revwave.ai
Privacy Policy
Effective: May 15, 2026

Introduction

Who we are, what this policy covers, and how to reach us.

Privacy Built into Everything

RevWave is designed so your data stays yours. We collect only what we need to operate the platform, we never sell it, and we give you the tools to access, correct, export, or delete it at any time.

Third-party ad networks: 0
Data sold to anyone: 0
Right request SLA: 30 days
GDPR portability live: Art. 20

Who We Are

This Privacy Policy applies to RevWave.ai, the AI-powered revenue intelligence platform operated by RevWave Inc. ("RevWave", "we", "us", or "our"). RevWave Inc. is the data controller for all personal data processed under this policy for the purposes of the EU General Data Protection Regulation (GDPR) and equivalent laws.

This policy applies to the RevWave platform at app.revwave.ai, the marketing website at revwave.ai, and any related APIs or services. It covers personal data we collect from users, account administrators, and visitors to our website.

For privacy inquiries, contact us at privacy@revwave.ai. For security vulnerabilities, use security@revwave.ai.

What We Collect

We collect only what is necessary to operate the platform and provide the service you signed up for. We do not buy data from third-party brokers or run behavioral advertising networks.

Data Category | What It Includes & How We Get It
Account Data | Name, email address, and company name — provided by you when you sign up or update your profile. Used to identify your account and communicate with you.
CRM Data (Deals, Contacts, Companies) | Deal records, contact details, and company data synced from HubSpot or Salesforce. Synced only after you explicitly grant OAuth authorization — we request only the minimum required scopes. You can disconnect the integration at any time in Settings → Integrations.
Usage Data | Pages visited, features used, and agent interactions within the platform. Used to improve the product and understand how features are adopted. Not shared with advertising platforms.
Technical Data | IP address, user agent string, and browser type, collected automatically when you use the platform. Stored in our security audit log for fraud prevention and incident investigation. Email addresses and OAuth values are scrubbed from application logs before emission.
Conversation Data | Messages you send to the WAVE AI assistant. Stored per-user and per-tenant to provide conversational context. Never shared across organizations. Not used to train AI models (see Data Sharing section).
Payment Data | Billing is processed by Stripe. RevWave does not store or have access to your card number, CVC, or full card details. We receive only a Stripe customer ID and subscription status necessary to manage your account.

What we do not collect: Email body content, calendar event text, call recordings, or any data not explicitly authorized through our integration APIs. No advertising pixels or third-party tracking scripts run on authenticated platform pages.

How We Use It

We use your data to operate the platform, keep it secure, and communicate important changes. We do not use it for advertising or sell it to any third party.

Operate the Platform

Provide and improve the RevWave platform — including deal tracking, pipeline visualization, and all other features you use. Your data is the input to the service you subscribed to.

Run AI Agents on Your Behalf

WAVE and the specialized revenue agents process your CRM and conversation data to generate insights, drafts, and recommendations. Agents only access data you have explicitly authorized RevWave to sync. Every agent action is logged and attributable.

Security & Fraud Prevention

Technical data (IP, user agent) and audit log data are used to detect and investigate unauthorized access attempts, abuse, and security incidents. PII is scrubbed from application-level logs before emission.

Product Updates & Notices

We send transactional emails (account confirmation, password reset, billing notices) and, with your consent, occasional product update emails. You can opt out of product update emails at any time via the unsubscribe link or in Settings → Notifications.

Platform Improvement

Aggregated, anonymized usage data helps us understand which features are working and where the product needs improvement. Individual usage data is not shared externally for this purpose.

Legal Compliance

We retain and process data as required to comply with applicable law, respond to lawful government requests, and enforce our Terms of Service.

Legal Basis (GDPR Art. 6)

For users in the European Economic Area (EEA), the UK, or Switzerland, we rely on the following lawful bases under GDPR Article 6 for processing personal data.

