Privacy Policy

Effective Date: 19 June 2026Version: 1.3.9

This Privacy Policy explains how RevvTik Ltd (“RevvTik”, “we”, “us”), a company established in the United Kingdom, processes personal data when you use our websites, applications, and services (the “Services”). It is designed to meet transparency obligations under the UK GDPR and the Data Protection Act 2018, and where the Services are offered to individuals in the European Economic Area, the EU GDPR (Articles 13 and 14). For the contractual relationship between your organisation (business customer) and RevvTik as processor, see our Data Processing Addendum.

1. Data controllers and roles

RevvTik as processor: When your company subscribes to RevvTik, your organisation is typically the data controller for personal data in recordings, transcripts, scores, and coaching outputs relating to your team. RevvTik processes that data only on your instructions, as described in the DPA and your subscription terms.

RevvTik as controller: For account registration, support contact details, security logs relating to our platform, and website visitors, RevvTik may act as controller for its own business purposes, such as delivering the service, security, product administration, and product improvement where permitted.

2. Identity, supervisory authority, and EU representative

  • Controller / service operator: RevvTik Ltd, 128 City Road, London, EC1V 2NX, established in the United Kingdom.
  • ICO registration: RevvTik Ltd is registered with the Information Commissioner's Office under reference ZC160387 (Data Protection (Charges and Information) Regulations 2018).
  • Contact: support@revvtik.com
  • Lead supervisory authority (UK GDPR): the Information Commissioner's Office (ICO) - https://ico.org.uk/.
  • Data Protection Officer: RevvTik is not required to appoint a DPO under Art. 37 UK GDPR / EU GDPR at this stage. All privacy matters are handled by our internal privacy team at support@revvtik.com. If our processing scope changes in a way that requires a DPO, we will appoint one and update this policy.
  • EU / EEA representative: RevvTik has not yet appointed an EU representative. We are assessing our Article 27 EU GDPR obligations for EU/EEA use of the Services. Where an EU representative is required for a customer deployment or market expansion, we will appoint an EU-based representative and update this policy with the representative's legal name, address, and contact details.
  • UK representative: not required because RevvTik is established in the UK.

3. Categories of data subjects and personal data

3.1 Data subjects

  • Customer users: admins, managers, and salespeople using RevvTik under your account.
  • Individuals in recordings: prospects, customers, and other meeting participants whose voice, words, or opinions appear in audio or transcripts your users submit or connect via integrations.
  • Website visitors: anyone visiting our marketing site, legal pages, or documentation.

3.2 Categories of personal data

  • Account & profile: name, email, role, organisation and account identifiers, authentication events (sign-in method, session identifiers, IP address, and browser user agent where recorded for security), and account status.
  • Meeting & coaching content: audio/video files or recordings ingested via upload or third-party integrations; transcripts (produced by RevvTik's transcription provider from audio, not from third-party transcript APIs unless separately configured); AI-generated summaries, scores, evidence snippets, coaching insights; and metadata such as duration, timestamps, platform identifiers, and meeting titles.
  • Meeting participants & prospects: participant names and email addresses from connected meeting platforms where available (for example Zoom past participant lists) to associate calls with prospects and exclude internal attendees.
  • Integration credentials: per-user OAuth tokens and related metadata for platforms such as Zoom, Google, and FreJun when an authorised user connects their own account, protected using encryption at rest where applicable. Workspace administrators enable platforms for the organisation; they do not connect a single shared Zoom or Google account on behalf of all users in the product.
  • Technical & security: IP address, device/browser details where captured, and audit logs of access to the Services. Application logs and operational telemetry are designed not to include raw transcript text; see Security.

3.3 Integrations

Zoom Integration

When a user authorizes RevvTik through Zoom OAuth, RevvTik may access only the Zoom resources and permissions approved by the user during authorization, such as meeting metadata, participant information, and cloud recordings. RevvTik accesses Zoom data solely to provide transcription, AI coaching, scorecards, analytics, and related platform functionality. Users may disconnect the Zoom integration at any time, which removes stored authorization credentials and stops future synchronization.

4. Purposes and legal bases (Article 6)

We process personal data only where there is a valid legal basis. The table below summarises typical processing. Your organisation’s own legal analysis may vary by jurisdiction; RevvTik provides this description for transparency.

