Ryflo - Privacy Policy

RYFLO - PRIVACY POLICY

Last Updated: Apr 22, 2026

This Privacy Notice for Ryflo Inc. ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

  • Download and use our mobile application (Ryflo: Social Investing for Gen-Z), or any other application of ours that links to this Privacy Notice

  • Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at hello@ryflo.com

Ryflo Inc. is the data controller responsible for the processing of personal information described in this Privacy Notice for purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR) and UK GDPR.

Ryflo Inc.
8 The Green, STE A
Dover, Delaware 19901
United States

Ryflo Inc. has not appointed a Data Protection Officer (DPO), as it is not required to do so under Article 37 of the GDPR based on the nature and scope of its processing activities at this time.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us below.

Do we process any sensitive personal information? Some of the information may be considered "special" or "sensitive" in certain jurisdictions, for example your racial or ethnic origins, sexual orientation, and religious beliefs. We may process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law. Learn more about sensitive information we process below.

Do we collect any information from third parties? We may collect information from public databases, marketing partners, social media platforms, and other outside sources. Learn more about information collected from other sources below.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information below.

In what situations and with which types of parties do we share personal information? We may share information in specific situations and with specific categories of third parties. Learn more about when and with whom we share your personal information below.

How do we keep your information safe? We have adequate organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe below.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more about your privacy rights below.

How do you exercise your rights? The easiest way to exercise your rights is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

Want to learn more about what we do with any information we collect? Review the Privacy Notice in full.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?

2. HOW DO WE PROCESS YOUR INFORMATION?

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

7. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

8. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

9. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

10. HOW LONG DO WE KEEP YOUR INFORMATION?

11. HOW DO WE KEEP YOUR INFORMATION SAFE?

12. DO WE COLLECT INFORMATION FROM MINORS?

13. WHAT ARE YOUR PRIVACY RIGHTS?

14. CONTROLS FOR DO-NOT-TRACK FEATURES

15. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

16. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

17. DO WE MAKE UPDATES TO THIS NOTICE?

18. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

19. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

  • names

  • email addresses

  • usernames

  • passwords

  • contact or authentication data

Sensitive Information. When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:

  • financial data

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, X, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.

Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission:

  • Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device's contacts, and other features. If you wish to change our access or permissions, you may do so in your device's settings.

  • Mobile Device Data. We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID, and information about the features of our application(s) you accessed.

  • Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device's settings.

This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information, such as your Internet Protocol (IP) address and/or browser and device characteristics, is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

The information we collect includes:

  • Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called "crash dumps"), and hardware settings).

  • Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.

  • Location Data. We collect location data such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.

Information collected from other sources

In Short: We may collect limited data from public databases, marketing partners, social media platforms, and other outside sources.

In order to enhance our ability to provide relevant marketing, offers, and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, data providers, social media platforms, and from other third parties. This information includes mailing addresses, job titles, email addresses, phone numbers, intent data (or user behavior data), Internet Protocol (IP) addresses, social media profiles, social media URLs, and custom profiles, for purposes of targeted advertising and event promotion.

If you interact with us on a social media platform using your social media account (e.g., Facebook or X), we receive personal information about you from such platforms such as your name, email address, and gender. You may have the right to withdraw your consent to processing your personal information. Learn more about withdrawing your consent. Any personal information that we collect from your social media account depends on your social media account's privacy settings. Please note that their own use of your information is not governed by this Privacy Notice.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We process the personal information for the following purposes listed below. We may also process your information for other purposes only with your prior explicit consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.

  • To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service.

  • To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.

  • To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.

  • To fulfill and manage your orders. We may process your information to fulfill and manage your orders, payments, returns, and exchanges made through the Services.

  • To enable user-to-user communications. We may process your information if you choose to use any of our offerings that allow for communication with another user.

  • To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.

  • To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time. For more information, see "WHAT ARE YOUR PRIVACY RIGHTS?" below.

