Privacy Policy
Last updated: 5 May 2026
This Privacy Policy describes how RevTurbine ("RevTurbine", "we", "us", or "our") collects, uses, shares, and protects personal information when you visit the website at revturbine.com (the "Site") or use the RevTurbine product (the "Service").
By using the Site or Service, you agree to the practices described in this policy. If you do not agree, please do not use the Site or Service.
For any privacy-related question or request, contact us at privacy@revturbine.com.
Information we collect
When you visit the Site
We collect limited information automatically from all visitors to the Site:
- Technical data — IP address, device type, browser, operating system, referrer, pages viewed, and time on page. This is collected by our hosting provider (Vercel) and our analytics tools (Vercel Analytics, Vercel Speed Insights, Ahrefs Analytics).
- Business identification (US visitors only) — when you visit the Site from a US-based IP address, we use a third-party service (RB2B) that may identify you and your employer using their identity graph. RB2B may surface your name, employer, work email address, and LinkedIn profile URL. This service does not operate outside the United States.
- Cookies — RB2B sets a first-party cookie used for visitor identification. Vercel Analytics, Vercel Speed Insights, and Ahrefs Analytics are cookieless. The Service uses functional cookies necessary for authentication.
When you contact us through the Site
When you submit one of our contact, booking, or email-signup forms, we collect:
- The information you provide — typically your name, email address, the topic you select, and any message you write.
- Scheduling information you provide when booking a session, which is processed by Calendly.
We use this information to respond to you, follow up about your enquiry, and (if you opt in) send product updates.
When you use the Service
When you create an account or use the Service, we collect:
- Account information — your name, email address, and password (stored only as a salted hash). If you sign in via Google, GitHub, or Microsoft Entra ID, we receive your basic identity details from that provider.
- Workspace and tenant information — organization name, workspace members, roles, and configuration.
- Billing information — processed by Stripe (we operate a Stripe Connect platform). We do not store full payment-card details. We retain Stripe customer and subscription identifiers and high-level billing metadata.
- Usage and event data — page views, placement impressions and conversions, billing events, and other in-product activity. These events are sent to Tinybird and retained for 365 days.
- AI prompts and content — when you use AI-powered features, your prompts and any codebase content you provide (including content fetched from GitHub using tokens you supply) are forwarded to Anthropic (Claude) and/or OpenAI through the Vercel AI Gateway for processing.
- Operational data — session and rate-limiting data processed by Upstash Redis; background and webhook events (including Stripe webhook payloads) processed by Inngest; transactional email (verification, magic links, invitations) sent via Google (Gmail API); server logs sent to Axiom for observability.
How we use information
We use personal information to:
- Provide, operate, secure, and improve the Site and the Service.
- Authenticate you and protect your account.
- Process payments and manage subscriptions.
- Send transactional, service, and (where you've opted in) marketing communications.
- Respond to your enquiries and follow up about sales.
- Analyze usage to improve our product, content, and marketing.
- Detect, investigate, and prevent fraud, abuse, and security threats.
- Comply with legal obligations.
Legal bases (UK / EU / EEA visitors)
Where the UK GDPR or EU GDPR applies, we rely on the following legal bases:
- Performance of contract — to provide the Service you signed up for.
- Legitimate interests — for analytics, business identification, fraud prevention, marketing to business contacts, and improving our offering.
- Consent — where required (you may withdraw consent at any time).
- Legal obligation — where applicable.
Service providers (sub-processors)
We share personal information with the following third-party service providers, each bound by data-protection commitments where applicable. This list reflects our current sub-processors and may change over time.
| Provider | Purpose | Primary location |
|---|---|---|
| Vercel | Hosting, web analytics, performance monitoring | United States |
| Neon (via Vercel Postgres) | Primary database | United States |
| Upstash | Session cache and rate limiting | United States |
| Google (OAuth) | Google sign-in | United States |
| Google (Gmail API) | Transactional email | United States |
| GitHub | OAuth sign-in; repository access via user-supplied tokens | United States |
| Microsoft (Entra ID) | OAuth / SSO sign-in | United States |
| Stripe (Stripe Connect) | Payment processing | United States |
| Tinybird | Clickstream and event analytics (365-day retention) | European Union |
| Anthropic (Claude) | AI / large-language-model processing | United States |
| OpenAI | AI / large-language-model processing | United States |
| Vercel AI Gateway | Proxy for LLM requests | United States |
| Inngest | Background jobs and webhook processing | United States |
| Axiom | Logs and observability | United States |
| Ahrefs Analytics | Marketing analytics (cookieless) | European Union |
| RB2B | B2B visitor identification (US visitors only) | United States |
| Calendly | Session scheduling | United States |
International transfers
Most of our service providers are based in the United States. By using the Site or Service, you understand that your information may be transferred to and processed in the United States and other jurisdictions whose data-protection laws may differ from those in your country. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
Data retention
We retain personal information for as long as needed for the purposes described in this policy, unless a longer retention period is required by law:
- Marketing site analytics and visitor identification — retained while reasonably useful for the purposes above.
- Account data — retained for the lifetime of your account, plus a reasonable archival period after deletion.
- Usage and clickstream events (Tinybird) — 365 days.
- Billing records — retained as required by tax and accounting laws (typically 7 years).
- Logs and operational data — retained per provider defaults, typically 30–90 days.
Your rights
Depending on where you live, you may have rights in relation to your personal information, including the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your information.
- Restrict or object to certain processing.
- Receive a copy of your information in a portable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
If you are a California resident, you have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell personal information for monetary value. Our use of RB2B for visitor identification may be considered "sharing" under CPRA — to opt out, email privacy@revturbine.com.
If you are in the UK, EU, or EEA, you have rights under the UK GDPR / EU GDPR as described above.
To exercise any of these rights, email privacy@revturbine.com. We will respond within the timeframe required by applicable law.
Cookies and tracking
The Site uses:
- First-party cookies set by RB2B for B2B visitor identification (US visitors only).
- Cookieless analytics via Vercel Analytics, Vercel Speed Insights, and Ahrefs Analytics.
- Functional cookies required for authentication when using the Service.
You can configure your browser to block or delete cookies. Doing so may affect parts of the Service that depend on them (for example, staying signed in).
Security
We use industry-standard security measures including encryption in transit (TLS), salted password hashing, OAuth-based sign-in where available, and access controls. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
Children
The Site and Service are not directed at children under the age of 16, and we do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, please contact us.
Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated through the Site or the Service.
Contact us
For any privacy-related question, request, or complaint:
RevTurbine Email: privacy@revturbine.com