⚖️ LEGAL REVIEW REQUIRED. This draft is template content. Do not publish without sign-off from qualified data-protection counsel. Placeholders in {{double_braces}} must be completed, and jurisdiction-specific clauses must be confirmed.

Privacy Policy

Effective date: {{EFFECTIVE_DATE}}

This Privacy Policy describes how {{LEGAL_ENTITY}} ("we", "us", "Revsnap") collects, uses, shares, and protects personal data when you visit our websites, sign up for our service, or use the Revsnap product (the "Service").

This policy is written to comply with the UK GDPR, the EU GDPR (Regulation (EU) 2016/679), and the Privacy and Electronic Communications Regulations (PECR). If you are a California resident, additional disclosures are in the CCPA/CPRA Addendum below.

1. Who we are

  • Controller: {{LEGAL_ENTITY}}, registered at {{REGISTERED_ADDRESS}} (company number {{COMPANY_NUMBER}}).
  • Data protection contact: {{DPO_EMAIL}}
  • Lead supervisory authority: {{SUPERVISORY_AUTHORITY}}.
  • EU representative (Art. 27): {{EU_REP}} (complete if we are not established in the EU but offer the Service to EU data subjects).

For personal data we process on behalf of our customers (for example, end-user identifiers a customer puts into Revsnap, or Salesforce business data they connect to the Service), the customer is the controller and we are the processor. Those activities are governed by our Data Processing Agreement.

2. Personal data we collect

| Category | Examples | Source |
|---|---|---|
| Account data | Name, business email, password (hashed by Supabase Auth), workspace, role | You, when you sign up or are invited |
| Authentication artefacts | Session cookies, API keys (we store only a SHA-256 hash of the secret) | Generated when you use the Service |
| Salesforce connection metadata | Org ID, instance URL, OAuth scopes granted | Your Salesforce org, when you connect it |
| Customer-captured Salesforce data | The JSON payloads you explicitly capture as snapshots | Your Salesforce org, when you trigger a capture |
| Usage data | Pages visited, actions taken, feature usage (only with your consent) | Cookies / PostHog |
| Communications | Support tickets, emails to us | You |
| Billing data | Stripe customer ID, subscription metadata. We do not store card data; Stripe holds it. | You / Stripe |
| Audit trail | Workspace lifecycle events (invites, role changes, SSO events, API-key creation) | Generated by the Service |

We do not intentionally collect special-category data (health, biometric, etc.) and ask that you do not submit it to the Service.

3. How and why we use personal data

| Purpose | Lawful basis (UK / EU GDPR Art. 6) |
|---|---|
| To create and operate your account | Performance of a contract (Art. 6(1)(b)) |
| To deliver the core product (snapshot capture, test execution, billing) | Performance of a contract |
| To send transactional emails (invites, billing receipts, security notices) | Performance of a contract / legitimate interests |
| To prevent fraud, abuse, and security incidents | Legitimate interests (Art. 6(1)(f)) — protecting our service and customers |
| To comply with legal obligations (e.g., accounting, tax, regulator requests) | Legal obligation (Art. 6(1)(c)) |
| To improve the product via analytics | Consent (Art. 6(1)(a)) — analytics are off until you opt in |
| To send marketing communications | Consent — and you can withdraw it any time |

A complete record of processing activities is maintained internally per Art. 30 (ROPA).

4. Cookies and similar technologies

See the Cookie Policy. Strictly necessary cookies are set without consent; analytics and similar cookies are loaded only after you opt in via our consent banner.

5. Who we share personal data with

We do not sell personal data. We share it with:

  • Sub-processors who help us run the Service (Supabase, Vercel, Stripe, Resend, Upstash, PostHog) — see the live list at Sub-processors. Each is bound by a DPA.
  • Your own Salesforce org, by design — we authenticate back into it to read the data you ask us to read.
  • Authorities / advisers, when required by law, a binding regulator request, or to protect rights.
  • Successors, if {{LEGAL_ENTITY}} is acquired, merged, or restructured — subject to equivalent protections.

6. International transfers

Personal data may be transferred outside your country to provide the Service. Where transfers occur from the UK / EEA to a country without an adequacy decision, we rely on:

  • EU Standard Contractual Clauses (Module 2, controller-to-processor), and
  • the UK International Data Transfer Addendum (UK IDTA) where the UK GDPR applies.

Copies of the transfer instruments in place are available on request at {{DPO_EMAIL}}.

