Privacy Policy

Last updated: April 30, 2026

This policy explains what information Revdoku collects, why, and what we do with it. We have kept it short and in plain language.

What we collect

Account information. When you sign up, we collect your email address, your name (optional), and a hashed password. If you pay for a plan, our payment processor collects your billing details — we never see your full card number.

Documents and content. When you upload a document or generate a report, we store the content so we can provide the Service to you. You can delete documents and reports at any time.

Usage data. We log events such as sign-ins, uploads, reviews, and shared-link views. We use this to operate the Service, debug issues, and detect abuse.

Technical data. We collect IP address, browser, OS, and pages visited. We use cookies and similar technology to keep you signed in and to measure aggregate usage.

How we use it

• To provide, operate, and improve the Service.
• To run AI document review (see AI processing below).
• To bill you and prevent fraud.
• To detect, investigate, and respond to abuse — including automated scanning of shared reports, third-party safety services, and human review when content is flagged to us.
• To send transactional emails (e.g., receipts, security notices). We send marketing email only if you opt in.
• To comply with legal obligations.

AI processing

Document review is performed using third-party AI models. We currently use Google Gemini, Anthropic Claude, and OpenAI models. Models are accessed directly via cloud APIs (Google Cloud, Amazon Bedrock) and through OpenRouter, an AI API gateway that routes requests to model providers. All providers operate under commercial API terms that prohibit using your content to train their models and do not retain your content beyond what is needed to return a response. See our Security page for more.

Trust and safety

We scan content made publicly accessible through shared report links to detect serious abuse — including malware, known illegal content, and material prohibited by our Acceptable Use Policy. Confirmed child sexual abuse material (CSAM) is reported to the National Center for Missing & Exploited Children (NCMEC) as required by U.S. law (18 U.S.C. § 2258A).

We do not actively monitor private (unshared) content. Keeping uploaded content compliant with our AUP and applicable law is your responsibility. We may access private content only to investigate a security incident, respond to a support request you make, or comply with valid legal process.

Sharing

We do not sell your personal information.

We share information only with:

• Service providers that help us operate the Service (hosting, payment processing, AI providers, customer support tools), under contracts that limit their use of your data.
• Authorities or third parties when required by law (subpoena, court order) or to protect rights, safety, or security.
• Successors in the event of a merger, acquisition, or asset sale.

When you generate a shared report link, anyone you give the link to can view the report contents. That is by design — you control the link.

Data location

Production data is stored in the United States (Amazon AWS). EU hosting is on the roadmap.

Retention

We keep account and content data while your account is active. After deletion, content is removed from active systems within 30 days; backups roll off within 90 days. We may retain limited records longer where required by law (e.g., tax records).

Your rights

Depending on where you live, you may have the right to:

• Access the data we hold about you.
• Correct or update it.
• Delete it.
• Object to or restrict certain processing.
• Receive an export of it.
• Withdraw consent (where processing is based on consent).

California residents have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of “sales” or “sharing.” We do not sell or share personal information for cross-context behavioral advertising.

EU/UK residents have rights under GDPR. The legal bases for our processing are contract (to provide the Service), legitimate interests (to operate and secure it), and consent (where applicable).

To exercise any right, email [email protected].

HIPAA

For Enterprise customers handling protected health information (PHI), we offer HIPAA-compliant configuration and a Business Associate Agreement (BAA). See our HIPAA page.

Children

The Service is not intended for children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact [email protected] and we will delete it.

Security

We use encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and audit logging. No system is perfectly secure, but we work to limit risk. See our Security page for more.

Changes

We may update this policy. Material changes take effect when we update the “Last updated” date. We will notify active users by email of significant changes.

Contact

• Privacy questions, rights requests, and abuse reports: [email protected]
• General: https://revdoku.com