Privacy Policy

Revelara AI LLC ("Revelara AI," "we," "us," or "our") operates the Revelara platform and website at revelara.ai (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our Service.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information. When you create an account, we collect information you provide directly, including your name, email address, company name, job title, and password.

1.2 Payment and Billing Information. If you subscribe to a paid plan, we collect billing details such as your name, billing address, and payment method. Payment processing is handled by our third-party payment processor (currently Stripe, Inc.), and we do not store full credit card numbers on our systems.

1.3 Customer Data. Through your use of the Service, you may submit or connect data sources that include:

• Postmortem and incident report data
• Source code repository metadata (such as git commit hashes, file paths, and change summaries)
• Identified reliability risks and evidence of risk resolution
• Other operational or reliability-related information you choose to provide

We refer to this collectively as "Customer Data." You retain ownership of your Customer Data at all times.

1.4 Usage Data. We automatically collect information about how you interact with the Service, including pages viewed, features used, timestamps, browser type, operating system, IP address, and referring URLs.

1.5 Cookies and Similar Technologies. We use cookies, local storage, and similar tracking technologies to maintain your session, remember your preferences, and understand how the Service is used. You can control cookie settings through your browser, though some features of the Service may not function properly without them.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process transactions and send related information (confirmations, invoices)
• Scan your connected codebases and data sources to identify reliability risks and track their resolution
• Send you technical notices, updates, security alerts, and administrative messages
• Respond to your requests, comments, and questions
• Monitor and analyze usage trends to improve the user experience
• Detect, investigate, and prevent fraud or other harmful activity
• Comply with legal obligations

We do not use your Customer Data to train machine learning models or for any purpose other than providing the Service to you, unless you give us explicit written consent.

3. Analytics

We use PostHog for product analytics to understand how visitors interact with our website and Service. PostHog collects usage data such as page views, clicks, and session information. You can learn more about PostHog's privacy practices at posthog.com/privacy.

4. Third-Party Integrations and Limited Use Compliance

The Service offers optional integrations that allow you to connect third-party accounts so Revelara AI can access data necessary to provide reliability risk analysis. You authorize each integration explicitly through the third party's standard authorization flow (typically OAuth), and you may disconnect any integration at any time from your account settings.

The integrations we currently support, the data we access, and how we use it are described below. We do not access more data than is necessary to provide the user-facing features described here.

4.1 Google Drive. When you connect Google Drive, we request the following OAuth scopes:

• https://www.googleapis.com/auth/drive.file (non-sensitive): per-file access to documents you explicitly select via Google's Picker UI. We use this to support the "Select files" experience for ingesting individual postmortems or incident reports.
• https://www.googleapis.com/auth/drive.readonly (restricted): read-only access to your Google Drive content. We use this only to support the "Sync a folder" experience, where you designate a Drive folder containing postmortems or incident reports and we periodically read the contents of that folder so newly added documents are picked up automatically.

We download document content from Drive into Revelara AI's storage and process it to extract reliability signals (for example, incident summaries, contributing factors, and remediation notes).

Google API Services User Data Policy — Limited Use disclosure. Revelara AI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide or improve user-facing features that are prominent in the Service's user experience.
• We do not use Google user data for advertising purposes of any kind.
• We do not sell Google user data.
• We do not use Google Workspace data, including Drive content accessed via OAuth, to develop, improve, or train generalized AI/ML models. This restriction is unconditional and is not subject to user opt-in.
• We do not allow humans to read your Google user data, except: (a) with your explicit consent for specific documents; (b) where necessary for security purposes (such as investigating abuse or a security incident); (c) where necessary to comply with applicable law; (d) where the data has been aggregated and de-identified for internal operational use; or (e) where you have asked us to look at specific data to debug a customer-reported issue.
• We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features (for example, our cloud hosting and storage providers, listed in Section 5), to comply with applicable laws, or as part of a merger, acquisition, or sale of assets where the acquirer agrees to honor these same commitments.

Disconnect and deletion for Google Drive. When you disconnect Google Drive from your Revelara AI account, or when we detect that you have revoked Revelara AI's access from your Google account (at myaccount.google.com/permissions), we will delete all documents and document-derived data (including embeddings, extracted facts, and search indices) ingested from your Drive within 30 days. If you later reconnect, we re-ingest from scratch; we do not retain prior state across a disconnect. We may retain data longer only where required by law, and in such cases the data remains subject to all the Limited Use commitments above.

4.2 JIRA (Atlassian). When you connect JIRA, we request the OAuth scopes read:jira-work, write:jira-work, manage:jira-webhook, and offline_access. We use these to: read issues you have labeled for tracking by Revelara AI (typically scoped via a JQL filter such as labels = revelara); create or update issues that represent reliability risks and remediation work; register and manage webhooks so we receive change events for those issues; and refresh access tokens in the background so the integration continues to work without re-prompting you. We do not read JIRA issues that fall outside the scope you configure.

4.3 Linear. When you connect Linear, we request the OAuth scopes read and write. We use these to read issues from teams and labels you designate for tracking, and to create or update issues that represent reliability risks and remediation work. We rely on Linear's workspace-level webhook to receive change events.