7. Retention

We retain personal data for as long as necessary for the purpose for which it was collected, plus any period required by law. The full schedule is in the Data Retention Schedule. Summary:

  • Account data: while your account is active; then 90 days after closure (so it can be restored on request) and then deleted.
  • Snapshots and test runs: under your control during the lifetime of your subscription; deleted 30 days after subscription end.
  • Billing records: 6 years after the end of the relevant accounting period (UK statutory).
  • Audit logs: 12 months online, longer on cold storage if required for regulator response.

8. Your rights

Under the UK / EU GDPR you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • request deletion ("right to be forgotten") subject to legal exceptions;
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent where consent is the lawful basis (without affecting prior processing);
  • lodge a complaint with your supervisory authority (e.g., the UK ICO at https://ico.org.uk).

To exercise any right, email {{DPO_EMAIL}}. We respond within one month (extendable by two months for complex requests, with notification). We may need to verify your identity before acting.

9. Automated decision-making

We do not make decisions producing legal or similarly significant effects about you using solely automated processing.

10. Children

The Service is intended for business use. We do not knowingly collect personal data from children under 16.

11. Security

We maintain technical and organisational measures appropriate to the risk. A summary of our controls is in the Security Whitepaper.

12. Changes to this policy

Material changes are notified in-product and by email to account owners at least 30 days before they take effect, where the change requires renewed consent or a substantive opt-out. Version history is in CHANGELOG.

13. Contact

{{DPO_EMAIL}} — for any privacy question or to exercise your rights. {{LEGAL_EMAIL}} — for contractual matters.


CCPA / CPRA Addendum (California residents)

If you reside in California, the following additional disclosures apply.

  • Categories of personal information collected: identifiers, internet/network activity, commercial information, professional/employment information (limited to your job title at signup).
  • Sources: you, your employer or invitee, our service providers, and your Salesforce org.
  • Purposes: as set out in §3 above.
  • Disclosed for a business purpose to: our sub-processors (§5).
  • Sold or shared: No. We have not sold or "shared" (as defined under the CPRA) personal information in the preceding 12 months.
  • Your rights: the right to know, delete, correct, limit use of sensitive personal information, opt out of sharing, and non-discrimination. Email {{DPO_EMAIL}} to exercise them.

We do not knowingly process the personal information of California consumers under 16 for sale or sharing.

Last reviewed: 2026-05-15

⚖️ LEGAL REVIEW REQUIRED. Counsel should confirm PECR / ePrivacy alignment and the consent banner copy.

Cookie Policy

Effective date: {{EFFECTIVE_DATE}}

This Cookie Policy explains how {{LEGAL_ENTITY}} uses cookies and similar technologies on the Revsnap product and marketing sites. It is published in addition to the Privacy Policy.

1. What are cookies?

A cookie is a small file stored on your device when you visit a website. Cookies allow the site to remember actions and preferences. We also use similar technologies such as local storage and pixel tags; we refer to all of them as "cookies" here.

2. Categories we use

| Category | Examples | Lawful basis | Set when? |
|---|---|---|---|
| Strictly necessary | Supabase Auth session cookie, PKCE code-verifier cookie for Salesforce OAuth, CSRF protection, consent state | Necessary for the Service to function (no consent required under PECR) | Always |
| Functional | UI preferences (e.g., theme, last-used filters) | Necessary or consent | When you set the preference |
| Analytics | PostHog cookies for product analytics | Consent | Only after you opt in |
| Marketing | None at present | n/a | n/a |

We do not use cross-site advertising cookies.

3. Consent

When you first visit the Service, we present a consent banner. Strictly necessary cookies are set without consent because they are required to operate the Service. You can opt in or out of analytics at any time:

  • Click "Cookie settings" in the footer or in your account settings.
  • You can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing already carried out.

Your consent state is recorded so we do not ask again on every visit. We re-prompt when material changes are made to the categories of cookies used.

4. Sub-processors using cookies on our behalf

| Sub-processor | Purpose | Notes |
|---|---|---|
| Supabase | Authentication session cookies | Strictly necessary. Set only when signed in. |
| PostHog | Product analytics | Only after consent. Served via a first-party /ingest proxy from our domain so traffic does not directly touch the PostHog domain from your browser. |
| Vercel | Edge platform cookies for routing and abuse prevention | Strictly necessary. |
| Stripe | Cookies on Stripe-hosted Checkout / Customer Portal pages | These are set by Stripe on their own domains during checkout. Stripe's own cookie policy applies. |

5. Your choices

You can control cookies in your browser. Most browsers let you:

  • block all cookies,
  • delete existing cookies, and
  • be notified when a cookie is set.

If you block strictly necessary cookies, parts of the Service will not work.

6. Changes

We will update this policy when we change the cookies we use. Material changes are reflected in our consent banner and may require renewed consent.

7. Contact

{{DPO_EMAIL}}.

Last reviewed: 2026-05-15