Privacy Policy
Effective date: 19 April 2026 · Version 2.0 · Last reviewed: 19 April 2026
Preamble
This Privacy Policy describes how Ri.NET collects, uses, discloses, and safeguards personal data processed through rinet.dev and the Ri.NET Civic Intelligence Operating System. Ri.NET is built in the European Union and operates under European data protection standards, including Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and the Dutch implementing legislation (UAVG).
We have written this policy in plain language wherever possible. Where legal precision requires technical vocabulary, the glossary at the end explains the terms we use. If anything here is unclear, contact us. We treat your questions as legitimate feedback, not as support tickets.
1. Scope & acceptance
This policy applies to:
- Visitors to rinet.dev and any subdomain (including, without limitation, documentation, registration, demo-booking, API playground, and legal pages);
- Registered users of the Ri.NET developer platform (free tier, Starter, Pro, Enterprise, and Sovereign deployment customers);
- Individuals whose personal data is processed by Ri.NET customers using our platform — for example, public officials whose roles are indexed by the platform;
- Prospective customers, press contacts, and other third parties who interact with Ri.NET through forms, email, or scheduled demonstrations.
By using rinet.dev or any service linked from it, you acknowledge that you have read, understood, and accepted this policy. If you do not accept it, do not use the service.
2. Data controller
The data controller for personal data processed through rinet.dev is Ri.NET, registered in the Chamber of Commerce (Kamer van Koophandel, KvK) in Amsterdam, Netherlands. The controller is a zelfstandige zonder personeel (ZZP) sole-proprietor entity operating under Dutch commercial law.
Contact details: damir@rinet.one. Registered address: Amsterdam, Netherlands (full street address provided upon written request for regulatory or legal correspondence).
3. Categories of personal data we process
We process the following categories of personal data. Each category is listed with the purpose for which it is collected, the legal basis under which it is processed, and the retention period applicable to it.
3.1 Identity and contact data
Name, email address, company or organization, professional role or title, country, business telephone number (if voluntarily provided). Collected through the registration form on rinet.dev/register.html, the demo-booking form on rinet.dev/demo.html, or direct correspondence.
3.2 Professional and commercial context data
Industry, team size, intended use case, budget range, project timeline, and voluntary "tell us more" free-text. Collected optionally during registration to help us provide relevant information and product support.
3.3 Authentication data
When you sign in via a supported identity provider (Google OAuth, LinkedIn OAuth — see section 9), we receive a persistent provider identifier and, with your consent granted through the identity provider’s own consent flow, your verified email address and profile name.
3.4 Technical and device data (fingerprinting)
See section 7 for a detailed explanation. Includes IP address, user-agent string, HTTP header composition, browser capabilities, screen resolution, timezone, reported language preferences, canvas rendering signature, WebGL-derived GPU identification string, audio-context characteristics, and session identifiers.
3.5 Usage data
Pages visited, navigation sequence, session duration, feature interactions, API endpoint requests, request timestamps, response status codes, error occurrences. Aggregated with authentication data only for registered users.
3.6 Communications content
Content of email correspondence, demo-meeting notes, support-request content, and any voluntary feedback. Processed for the purpose of fulfilling the contract or legitimate interest in product improvement.
3.7 Payment data (planned — paid tiers)
If and when you subscribe to a paid tier (Starter, Pro, Enterprise), payment processing will be handled by Stripe, an independent payment processor. We receive only the transaction identifier, subscription status, and anonymized billing country. We do not receive or store your full payment card details.
3.8 Compliance-relevant special-category data
We do not intentionally collect special-category data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data for identification, health data, or data concerning sexual orientation). If such data is transmitted to us inadvertently (for example, in a free-text field), we will delete it as soon as we become aware.
4. Sources of personal data
We obtain personal data from the following sources:
- Directly from you — when you fill out a form, send us an email, or interact with our platform.
- Automatically from your device — through standard web-request headers, browser capabilities, and explicit fingerprinting (section 7).
- From identity providers — when you authenticate through Google or LinkedIn, we receive confirmed profile data.
- From payment processors — when you complete a paid subscription via Stripe.
- From public sources — if you identify as a public official or a company whose public registry record is indexed by the Ri.NET platform, we may process publicly available information about you in accordance with the legitimate-interest basis set out in section 6.
5. Purposes of processing
We process your personal data only for the specific purposes listed below. Each purpose is anchored to a legal basis. We do not process personal data for any other purpose without either obtaining your separate consent or updating this policy and notifying you.
- Service delivery. To provision accounts, issue API keys, authenticate sessions, route API traffic, apply rate limits, enforce tier entitlements, and operate the platform as described.
