Legal
Privacy Policy
Last updated: January 15, 2026
Revvlab takes your privacy seriously. This policy explains what data we collect, why we collect it, how we protect it, and the rights you have over it. It applies to all users of the Revvlab platform and website.
1Information We Collect
• Account and profile data: When you register for Revvlab, we collect your name, business email address, company name, phone number, and billing information. For team members added to your account, we collect their names and email addresses.
• Usage data: We automatically collect information about how you interact with the Revvlab platform, pages visited, features used, session duration, button clicks, and similar telemetry. This data is tied to your account and used exclusively to improve the product.
• Conversation data: When you connect a WhatsApp Business number, Instagram account, or email channel to Revvlab, the platform processes messages flowing through those channels. This includes inbound messages from your customers and outbound replies generated by the AI. Conversation data is processed on your behalf as a data processor under the India DPDP Act 2023.
• Payment information: Billing and payment data (card numbers, bank account details) are processed by our PCI-DSS-compliant payment partners. Revvlab stores only a tokenised reference and the last four digits of your payment method, never full card numbers.
• Integration data: If you connect Shopify or another e-commerce platform, we receive order data, product catalog information, and customer purchase history to the extent required to power cart recovery, upsell, and support flows.
2How We Use Your Information
• Service delivery: We use your data to operate the Revvlab platform, routing conversations, training your AI Brain on your brand voice, executing automated flows, and generating analytics and revenue attribution reports.
• Service improvement: Aggregated and anonymised usage data helps us understand which features are valuable and where the product can improve. We do not use your customers' conversation data to train shared AI models without explicit written consent.
• Communications: We send transactional emails (onboarding, billing receipts, security alerts) and, with your explicit opt-in, product update emails and newsletters. You can unsubscribe from non-transactional communications at any time.
• Legal compliance and safety: We may use and disclose information as required by applicable law, court order, or regulatory authority, and to protect the rights, property, or safety of Revvlab, our customers, or the public.
3Information Sharing
• We do not sell your data: Revvlab does not sell, rent, or trade any personal data, yours or your customers', to third parties for advertising or marketing purposes.
• Sub-processors and service providers: We share data with a limited set of vendors who help us operate the service: cloud infrastructure providers (AWS Mumbai region), payment processors, email delivery providers, and analytics tools. Each sub-processor is bound by a data processing agreement with confidentiality and security obligations at least as stringent as our obligations to you. A current list of sub-processors is available on request at privacy@revvlab.ai.
• Business transfers: In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the successor entity. We will provide notice before this occurs and, where legally required, seek your consent.
• Legal requirements: We may disclose data when compelled by a valid legal process. Where permitted, we will notify the affected account holder before disclosure.
4Data Retention
• Account data is retained for the duration of your active subscription and for 90 days following termination or deletion of your account. After 90 days, account data is permanently deleted from production systems. Anonymised, aggregated analytics may be retained indefinitely.
• Conversation data (messages processed through connected channels) is retained for 24 months from the date of each conversation, after which it is automatically purged. Brands on the Revenue Share plan may request a shorter retention window of 12 months at no additional cost.
• Billing records are retained for 7 years to comply with Indian financial regulations under the Companies Act 2013 and GST requirements.
You may request early deletion of your data at any time (see Section 5). Deletion requests are processed within 30 days, except where retention is required by law.
5Your Rights
Under the India Digital Personal Data Protection Act 2023 and, where applicable, the GDPR, you have the following rights with respect to your personal data:
• Right of access: Request a copy of the personal data we hold about you.
• Right to correction: Request correction of inaccurate or incomplete data.
• Right to deletion: Request deletion of your personal data, subject to legal retention obligations.
• Right to data portability: Receive your account and conversation data in a structured, machine-readable format (JSON or CSV).
• Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to nominate: Under the DPDP Act, you may nominate another individual to exercise your data rights on your behalf.
To exercise any of these rights, email privacy@revvlab.ai from the address associated with your account. We will respond within 30 days (or 72 hours for urgent deletion requests involving a security incident).
6Security
Revvlab employs industry-standard technical and organisational measures to protect your data:
• Encryption in transit: All data transmitted between your browser, our APIs, and connected channels uses TLS 1.2 or higher.
• Encryption at rest: All stored data, including conversation history, account data, and backups, is encrypted using AES-256.
• SOC 2 Type II: Our infrastructure and internal controls are audited annually under the SOC 2 Type II framework. Audit reports are available to enterprise customers under NDA.
• Access controls: Internal access to production systems follows the principle of least privilege. Access is reviewed quarterly and revoked immediately upon role change or termination.
• Vulnerability management: We conduct regular penetration tests and participate in a responsible disclosure programme. Critical vulnerabilities are patched within 24 hours of confirmation.
No method of transmission or storage is 100% secure. If you discover a potential security issue, please report it responsibly to security@revvlab.ai.
7Cookies & Tracking
Revvlab uses only essential cookies — those strictly necessary to operate the application. Essential cookies manage your authenticated session, maintain security tokens, and remember your language and UI preferences. We do not set any third-party advertising cookies, behavioural tracking cookies, or cross-site tracking pixels.
If we introduce optional analytics cookies in the future, we will seek your explicit consent via a cookie consent interface before setting them.
8Contact & Complaints
Revvlab is the Data Fiduciary (controller) for account and usage data, and a Data Processor for conversation data processed on your customers' behalf.
For privacy-related queries, requests, or complaints, contact our Data Protection Officer at: Revvlab, Mumbai, Maharashtra, India. Email: privacy@revvlab.ai. General: hello@revvlab.ai.
We aim to respond to all privacy enquiries within 10 business days. If you are unsatisfied with our response, you may lodge a complaint with India's Data Protection Board once it becomes operational, or with your local supervisory authority if you are located in the European Economic Area.
Revvlab may update this Privacy Policy periodically. We will notify registered users of material changes by email at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.