Legal Basis | Processing Activities Covered
Contract Performance, Art. 6(1)(b) | Processing your account data and CRM data to provide the RevWave service you subscribed to. Without this data, we cannot perform our contractual obligations.
Legitimate Interests, Art. 6(1)(f) | Security monitoring and fraud prevention, maintaining audit logs, improving the platform based on anonymized usage patterns, and protecting our platform and users from abuse. Our interests do not override your fundamental rights and freedoms.
Consent, Art. 6(1)(a) | Marketing communications and product update emails. You may withdraw consent at any time via the unsubscribe link in any email or by emailing privacy@revwave.ai. Withdrawal does not affect the lawfulness of processing before withdrawal.
Legal Obligation, Art. 6(1)(c) | Retaining records required by applicable law, responding to lawful court orders or government requests, and fulfilling tax and financial record-keeping obligations.

Data Sharing

We share data with subprocessors necessary to operate the platform. We do not sell personal data, share it with data brokers, or allow subprocessors to use it for their own purposes.

We do not sell personal data. We have not sold personal data in the past 12 months and do not intend to. RevWave's business model is subscription software — not data monetization.

Key Subprocessors

Database & Auth

Supabase / PostgreSQL

All platform data is stored in Supabase's managed PostgreSQL (hosted on AWS us-east-1). SOC 2 Type II certified. AES-256 encryption at rest. Point-in-time recovery backups.

AI Model Inference

Anthropic (Claude API)

Your conversation data and CRM context are sent to Anthropic's Claude API to generate WAVE agent responses. Anthropic does not train models on API-submitted data by default. RevWave does not use training-enabled API terms.

Backend Hosting

Railway

FastAPI backend and Celery worker hosted on Railway (US-based infrastructure). Environment secrets managed by Railway; not accessible to third parties. TLS enforced on all ingress.

Frontend Hosting

Netlify

The platform UI (app.revwave.ai) is hosted on Netlify. SOC 2 Type II certified. CDN-distributed with TLS termination. No customer data is stored at the CDN layer.

Payments

Stripe

All payment processing is handled by Stripe. Card numbers and payment credentials are never stored by RevWave — Stripe handles PCI-DSS compliance for payment data.

Error Monitoring

Sentry

Application errors are reported to Sentry for diagnosis. PII scrubbing is applied at the SDK level before any error is emitted — email addresses, phone numbers, and OAuth values are redacted.

A full subprocessor list with DPA references is available in the Data Processing Agreement at revwave.ai/dpa. For legal disclosures, we will notify you before complying with any government or legal request for your data when permitted by law to do so.

Data Retention

We retain data for as long as necessary to provide the service or as required by law. The table below summarizes retention periods by data type.

Data Type | Retention Period & Deletion
Account Data (Name, email, company) | Retained while your account is active. Following a deletion request, account data is purged within 30 days. After the 30-day window, data is irrecoverably deleted and cannot be restored.
CRM Sync Data (Deals, contacts, companies) | Deleted when you disconnect the integration in Settings → Integrations, or when you delete your account. Deletion is completed within 24 hours of the request.
Conversation History (WAVE AI transcripts) | Retained while your account is active. You may request deletion of your conversation history at any time by emailing privacy@revwave.ai. Completed within 30 days.
Security Audit Logs | Retained for 12 months from the date of the event, then automatically purged. Audit logs are used for security investigation and incident response; earlier deletion is not available.
Application Logs | Retained for 30 days in Railway's logging infrastructure, then purged automatically. PII is scrubbed before logs are written.
Payment Records | Stripe retains payment records per their own retention policy and applicable financial regulations. RevWave retains only the Stripe customer ID and subscription status for as long as your account exists.

Your Rights (GDPR Art. 15–22)

If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR. We respond to all verifiable requests within 30 days. Submit requests via the platform Settings or email privacy@revwave.ai.

Art. 15

Right to Access

You have the right to request a copy of all personal data we hold about you. In the platform, go to Settings → Security → Download My Data to export a JSON file of your profile, conversation history, wave sessions, and agent memories instantly. You may also request a full export via email.

