Privacy Policy

1. Data Controller

The data controller is the owner of RevenlyAI. For any questions about this Policy or our data practices, contact:info@revenlyai.com.

2. Data we collect

• Account data: name, email, password or authentication credentials, billing address.
• Subscription & billing data: plan details, invoices, payments, VAT info, Stripe customer ID.
• Business data: business name, type, location, staff, services, pricing, working hours.
• Calendar & appointment data: connected Google Calendars, bookings, time slots, notes.
• Customer data of your clients: contact info, messages, bookings, reviews, channel communication history.
• Technical data: IP address, device info, browser, pages visited, cookies and similar identifiers.

2-bis. Prelaunch data scope

• In early access, we primarily collect contact details, lead status (waitlist/founder), payment status and launch preference metadata.
• Full production onboarding data may only be requested at or after launch.

3. How we use data

• to provide and maintain the Service;
• to authenticate users and secure access;
• to integrate with third-party services (Google Calendar, WhatsApp, Instagram, Messenger, review platforms);
• to send onboarding, billing and system communications;
• to generate aggregated analytics and usage statistics;
• to comply with accounting, tax and regulatory obligations;
• to improve and develop new features.

4. Legal basis for processing (GDPR)

• Contract: necessary to provide the Service.
• Legitimate interest: security, analytics, product improvement.
• Consent: for optional marketing or cookies.
• Legal obligation: tax / accounting requirements.

4-bis. Roles (Controller / Processor)

For your end-customer data processed through RevenlyAI workflows, you generally act as data controller and RevenlyAI acts as data processor on your behalf. For RevenlyAI account, billing and security operations, RevenlyAI acts as data controller.

5. Data sharing and processors

We may share personal data with trusted service providers such as:

• Hosting and infrastructure providers (Vercel, Supabase)
• Payment processor (Stripe)
• Meta / WhatsApp / Instagram / Messenger
• Analytics and error monitoring tools
• Email delivery platforms

These providers act as processors and follow strict confidentiality agreements.

6. International transfers

Some infrastructure providers are located in the United States. International transfers rely on Standard Contractual Clauses (SCC) and appropriate safeguards under applicable data protection law.

Where required, we apply supplementary technical and organizational controls to protect personal data during cross-border processing.

7. Data retention

• Automation events and operational logs are retained for up to 120 days, then deleted.
• Resolved/expired booking suggestions are retained for up to 45 days, then deleted.
• Expired workspace invites are retained for up to 30 days, then deleted.
• Billing/accounting records may be retained longer where required by law.

8. Your rights

Depending on your location, you may request:

• Access to your data
• Rectification
• Erasure (“right to be forgotten”)
• Restriction of processing
• Data portability
• Objection to processing
• Withdrawal of consent
• Complaint to a supervisory authority (e.g. Garante Privacy in Italy)

To exercise these rights, contact:info@revenlyai.com.

9. Security

We implement technical and organizational measures to protect data. However, no system is 100% secure.

10. Third-party services and links

The Service may link or integrate with third-party services. We are not responsible for their policies.

10-bis. Health data and HIPAA scope

RevenlyAI is not configured as a HIPAA-compliant service by default. Do not process Protected Health Information (PHI) in RevenlyAI unless a specific HIPAA addendum / BAA and related technical controls are formally in place.

11. Changes to this Policy

We may update this Policy periodically. Updated versions will be posted here.