Processing activityPurposeTypical legal basis
Account creation, login, RBACProvide the Services and secure accessPerformance of contract; legitimate interests
Ingest recordings (upload, Zoom, Meet, FreJun, etc.)Transcription, analysis, coachingCustomer’s instructions as controller; contract with RevvTik
Transcription via AssemblyAI or similar providerConvert audio to textSame as above; subprocessors listed publicly
AI analysis / scoringGenerate scores, insights, evidence, and coachingSame as above; Art. 22 safeguards described below
Audit logging & security monitoringDetect abuse, secure data, investigate incidentsLegitimate interests; legal obligation where applicable
Support & incident responseResolve tickets and notify of security incidentsContract; legitimate interests; legal obligation

Employees and consent: Where your users are employees, your organisation should not rely solely on “consent” as the only basis for workplace monitoring in all jurisdictions. Many regulators expect legitimate interest assessments, proportionality checks, transparency notices, or employment-law compliance. RevvTik’s customer Terms require you to ensure a lawful basis for your use case.

5. Whether you must provide personal data (Art. 13(2)(e))

Whether you must provide personal data, and what happens if you do not, depends on your relationship with RevvTik and the feature you use:

  • Business account users (RevvTik as controller for account data): To create and maintain a user account, you must provide certain information such as your name, work email, and authentication credentials. Without this, we cannot provide secure access to the Services. Other profile fields may be optional depending on your organisation's configuration.
  • Customer subscription (RevvTik as processor): Your organisation chooses what call, meeting, or telephony content to submit or connect. RevvTik does not require a specific recording to be uploaded, but your organisation cannot use coaching, transcription, or scoring features for content it does not provide or connect.
  • Contractual necessity: Where processing is necessary to perform our contract with your organisation or with you as an authorised user, failure to provide the minimum data needed for that feature may mean we cannot deliver that part of the Service.
  • No statutory obligation: RevvTik does not generally require you to provide personal data because of a legal obligation to us, except where we must retain limited records for tax, accounting, security, or regulatory purposes.
  • Consequences: If required account data is not provided or is withdrawn, we may be unable to authenticate you, maintain your session, or support your workspace. If your organisation stops submitting or connecting content, related transcripts, scores, and coaching outputs will not be generated for new activity. Existing retained content is handled under our retention and deletion rules in Section 7.

6. Sub-processors and international transfers

We use sub-processors to host and operate the Services. A current list with purpose, country of processing, and safeguards is published at Sub-processors. The principal categories are:

  • Cloud hosting (AWS, Google Cloud, or Microsoft Azure - region per deployment).
  • Transcription: AssemblyAI, using the EU-hosted transcription service (Ireland) where configured for RevvTik production transcription.
  • AI inference: OpenAI or Azure OpenAI, depending on deployment configuration and customer requirements.
  • Meeting platforms: Zoom and Google (Workspace / Meet / Drive) when an authorised user connects their own account via OAuth. Access is limited to scopes shown at connect time (for example Zoom cloud recordings and past participant metadata; Google Meet files and related calendar context). Microsoft Teams is not available as an automated connector in the product today; customers may still label manual uploads as Teams where applicable.
  • Telephony: FreJun, when an authorised user connects their account or where an organisation configures FreJun for ingestion under admin settings.

Transfers from the UK and EEA: RevvTik is established in the United Kingdom. Transfers between the UK and the EEA are covered by the UK adequacy regulations and the European Commission’s adequacy decision for the UK. Where personal data is transferred to countries without an adequacy decision, for example certain AI inference providers or support tooling hosted outside the EEA, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Commission’s 2021 Standard Contractual Clauses (including Module Two for controller-to-processor transfers and Module Three for onward sub-processor transfers, with Annex I–III completed in our Data Processing Addendum), supplemented by technical and organisational measures such as encryption in transit and at rest, access controls, audit logging, and where relevant, a Transfer Risk / Transfer Impact Assessment. Sub-processors are contractually restricted from using Customer Data to train their general-purpose models except where separately agreed by the Customer with that vendor.

7. Retention & growth tracking

We keep coaching content long enough for it to be useful, and no longer. Retaining transcripts and scores over time lets a salesperson compare past performance with current performance, see which coaching produced results, and follow long-term growth trends. Retention is subject to customer-configured limits, scheduled deletion controls, and proportionality safeguards.

  • Audio recordings: deleted promptly after transcription processing completes, subject to temporary retry, integrity-check, or cleanup operations required for reliable processing. We do not retain raw audio beyond what is required to produce the transcript and operate the processing pipeline.
  • Transcripts, AI analyses, scores, coaching insights: retained for up to 24 months from creation by default, then automatically deleted by an automated retention process. This default supports historical comparison and growth analytics for your team.
  • Customer-configurable shorter retention: Org admins can lower the retention period for their organisation (currently: 12 / 18 / 24 months). Once changed, the new shorter limit is enforced on existing data going forward.
  • Pre-deletion notice: Before scheduled retention deletions, we record advance notices for operators, for example in operational logs and deduplicated notice records, approximately 30 days ahead where configured. This is primarily an administrator-facing signal today, not a guarantee of an in-product reminder to every end user.
  • Account & profile data: kept for the duration of the subscription plus a short wind-down period for export, billing reconciliation, and legal holds.
  • Audit logs: retained for security, accountability, and abuse investigation. They record who accessed what; they do not contain transcript content.
  • Integration credentials: protected using encryption at rest and removed when no longer needed, for example when an integration is disconnected or routine credential cleanup applies.
  • On verified account or organisation deletion, Customer Data is deleted from primary application systems within 30 days, subject to technical and legal retention constraints. Backup copies may persist through backup retention and rotation cycles, typically not exceeding a further 30 days, and are protected from normal use until overwritten or purged.
  • For verified individual erasure requests, RevvTik will respond within the applicable legal timeframe and delete or anonymise personal data where required, subject to legal exceptions, technical constraints, and the Customer's role as controller.

8. Automated scoring, profiling, and Art. 22

RevvTik generates numerical scores and qualitative coaching insights using AI models across defined sales dimensions such as qualification, discovery, objection handling, next-step control, and follow-up clarity, with transcript-linked evidence excerpts. This can constitute profiling under GDPR Art. 4(4) where the GDPR applies.

  • Coaching, not a decision engine. During onboarding, staff see a clear statement that scores are for coaching and must not be the sole basis for employment decisions. In-product, call detail includes links to documentation and an optional Need help? flow for salespeople and managers to understand scores and raise concerns with their organisation.
  • Meaningful information. Each call shows per-parameter scores or N/A with a short reason, related coaching sections, and a link to our public guide on how scoring works.
  • Challenging a score. Salespeople and managers can use the in-app Understand this call score page, reached from call detail, to read how results are produced and, if needed, send a structured request to their company admin. Admins may triage internally and, where your organisation uses it, escalate to RevvTik for operational review. This replaces a fixed “dispute” button on every scorecard; the pathway is admin-mediated by design.
  • Objecting to profiling (Art. 21). Where the GDPR applies, you may object to processing based on legitimate interests, including profiling, by contacting support@revvtik.com or your employer as controller for customer-controlled workplace accounts.
  • Impact assessment. We maintain data-protection impact-style documentation for high-risk processing and review it when the product changes in material ways.

9. Data subject rights

Depending on your jurisdiction, you may have the right to:

  • Access a copy of your personal data (Art. 15)
  • Rectify inaccurate data, including requesting correction or review of transcript issues through available help flows or support@revvtik.com (Art. 16)
  • Erase data, subject to legal exceptions (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability, including structured machine-readable export (Art. 20)
  • Object to processing based on legitimate interests, including AI profiling (Art. 21)
  • Not be subject to solely automated decisions and request human review (Art. 22)
  • Withdraw consent where processing was consent-based (Art. 7(3))
  • Lodge a complaint with a supervisory authority

How to exercise rights - three channels:

  1. In-app (active users): Dashboard Settings — password, platform connections, download my data self-export, and links to review-related pages where applicable. For access, erasure, rectification, or objection requests that are not covered there, use the email channel below or your organisation’s admin.
  2. Email (current or former users): support@revvtik.com. We may verify your identity before processing.
  3. Through your organisation’s admin for customer-controlled actions such as offboarding, deactivation, removal, or organisation-level retention settings. Your admin cannot block or intercept a rights request you make directly to RevvTik.

Response time (Art. 12(3)): we acknowledge requests within 72 hours and resolve within one calendar month. Complex cases may be extended by up to two further months; we will tell you within the first month with reasons.

10. Breach notification

If we become aware of a personal data breach affecting Customer Data, we notify the relevant Customer, as controller, without undue delay and in any event within 72 hours, with the information needed for Customer’s own Art. 33/34 obligations. Where RevvTik acts as controller, for example for account metadata or website visitor data, we notify the competent supervisory authority within 72 hours where required and affected individuals where the risk is high.

11. Individuals in recordings — information when we do not collect data from you (Art. 14)

If you appear in a call, meeting, or recording processed through RevvTik but did not create a RevvTik account or submit the recording yourself, your personal data is usually obtained from your organisation's users or from a connected platform (for example Zoom, Google Meet, or FreJun), not directly from you. This section provides the transparency information required by Article 14 UK/EU GDPR where RevvTik processes such data.

