If you enable syncing, we store the minimum necessary data to deliver the features you turned on (e.g., message headers, thread IDs, selected message bodies/attachments, file metadata/content, event details). Data is encrypted in transit and at rest. You can disconnect Google at any time by navigating to Profile & Settings and scrolling to Email Connections; disconnecting stops new access. You may request deletion of previously synced Google data via privacy@rifflecm.com or in-app data deletion tools; we’ll complete deletion subject to legal/contractual retention requirements.
- Sharing & transfers. We do not sell or share Google user data for targeted advertising. We do not transfer Google user data to third parties except (i) to our subprocessors acting as our service providers to deliver these features under strict contracts, (ii) as required by law, or (iii) as part of a merger, acquisition, or asset sale.
- Human access. We do not allow humans to read Google user data unless (i) you give affirmative consent for specific content (e.g., support troubleshooting you request), (ii) access is necessary to investigate abuse/security issues, (iii) access is required by law, or (iv) access is for internal operations where data is aggregated and de-identified.
- Policy compliance. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Learn more here: https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes.
- Disconnecting Google. You can revoke RiffleCM’s access in Google’s account settings at any time.
2.4 Data we receive from others
We may receive personal data about you from:
- your employer or colleagues (to invite or manage your workspace access);
- our customers (when they upload or connect data to their workspace);
- Integration Apps and service providers (payment processors, security providers, analytics, support tools);
- references or recruiting platforms if you apply for a role.
If we receive a personal, non-work email from a third party in connection with a business account, you may notify us and we will remove it where appropriate.
3. Lawful use of personal data
We process personal data under one or more of the following legal bases (as applicable):
- Consent (e.g., where you connect an Integration App; consent for certain marketing or cookies);
- Contract (to provide the Services to you or your employer and to take steps at your/their request);
- Legal obligations (e.g., tax, accounting, compliance, security obligations);
- Legitimate interests (e.g., improving and securing the Services, communicating product changes, preventing fraud/abuse), balanced against your rights.
3.1 Data from your employer/colleague
If your employer or colleague uses RiffleCM and invites you, we process your data to create/manage your account and provide the Services under our agreement with that customer.
3.2 Data from connected services
If you connect third-party services, we process the data from those services to provide the features you enabled (see 2.3 and the Google limits above).
3.3 Customer-uploaded or entered data
Where a customer uploads or enters personal data into its workspace, we process it as a processor under the customer’s instructions and our agreement with them.
3.4 Legitimate interests
We may process personal data for customer support, fraud prevention, security, audits, service improvement, product announcements, and similar operational purposes.
3.5 Product updates and marketing
If you subscribe to receive product updates or marketing, we may use your contact, usage, and profile data to send you relevant information. You can opt out at any time via the unsubscribe link, in-app settings, or by contacting us. Transactional/service messages (e.g., security, billing, service changes) will continue as necessary even if you opt out of marketing.
3.6 Service improvement and analytics
We analyze usage to operate, secure, and improve the Services. See our Cookies Policy for details.
3.7 Recruiting
If you apply for a job, we use your data to process the application and communicate with you.
3.8 Change of purpose
We will use personal data only for the purposes described unless we reasonably consider another compatible purpose. If we need to use data for an unrelated purpose, we will explain the legal basis or seek consent where required.
4. Who we share data with
We may share personal data with:
- Service providers and subprocessors (e.g., hosting, infrastructure, email, analytics, payments, support, auditors, advisors) who act under our instructions and appropriate contractual safeguards;
- Legal and compliance recipients where required (e.g., to comply with law, enforce terms, protect rights, security, safety, or prevent fraud/abuse);
- Corporate transactions (e.g., merger, acquisition, financing, sale of assets). If a transaction occurs, we will notify users where required.
We provide only the minimum data necessary to service providers and require deletion or de-identification when services end, where feasible.
5. International transfers
We may store and process data in the United States and other countries. Where required, we use appropriate safeguards for cross-border transfers (e.g., Standard Contractual Clauses, UK IDTA/Addendum, or other lawful mechanisms). Contact us at privacy@rifflecm.com for details on applicable transfer safeguards.
6. Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration. These include secure hosting, access controls, encryption in transit, and employee policies consistent with applicable law. No system is perfectly secure; if we learn of a breach, we will act promptly and notify affected parties as required by law.
If you are a customer, each party’s security and data protection commitments are further described in the RiffleCM Terms of Service Agreement.
