Privacy Policy
Effective date: February 5, 2026 · Last updated: February 5, 2026
Revoly is operated by an individual entrepreneur based in Portugal, EU.
Beta The Service is currently in public beta.
1. Overview & Data Controller
Revoly.ai ("we", "us", "our", "Revoly") is an AI-powered personal assistant that connects to your email, calendar, messaging apps, and browses the web to perform tasks on your behalf. This Privacy Policy explains what data we collect, why we collect it, the legal basis for processing, and your rights regarding your data.
Data Controller: The data controller for the purposes of GDPR and applicable data protection laws is the individual entrepreneur operating Revoly.ai, based in Portugal, EU. You can reach us at hello@revoly.ai.
We believe in being direct: to work as your AI assistant, Revoly needs access to sensitive data like your emails, calendar, and messages. We treat this responsibility seriously. Your data is used only to provide the Service to you, is never used to train AI models, is never shared between users, and is never sold.
This Privacy Policy should be read together with our Terms of Service.
2. Data We Collect
2.1 Account information
- Name, email address, and profile picture (via Google login through Clerk)
- Authentication tokens and session data managed by Clerk
- Payment information processed by Stripe (we do not store credit card numbers — Stripe handles all payment data directly)
- Billing history and subscription status
2.2 Email data (Gmail)
When you connect your Gmail account, with your explicit consent, Revoly accesses and processes:
- Incoming and outgoing email content (body text and subject lines)
- Email metadata: sender, recipient(s), timestamps, labels, thread identifiers
- Email attachments when relevant to the AI Agent's tasks
- Contact information of email correspondents (names and email addresses)
Revoly accesses your Gmail data only when you initiate a task, request information, or have explicitly enabled an automation (such as inbox digests or auto-filtering). We do not passively scan or monitor your inbox in the background without your active configuration.
The AI Agent may read, filter, prioritize, draft, and send emails on your behalf using your connected Gmail account.
2.3 Calendar data (Google Calendar)
When you connect your Google Calendar, with your explicit consent, Revoly accesses and processes:
- Event details: title, description, location, date/time, duration
- Attendee information: names and email addresses
- Reminders, recurrence rules, and event status
- Free/busy information
Revoly accesses your calendar data only when you initiate a task, ask about your schedule, or have explicitly enabled calendar automations.
The AI Agent may read, create, modify, reschedule, and cancel calendar events on your behalf.
2.4 Messaging data (Telegram)
When you connect the Revoly Telegram bot, Revoly accesses and processes:
- Messages you send to and receive from the Revoly bot
- Your Telegram user ID and username
- Message timestamps and metadata
2.5 Web browsing data
When you instruct the AI Agent to perform web research or browse websites:
- URLs of websites visited by the AI Agent on your behalf
- Content extracted from visited web pages (text, data, and relevant information)
- Search queries performed on your behalf
Web browsing is performed within isolated environments for each user. The AI Agent does not interact with websites using your personal browser session or credentials (other than connected services).
2.6 AI memory & conversation data
- Conversations with Revoly (your requests, instructions, and the AI Agent's responses)
- AI memory: learned preferences, patterns, writing style, routines, and context derived from your interactions to improve personalization over time
- OAuth tokens for connected services (stored encrypted)
2.7 Usage and technical data
- Feature usage patterns, interaction logs, and error reports
- Device type, browser type, operating system, and screen resolution
- IP address and approximate geographic location (derived from IP)
- Timestamps of actions and API requests
2.8 Future integrations & extensible capabilities
Revoly is built on an extensible AI agent platform. New integrations and tools may be added over time (such as additional messaging platforms, CRM tools, project management services, or other third-party applications). When new integrations become available:
- Each integration will require your explicit consent before we access any data from the new service
- We will request only the minimum permissions necessary for each integration
- The data protection principles described in this Privacy Policy (data isolation, no model training, no cross-user access, encryption) apply equally to all current and future integrations
- We will update this Privacy Policy and our sub-processors list when new integrations involve sharing your data with additional third-party services
- You can disconnect any integration at any time through your account settings
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal bases under GDPR Article 6(1):
| Data category | Purpose | Legal basis |
|---|---|---|
| Account information | Account creation, authentication, service provision | Contract performance (Art. 6(1)(b)) |
| Payment & billing data | Payment processing, subscription management | Contract performance (Art. 6(1)(b)) |
| Gmail data | Email management by AI Agent (reading, drafting, sending) | Consent (Art. 6(1)(a)) — granted when you connect Gmail |
| Google Calendar data | Calendar management by AI Agent | Consent (Art. 6(1)(a)) — granted when you connect Calendar |
