Data Processing Agreement
Last updated: March 20, 2026
This DPA forms part of the Terms of Service and governs how Revly processes personal data on your behalf. By using Revly, you (the Controller) appoint Revly as your data Processor for visitor analytics.
What Revly Processes On Your Behalf
When visitors interact with a site where the Revly script is installed, the following signals are processed:
| Signal | How it's used | Stored? |
|---|---|---|
| IP address | Derive country/region; compute anonymized hash | Never β discarded immediately |
| User-Agent | Derive device, browser, OS | Only as aggregate (e.g. "Chrome / Mobile") |
| Page URL and referrer | Pageview and traffic source analytics | Yes |
| Visit timestamp | Time-based analytics | Yes |
How We Anonymize Visitor Data
Revly uses a daily rotating hash to count unique visitors without storing personal data:
SHA256(daily_salt + site_domain + ip_address + user_agent)
The daily_salt is regenerated every 24 hours and the old one is permanently deleted. This makes it impossible to re-identify visitors or correlate data across days. Raw IP addresses are never written to disk.
Revly's Commitments as Processor
- Process visitor data only to deliver the analytics service to you
- Keep all data confidential; restrict access to personnel who need it to operate the service
- Use encryption in transit (TLS) and at rest, with strict per-account access controls
- Notify you within 72 hours if we become aware of a breach affecting visitor data
- Delete all visitor-related data within 60 days of account closure (hash salts are deleted within 24 hours; aggregated analytics within 12 months)
- Assist you in responding to data subject requests to the extent technically feasible β note that Revly cannot identify individual visitors from anonymized data
- Make available on written request the information needed to verify compliance with this DPA
Subprocessors
We use third-party providers for database storage, in-memory caching, and hosting/CDN. A full named list is available on written request at contato@revly.app.
We will give you 14 days' advance notice by email before engaging a new subprocessor. If you object, you may terminate the service within that window for a prorated refund of any unused prepaid period.
Your Responsibilities as Controller
- Have a lawful basis to collect and process visitor data through the Revly script
- Inform your visitors about analytics collection as required by applicable law
- Not use the Revly script to collect personally identifiable information (names, emails, IDs, health data, etc.)
- Comply with all applicable data protection laws, including LGPD and GDPR where applicable
Under the LGPD, Revly acts as operador and you act as controlador as defined in Articles 5(VI) and 5(VII). Revly will cooperate with the ANPD as required by law.
Government and Legal Requests
Revly will only disclose visitor data to government authorities or law enforcement when strictly required by a legally binding order. We will notify the Controller of any such request to the extent permitted by law.
Survival and Governing Law
The confidentiality and data deletion obligations in this DPA survive the termination of the customer's account and the Terms of Service.
This DPA is governed by the same law as the Terms of Service. Questions: contato@revly.app