  • To deliver targeted advertising to you. We may process your information to develop and display personalized content and advertising tailored to your interests, location, and more. We do not currently serve third-party targeted advertising to users. If we introduce targeted advertising in the future, we will update this Privacy Notice and obtain any consent required by applicable law.

  • To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.

  • To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.

  • To determine the effectiveness of our marketing and promotional campaigns. We may process your information to better understand how to provide marketing and promotional campaigns that are most relevant to you.

  • To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual’s vital interest, such as to prevent harm.

User-Generated Content and No Investment Advice

Our Services are currently offered as a social, paper-trading environment and do not involve real-money trading or brokerage services. We are not a licensed broker, investment advisor, or financial institution, and we do not provide individualized investment advice, recommendations, or portfolio management.

All content available on the Services, including portfolios, trade ideas, comments, discussions, and other user-generated content (UGC), is created and shared by users and does not represent our views or advice. You are solely responsible for any decisions you make based on UGC, and you should not rely on such content as professional financial advice.

We process personal information related to UGC in order to:

  • Host, display, and share content between users.

  • Maintain the credibility and integrity of profiles and displayed activity.

  • Enforce our terms, community guidelines, and content standards.

We are not responsible for, and do not endorse, any UGC. You should carefully evaluate any content on the Services before making decisions in any real-world investing context outside the platform.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

  • Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. 

  • Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.

  • Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:

  • Send users information about special offers and discounts on our products and services

  • Develop and display personalized and relevant advertising content for our users

  • Analyze how our Services are used so we can improve them to engage and retain users

  • Support our marketing activities

  • Diagnose problems and/or prevent fraudulent activities

  • Understand how our users use our products and services so we can improve user experience

  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.

  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

For clarity, the following table summarizes the primary legal bases relied upon for key categories of processing activities under GDPR and UK GDPR:

Purpose of Processing — Legal Basis

  • Account creation, authentication, and service delivery — Performance of a contract


  • User communications, service notices, and support — Performance of a contract / Legitimate interests


  • Security, fraud prevention, abuse monitoring — Legitimate interests / Legal obligations


  • Analytics, product improvement, and aggregated insights — Legitimate interests


  • Marketing communications — Consent (where required) / Legitimate interests (where permitted)


  • Targeted advertising and tracking technologies — Consent (where required by law)


  • Compliance with legal, regulatory, and law enforcement requests — Legal obligations


  • Protection of users’ vital interests — Vital interests

Where required by applicable law, we rely on your explicit consent, which you may withdraw at any time as described in this Privacy Notice.

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

  • If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way

  • For investigations and fraud detection and prevention

  • For business transactions provided certain conditions are met

  • If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim

  • For identifying injured, ill, or deceased persons and communicating with next of kin

  • If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse

  • If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province

  • If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records

  • If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced

  • If the collection is solely for journalistic, artistic, or literary purposes

  • If the information is publicly available and is specified by the regulations

  • We may disclose de-identified information for approved research or statistics projects, subject to ethics oversight and confidentiality commitments

Privacy Officer (PIPEDA). In accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Ryflo Inc. has designated a Privacy Officer responsible for overseeing compliance with PIPEDA and handling related inquiries. You may contact our Privacy Officer at hello@ryflo.com.

Commercial Electronic Messages (CASL). For users located in Canada, we obtain express consent before sending commercial electronic messages, including marketing emails and SMS communications, in accordance with Canada's Anti-Spam Legislation (CASL). You may withdraw your consent at any time by following the unsubscribe instructions in any such message or by contacting us at hello@ryflo.com.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.