- Communications. To respond to inquiries, confirm demo bookings, send service-operational notifications, and (with your separate consent) occasional product update newsletters.
- Security and fraud prevention. To detect abusive behavior, defend against unauthorized access, investigate suspected violations, and maintain the integrity of the platform. Fingerprinting (section 7) is central to this purpose.
- Analytics and product improvement. To understand aggregate usage patterns, prioritize roadmap investment, measure documentation effectiveness, and improve the developer experience.
- Legal and regulatory compliance. To comply with Dutch, European, and applicable international law, including tax obligations, data-retention requirements, and responses to lawful requests by competent authorities.
- Contract administration. To establish, administer, perform, and terminate service contracts with customers and suppliers.
6. Legal basis for processing
Under GDPR Article 6, we rely on the following legal bases:
- Consent (Art. 6(1)(a)). For marketing communications, optional cookies (see Cookie Policy), and non-essential analytics. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Contract (Art. 6(1)(b)). For everything necessary to deliver the service you registered for — account management, API provisioning, billing, support.
- Legitimate interest (Art. 6(1)(f)). For security and fraud prevention, core analytics, product improvement, and processing of publicly available information about public-sector entities. We balance our legitimate interest against your rights and freedoms; our assessment is documented and available on written request.
- Legal obligation (Art. 6(1)(c)). For tax, accounting, and regulatory retention obligations under Dutch and EU law.
7. Device fingerprinting — full disclosure
Ri.NET is transparent about the fact that we collect technical telemetry. We explain precisely what, how, and why.
7.1 What we collect
When you visit a page on rinet.dev, our JavaScript running in your browser collects the following signals and transmits them to our server:
- Your IP address (observed by our web server);
- The user-agent string, browser vendor, and platform identification reported by your browser;
- HTTP Accept-* headers, including Accept-Language;
- Client Hints if your browser supports them (sec-ch-ua-*);
- Screen resolution and device pixel ratio;
- Viewport size and color depth;
- Browser-reported timezone and timezone offset;
- Declared language preferences;
- Hardware concurrency (number of CPU threads your browser exposes) and estimated device memory;
- Touch-support indicator and maximum touch points;
- WebGL renderer and vendor strings — these identify the GPU model and driver;
- A canvas fingerprint hash — a SHA-256 hash of a small graphic we draw to an off-screen canvas, which produces a slightly different signature on different combinations of hardware, operating system, and rendering stack;
- AudioContext characteristics (sample rate, context state);
- Page title, URL, path, query-string, and document referrer;
- UTM campaign parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) if present in the URL;
- A session identifier stored in sessionStorage.
7.2 Why we collect it
Device fingerprinting serves three distinct purposes: (a) security — distinguishing legitimate visitors from automated scrapers, abuse attempts, and coordinated attack traffic; (b) fraud prevention — ensuring that one person does not create multiple free-tier accounts to circumvent rate limits; (c) analytics — understanding how developers actually use our documentation so we can improve it. Ri.NET’s business model depends on trust; the fingerprinting is part of how we earn that trust.
7.3 Why we disclose it
Many platforms perform exactly this collection silently. We do not think that is acceptable practice. If you are entrusting Ri.NET with an architecture decision worth six figures, you deserve to know precisely what the platform observes about you before you register. Everything in the list above is observable by you in your browser’s developer tools; we simply choose to write it down in plain language.
7.4 Your controls
If you prefer not to be fingerprinted, we recommend: (a) using a browser with built-in anti-fingerprinting protections such as Brave, Firefox with resistFingerprinting enabled, or Tor Browser; (b) using a VPN if you wish to obscure your IP address; (c) contacting us at damir@rinet.one to request that your fingerprint records be deleted (see section 12).
8. Retention periods
We retain personal data only as long as necessary for the purpose that justifies its collection.
- Account data. Retained for the duration of the active account, plus a 30-day grace period after account closure to allow for accidental deletion recovery.
- Technical telemetry (fingerprints, page views). Retained for 13 months on a rolling basis, then anonymized and aggregated.
- Communications. Retained for 24 months after last communication, unless part of a contractual record (longer retention).
- Audit logs. Retained for 7 years per Dutch commercial-law and EU regulatory retention requirements, including the Commercial Code provisions on accounting records.
- Billing records. Retained for 7 years per Dutch fiscal law.
- Backups. Purged in line with parent dataset retention plus a maximum 90-day rolling backup window.
9. Processors and sub-processors
We use the following categories of third parties to help us operate the service. Each is bound by a written data-processing agreement consistent with GDPR Article 28.
