Privacy Policy

1. Introduction

Reavo is a B2B prospecting platform that helps businesses find potential clients, collect professional contact information, and send outreach emails. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (reavo.co) and our platform (the "Service").

By using Reavo, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

• SARL Lux Studio
• 24 avenue de la Gare, 69580 Sathonay-Camp, France
• RCS Lyon No. 994 423 127
• Email: contact@reavo.co

3. Data We Collect

3.1 Account Data

When you sign up and use Reavo, we collect:

• Full name
• Email address
• Company name
• Billing address
• Payment information (processed securely by Stripe; we never store card numbers)

3.2 Automatically Collected Data

When you browse our website, we may collect:

• IP address
• Browser type and operating system
• Pages visited and visit duration
• Cookies and analytics trackers (with your consent)

3.3 Prospect Data

As part of the Service, Reavo collects professional contact data (names, business emails, phone numbers, job titles) from publicly accessible sources: company websites, professional directories, professional social networks, and public registries.

4. Google User Data

This section describes how Reavo accesses, uses, stores, and shares data obtained through Google APIs. Reavo's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.1 What Google Data We Access

When you connect your Gmail or Google Workspace account to Reavo via Google OAuth 2.0, we request access to the following scopes:

• Email sending (Gmail API): permission to send emails on your behalf from your connected Google account. This is used exclusively to deliver your prospecting emails through your own mailbox.
• Email profile information: your email address and basic profile information, used to identify your connected account within Reavo.

4.2 How We Use Google User Data

Google user data is used strictly for the following purposes:

• Sending prospecting emails that you have composed and approved, from your own Gmail or Google Workspace account
• Displaying your connected email address within the Reavo interface so you can manage your account

We do not use Google user data for advertising, market research, email tracking unrelated to the Service, or any purpose other than providing and improving the Reavo Service as described here.

4.3 What We Do NOT Access

Reavo does not:

• Read, scan, analyze, or store the content of your personal or received emails
• Access your Google Contacts, Calendar, Drive, or any other Google service
• Monitor your inbox or email activity
• Access your Google account password at any time

4.4 Storage of Google User Data

We store only the OAuth 2.0 authentication tokens required to maintain your connection to Google. These tokens are:

• Stored securely in our database (Supabase, hosted on AWS EU servers)
• Encrypted in transit (TLS/HTTPS) and at rest
• Accessible only to authorized Reavo systems needed to send emails on your behalf

We do not store email content, attachments, headers, or metadata from your Google account. Email content is generated within Reavo and transmitted directly to Google's API for sending. It is not retained after delivery.

4.5 Sharing of Google User Data

We do not sell, share, rent, or transfer Google user data to any third party.

Google user data is never shared with advertisers, data brokers, analytics providers, or any entity other than Google itself (through its own API to execute the send request). No human at Reavo accesses your Google user data unless explicitly required for technical support at your request.

4.6 Limited Use Disclosure

Reavo's use of information received from Google APIs complies with the Google API Services User Data Policy, including the following Limited Use requirements:

• We only use Google user data to provide and improve the user-facing features of Reavo that are visible to the user
• We do not transfer Google user data to third parties unless necessary to provide the Service, required by law, or with explicit user consent
• We do not use Google user data for serving advertisements
• We do not allow humans to read Google user data unless we have obtained explicit affirmative consent, it is necessary for security purposes, it is required by law, or it is aggregated and anonymized for internal operations

4.7 Revoking Access

You can disconnect your Google account from Reavo at any time by:

• Going to your Reavo account settings and disconnecting your Google account
• Visiting your Google Account permissions page and revoking access for Reavo

Upon disconnection, your OAuth tokens are deleted from our systems within 24 hours. No Google user data is retained after revocation.

5. Microsoft User Data

Reavo also supports connecting Microsoft Outlook and Microsoft 365 accounts via Microsoft OAuth 2.0 (Microsoft Graph API). The same principles apply:

• We only request permissions necessary to send emails on your behalf
• We do not read, analyze, or store your personal email content
• We do not sell or share your Microsoft data with third parties
• You can revoke access at any time from your Microsoft account security settings or from Reavo

6. Purpose of Data Processing

We process personal data for the following purposes:

• Contract performance (Art. 6.1.b GDPR): creating and managing your account, providing the Service, billing, and customer support
• Legitimate interest (Art. 6.1.f GDPR): improving the Service, fraud prevention, platform security, and usage analytics
• Legal obligation (Art. 6.1.c GDPR): invoice retention and tax compliance
• Consent (Art. 6.1.a GDPR): marketing communications (newsletters, product updates)

7. Sub-processors

Your data may be processed by the following sub-processors:

• Supabase (database): account and prospect data storage, hosted on European servers (AWS EU)
• Vercel (hosting): website and application hosting, European servers (AWS EU)
• Stripe (payments): secure payment processing (PCI-DSS certified)
• Google (Gmail API): email sending via user-connected Gmail/Google Workspace accounts
• Microsoft (Graph API): email sending via user-connected Outlook/Microsoft 365 accounts
• AI providers (OpenAI, Anthropic, Mistral, or other providers): content generation and AI features. Providers may change to improve Service quality.

We never sell, rent, or share your personal data with third parties for commercial purposes. Data sharing is limited to what is strictly necessary for the operation of the Service.

8. International Data Transfers

Our primary infrastructure providers (Supabase, Vercel) host data on servers located in the European Union (AWS EU). Some providers (Stripe, AI providers, Google, Microsoft) may process data in the United States. These transfers are governed by appropriate safeguards under the GDPR, including Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

9. Data Retention

• Account data: retained for the duration of your subscription, then deleted within 30 days after account closure
• Billing data: retained for 10 years in compliance with legal accounting obligations
• Browsing data: retained for a maximum of 13 months (CNIL recommendation)
• Prospect data: deleted within 30 days after account closure
• Google/Microsoft OAuth tokens: deleted within 24 hours of disconnection or account closure

10. Cookies

10.1 Strictly Necessary Cookies

These cookies are essential for the website to function (authentication, security). They do not require your consent.

10.2 Analytics Cookies

We use audience analytics tools to measure website traffic and improve the user experience. These cookies are only set with your consent.

10.3 Managing Preferences

You can change your cookie preferences at any time through your browser settings or via the consent banner displayed on the website.

11. Your Rights

Under the GDPR, you have the following rights:

• Right of access: obtain confirmation that your data is being processed and receive a copy
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure: request deletion of your data under applicable conditions
• Right to restriction: request restriction of processing in certain cases
• Right to portability: receive your data in a structured, commonly used format
• Right to object: object to the processing of your data on legitimate grounds
• Right to withdraw consent: at any time, for processing based on consent

To exercise these rights, contact us at: contact@reavo.co. We will respond within one month.

If you believe your rights have not been respected, you may file a complaint with the CNIL: www.cnil.fr.

12. Data Security

Reavo implements appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. All connections are encrypted via HTTPS, payment data is processed by Stripe (PCI-DSS certified), and data access is restricted to authorized personnel only.

13. Data Breach Notification

In the event of a data breach likely to result in a high risk to your rights and freedoms, Reavo will notify you promptly and no later than 72 hours after becoming aware of the incident, in accordance with Articles 33 and 34 of the GDPR.

14. Changes to This Policy

We reserve the right to update this Privacy Policy. In the event of a material change, we will notify you by email or through the Service. The date of the last update is indicated at the top of this page.

15. Contact

For any questions regarding this Privacy Policy or your personal data: contact@reavo.co