7. Your rights
Your privacy rights depend on your location and applicable law. Subject to limitations, you may have the right to:
- Access your personal data;
- Rectify inaccurate or incomplete data;
- Delete personal data;
- Restrict or object to certain processing;
- Port personal data to another service provider;
- Withdraw consent where processing is based on consent (withdrawal does not affect prior processing);
- Opt out of marketing communications at any time.
We may request information to verify your identity and will respond within the time required by law. If we process your data on behalf of a customer (as processor), please direct your request to that customer (the controller). If you contact us directly, we will notify and assist our customer where appropriate.
If you have concerns, please contact us first. You may also have the right to lodge a complaint with your local data protection authority.
8. Retention
We retain personal data as long as necessary to provide the Services, comply with legal obligations (e.g., tax and accounting), resolve disputes, and enforce agreements.
- Customer user data (when you are associated with a customer account) is generally retained while we have a relationship with that customer and for a reasonable period thereafter, unless earlier deletion is requested by the customer or required by law.
- Customer-uploaded data is retained per the customer’s instructions and our agreement.
- We may de-identify data for research and statistical purposes and use it indefinitely without further notice.
9. General
If any provision of this Privacy Policy is held invalid or unenforceable, it will be interpreted to reflect the parties’ intentions, and the remaining provisions will remain in full force and effect.
Governing law & jurisdiction. This Privacy Policy and any disputes arising out of or related to it are governed by the laws of Delaware, without regard to conflict-of-laws rules. Exclusive jurisdiction and venue shall be the state or federal courts located in Delaware, unless otherwise required by applicable law.
10. How to contact us
Questions or privacy requests: privacy@rifflecm.com
Mailing address: 3165 Commercial Ave, Northbrook, IL 60062
If you are in the EU/UK and wish to contact an EU/UK representative (if/when appointed), please email us at the address above for the latest details.
11. U.S. State Privacy Notice (including California)
This section supplements the Privacy Policy for residents of U.S. states with comprehensive privacy laws (e.g., California, Colorado, Connecticut, Utah, Virginia) and uses terms defined by those laws.
Categories of personal information we collect
Depending on how you interact with us, we may collect:
- Identifiers: name, email address, account IDs, IP address, device identifiers.
- Customer Records/Commercial Info: business contact details, role/title, transaction history, subscription and billing info.
- Internet/Network Activity: usage data, device info, log data, analytics.
- Geolocation data: imprecise location from IP.
- Professional/Employment Info: employer, team/workspace affiliation.
- Inferences: derived from usage to improve features and relevance.
- Sensitive information: Generally not sought; processed only if you provide it or a customer uploads it, and only as permitted by law.
Purposes of collection and use
See Sections 3, 4, and 6 above (provide and secure the Services, perform contracts, improve and analyze, communicate service changes, comply with law, and prevent fraud/abuse).
Disclosures and “sharing”
We disclose personal information to service providers and other recipients as described in Section 4. We do not “sell” personal information as defined by CPRA, and we do not share personal information for cross-context behavioral advertising. We also do not use Google user data for advertising.
Your state privacy rights
Subject to exceptions, you may have the right to:
- access/know and obtain a portable copy of your personal information;
- delete personal information;
- correct inaccuracies;
- opt out of certain processing (e.g., targeted advertising, sale, profiling for significant effects—none of which we engage in as described above);
- appeal our denial of a request.
To exercise rights, email privacy@rifflecm.com with your request and state of residence. We will verify your identity before fulfilling requests. You may designate an authorized agent, subject to verification requirements.
We do not discriminate against you for exercising your privacy rights.
Children’s data
We do not knowingly collect or “sell” personal information of children under 16.
12. Cookies and tracking
We use cookies and similar technologies to operate the Services, remember preferences, and analyze usage. Where required, we obtain consent. For details and controls, please see our Cookies Policy.
13. Data Processing Addendum (DPA)
When RiffleCM acts as a processor for a customer, our processing is governed by our customer agreement and any applicable Data Processing Addendum (including applicable cross-border transfer mechanisms). Customers may request our current DPA by contacting privacy@rifflecm.com.
Defined terms
- Customer: the business entity that contracts with RiffleCM for the Services.
- Workspace: a Customer’s instance of the Services where Customer Data is stored and managed.
- Customer Data: data (including personal data) that a Customer uploads or connects to the Services.
Questions or requests?
Email privacy@rifflecm.com. We’ll help you exercise your rights or route the request to the correct controller (e.g., your employer).