4.4 Notion. When you connect Notion, you grant Revelara AI access to specific pages or databases you select through Notion's standard integration authorization flow. We use this access to read postmortem and incident pages from the locations you designate. Notion does not use OAuth scope strings; access is governed by the page-level permissions you grant at the time of connection.

4.5 GitHub. Revelara AI is installed as a GitHub App on the repositories you select. We use this installation to create and update GitHub Issues that represent risk remediation work, and to attach evidence (such as commit hashes or pull request URLs) when those issues close. We do not access repository source code beyond what is needed to read commit metadata associated with linked issues.

4.6 Slack. When you connect Slack, you provide a bot token from a Slack App that grants Revelara AI permission to post messages to channels you designate. The Slack integration is outbound only: we send risk alerts and lifecycle notifications to your Slack workspace. We do not read messages, channels, or user data from your Slack workspace.

4.7 Disconnect and deletion for non-Google integrations. When you disconnect a non-Google integration, we delete the access tokens immediately and delete any data ingested from that integration within 30 days, on the same basis described above for Google Drive. Reconnect after disconnect performs a fresh sync.

5. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

Service Providers (Subprocessors). We share information with third-party vendors who perform services on our behalf. Our current subprocessors are:

• Google Cloud Platform (Google LLC) — cloud hosting, compute, and storage of all Customer Data; located in the United States.
• Vertex AI / Google Gemini (Google LLC) — large language model inference for risk analysis features. Inputs and outputs are not used by Google to train Google's foundation models under our enterprise terms.
• WorkOS, Inc. — single sign-on and authentication (Google, GitHub, Microsoft OAuth, and SAML).
• Stripe, Inc. — payment processing and billing for paid Subscriptions.
• Resend — transactional email delivery (account verification, billing, security notices).
• PostHog, Inc. — product analytics, as described in Section 3.

Each subprocessor is contractually obligated to use your information only as necessary to provide their services to us, and to apply security and confidentiality protections consistent with this Privacy Policy. We will update this list when we add or remove a subprocessor.

Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or governmental request.

Business Transfers. If Revelara AI is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control. Any acquirer will be required to honor the Limited Use commitments in Section 4 with respect to data received from Google APIs.

With Your Consent. We may share information with third parties when you have given us explicit consent to do so.

6. Data Security

We implement industry-standard technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These include encryption of data in transit (TLS) and at rest, access controls and authentication requirements, regular security assessments, and audit logging of access to Customer Data.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

7. Data Retention

We retain your account information for as long as your account is active or as needed to provide the Service. Customer Data ingested from third-party integrations is retained for the duration of your subscription and is deleted within 30 days of either (a) you disconnecting the integration or revoking our access at the third party, or (b) account termination, except where we are required by law to retain it. Other Customer Data is deleted within 90 days of account termination.

Usage data and analytics may be retained in aggregated, de-identified form indefinitely.

8. Your Rights and Choices

8.1 All Users. You may update or correct your account information at any time by logging into your account. You may disconnect any third-party integration at any time from your account settings, which triggers the deletion process described in Sections 4 and 7. You may request deletion of your account by contacting us at privacy@revelara.ai; we will process such requests within 30 days. You may opt out of non-essential communications by using the unsubscribe link in our emails.

8.2 California Residents (CCPA/CPRA). If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Request correction of inaccurate personal information
• Opt out of the sale or sharing of personal information (we do not sell personal information)
• Not be discriminated against for exercising your rights

To exercise these rights, contact us at privacy@revelara.ai. We will verify your identity before processing your request.

8.3 European Economic Area, United Kingdom, and Swiss Residents (GDPR/UK GDPR). If you are located in the EEA, UK, or Switzerland, the following additional provisions apply:

Legal Basis for Processing. We process your personal data on the following legal bases: performance of our contract with you (to provide the Service), our legitimate interests (to improve the Service, prevent fraud, and communicate with you), your consent (where you have provided it, such as for marketing communications), and compliance with legal obligations.

Your Rights. You have the right to:

• Access your personal data
• Rectify inaccurate personal data
• Request erasure of your personal data
• Restrict processing of your personal data
• Data portability (receive your data in a structured, machine-readable format)
• Object to processing based on legitimate interests
• Withdraw consent at any time where processing is based on consent

International Transfers. Your data is processed and stored in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our transfer mechanism for data transferred from the EEA/UK to the US. By using the Service, you acknowledge this transfer.

Data Protection Inquiries. For GDPR-related inquiries, contact us at privacy@revelara.ai.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@revelara.ai.

10. Third-Party Links

The Service may contain links to third-party websites. This Privacy Policy does not apply to those third parties. The third-party data integrations we offer (such as Google Drive, JIRA, Linear, Slack, GitHub, and Notion) are governed by Section 4 of this Privacy Policy as well as by the third party's own terms and privacy policy. We encourage you to review the third party's privacy policy before connecting your account.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Revelara AI LLC
Email: privacy@revelara.ai
Website: https://revelara.ai