| Telegram messages | Messaging interface with AI Agent | Consent (Art. 6(1)(a)) — granted when you connect Telegram |
| Web browsing data | Web research and information retrieval on your behalf | Contract performance (Art. 6(1)(b)) |
| AI memory & conversation data | Personalization, service delivery, context retention | Contract performance (Art. 6(1)(b)) |
| Usage & technical data | Service improvement, security monitoring, bug detection | Legitimate interest (Art. 6(1)(f)) |
| Tax & accounting records | Legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
Withdrawing consent: Where processing is based on consent (connected services), you may withdraw your consent at any time by disconnecting the relevant service in your Revoly account settings. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
4. How We Use Your Data
We use your data for the following purposes:
- Service delivery: Operating the AI Agent to perform tasks you request — reading emails, managing calendars, sending messages, browsing the web, and other automated actions
- Personalization: Building AI memory based on your preferences, writing style, and routines so the AI Agent becomes more useful over time
- Service improvement: Identifying and fixing bugs, improving reliability and performance, and developing new features
- Security: Detecting and preventing fraud, abuse, unauthorized access, and security threats
- Communication: Sending service-related notices (e.g., billing confirmations, security alerts, Terms updates). We will never send marketing communications without your explicit consent
- Legal compliance: Fulfilling tax, accounting, and regulatory obligations
We do not:
- Sell your data to anyone, under any circumstances
- Use your data to train AI models (neither our own nor third-party models)
- Share your data between users — each user's data is completely isolated
- Use your email, calendar, or message content for advertising, marketing, or profiling for advertising purposes
- Provide your data to data brokers or advertising networks
5. AI Processing & Anthropic
Revoly uses Claude, made by Anthropic, to understand your requests and generate responses. This means your messages and relevant context (such as email content, calendar data, or web page content) are sent to Anthropic's API for real-time processing.
How data flows to Anthropic
- When you interact with the AI Agent, your input and relevant context are sent to the Anthropic API
- We send only the data necessary for the specific task — we do not send your entire inbox or calendar to Anthropic
- Anthropic processes the data and returns a response, which the AI Agent uses to take actions or generate outputs
Anthropic's data handling
- We use Anthropic's commercial API, which does not use your data for AI model training (per Anthropic's API data policy)
- Data sent to Anthropic is processed in real-time and is not permanently retained by Anthropic beyond what is necessary for the API request, subject to Anthropic's data retention policies for safety, abuse prevention, and legal compliance (typically up to 30 days)
- Anthropic acts as a data processor (sub-processor) under our instruction
AI Agent actions
Revoly's AI Agent can perform actions on your behalf, including sending emails, managing calendar events, responding to messages, and browsing the web. You are ultimately responsible for all actions the AI Agent takes through your connected accounts. We strongly recommend reviewing AI-generated content before it is sent to third parties. See our Terms of Service §6 for details on AI Agent responsibilities.
6. Google API Services & User Data
Revoly's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Limited Use compliance
- We only use Google user data to provide and improve the Service's user-facing features visible and accessible to you
- We do not transfer Google user data to third parties except: (a) to Anthropic for AI processing to deliver the Service, (b) as necessary with service providers operating on our behalf, (c) for security purposes, or (d) as required by law
- We do not use Google user data for serving advertisements
- We do not use Google user data for any purpose not directly related to providing the Revoly service to you
Human access to Google user data
Revoly employees and contractors will not read your Google user data unless:
- You have given us your explicit, affirmative consent for specific content (e.g., for troubleshooting a reported issue)
- It is necessary for security purposes (such as investigating a security incident or abuse)
- It is necessary to comply with applicable law or legal process
- The data has been aggregated and fully anonymized so that it cannot be associated with any individual user, and is used solely for internal operations
Google data retention
Email content and calendar data retrieved from Google APIs is cached temporarily (maximum 30 days) for service delivery purposes. Cached data is automatically deleted after this period. Conversation logs and AI memory derived from Google data are retained for the duration of your account (see Data Retention).
Revoking Google access
You can revoke Revoly's access to your Google account at any time:
- Go to myaccount.google.com/permissions
- Find "Revoly" in the list of apps with access to your account
- Click on "Revoly" and then click "Remove Access"
- Confirm the revocation
After revocation, Revoly will no longer be able to access your Gmail or Google Calendar. Cached Google data will be deleted within 30 days. You can also disconnect Google services from within the Revoly app settings.