Art. 16

Right to Rectification

You have the right to correct inaccurate personal data. Update your name, email, and company in Settings → Account at any time. For data you cannot update yourself, contact privacy@revwave.ai.

Art. 17

Right to Erasure

You have the right to request deletion of your personal data ("right to be forgotten") where we have no legal basis to retain it. Submit a deletion request in Settings → Account → Delete Account or email privacy@revwave.ai. We will complete deletion within 30 days (security audit logs retained for 12 months per our legitimate interest in security).

Art. 20

Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format. Export a complete JSON file of all your personal data at any time from Settings → Security → Download My Data. No need to contact us — this is self-serve and immediate.

Art. 21

Right to Object

You have the right to object to processing based on legitimate interests (Art. 6(1)(f)). Submit your objection to privacy@revwave.ai with the specific processing you object to. We will assess and respond within 30 days. You also have the right to object to direct marketing at any time — use the unsubscribe link in any email.

Art. 18

Right to Restrict Processing

You have the right to request that we restrict processing of your data while a dispute about accuracy or the basis for processing is resolved. Contact privacy@revwave.ai to request a restriction.

Art. 77

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal data lawfully. In the EU, the lead supervisory authority for cross-border complaints is typically that of the EU member state where you reside. We encourage you to contact us first at privacy@revwave.ai — we will work to resolve your concern directly.

Response time: We respond to all verifiable rights requests within 30 days of receipt. If a request is complex or we receive a high volume, we may extend this by up to an additional 60 days and will notify you within the first 30 days if an extension is needed. There is no charge for submitting a request.

Security

We use technical and organizational measures appropriate to the sensitivity of the data we process. Our full security posture is documented at revwave.ai/trust.

RevWave implements a defense-in-depth architecture across five independently enforced layers: TLS 1.3 in transit, Postgres Row-Level Security on all 32+ tenant-scoped database tables, JWT-based authentication with 1-hour token expiry, Fernet AES-128 encryption for all CRM OAuth credentials at rest, and rate limiting per IP and per tenant.

Every AI agent action is logged with user, tenant, timestamp, and tool attribution — no AI action in RevWave is unlogged or unattributable. MFA (TOTP) is available for all users via Settings → Security.

In the event of a personal data breach, we will notify affected users and, where required by GDPR Article 33, the relevant supervisory authority within 72 hours of becoming aware. Our incident response runbook includes GDPR breach notification assessment procedures.

Cookies

We use essential cookies only. No advertising cookies. No third-party tracking scripts.

Cookie | Purpose | Type
sb-access-token | Supabase authentication session token. Required to keep you logged in. Set on sign-in, expires with session or after 1 hour (refreshed automatically). | Essential
sb-refresh-token | Supabase refresh token used to renew your session without requiring you to log in again. Required for a usable authenticated experience. | Essential

No advertising or tracking cookies. RevWave does not use Google Analytics, Facebook Pixel, or any other third-party advertising or behavioral tracking scripts on the authenticated platform. Cookie preferences can be managed in your browser settings. Blocking essential cookies will prevent you from staying logged in.

Contact & Policy Updates

How to reach us with privacy questions, and how we handle changes to this policy.

Privacy Inquiries

For questions about this privacy policy, data subject rights requests, or how we handle your personal data, contact our privacy team.

privacy@revwave.ai

Security Issues

For vulnerability reports and security concerns, use our dedicated security channel. 48-hour acknowledgment SLA, coordinated disclosure.

security@revwave.ai

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — changes that affect how we collect, use, or share personal data in ways that are less favorable to you — we will notify you by email at least 30 days before the change takes effect, giving you time to review and, if applicable, withdraw consent or close your account before the new terms apply.

For non-material changes (formatting, clarifications, contact information updates), we will update the effective date at the top of this page. The current version of this policy is always available at revwave.ai/privacy. Continued use of the platform after the effective date of a material change constitutes acceptance.

This policy was last updated and became effective on May 15, 2026.