Privacy Policy
Effective Date: January 1, 2026 | Last Updated: May 1, 2026
Revuly is committed to protecting your privacy. This Policy explains what data we collect, how we use it, and your rights — including compliance with GDPR and Google OAuth requirements.
1. Who We Are
Revuly Inc. operates the Revuly platform at revuly.com. We are the data controller for personal data collected through the Service. Contact us at privacy@revuly.com.
2. Data We Collect
| Category | Data Points | Source |
|---|---|---|
| Account | Email address, name, password (hashed) | Registration form |
| Restaurant | Restaurant name, type, city, country | Onboarding form |
| Google Business | Google account ID, Business Profile ID, review data, OAuth tokens | Google OAuth |
| Usage | Reply count, login timestamps, subscription plan | Automated |
| Communications | Email notification preferences | Settings form |
3. Google Data — Limited Use Disclosure
Revuly's use of information received from Google APIs is limited to the following, in compliance with the Google API Services User Data Policy:
- Reading reviews: We access your Google Business Profile reviews solely to display them within your Revuly dashboard and generate AI reply suggestions.
- No data sharing: Google review data is not shared with, sold to, or used by any third party for advertising or other purposes.
- No autonomous posting: Revuly never posts replies to Google on your behalf without your explicit manual action.
- Token storage: OAuth access and refresh tokens are stored encrypted and used only to fetch review data on your behalf.
- Data deletion: Upon account deletion, all Google OAuth tokens and associated review data are permanently deleted within 30 days.
4. How We Use Your Data
- To provide, maintain, and improve the Revuly platform
- To generate AI reply suggestions using Anthropic Claude
- To send email notifications about new reviews (with your consent)
- To send weekly reports (Growth/Pro plans, with your consent)
- To process subscription billing via our payment processor
- To prevent fraud and enforce our Terms of Service
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process your data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you subscribed to
- Legitimate interests: Security, fraud prevention, service improvement
- Consent: Email notifications and marketing communications (you may withdraw consent at any time)
6. Data Sharing & Third Parties
We do not sell your personal data. We share data only with:
- Supabase — Database and authentication infrastructure (data stored in EU region)
- Anthropic — Review text is sent to Claude API to generate reply suggestions (not retained by Anthropic for training)
- Resend — Email delivery service for notifications and reports
- Vercel — Hosting and deployment platform
7. Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Account and profile data: deleted within 30 days
- Review data: deleted within 30 days
- Google OAuth tokens: immediately revoked and deleted
- Billing records: retained for 7 years as required by law
8. Your Rights (GDPR)
If you are located in the EEA, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Request we limit processing of your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw marketing consent at any time
To exercise these rights, email privacy@revuly.com. We will respond within 30 days.
9. Cookies
Revuly uses essential session cookies for authentication only. We do not use advertising or tracking cookies. You can clear cookies through your browser settings; this will log you out of the Service.
10. Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for OAuth tokens, and role-based access controls. We conduct regular security reviews.
11. International Transfers
Data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required by GDPR.
12. Children's Privacy
The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us immediately.
13. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email and in-app notice at least 14 days before changes take effect.
14. Contact & Supervisory Authority
Questions? Contact our privacy team at privacy@revuly.com. If you are in the EEA and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority.