Privacy Policy & GDPR
1. Data Controller
The data controller for personal data processed through RevHapi is:
- Company: Waldroid Digital Ltd
- Registered in: England and Wales
- Email: contact@revhapi.com
- Website: revhapi.com
If you have questions about how we handle your personal data, please contact us at the email address above.
2. Data We Collect
Account data
When you register, we collect your email address, name (if provided), and encrypted password. We also store your subscription tier and billing status.
Platform connection data
When you connect advertising platforms (Meta, Google Ads, AdSense, Ad Manager), we store OAuth tokens required to fetch your ad data from those platforms. We do not store your platform passwords.
Ad performance data
We fetch and store revenue, spend, impression, and click data from your connected ad platforms. This data belongs to you and relates to your business activity, not to personal information about individuals.
Usage data
We may collect anonymised usage data such as feature interactions, page views, and error logs to improve the Service.
Payment data
Payments are processed by Stripe. We do not store full card details. We retain billing history (invoice amounts, dates, subscription tier) for legal and accounting purposes.
Support data
If you contact support, we retain the content of your messages and any attachments to help resolve your issue.
Cookies
We use cookies as described in our Cookie Policy.
3. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Providing the platform and your account | Contract |
| Processing payments | Contract |
| Fetching your ad platform data via OAuth | Contract |
| Sending transactional emails (invoices, alerts) | Contract |
| Security monitoring and fraud prevention | Legitimate Interest |
| Improving the Service via anonymised analytics | Legitimate Interest |
| Marketing emails and product updates | |
| Analytics cookies (Google Analytics) |
4. How We Use Your Data
We use the data we collect to:
- Create and maintain your account
- Fetch, process, and display your ad platform data in the dashboard
- Process subscription payments and send invoices
- Provide customer support
- Send essential service communications (security alerts, billing notifications)
- Send product updates and marketing emails where you have consented
- Detect and prevent fraud and abuse
- Improve and develop the Service using aggregated, anonymised data
- Comply with legal obligations
We do not use your data for automated decision-making or profiling that produces legal effects.
5. Sharing Your Data
We do not sell your personal data. We share data only with the following categories of recipients:
- Supabase — Our database and authentication provider. Data is stored in Supabase's infrastructure.
- Stripe — Payment processing. Subject to Stripe's privacy policy.
- Vercel — Hosting and serverless functions. Data may transit Vercel's infrastructure.
- Google / Meta — We interact with their APIs on your behalf to retrieve your data. We do not share your RevHapi account data with them.
- Legal authorities — Where required by law or to protect our legal rights.
All third-party processors are required to handle your data in accordance with applicable data protection law.
6. Data Retention
We retain your personal data for as long as your account is active or as necessary to provide the Service.
- Account data: Retained while your account is active. Deleted within 90 days of account deletion request.
- Ad performance data: Retained while your account is active. Deleted with your account.
- Billing records: Retained for 7 years for legal and tax compliance.
- Support communications: Retained for 2 years after resolution.
- Backups: Encrypted backups may retain data for up to 30 days after deletion.
7. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security policies in our database
- OAuth token encryption
- Strict access controls — only authorised personnel can access production systems
- Regular security reviews of our infrastructure
While we take security seriously, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please disclose it responsibly to contact@revhapi.com.
8. International Data Transfers
Our service infrastructure (Supabase, Vercel) may involve transfers of personal data outside the UK and European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions, as required by UK GDPR and EU GDPR.
9. Your Rights
Under UK GDPR and EU GDPR, you have the following rights:
To exercise any of these rights, please contact us at contact@revhapi.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local supervisory authority in the EU.
10. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service prior to the changes taking effect. The "Last updated" date at the top of this page shows when the policy was most recently revised.
Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
12. Contact & Data Protection
For any privacy-related enquiries, data subject rights requests, or to raise a concern about our data practices, please contact us:
- Email: contact@revhapi.com
- Contact page: revhapi.com/contact
- Company: Waldroid Digital Ltd, England and Wales
We take privacy enquiries seriously and aim to respond within 5 business days, and no later than 30 days as required by applicable law.
If you are not satisfied with our response, you have the right to complain to a supervisory authority. In the UK this is the Information Commissioner's Office (ICO).