Effective date: 10 June 2025 · Red Rift, Inc. d/b/a Stribely · 2252 Keylon Dr, West Bloomfield, MI 48324 USA
Red Rift, Inc., a Delaware corporation doing business as Stribely (“Stribely,” “we,” “us,” or “our”), provides a payroll and vendor transparency platform for enterprise customers. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the Stribely Services (the “Services”). It applies to information we process on behalf of our business customers (“Customer Data”) and to information we process for our own business operations (“Corporate Data”).
When we process Customer Data, Stribely acts as a “service provider” under US state privacy laws and a “processor” under the GDPR. Our customers act as “businesses” or “controllers.” We use Customer Data solely as instructed by the customer and consistent with contractual obligations.
Customer Data is information uploaded to or generated by the Services at the direction of a customer, such as payroll records, vendor invoices, audit notes, approvals, and communications. Customer Data may include:
We also collect information to operate our business, including:
In the preceding twelve (12) months, Stribely has collected the following categories of personal information (as defined by the California Consumer Privacy Act as amended by the CPRA and comparable state laws):
| Category | Examples | Source / Purpose |
|---|---|---|
| Identifiers | Legal name, alias, email address, phone number, employee/vendor IDs | Provided by customers, users, or collected automatically to authenticate and operate the Services |
| Customer records | Employment details, payroll inputs, vendor contracts, banking instructions | Customer uploads to manage payroll and vendor workflows |
| Protected classification characteristics | Only if customers upload information related to benefits or statutory reporting | Customer-controlled; processed solely at the customer’s direction |
| Commercial information | Transaction history, invoice metadata, service usage records | Generated by the Services to provide audit trails and analytics |
| Internet or network activity | Log data, device/browser information, session telemetry | Collected automatically for security, troubleshooting, and product analytics |
| Geolocation data | Approximate location derived from IP address | Used for security monitoring, localization, and compliance requirements |
| Sensitive personal information | Government identifiers, financial account numbers, salary data, biometric identifiers where enabled | Processed only when supplied by customers to deliver payroll and vendor services |
| Professional or employment information | Job titles, departments, supervisor relationships, performance metrics supplied by customers | Used to facilitate payroll approvals, attestation, and analytics |
| Inferences | Risk scores, exception flags, or insights derived from platform analytics | Generated to support anomaly detection and compliance checks |
Sensitive personal information is collected and processed only when submitted by a customer or user for payroll, tax, compliance, identity verification, or vendor due diligence purposes. Stribely does not use sensitive personal information to infer characteristics about individuals or for cross-context behavioral advertising, and any such information is subject to heightened access controls.
Certain optional Services features allow customers to capture biometric identifiers or biometric information (such as facial geometry, voiceprints, or keystroke dynamics) for workforce or vendor verification. Stribely processes this information only on behalf of and at the documented instructions of the customer that enabled the feature. Customers must provide required notices and obtain any legally mandated consents (including under Illinois BIPA, the Texas Capture or Use of Biometric Identifier Act, and comparable laws) before submitting biometric data to the Services. Stribely stores biometric templates using encryption and deletes them in accordance with the retention schedule in Section 8 or as otherwise agreed in writing with the customer.
We collect personal information from the following sources:
The tables below summarize how we use personal information as a service provider and as a business subject to US state privacy laws (e.g., CCPA/CPRA, VCDPA, CPA) and global regulations (e.g., GDPR).
| Purpose | Details | Legal Basis / Legitimate Interest |
|---|---|---|
| Provide and secure the Services | Operate the platform, host data, maintain audit trails, run workflows, deliver notifications, and provide support. | Contract performance (with customers); legitimate interests in delivering secure Services; compliance with payroll and financial regulations as requested by customers. |
| Improve and develop the Services | Analyze Platform Metrics, gather product feedback, test features, and benchmark performance without revealing personal identities. | Legitimate interests in improving and ensuring the resilience of the Services; aggregated, de-identified use. |
| Compliance and risk management | Conduct audits, manage security incidents, enforce policies, comply with legal obligations, and respond to lawful requests. | Legal obligations (e.g., responding to subpoenas); legitimate interests in preventing fraud and ensuring regulatory compliance. |
| Business operations and communications | Manage accounts, billing, marketing (where permitted), partner relationships, and corporate analytics. | Contract performance; legitimate interests in running our business; consent where required for marketing. |
We do not sell personal information, share it for cross-context behavioral advertising, or use Customer Data for targeted advertising.
Where customers upload or request processing of sensitive personal information (such as Social Security numbers, national identifiers, bank account numbers, biometric identifiers, or precise geolocation), Stribely processes the information strictly to deliver the requested Services, fulfill legal obligations, prevent fraud, or ensure platform security. Any optional features that rely on sensitive personal information require customer configuration and may be disabled at any time.
Stribely is in the process of self-certifying to the EU-US Data Privacy Framework and its UK Extension. We will update this Policy once certification is approved and will process Corporate Data received from Europe in accordance with the applicable Framework principles. Until then, and for all Customer Data, Stribely relies on Standard Contractual Clauses or other customer-approved transfer mechanisms and enforces the contractual protections described in Section 5.