The categories of third parties we may share personal information with are as follows:

  • Ad Networks

  • Cloud Computing Services

  • Communication & Collaboration Tools

  • Data Analytics Services

  • Data Storage Service Providers

  • Finance & Accounting Tools

  • Payment Processors

  • Order Fulfillment Service Providers

  • Performance Monitoring Tools

  • Product Engineering & Design Tools

  • Website Hosting Service Providers

  • User Account Registration & Authentication Services

  • Testing Tools

  • Social Networks

  • Sales & Marketing Tools

  • Retargeting Platforms

  • Affiliate Marketing Programs

  • Government Entities

  • AI Platforms

Data Processing Agreements: Ryflo enters into Data Processing Agreements (DPAs) with all third-party processors handling personal information. These agreements ensure processors implement appropriate security measures and process data only on Ryflo's instructions. A current list of our processors is available upon request and is updated whenever processor relationships  change. Users may request details about specific processors by emailing hello@ryflo.com

We also may need to share your personal information in the following situations:

  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

  • Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this Privacy Notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.

  • Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.

  • Other Users. When you share personal information (for example, by posting comments, contributions, or other content to the Services) or otherwise interact with public areas of the Services, such personal information may be viewed by all users and may be publicly made available outside the Services in perpetuity. If you interact with other users of our Services and register for our Services through a social network (such as Facebook), your contacts on the social network will see your name, profile photo, and descriptions of your activity. Similarly, other users will be able to view descriptions of your activity, communicate with you within our Services, and view your profile.

5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?

In Short: We are not responsible for the safety of any information that you share with third parties that we may link to or who advertise on our Services, but are not affiliated with, our Services.

The Services may link to third-party websites, online services, or mobile applications and/or contain advertisements from third parties that are not affiliated with us and which may link to other websites, services, or applications. Accordingly, we do not make any guarantee regarding any such third parties, and we will not be liable for any loss or damage caused by the use of such third-party websites, services, or applications. The inclusion of a link towards a third-party website, service, or application does not imply an endorsement by us. We cannot guarantee the safety and privacy of data you provide to any third-party websites. Any data collected by third parties is not covered by this Privacy Notice. We are not responsible for the content or privacy and security practices and policies of any third parties, including other websites, services, or applications that may be linked to or from the Services. You should review the policies of such third parties and contact them directly to respond to your questions.

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising, including to help manage and display advertisements, to tailor advertisements to your interests, or to send abandoned shopping cart reminders (depending on your communication preferences). The third parties and service providers use their technology to provide advertising about products and services tailored to your interests which may appear either on our Services or on other websites.

To the extent these online tracking technologies are deemed to be a "sale"/"sharing" (which includes targeted advertising, as defined under the applicable laws) under applicable US state laws, you can opt out of these online tracking technologies by submitting a request as described below under section "DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?"

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.

Google Analytics

We may share your information with Google Analytics to track and analyze the use of the Services. The Google Analytics Advertising Features that we may use include: Remarketing with Google Analytics, Google Display Network Impressions Reporting and Google Analytics Demographics and Interests Reporting. To opt out of being tracked by Google Analytics across the Services, visit https://tools.google.com/dlpage/gaoptout. You can opt out of Google Analytics Advertising Features through Ads Settings and Ad Settings for mobile apps. Other opt out means include http://optout.networkadvertising.org/ and http://www.networkadvertising.org/mobile-choice. For more information on the privacy practices of Google, please visit the Google Privacy & Terms page.

Information about the specific cookies and similar technologies we use, their purposes, and how you can manage your preferences is incorporated into this Privacy Notice. For questions about our use of cookies or tracking technologies, please contact us at hello@ryflo.com.

7. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

In Short: We offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies.

As part of our Services, we offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies (collectively, "AI Products"). These tools are designed to enhance your experience and provide you with innovative solutions. The terms in this Privacy Notice govern your use of the AI Products within our Services.

Use of AI Technologies

We provide the AI Products through third-party service providers ("AI Service Providers"), including Anthropic (Claude). As our AI capabilities evolve, we will update this section to reflect current providers. As outlined in this Privacy Notice, your input, output, and personal information will be shared with and processed by these AI Service Providers to enable your use of our AI Products. 

Our AI Products

Our AI Products are designed for the following functions:

  • AI insights

Our AI Products may, for example, surface insights such as trending user strategies, popular simulated trades, or illustrative performance metrics based on aggregated activity within the Services. These insights are informational only and are not individualized investment advice.

