Legal

Privacy Policy

A compact view of what Revelar processes, why it is needed, how long it is kept, and how to exercise your rights.

Last updated: 2026-05-03

1. Data Controller

Revelar is responsible for the processing of account and product data it controls. For privacy inquiries, contact privacy@revelar.xyz. For support, contact support@revelar.xyz.

2. Data We Process

Account Data

Email address, authentication identifiers, profile fields, settings, billing state, and organization membership data.

Workspace Report Text

Report text can be processed during active AI and dictation workflows, but Revelar does not keep it as a server-side report archive.

Usage Metadata

Product, billing, credit, and safety metadata needed to run the service.

Technical Data

Session, device, diagnostic, and security metadata needed for authentication, abuse prevention, debugging, and reliability.

3. Legal Basis

Service Delivery

Processing needed to provide the reporting workspace, AI assistance, dictation, and organization features.

Contract

Processing needed for account access, auth email, billing, settings, support, and security.

Consent

Marketing communications are consent-based where required and can be withdrawn.

4. Retention

  • Workspace report text: Active local session, not kept as server archive
  • AI edit review state: Active local session
  • Account data: Until deletion request or account lifecycle need
  • Security and diagnostic metadata: As needed for security, reliability, and legal obligations

5. Your Rights

To exercise these rights, email privacy@revelar.xyz or use the account data export page.

  • Access your personal data through the data export feature or privacy request.
  • Request correction of inaccurate personal data.
  • Request deletion of your account and personal data, subject to legal retention duties.
  • Receive exportable account data in JSON format.
  • Object to processing where applicable.
  • Withdraw consent for marketing communications at any time.

7. AI Processing

AI requests may process current report text when the user asks for assistance. Vendor retention and no-training evidence is tracked per AI route before stronger public claims are made.

8. Processors

Supabase

Authentication, database, account data, organization data, and RLS-backed storage.

Vercel

Hosting, serverless runtime, and deployment infrastructure.

Google

OAuth sign-in where users choose Google authentication.

Resend

Authentication email through Supabase SMTP and support email from support@revelar.xyz. Email must not contain clinical report content.

12. Cookies and local storage

Revelar uses necessary authentication cookies and local browser storage for requested product functions such as sessions, workspace state, language, organization selection, and first-use warnings. Non-essential analytics or marketing trackers should not be used without the required consent and a published inventory.

9. International Transfers

Revelar uses EU-first processing where documented, including configured realtime dictation routes and Resend domain sending from Ireland. Provider support, account data, email metadata, and logs may involve processing outside the EU, so this is not an EU-only residency claim. Customer DPA, subprocessor list, and transfer mechanisms still need to be published before stronger transfer claims are made.

10. Security Measures

  • TLS in transit and managed provider encryption for hosted infrastructure.
  • Row-Level Security and membership checks for account and organization-backed data.
  • Workspace inactivity controls clear local workspace state.
  • Workspace report text is not kept as a server-side report archive.

6. Contact

For privacy inquiries, data subject requests, DPA questions, or complaints, contact our privacy mailbox.

privacy@revelar.xyz

11. Updates

This privacy notice may be updated as the product, processor list, DPA, and clinical deployment posture mature.