7. Automated Decision-Making & Profiling (GDPR Art. 22)
The AI Agent performs automated processing of your data, including actions that may have significant effects. Specifically:
Automated actions by the AI Agent
- Email management: The AI Agent automatically filters, prioritizes, drafts, and (with your configuration) sends emails on your behalf based on learned preferences, instructions, and contextual analysis
- Calendar management: The AI Agent automatically creates, modifies, reschedules, or cancels calendar events based on your instructions and scheduling rules
- Message responses: The AI Agent may automatically generate and send responses to Telegram messages
- Content generation: The AI Agent generates summaries, digests, draft communications, and other content based on your data
Logic and significance
The AI Agent uses large language model technology (provided by Anthropic) to analyze your communications, instructions, and context. It generates responses and takes actions based on pattern recognition and statistical inference. These actions may have significant real-world effects, including:
- Commitments made on your behalf via email (e.g., accepting invitations, confirming meetings)
- Schedule changes that affect your and others' plans
- Communications that may create contractual or professional obligations
Your rights regarding automated decisions
Under GDPR Article 22, you have the right to:
- Obtain human intervention: You may request that any specific automated action be reviewed by a human by contacting hello@revoly.ai
- Express your point of view: You may challenge or contest any automated decision
- Opt out: You may disable specific automated features or disconnect services at any time through your account settings
- Review before sending: For critical actions (such as sending emails to external parties), we provide confirmation steps. We strongly recommend keeping confirmation enabled for important communications
8. Data Isolation & Security
We implement technical and organizational measures to protect your data:
- User isolation: Each user's AI Agent operates in a logically isolated environment. Your data is separated from other users' data, and your AI Agent cannot access any other user's information
- Encryption at rest: All stored data, including OAuth tokens and sensitive credentials, is encrypted using AES-256 encryption
- Encryption in transit: All network connections use TLS 1.2 or higher
- Minimal OAuth scopes: We request only the minimum permissions necessary from connected services
- Access controls: Internal access to user data is strictly restricted, role-based, and logged. Access is granted only on a need-to-know basis
- Token security: OAuth tokens are stored encrypted and are never exposed in logs or debug output
- Regular assessment: We periodically review and update our security practices
As the Service is in beta, we are continuously improving our security posture. While we take reasonable measures to protect your data, no system is perfectly secure, and we cannot guarantee absolute security. Please report any security concerns to hello@revoly.ai.
9. Third-Party Services & Sub-processors
We use the following third-party services (sub-processors) to operate Revoly. Your data may be shared with these services to the extent necessary for service delivery:
| Service | Role | Data processed | Location |
|---|---|---|---|
| Anthropic (Claude AI) | AI model provider — processes your inputs and generates AI Agent responses and actions | Messages, relevant email/calendar content, instructions, conversation context | USA |
| Google (Gmail & Calendar) | Connected service — email and calendar data accessed via Google APIs with your consent | Email content, calendar events, metadata | USA / Global |
| Telegram | Connected service — messaging platform | Messages to/from Revoly bot, user ID | UAE / Global |
| Clerk | Authentication provider — Google login and session management | Name, email, profile picture, session tokens | USA |
| Stripe | Payment processor | Payment card data, billing address, transaction records | USA / Ireland |
| Railway | Infrastructure hosting | All application data (encrypted) | EU (preferred) / USA |
OpenClaw is the open-source AI agent framework that powers the assistant. It runs on our own infrastructure and does not transmit your data to any external service independently.
Each third-party service operates under its own privacy policy. We select providers that meet our standards for data protection, but we encourage you to review their policies. If we add new sub-processors that materially change how your data is processed, we will update this policy and notify you.
For a current, maintained list of all sub-processors, see our Sub-processors page.
10. International Data Transfers
Your data may be processed outside the European Economic Area (EEA), particularly by sub-processors located in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place:
| Recipient | Country | Safeguard |
|---|---|---|
| Anthropic | USA | Standard Contractual Clauses (SCCs) / Data Processing Addendum |
| Clerk | USA | Standard Contractual Clauses (SCCs) |
| Stripe | USA / Ireland | EU-US Data Privacy Framework / SCCs / Adequacy decision (Ireland) |
| USA / Global | EU-US Data Privacy Framework / SCCs | |
| Telegram | UAE / Global | Standard Contractual Clauses (SCCs) |
Standard Contractual Clauses (SCCs) are approved by the European Commission and provide contractual safeguards for international data transfers. You may request a copy of the applicable safeguards by contacting hello@revoly.ai.