We do not use AI or other automated decision‑making tools to make binding legal or similarly significant decisions about you (such as credit decisions or account denials) without appropriate safeguards. If, in the future, we use automated decision‑making that produces legal or similarly significant effects for you, we will:

  • Clearly inform you when such automated decision‑making is taking place.

  • Provide meaningful information about the logic involved.

  • Offer a simple way for you to request human review of the decision and to contest the outcome, where required by law.

You may contact us at hello@ryflo.com for more information about how our AI Products use your personal information.

How We Process Your Data Using AI

All personal information processed using our AI Products is handled in line with our Privacy Notice and our agreement with third parties. This ensures high security and safeguards your personal information throughout the process, giving you peace of mind about your data's safety.

Data Protection Impact Assessment: Ryflo is committed to conducting Data Protection Impact Assessments (DPIAs) where required by applicable law, including under GDPR and UK GDPR, particularly in connection with its use of artificial intelligence and the processing of financial data. Where a DPIA has been carried out, identified risks and mitigation measures are documented internally. Users may contact us at hello@ryflo.com for more information about our data protection practices.

8. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Facebook or X logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, and profile picture, as well as other information you choose to make public on such a social media platform.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

9. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in the United States. If you are accessing our Services from outside the U.S, please be aware that your information may be transferred to, stored by, and processed by us in our facilities and in the facilities of the third parties with whom we may share your personal information (see "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?" above), in the U.S, and other countries.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.

European Commission's Standard Contractual Clauses:

We have implemented appropriate safeguards to protect your personal information in connection with international transfers, including the use of the European Commission's Standard Contractual Clauses (SCCs) with our key third-party processors. These clauses require all recipients to protect personal information originating from the EEA or UK in accordance with European data protection laws. We have executed Data Processing Agreements incorporating SCCs with our primary vendors, including cloud infrastructure, authentication, and communication service providers. Further details can be provided upon request at hello@ryflo.com

9A. DO YOU HAVE FINANCIAL DATA RIGHTS IN THE UNITED STATES?

In Short: If you are a U.S. user, you have specific rights regarding access to your personal financial data. We support these rights by enabling you to obtain and export your financial data in a usable format and by limiting how authorized third parties can use that data.

If you are a resident of the United States, you may have rights under federal law, including the Consumer Financial Protection Bureau’s Personal Financial Data Rights Rule (Section 1033 of the Dodd‑Frank Act), once and to the extent that rule applies to Ryflo.

Even though our Services currently operate on a paper‑trading basis (and do not involve real-money brokerage services), we treat certain categories of data as “personal financial data” for purposes of transparency and user control. This may include:

  • Simulated portfolio compositions and paper-trading positions.

  • Simulated transaction history and order activity within the Services.

  • Other account data that reflects your investing behavior within the app.

Where applicable law requires, we will:

  • Provide you, upon request, with access to your personal financial data that we hold.

  • Provide your personal financial data in a readily usable, machine‑readable format so that you can transmit it to another provider, where technically feasible.

  • Implement processes to ensure that third parties you authorize to access your personal financial data through our Services may only use that data for the limited purposes you have consented to, and are subject to contractual and legal restrictions.

As our Services evolve and to the extent we handle additional financial account information, we will update this section to reflect our obligations and your rights under applicable U.S. financial data access rules.

Note: The CFPB's Personal Financial Data Rights Rule is currently under agency reconsideration (as of April 2026), and compliance timelines are subject to change. Ryflo will update this section as regulatory guidance is finalized.

10. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, anti‑money laundering, dispute resolution, or other legal requirements).

Different categories of data may be kept for different periods. For example:

  • Account and profile data (including date of birth): kept for as long as your account is active and for a reasonable period thereafter to enable reactivation (where permitted), respond to requests, and enforce our terms.

  • Paper-trading and activity data (e.g., simulated transactions, portfolio history, UGC): kept for as long as necessary to provide the Services, support your experience, and maintain an audit trail, and for an additional period where required for regulatory, legal, or security purposes.