Stribely does not make decisions that produce legal or similarly significant effects about individuals solely through automated processing. Certain analytics features may generate risk scores or anomaly flags to assist authorized users in reviewing payroll or vendor transactions, but final decisions remain with Customer personnel.
We may disclose personal information to:
A current list of Stribely subprocessors is available at https://stribely.com/subprocessors. Customers may subscribe to updates when new subprocessors are engaged. Stribely conducts security and privacy due diligence on each subprocessor and ensures transfers outside the United States rely on appropriate safeguards.
As of 1 November 2025, Stribely does not engage third-party subprocessors for Customer Data. Production services operate on Microsoft Azure infrastructure managed directly by Stribely, and no additional vendors have access to Customer Data on our behalf. We will update this disclosure and notify affected customers at least thirty (30) days before onboarding any new subprocessor.
We use cookies, pixels, and similar technologies to operate our websites, secure sessions, remember preferences, and measure campaign performance. You can manage cookie preferences through browser settings or the cookie banner presented on our sites. Essential cookies are required for core functionality and cannot be disabled.
At this time, Stribely does not respond to “Do Not Track” signals because an industry standard has not been adopted. We honor legally required browser-based opt-out signals in jurisdictions where such signals are recognized, including the Global Privacy Control for California consumers.
Stribely maintains an information security program aligned with the control requirements underlying SOC 2 Type II and ISO/IEC 27001 frameworks. We implement encryption in transit and at rest, network segmentation, access controls, secure software development practices, penetration testing, logging, and incident response. We also conduct background checks on employees with elevated access and enforce confidentiality agreements. When biometric verification features are enabled, Stribely stores biometric templates in logically segregated, encrypted repositories with strict access controls and tamper detection. As of 1 November 2025, Stribely is undergoing formal SOC 2 Type II and ISO/IEC 27001 audits and will update this section when certification is complete.
Despite our safeguards, no system is entirely secure. Customers are responsible for protecting account credentials, configuring access controls, and ensuring their authorized users follow security best practices.
We retain Customer Data for the duration of the customer’s subscription and for up to thirty (30) days thereafter to support export requests, unless the customer instructs otherwise or law requires longer retention. Backup archives are purged on rolling schedules. Corporate Data is retained as long as necessary to fulfill the purposes described in this Policy and to comply with legal obligations, resolve disputes, or enforce agreements.
| Data Category | Typical Retention | Rationale |
|---|---|---|
| Customer Data (production) | Subscription term + up to 30 days | Enable customer data export, dispute resolution, and audit completion |
| Customer Data (backups) | Rolling 90-day encrypted backups | Business continuity and disaster recovery |
| Biometric templates (optional features) | Deleted within 30 days after verification or 3 years after last interaction (whichever occurs first) | Compliance with biometric privacy laws and documented customer instructions |
| Support tickets and logs | Up to 24 months | Issue resolution, security investigations, product improvements |
| Billing and contractual records | Minimum 7 years | Financial reporting, tax, and compliance requirements |
| Marketing and prospect data | Until opt-out or 24 months of inactivity | Business development and event communications |
Depending on your location, you may have rights to access, correct, delete, or receive a copy of personal information, and to opt out of certain processing. These rights may include:
To exercise rights relating to Customer Data, please contact the organization that provided your information to Stribely. We support our customers in fulfilling data subject requests in accordance with contract terms. For rights related to Corporate Data or Stribely’s direct relationships, you may email privacy@stribely.ai or call +1-313-473-0262. We may need to verify your identity before fulfilling a request. Verified requests to delete biometric templates collected through optional features will be completed within thirty (30) days unless a longer period is required by law.
Authorized agents may submit requests on behalf of individuals by providing proof of authorization (such as a valid power of attorney or signed permission) and verifying their own identity. If we decline a request, residents of Colorado, Connecticut, or Virginia may appeal by emailing privacy@stribely.ai with “Privacy Appeal” in the subject line. We will provide a written response within 45 days. If you remain dissatisfied, you may contact your state attorney general or data protection authority.
The disclosures in this Section apply to residents of California, Colorado, Connecticut, Utah, Virginia, and other US jurisdictions with similar privacy statutes.
Additional region-specific privacy notices and regulatory filings (including Canadian PIPEDA and Brazilian LGPD addenda) are available upon request at privacy@stribely.ai.
The Services are not directed to children under the age of 18, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to Stribely, contact us so we can take appropriate action.
Stribely is headquartered in the United States and stores primary production data in US-based facilities unless a customer contract specifies another region. When Customer Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the US, we rely on Standard Contractual Clauses, and—once our Data Privacy Framework certification is approved—participation in the applicable Framework programs, or other lawful transfer mechanisms. We impose contractual safeguards on subprocessors that receive personal information from outside the United States.
We may update this Privacy Policy from time to time. If we make material changes, we will provide advance notice through the Services, via email, or by posting an updated notice on this page. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.
For questions or concerns about this Privacy Policy or our data practices, contact:
Privacy Office · Red Rift, Inc.
2252 Keylon Dr, West Bloomfield, MI 48324 USA
privacy@stribely.ai · +1-313-473-0262
EU/UK individuals may also contact our EU representative at eu-privacy@stribely.ai. If you have unresolved concerns, you may lodge a complaint with the data protection authority in your jurisdiction.