- Hosting infrastructure. Hetzner Online GmbH, Germany — physical hosting of our GPU and database servers. GDPR-compliant German data center.
- DNS and CDN. Hetzner DNS (authoritative) — for rinet.dev, rinet.one, and related properties.
- Email delivery. Self-hosted mail server (Poste.io on our infrastructure) plus Gmail as SMTP smarthost relay. TLS in transit.
- Identity providers (when used). Google (Google Sign-In), LinkedIn (LinkedIn OAuth).
- Payment processing (when activated). Stripe Payments Europe, Ltd. — PCI-DSS Level 1 certified. We do not store payment card data.
- Analytics. Self-hosted Plausible on our infrastructure (cookieless). Google Analytics 4 may be enabled only with your consent.
- Blockchain audit anchoring. Polygon Proof-of-Stake network — for immutable audit-log anchoring only. No personal data is written to the blockchain; only a cryptographic hash of log roots.
10. International data transfers
Ri.NET is operated on European infrastructure. Personal data is processed in the European Economic Area by default. Where limited processing occurs outside the EEA (for example, through specific Google services), we rely on the European Commission’s Standard Contractual Clauses and any supplemental technical measures required by the Schrems II jurisprudence of the Court of Justice of the European Union.
11. Security measures
We implement comprehensive technical and organizational security measures. A non-exhaustive summary:
- AES-256 encryption for data at rest;
- TLS 1.3 for all data in transit, with strict HSTS enforced on rinet.dev;
- Per-tenant key derivation with automated rotation;
- mTLS (mutual TLS) for internal service-to-service calls with SPIFFE-derived identities;
- Zero-trust internal fabric — no service trusts any other service by default;
- Scope-limited authorization tokens on every internal call;
- Immutable append-only audit logs anchored nightly to the Polygon Proof-of-Stake blockchain;
- Role-based access control with the principle of least privilege;
- Automated vulnerability scanning and patch management;
- Regular penetration testing and security audits.
12. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15). You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16). You may request correction of inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17). You may request deletion of your data in defined circumstances.
- Right to restriction of processing (Art. 18). You may request that we pause processing in specified circumstances.
- Right to data portability (Art. 20). You may request a machine-readable export.
- Right to object (Art. 21). You may object to processing based on legitimate interest.
- Right to withdraw consent. Where processing depends on your consent, you may withdraw it at any time.
- Right to lodge a complaint (Art. 77). You may lodge a complaint with the Dutch Data Protection Authority or your home-country supervisory authority.
We respond to rights requests within 30 calendar days (extendable to 90 for complex requests). There is no fee unless requests are manifestly unfounded or excessive.
13. Automated decision-making and profiling
We do not subject you to decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you within the meaning of GDPR Article 22. The Ri.NET platform itself performs extensive automated processing on public-sector data, but that processing surfaces findings to human analysts; it does not take legal action against data subjects.
14. Minors
Our service is intended for professional use. We do not knowingly collect personal data from individuals under 16 years of age. If you believe a minor has provided personal data to us, contact us so we can delete it.
15. Data breach notification
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours as required by GDPR Article 33, and we will notify affected data subjects without undue delay as required by Article 34.
16. Data Protection Officer
While a formal DPO appointment is not mandatory for our current scale of processing, we have designated Damir Radulic (damir@rinet.one) as the primary contact for all data-protection matters. Inquiries receive a response within 5 business days.
17. Complaints procedure
If you believe we have mishandled your personal data, please first contact us at damir@rinet.one. We take complaints seriously and will investigate promptly. If you are not satisfied with our response, you may lodge a complaint with:
- The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl;
- Your home-country supervisory authority, if you are resident in the EU/EEA.
18. Amendments to this policy
We may update this policy from time to time to reflect changes in applicable law, our operations, or the service. Material changes will be communicated in advance by email to registered users and announced prominently on rinet.dev for at least 30 days before taking effect. Continued use of the service after the effective date constitutes acceptance.
19. Contact
Data-protection inquiries, rights requests, and complaints: damir@rinet.one
20. Glossary
Controller. The entity that determines the purposes and means of processing personal data.
Processor. An entity that processes personal data on behalf of the controller.
Personal data. Any information relating to an identified or identifiable natural person.
Processing. Any operation performed on personal data, whether by automated means or not.
Data subject. The natural person to whom the personal data relates.
GDPR. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
UAVG. Uitvoeringswet Algemene verordening gegevensbescherming — the Dutch law implementing GDPR.
Fingerprint. A combination of technical signals that, taken together, can identify a device or browser with high probability.
SCC. Standard Contractual Clauses — European Commission-approved template agreements for international data transfers.