  • Technical logs and security‑related information: kept for a period sufficient to detect, investigate, and mitigate security incidents and abuse, and to comply with applicable law.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information. If immediate deletion or anonymization is not possible (for example, because the information is stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion or anonymization is possible.

11. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

12. DO WE COLLECT INFORMATION FROM MINORS?

In Short: Our Services are intended for users who are at least 18 years old (or the equivalent age as specified by law in your jurisdiction). We verify age using date of birth (DOB) checks and do not knowingly collect data from or market to children under 18.

Our Services are designed for adults and are not directed to children. By using the Services, you represent that you are at least 18 years of age (or the equivalent age of majority in your jurisdiction).

When you create an account, we ask you to provide your date of birth. We use your date of birth to:

  • Verify that you meet the minimum age requirement to use the Services.

  • Maintain the credibility and authenticity of user profiles.

  • Enforce our age restrictions and prevent underage use.

If we learn that personal information from a user under 18 (or the equivalent age of majority in their jurisdiction) has been collected, we will:

  • Deactivate the account as soon as reasonably practicable; and

  • Take reasonable measures to promptly delete such data from our records, except where we are required or permitted to retain it for legal or regulatory purposes.

If you become aware of any data we may have collected from a child under the age of 18 (or the equivalent age of majority in your jurisdiction), please contact us at hello@ryflo.com so we can take appropriate action.

13. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

We will consider and act upon any request in accordance with applicable data protection laws.

We aim to respond to all valid requests within one month (30 days) of receiving them. If your request is particularly complex, or if you have made multiple requests, we may extend this period by an additional one or two months where permitted by law. If we need more time, we will notify you and explain the reasons for the delay.

 

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, replying "STOP" or "UNSUBSCRIBE" to the SMS messages that we send, or by contacting us using the details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. You will then be removed from the marketing lists. However, we may still communicate with you, for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with third parties.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

  • Log in to your account settings and update your user account.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

If you have questions or comments about your privacy rights, you may email us at hello@ryflo.com

14. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

15. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. More information is provided below.

Categories of Personal Information We Collect

The table below shows the categories of personal information we may collect. The table includes illustrative examples of each category and does not reflect the personal information we collect from you. For a comprehensive inventory of all personal information we process, please refer to the section "WHAT INFORMATION DO WE COLLECT?"

Category

Examples

Collected

A. Identifiers

Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name



YES


B. Personal information as defined in the California Customer Records statute

Name, contact information, education, employment, employment history, and financial information



YES


C. Protected classification characteristics under state or federal law

Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data



YES


D. Commercial information

Transaction information, purchase history, financial details, and payment information



NO


E. Biometric information

Fingerprints and voiceprints



NO


F. Internet or other similar network activity

Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements. 



YES


G. Geolocation data

Device location



YES


H. Audio, electronic, sensory, or similar information

Images and audio, video or call recordings created in connection with our business activities



NO


I. Professional or employment-related information

Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us



NO


J. Education Information

Student records and directory information



NO


K. Inferences drawn from collected personal information

Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics



YES


L. Sensitive personal Information

Account login information, precise geolocation and financial information including account access details



YES

We only collect sensitive personal information, as defined by applicable privacy laws or the purposes allowed by law or with your consent. Sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. You may have the right to limit the use or disclosure of your sensitive personal information. We do not collect or process sensitive personal information for the purpose of inferring characteristics about you.

We may also collect other personal information outside of these categories through instances where you interact with us in person, online, or by phone or mail in the context of:

  • Receiving help through our customer support channels;

  • Participation in customer surveys or contests; and

  • Facilitation in the delivery of our Services and to respond to your inquiries.

We will use and retain the collected personal information as needed to provide the Services or for:

  • Category A - As long as the user has an account with us

  • Category B - As long as the user has an account with us

  • Category C - Collected solely for age verification purposes; retained as long as the account is active

  • Category F - As long as the user has an account with us

  • Category G - As long as the user has an account with us

  • Category K - As long as the user has an account with us

  • Category L - As long as the user has an account with us

Sources of Personal Information

Learn more about the sources of personal information we collect in "WHAT INFORMATION DO WE COLLECT?"

