Legal

Privacy Policy

Effective 2026-05-03

Draft. This document is a working template pending review by qualified counsel and has not been formally adopted as the binding legal agreement between you and Revent. Do not rely on it for legal purposes until the banner is removed.

1. What we collect

Account data: name, email, password hash (never stored in plaintext), OAuth account identifiers when you sign in with Google.

Workspace data: workspace name, industry, website, country, and any agent-specific data you authorize us to read (e.g. Google Search Console / Analytics metrics for the Business Dashboard agent).

Billing data: Stripe customer id and subscription state. We never see or store your card number — Stripe handles that and is PCI-DSS compliant.

Operational data: session metadata (IP address, user agent, last active timestamp) for security and abuse prevention. Audit log of significant actions (agent install, coupon apply, workspace settings change).

2. How we use it

Provide the Service and keep it running.
Bill you for the agents you install.
Send transactional email (signup verification, password reset, install confirmation) via Resend.
Detect and prevent abuse (brute-force, credential stuffing, scraping).
Improve the Service via aggregate, anonymized usage signals.

3. How we protect it

Workspace data is encrypted at rest with per-workspace data encryption keys (DEKs); each DEK is encrypted with a master key encryption key (KEK) held only in our production environment. Sessions are signed and rotated. OAuth tokens for third-party services (Google, etc.) are encrypted with the same envelope scheme before being persisted.

4. Subprocessors

We share data with the following service providers, each under their own privacy practices:

Stripe — billing, payment method storage, invoice delivery.
Resend — transactional email delivery.
Neon — managed Postgres database hosting.
Google — when you authorize a Google-based agent (e.g. Search Console / Analytics integration). Tokens are stored encrypted.

We do not sell your data, share it for advertising, or expose it to third parties outside this list without your explicit consent or a legal obligation.

5. Your rights

Depending on where you live (GDPR, CCPA, etc.) you may have rights to access, correct, export, or delete your personal data. You can:

Edit your profile at /app/account.
Edit your workspace at /app/settings.
Cancel any agent at any time from /app/marketplace; cancel your subscription on /app/billing.
Email privacy@revent.store for export or deletion requests not yet self-service.

6. Retention

Active workspace data is retained for as long as your account is active. On account deletion, encrypted data is permanently destroyed via cryptographic erasure of the workspace DEK; backups are purged within thirty (30) days. Audit log entries are retained for two (2) years for security forensics.

7. Cookies

We use cookies only for authenticated sessions (Better Auth’s session cookie) and CSRF defense. We do not run third-party advertising trackers. We may add first-party analytics (e.g. self-hosted Plausible) with appropriate consent before opening to general availability.

8. International transfers

Data is stored in Neon’s eu-west-2 region. Stripe and Resend may process data in the US under their respective data-transfer mechanisms (SCCs / DPF). By using the Service you consent to these transfers.

9. Children

The Service is not directed to children under sixteen (16). We do not knowingly collect data from children.

10. Changes to this policy

Material changes will be communicated via the email on file at least fourteen (14) days before they take effect. The latest version is always at /privacy.

11. Contact

Privacy questions: privacy@revent.store.