Privacy Policy
Last updated: April 2026
1. Who We Are
Revv (“we”, “us”) provides a voice-to-CRM tool for field sales teams. This policy explains how we collect, use, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR).
2. Data We Collect
- Account data: Name, email address, organization name (via Clerk authentication)
- Voice recordings: Temporarily processed for transcription. Audio is never stored on our servers — it is sent directly to OpenAI Whisper for processing and immediately discarded.
- Visit data: Transcripts, AI-extracted summaries, quality scores, email drafts, HubSpot sync status
- Location data: GPS coordinates captured at recording time (opt-in only, used for visit context)
- Calendar data: Event titles, times, and attendees from connected Google or Microsoft calendars (read-only access)
- Payment data: Processed by Stripe. We do not store credit card numbers.
3. How We Use Your Data
- Transcribe voice memos and extract structured visit data
- Sync visit activity to your organization's HubSpot CRM
- Generate follow-up email drafts
- Provide quality feedback and coaching suggestions
- Display upcoming calendar events for visit planning
- Process payments and manage subscriptions
4. Legal Basis for Processing
We process your data based on:
- Contract performance: To provide the Revv service you subscribed to
- Legitimate interest: To improve our service, prevent fraud, and ensure security
- Consent: For optional features like location tracking and analytics
5. Sub-Processors
We share data with these third-party processors:
| Service | Purpose | Location |
|---|
| OpenAI | Voice transcription (Whisper) and AI extraction (GPT-4o) | US |
| Clerk | Authentication and user management | US |
| Supabase | Database hosting | EU (configurable) |
| Stripe | Payment processing | US/EU |
| HubSpot | CRM sync (your organization's account) | US/EU |
| Google | Calendar integration (per-user OAuth) | US |
| Microsoft | Calendar integration (per-user OAuth) | US/EU |
6. Your Rights
Under GDPR, you have the right to:
- Access: Export all your personal data (Settings → Export My Data)
- Erasure: Delete your personal data (Settings → Delete My Data)
- Rectification: Update your profile information via account settings
- Portability: Receive your data in machine-readable JSON format
- Withdrawal of consent: Revoke any optional consent at any time
- Objection: Object to processing based on legitimate interest
7. Data Retention
Visit data is retained according to your organization's configured retention policy. Organization admins can set retention periods between 30 days and 2 years. After the retention period, personal data is anonymized while aggregate metrics are preserved.
8. Security
We protect your data with:
- AES-256-GCM encryption for OAuth tokens at rest
- HMAC-signed OAuth state parameters
- Row-level security policies on the database
- Rate limiting on all API endpoints
- TLS encryption for all data in transit
9. Contact
For privacy inquiries or to exercise your rights, contact us at privacy@userevv.com.