How We Use and Share Personal Information

Learn more about how we use your personal information in the section, "HOW DO WE PROCESS YOUR INFORMATION?"

Will your information be shared with anyone else?

We may disclose your personal information with our service providers pursuant to a written contract between us and each service provider. Learn more about how we disclose personal information in the section, "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?"

We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be "selling" your personal information.

The categories of third parties to whom we disclosed personal information for a business or commercial purpose can be found under "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?"

Your Rights

You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights include:

  • Right to know whether or not we are processing your personal data

  • Right to access your personal data

  • Right to correct inaccuracies in your personal data

  • Right to request the deletion of your personal data

  • Right to obtain a copy of the personal data you previously shared with us

  • Right to non-discrimination for exercising your rights

  • Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California’s privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

Depending upon the state where you live, you may also have the following rights:

  • Right to access the categories of personal data being processed (as permitted by applicable law, including the privacy law in Minnesota)

  • Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in California, Delaware, and Maryland)

  • Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in Minnesota and Oregon)

  • Right to review, understand, question, and correct how personal data has been profiled (as permitted by applicable law, including the privacy law in Minnesota)

  • Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including the privacy law in California)

  • Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including the privacy law in Florida)

How to Exercise Your Rights

To exercise these rights, you can contact us by submitting a data subject access request, by emailing us at hello@ryflo.com, or by referring to the contact details at the bottom of this document.

Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.

Request Verification

Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.

If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such request on your behalf.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at hello@ryflo.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

Financial Incentives

"Financial incentive" means a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion, sale, or sharing of personal information.

The law permits financial incentives or a price or service difference if it is reasonably related to the value of the consumer’s data. A business must be able to explain how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data. The explanation must include:

  • a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and

  • a description of the method the business used to calculate the value of the consumer’s data.

We may decide to offer a "bona fide loyalty program" under Colorado law, or a "financial incentive" under California law (e.g., price or service difference) in exchange for the retention, sale, or sharing of a consumer’s personal information.

If we decide to offer a financial incentive, we will notify you of such financial incentive and explain the price difference, as well as material terms of the financial incentive or price of service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference.

Under California law, the value of your personal information to us is related to the value of the free or discounted products or services, or other benefits that you obtain or that are provided as part of the applicable program, less the expense related to offering those products, services, and benefits to program participants.

If you choose to participate in the financial incentive you can withdraw from the financial incentive at any time by emailing us at hello@ryflo.com, or by referring to the contact details at the bottom of this document.

California "Shine The Light" Law

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?"

16. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: You may have additional rights based on the country you reside in.

European Union and European Economic Area (GDPR)

If you are located in the European Union (EU) or European Economic Area (EEA), the General Data Protection Regulation (GDPR) gives you specific rights regarding your personal information.

As a data subject in the EU/EEA, you have the following rights:

  • Right of access: You have the right to request a copy of the personal information we hold about you.

  • Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.

  • Right to erasure: You have the right to request that we delete your personal information in certain circumstances, including where it is no longer necessary for the purposes for which it was collected.

  • Right to restriction of processing: You have the right to request that we restrict the processing of your personal information in certain circumstances.

  • Right to data portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.

  • Right to object: You have the right to object to the processing of your personal information where we rely on legitimate interests as our legal basis, including for direct marketing purposes.

  • Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you.

To exercise any of these rights, please contact us at hello@ryflo.com. We will respond to all valid requests within 30 days. In complex cases we may extend this by a further two months, in which case we will notify you.

If you believe we are processing your personal information unlawfully, you have the right to lodge a complaint with your local EU Member State data protection authority. A list of EU data protection authorities is available at:

https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

We do not transfer your personal information outside the EEA without ensuring appropriate safeguards are in place, as described in Section 9 of this Privacy Notice.

