Privacy Policy
Last updated: March 20, 2026
This Privacy Policy explains how Revly (revly.app) collects, uses, and protects data. It covers two distinct groups: website visitors (people who visit sites that use the Revly script) and customers (people who create a Revly account).
Website Visitors
What we don't collect
Revly's tracking script does not collect personally identifiable information and does not enable cross-site tracking. It uses two first-party cookies strictly for essential analytics (visitor and session identification), with no advertising or third-party cookies.
We do not collect or store: full IP addresses, third-party tracking cookies, persistent device fingerprints, names, emails, national IDs, or any PII from visitors.
What the script does collect
- Page URL and referrer (traffic source)
- Device type, OS, and browser (aggregated only, not fingerprinted)
- Country and region (derived from IP geolocation; the IP is not stored)
- Visit timestamp
- Anonymized daily fingerprint: a hash of daily_salt + site_domain + ip + user_agent. The salt rotates every 24 hours and old salts are permanently deleted, making it impossible to track individuals across days
- Custom events sent by the site owner via the tracker API
- Session data: duration and pages visited
First-party cookies
The tracking script sets two first-party cookies in the visitor's browser:
| Cookie | Purpose | Expiry |
|---|---|---|
| _revly_vid | Visitor identification: distinguishes returning visitors | 1 year (renewed on each pageview) |
| _revly_sid | Session grouping: groups pageviews into a single visit | 30 minutes of inactivity |
Both cookies contain only a random opaque identifier and no personally identifiable information. They are first-party (set by the site's own domain via JavaScript), use SameSite=Lax, and are never used for cross-site tracking.
Depending on your jurisdiction (e.g., ePrivacy Directive, LGPD), you may need to inform visitors and obtain consent for using client-side storage.
The legal basis for processing visitor signals is legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7(IX)), specifically the need to derive aggregated, non-identifying analytics. IP addresses are used only transiently and never stored.
The website owner (customer) is the data controller for visitor analytics. Revly acts as data processor. See our Data Processing Agreement.
Visitor data retention
IP addresses are never stored. Daily hash salts are deleted every 24 hours. Aggregated analytics data is retained for the duration of the customer's account plus up to 12 months after account closure.
Customers (Account Holders)
What we collect
When you create a Revly account:
- Name and email address
- Authentication and session data (session tokens, login timestamps)
- Registered websites (domains)
- Billing data, processed by our payment provider (we do not store credit card numbers)
- Dashboard access logs and actions on the platform
- IP address and device info for security and fraud prevention
We process this data to run the service (contract performance), for security (legitimate interest), and to comply with legal obligations. We do not sell your data.
Customer data retention
| Data | Retention |
|---|---|
| Account data (name, email, domains) | Account duration + 60 days after closure |
| Billing and transaction records | 5 years (Brazilian fiscal law) |
| Access and security logs | 6 months (rolling) |
| Analytics data | Account duration + 12 months after closure |
General
Data sharing
We do not share personal data with third parties except when required by law or with essential service providers (subprocessors) under confidentiality agreements. We engage providers for database storage, caching, hosting, payment processing, email delivery, and authentication. A full named list is available on written request. Changes to subprocessors are communicated in the DPA.
Some subprocessors are located in the United States. For transfers outside Brazil and the EEA we rely on Standard Contractual Clauses or equivalent safeguards.
Cookies
Revly does not use advertising or third-party tracking cookies. We use:
- A session cookie to keep you logged in to the dashboard (HttpOnly, SameSite, Secure).
- Two first-party analytics cookies (_revly_vid and _revly_sid) set by the tracking script on your visitors' sites; see the "First-party cookies" section above.
Emails
We use a third-party provider for transactional emails (account confirmation, alerts, billing receipts). We do not use email tracking pixels. Delivery is not guaranteed and may be affected by spam filters or provider settings.
Your rights (LGPD / GDPR)
You have the right to access, correct, delete, or export your personal data, object to processing, and withdraw consent at any time. To exercise any of these rights, email contato@revly.app; we respond within 15 business days (LGPD) or 30 calendar days (GDPR).
If you are a visitor on a site that uses Revly, contact the site owner directly; they are the data controller and Revly cannot identify you individually from anonymized data.
In the event of a breach likely to affect your data, we will notify you and the relevant authority (ANPD and/or EU supervisory authority) within 72 hours.
Contact
contato@revly.app. You also have the right to file a complaint with the ANPD (Brazilian National Data Protection Authority) or the relevant EU supervisory authority.