Privacy Policy

My Rider is operated by Evolving Story LLC (“we”, “us”, “our”). We operate the website https://buildmyrider.com and the My Rider platform. Our contact email for privacy matters is hello@buildmyrider.com.

My Rider is a personal preference platform. You build a “rider” — a profile of your preferences — and share it with businesses ahead of your arrival so they can prepare for you. Each rider is identified by a unique My Rider Number (MRN, format MYR-XXXXXX).

When you create a rider, you may provide:

• Name and email address
• Birth month and day (we never collect your birth year)
• Travel and accommodation preferences
• Food and drink preferences, dietary restrictions, and allergies
• Morning rituals, scent preferences, and gift preferences
• Your general vibe and personality notes
• A linked partner MRN (if you choose to connect riders)
• Family preferences: children’s first names, approximate ages, preferences, and allergies — entered by you as a parent or guardian

We also automatically collect standard server logs (IP address, browser type, pages visited) for security and performance. We do not use cookies for advertising.

My Rider includes an optional “Dietary preferences” feature where you can indicate food-related preferences such as gluten-free, dairy-free, vegan, or others you enter yourself. Some of this information — such as religious dietary practices (e.g. Halal, Kosher) or preferences that may imply a health condition — may constitute special category data under GDPR (Article 9).

We want to be clear about what this feature is and is not:

• Dietary preferences are entirely optional. You choose what, if anything, to add.
• They are entered voluntarily by you, in your own words.
• They are shared with partner properties that look up your rider number — the same way all other rider preferences are shared.
• They are intended for hospitality preparation only — not medical, insurance, or employment purposes.
• We do not use dietary preference data for profiling, advertising, or any purpose beyond delivering your preferences to properties you authorize.

By adding dietary preferences to your profile, you are providing explicit consent for us to store and share this data with partner properties in accordance with this policy. You can remove any preference at any time from your dashboard, which immediately stops it from being shared on future lookups.

This feature is not suitable for managing serious food allergies or medical dietary requirements. Always communicate those directly with any property before arrival.

My Rider does not collect personal data directly from children under the age of 13. If your rider includes a Family section, any information about your children is entered by you — the parent or guardian — on their behalf. We treat this data with extra care and do not use it for any purpose other than fulfilling your rider preferences with businesses you choose to share with.

If you believe a child under 13 has independently created an account, please contact us at hello@buildmyrider.com and we will promptly delete the account.

We use your data to:

• Power your rider profile and generate your unique MRN
• Deliver your preference data to businesses you share your MRN with
• Process payments via Stripe (for business subscribers)
• Send transactional emails (account confirmation, data request responses)
• Improve the platform and fix bugs

We do not sell your data to advertising networks. We do not use your data for targeted advertising. We do not share your data with anyone you have not explicitly authorized by sharing your MRN.

This is an important part of our business model, and we want to be transparent about it.

Businesses (hotels, restaurants, airlines, and others) pay My Rider for API access. When a business enters an MRN you have shared with them, our API returns the preference data associated with that MRN. You control which businesses can see your data — only businesses that have an MRN you shared with them can look you up. We do not proactively sell or distribute your rider to any business you have not already shared it with.

Business subscribers are contractually prohibited from reselling or redistributing your preference data to third parties.

If you are in the European Union or European Economic Area, we process your data under the following legal bases:

• Contract: Processing your data is necessary to provide the My Rider service you signed up for.
• Consent: Where we rely on consent (e.g., optional marketing emails, and optional dietary preferences), you can withdraw it at any time.
• Legitimate interests: Security monitoring, fraud prevention, and platform improvement — balanced against your privacy rights.

For special category data (GDPR Article 9) — which may include dietary preferences that reveal religious beliefs or health-related information — we rely on your explicit consent, given at the point you voluntarily enter and save that information to your profile. You may withdraw this consent at any time by removing the relevant preferences from your dashboard or deleting your account.

If you are in the EU or EEA, you have the right to:

• Access: Request a copy of the data we hold about you.
• Rectification: Correct any inaccurate data.
• Erasure: Ask us to delete your account and all associated data.
• Portability: Receive your data in a machine-readable format.
• Restriction: Ask us to pause processing while a complaint is resolved.
• Objection: Object to processing based on legitimate interests.

To exercise any of these rights, email hello@buildmyrider.com with the subject line “Data Request”. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

If you are a California resident, you have the right to:

• Know: Request details about the personal information we collect and how we use it.
• Delete: Request deletion of your personal information.
• Opt out of sale:We do not sell your personal information to data brokers or ad networks. Providing your MRN to a business you choose is not a “sale” under CCPA because you initiate and control it.
• Non-discrimination: We will not treat you differently for exercising these rights.

To submit a California privacy request, email hello@buildmyrider.com with the subject line “California Privacy Request”.

We use a small number of trusted third-party services to operate My Rider. Each is bound by a data processing agreement and is prohibited from using your data for their own purposes.

• Supabase — Our database and authentication provider. Data is stored in PostgreSQL hosted on AWS infrastructure. Supabase is SOC 2 Type II certified.
• Stripe — Payment processing for business subscribers. Stripe is PCI-DSS Level 1 certified. We do not store full card numbers — Stripe handles all payment data.
• Vercel — Hosting and edge delivery for the web application.
• Anthropic (Claude AI)— We use Anthropic’s API to generate hospitality recommendations and grocery suggestions for partner properties based on your rider preferences. Preference data (not your name or contact details) is sent to Anthropic to generate these recommendations. Anthropic does not use this data to train their models per their API data usage policy.

We keep your rider data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required by law to retain certain records (e.g., payment records, which Stripe retains per financial regulations).

Server logs are retained for up to 90 days for security purposes and then deleted.

Your data is encrypted in transit (TLS) and at rest. Authentication is handled by Supabase Auth, which uses industry-standard bcrypt password hashing and supports multi-factor authentication. We follow the principle of least privilege — our team only accesses user data when necessary to resolve a support request or investigate a security issue.

No system is perfectly secure. If you discover a vulnerability, please report it to hello@buildmyrider.com.

My Rider is based in the United States. Our infrastructure (Supabase/AWS) processes data in the US. If you are accessing My Rider from the EU or EEA, your data will be transferred to and stored in the US. We rely on Standard Contractual Clauses (SCCs) with our processors to ensure appropriate safeguards are in place for these transfers.

If we make material changes to this policy, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of My Rider after changes take effect constitutes acceptance of the revised policy.

For any privacy questions, data requests, or concerns, reach us at:

We aim to respond to all privacy inquiries within 5 business days.