Who is the controller: In most cases your employer, the selling organisation using RevvTik, or another business that connected the recording is the data controller for that content. RevvTik acts as a processor on the controller's instructions. For questions about why the recording was made or the controller's lawful basis, contact that organisation first. RevvTik's privacy contact is support@revvtik.com.

  • Categories of data: voice, spoken words, names or identifiers visible in metadata, professional context, and AI-generated transcript text, summaries, scores, or coaching insights derived from the recording.
  • Source: the controller's users (upload or integration) or the connected meeting/telephony platform. We do not generally obtain this data from publicly accessible sources unless your organisation chooses to submit such content.
  • Purposes: transcription, analysis, scoring, coaching, quality review, and related features requested by the controller — see Sections 4 and 8.
  • Legal basis: determined by the controller (for example legitimate interests, contract, or employment law compliance). RevvTik processes on the controller's instructions under contract.
  • Recipients: RevvTik personnel with a legitimate need; sub-processors listed at Sub-processors; and the controller's authorised users.
  • International transfers: as described in Section 6 and our DPA.
  • Retention: audio is deleted after transcription; transcripts and related outputs are retained per Section 7 unless the controller sets a shorter period or deletion is requested.
  • Automated processing: AI scoring and profiling may apply — see Section 8. These outputs are intended for coaching, not as sole automated decisions about you.
  • Your rights: you may have rights of access, rectification, erasure, restriction, objection, and related rights under applicable law. Exercise them through the controller where they decide processing, or contact support@revvtik.com if you believe RevvTik holds your data. We will coordinate with the controller where required. See Section 9.
  • Complaints: you may lodge a complaint with a supervisory authority — see Section 14.

Controller transparency duty: The organisation that records or submits the conversation remains responsible for informing you where required, including under the ePrivacy Directive and national call-recording or employment-monitoring laws. RevvTik provides optional participant notice templates for controllers; they do not replace the controller's own legal obligations.

12. Special category data (Art. 9)

Sales conversations may incidentally reveal health, religion, political opinions, trade-union membership, or other special category data. RevvTik does not seek this data. We rely on access controls, retention limits, and minimisation. Structured exports may redact certain prospect identifiers where that feature is enabled. The controller remains responsible for documenting an Art. 9(2) basis where required and for proportionality.

13. Cookies and similar technologies

A dedicated cookie list and preferences are in our Cookie Policy. We use cookies and similar technologies for authentication and session continuity, security, and core service functionality. We do not currently use analytics or marketing cookies unless introduced with consent and an updated Cookie Policy. Where possible we prefer privacy-preserving measurement approaches that minimise personal data collection (Art. 25 GDPR).

Customer workspace sign-in uses a server-side session model. After successful authentication (email and password and/or Google OAuth, where enabled), RevvTik issues a short-lived signed access token (JSON Web Token, JWT) in an HttpOnly cookie named `rt_at` (fifteen (15) minutes) and a rotating opaque refresh token in a separate HttpOnly cookie named `rt_rt` (up to seven (7) days of inactivity, or until you sign out). Refresh tokens are stored only as cryptographic hashes in our database; if a revoked refresh token is reused, the session is ended for security. JWT access tokens are sent automatically by your browser on API requests and are not stored in `localStorage` or `sessionStorage`. For UI convenience, a minimal user profile (such as display name and role) may be cached locally without session secrets.

14. Complaints to a supervisory authority

RevvTik Ltd is registered with the Information Commissioner's Office under registration reference ZC160387. You can verify our registration on the public ICO register.

If you believe our processing of your personal data is unlawful, you may lodge a complaint with a supervisory authority. Because RevvTik is established in the United Kingdom, our lead authority is the Information Commissioner's Office (ICO). If you are located in the EU/EEA, you may also complain to the data protection authority in your country of residence, place of work, or place of the alleged infringement. The European Data Protection Board (EDPB) maintains a directory at edpb.europa.eu. We would appreciate the chance to address concerns first at support@revvtik.com.

15. Changes and prior versions

We will update this policy when our practices change. Material changes will be notified, for example by email or in-app notice. Version history: this document is version 1.3.9. Retain prior copies for your records if you are a controller documenting compliance.

Business customers should also involve qualified counsel for their entity and jurisdictions.


Contract entity & contact

RevvTik Ltd
128 City Road
London EC1V 2NX
United Kingdom

Support and Legal Contact: support@revvtik.com

Related policies: Privacy Policy · Terms of Service