11. Cookies & Tracking
We keep cookies and tracking minimal:
- Essential authentication cookies: Session tokens to keep you logged in (strictly necessary — no consent required under ePrivacy Directive)
- No advertising cookies: We do not run ads and do not set advertising or targeting cookies
- No third-party trackers: We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts
- No cross-site tracking: We do not track you across other websites
If we introduce analytics or non-essential cookies in the future, we will update this policy, implement a cookie consent mechanism, and request your consent where required by applicable law. For full details, see our Cookie Policy.
12. Data Retention
| Data type | Retention period |
|---|---|
| Account information | Duration of your account + 30 days after deletion |
| Conversation history & AI memory | Duration of your account; deleted within 30 days of account deletion |
| Cached Google data (email/calendar content) | Maximum 30 days; refreshed as needed for active tasks |
| Telegram messages | Duration of your account; deleted within 30 days of account deletion |
| OAuth tokens | Until service is disconnected or account is deleted; revoked immediately on disconnection |
| Payment & billing records | As required by applicable tax and accounting law (typically 7 years) |
| Usage & technical logs | 90 days (rolling) |
| Encrypted backups | Up to 30 days after primary data deletion |
Account deletion: When you delete your account, all your data — including conversation history, AI memory, connected account tokens, and stored preferences — is permanently deleted within 30 days. Encrypted backups may retain data for up to 30 additional days, after which they are rotated out.
Exceptions: We may retain certain data beyond the periods above where required by applicable law (e.g., tax and accounting records), to resolve disputes, enforce our agreements, or comply with legal obligations. In such cases, we retain only the minimum data necessary and for the minimum period required.
Free trial / inactive accounts: If you do not subscribe after your trial, your data is retained for 30 days to allow you to return, then permanently deleted (subject to the exceptions above).
13. Your Rights (GDPR)
As we are based in Portugal (EU) and GDPR applies to our processing of your data, you have the following rights:
- Access (Art. 15): Request a copy of all personal data we hold about you
- Rectification (Art. 16): Correct inaccurate or incomplete personal data
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format
- Restriction (Art. 18): Restrict how we process your data in certain circumstances
- Object (Art. 21): Object to processing based on legitimate interest. Where we process data for legitimate interests, you may object, and we will cease processing unless we demonstrate compelling legitimate grounds
- Withdraw consent (Art. 7): Revoke consent for data processing at any time (e.g., disconnecting Gmail, Calendar, or Telegram). This does not affect lawfulness of prior processing
- Automated decisions (Art. 22): Request human review of automated decisions that significantly affect you (see Section 7)
- Lodge a complaint: File a complaint with the Portuguese data protection authority (CNPD — www.cnpd.pt) or your local supervisory authority
To exercise any of these rights, email hello@revoly.ai. We will verify your identity and respond within 30 days (extendable by 60 days for complex requests, with prior notice). Exercising your rights is free of charge.
14. Data of Third Parties
When you use Revoly, the AI Agent may process personal data of third parties — for example, the names and email addresses of people who email you, or attendees of calendar events.
- Legal basis: We process this third-party data under legitimate interest (Art. 6(1)(f) GDPR) — specifically, your legitimate interest in managing your personal communications and schedule, analogous to how email clients and calendar applications process such data
- Minimal processing: Third-party data is processed only to the extent necessary to deliver the Service to you (e.g., displaying sender names, processing email content for summaries)
- No profiling: We do not build profiles of third parties or use their data for any purpose beyond providing the Service to you
- AI processing: Third-party data contained in your emails or calendar events may be transmitted to Anthropic's API for processing, where it is handled under the same protections as your own data (not used for model training, not permanently retained)
If a third party contacts us to exercise their data protection rights regarding data processed through your use of the Service, we will notify you and work with you to comply with legitimate requests.
15. Age Requirement
Revoly is not intended for users under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe that a person under 18 has created an account or provided personal data to us, please contact us at hello@revoly.ai and we will promptly investigate and delete such data.
16. Changes to This Policy
We may update this Privacy Policy as the Service evolves, our data practices change, or legal requirements are updated. For significant changes that materially affect how we process your data:
- We will notify you by email or in-app notification at least 14 days before they take effect
- We will clearly describe what has changed and why
- If you disagree with the changes, you may delete your account before the changes take effect
Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. We will always update the "Last updated" date at the top of this page.
17. Contact & Privacy Inquiries
For privacy questions, data protection requests, or concerns about how your data is handled:
- General inquiries & data requests: hello@revoly.ai
- Abuse reports: abuse@revoly.ai
- Location: Portugal, EU
If you are not satisfied with our response, you have the right to lodge a complaint with the CNPD (Portuguese Data Protection Authority) at www.cnpd.pt, or with your local supervisory authority.