United Kingdom (UK GDPR)

If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 give you specific rights regarding your personal information.

Ryflo Inc. processes the personal data of UK residents in accordance with UK GDPR and the Data Protection Act 2018. The lawful bases on which we rely to process your personal data are the same as those described for EU users in Section 3 of this Privacy Notice, including performance of a contract, legitimate interests, consent, and legal obligations.

Your rights under UK GDPR mirror those available to EU users described above, including the rights of access, rectification, erasure, restriction, data portability, objection, and the right not to be subject to automated decision-making.

To exercise any of these rights, please contact us at hello@ryflo.com. We will respond to all valid requests within 30 days.

If you are unhappy with how we have handled your personal information, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection authority, at https://ico.org.uk/make-a-complaint/.

Financial Promotion — UK Specific Ryflo is not authorised or regulated by the Financial Conduct Authority (FCA). The Services do not constitute a financial promotion under the Financial Services and Markets Act 2000 (FSMA). All trading on the platform is simulated and no real money or securities are involved. Nothing on the platform constitutes an invitation or inducement to engage in investment activity as defined under FSMA. You should not rely on any content on the platform as financial advice or as a basis for real investment decisions.

We do not transfer your personal information outside the UK without ensuring appropriate safeguards are in place in accordance with UK GDPR requirements, as described in Section 9 of this Privacy Notice.

Singapore (PDPA)

If you are located in Singapore, the Personal Data Protection Act 2012 (PDPA) governs the collection, use, and disclosure of your personal information.

Under the PDPA, you have the right to:

  • Request access to your personal information held by us

  • Request correction of any inaccurate personal information

  • Withdraw consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions

We collect, use, and disclose your personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and for which we have obtained your consent where required.

If you withdraw your consent, we will inform you of the likely consequences of doing so, which may include our inability to provide certain Services to you.

To exercise your rights or for any questions about our data protection practices, please contact us at hello@ryflo.com.

Data Protection Officer (PDPA). In accordance with the Personal Data Protection Act 2012 (PDPA), Ryflo Inc. has designated a Data Protection Officer responsible for ensuring compliance with the PDPA. You may contact our DPO at hello@ryflo.com

Data Retention. For users located in Singapore, personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable law, in accordance with the PDPA. Once the purpose has been fulfilled and retention is no longer necessary, we will make reasonable efforts to ensure that your personal data is deleted or anonymised.

Data Breach Notification. In the event of a data breach that meets the mandatory notification threshold under the PDPA (as amended in 2021), Ryflo Inc. will notify the Personal Data Protection Commission (PDPC) and, where required, the affected individuals, in accordance with Singapore law and within the prescribed timeframes.

Australia

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988.

This Privacy Notice satisfies the notice requirements defined in the Australian Privacy Act, in particular: what personal information we collect from you, from which sources, for which purposes, and other recipients of your personal information.

If you do not wish to provide the personal information necessary to fulfill their applicable purpose, it may affect our ability to provide our services, in particular:

  • offer you the products or services that you want

  • respond to or help with your requests

  • manage your account with us

  • confirm your identity and protect your account

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?"

If you believe we are unlawfully processing your personal information, you have the right to submit a complaint about a breach of the Australian Privacy Principles to the Office of the Australian Information Commissioner.

Switzerland (FADP)

If you are located in Switzerland, the Federal Act on Data Protection (“FADP”) gives you rights regarding your personal information, including rights to access, correction, deletion, and objection.

For Swiss users, where we process sensitive personal data (including certain financial or profiling data), we will obtain your explicit consent when required by FADP. When transferring your personal information to countries that do not provide an adequate level of protection as determined by Swiss authorities, we implement appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognized by the Federal Data Protection and Information Commissioner (FDPIC). 

You may contact us at hello@ryflo.com to obtain more information about such transfers.

17. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

18. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at hello@ryflo.com or contact us by post at:

Ryflo Inc.

8 The Green

#STE A

Dover, Delaware

19901

19. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please fill out and submit a data subject access request.