Privacy Policy

This policy explains what personal data Revan collects, why we collect it, how we use it, and the rights you have over it. It applies to https://revan.app and to the logged-in product.

1. Who we are

[REPLACE: registered legal entity name] is the data controller for the personal data described in this policy. We trade as Revan.

We are established in the European Union, in [REPLACE: EU member state of establishment].

Registered office: [REPLACE: street, city, postal code, EU member state]. Company number: [REPLACE: company registration number]. VAT number: [REPLACE: EU VAT number, or remove sentence].

You can reach our privacy team at privacy@revan.app. Our Data Protection Officer can be reached at [REPLACE: dpo@revan.app or remove sentence].

2. What data we collect

We collect the following categories of personal data:

  • Account data. Your name, email address, password hash, and the authentication method you use. If you sign in with Google, we receive your basic Google profile (name, email, profile picture, and Google account ID).
  • Portfolio data. The holdings, transactions, watchlists, notes, and tags you add to the product. We treat this as confidential.
  • Subscription and billing data. If you buy a paid subscription, we receive: the plan you bought, the price, the billing period, the start and renewal dates, your billing country, your tax status (consumer or business), and a transaction reference from our payment processor. The payment processor handles your card or bank details directly; we do not store full card numbers on our servers.
  • Device and log data. IP address, user agent, request timestamps, referrer, and error traces. We need these to run the service and to detect abuse.
  • Communications. Messages you send to support, and the email or in-app responses we send back.
  • Optional analytics data. Page or route identifiers, filtered query parameters, coarse location, device type, and Core Web Vitals. We only collect this when you turn analytics on in Settings, Account.

We process personal data for the following purposes, on the following legal bases under GDPR:

  • To provide the free product. We use account data and portfolio data to run features you ask for. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
  • To provide and bill paid subscriptions. We use account data and subscription and billing data to take payment, manage renewals and cancellations, and give you access to paid features. Legal basis: performance of a contract (Art. 6(1)(b)).
  • To keep the product safe. We use log data to block fraud, abuse, and brute-force attempts. Legal basis: legitimate interests (Art. 6(1)(f)) in protecting our users and our service.
  • To meet legal duties. We keep certain records (in particular, invoices and tax records for paid subscriptions) to comply with tax, accounting, and consumer-protection law. Legal basis: legal obligation (Art. 6(1)(c)).
  • To send service messages. We email you about security events, billing, subscription changes, and material changes to this policy. Legal basis: contract and legitimate interests.
  • To measure usage and performance. We load Vercel Web Analytics and Vercel Speed Insights only after you opt in. Legal basis: consent (Art. 6(1)(a)). You can withdraw consent at any time in Settings, Account.

We do not sell your personal data. We do not use it for advertising. We do not build advertising profiles.

4. Who we share it with

We share personal data only with service providers that help us run the product, and only as needed for them to do that work. Each provider is bound by a written data-processing agreement.

  • Hosting and delivery. Vercel (web hosting, edge network, opt-in analytics).
  • Sign-in. Google (OAuth) when you choose Google sign-in.
  • Email delivery. Our transactional email provider for password resets, security alerts, billing receipts, and service notices.
  • Payments. Our payment processor for paid subscriptions. The processor is the controller for your card or bank details and the joint controller with us for the transaction record.

We may also share data when we are legally required to do so, for example in response to a valid court order, or to protect the rights, property, or safety of users or the public.

5. International transfers

We store and process personal data inside the European Economic Area whenever we can.

Some of our service providers operate outside the EEA, mainly in the United States. When we transfer personal data outside the EEA we rely on a transfer mechanism approved under Chapter V of GDPR. In most cases this is the European Commission's Standard Contractual Clauses (Decision 2021/914). Where the European Commission has issued an adequacy decision for the destination country, we rely on that adequacy decision instead.

We carry out a transfer impact assessment for each provider and apply additional safeguards such as encryption in transit and at rest, pseudonymisation where practical, and contractual access controls.

You can ask us for a copy of the safeguards we use by writing to privacy@revan.app.

6. How long we keep it

We keep personal data only as long as we need it for the purposes set out above:

  • Account and portfolio data. While your account is active. After you delete your account, we erase personal data within 30 days.
  • Subscription and billing records. Invoices and tax records are kept for the period required by EU and member-state tax and accounting law (typically 7 to 10 years), even after you delete your account.
  • Backups. Encrypted backups roll off on a fixed schedule. Deleted data is purged from backups within 90 days.
  • Log data. Up to 12 months, then deleted or aggregated.

7. How we keep it safe

We encrypt personal data in transit (TLS) and at rest. Passwords are hashed with a slow, salted algorithm. Access to production systems is limited to staff who need it and is logged.

We test our systems and update our dependencies on a regular cadence. We will tell you and the relevant supervisory authority about a personal-data breach when the law requires it.

No system is perfectly secure. Use a strong, unique password and turn on multi-factor authentication if it is available to you.

8. Your rights

Under GDPR and similar laws you can ask us to:

  • Access the personal data we hold about you.
  • Correct data that is wrong or out of date.
  • Delete your data (the right to erasure). Records we must keep by law, such as invoices for paid subscriptions, are excluded from erasure for the period the law requires.
  • Restrict or object to certain processing.
  • Port your data to another service in a structured, machine-readable format.
  • Withdraw consent at any time, where processing is based on consent. Withdrawing consent does not affect processing done before you withdrew it.

You can download a JSON export of your data in Settings, Account, Data export. For other requests, email privacy@revan.app. We respond within one month, as required by Art. 12(3) GDPR. We may extend this by two further months for complex requests and will tell you if we do.

If you think we have not handled your data correctly, you can lodge a complaint with a supervisory authority under Art. 77 GDPR. Our lead supervisory authority is [REPLACE: lead supervisory authority in your member state]. You can also complain to the authority in the EU member state where you live, work, or where the alleged breach took place.

9. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in, store your language preference (`revan_locale`), and protect accounts. These cannot be turned off without breaking the product.

Inside the logged-in app, we load Vercel Web Analytics and Vercel Speed Insights only after you opt in under Settings, Account. The marketing site and the documentation do not load these scripts.

Your choice is stored locally in your browser under the key `revan_telemetry_consent`. Turn the control off to withdraw consent. Read the full Cookie Policy for the details.

10. Automated decisions and profiling

We do not make decisions about you that have legal or similarly significant effects through automated means alone. The platform shows you data and analytics you can act on; you remain the decision-maker.

11. Children

The product is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has given us data, contact us and we will delete it.

12. Changes to this policy

We will update this policy when our practices change or the law requires it. If the change is material, we will email you or show a notice in the product before it takes effect. The date at the top of this page shows when it was last updated.

13. Contact

Privacy questions: privacy@revan.app.

Data Protection Officer: [REPLACE: dpo@revan.app or remove sentence].

General contact: contact@revan.app.

Postal address: [REPLACE: registered legal entity name], [REPLACE: street, city, postal code, EU member state].