Revela Privacy Notice
Last updated: 3 July 2026
Who we are
Revela ("we") helps you understand the terms of service and privacy practices of the digital services you use, and measures your privacy maturity. We are a data controller under the Kenya Data Protection Act, 2019 and, where applicable, the EU General Data Protection Regulation (GDPR).
What we collect and why
- Account data (name, email, profile photo from Google Sign-In) — to create and secure your account. Legal basis: contract performance.
- Service selections — the services you tell us you use, so we can tailor summaries and assessments. Legal basis: contract performance.
- Chat messages with the AI advisor — retained so you can revisit your conversations. Sent to Anthropic (our AI processor) to generate responses. Legal basis: consent.
- Assessment answers and scores — to compute and track your privacy maturity over time. Legal basis: consent.
- Payment records — amount, status and transaction reference processed through Lipad (our payment processor). We never see or store your card number or M-Pesa PIN. Legal basis: contract performance and legal obligation (financial records).
What we don't do
- We do not sell your personal data.
- We do not use your data for third-party advertising.
- We do not train AI models on your conversations.
Your rights
Under the Kenya DPA (ss. 26, 40) and GDPR (Arts. 15–21) you have the right to access, correct, export and delete your data, and to withdraw consent. You can exercise export and deletion instantly from Settings. Complaints can be lodged with the Office of the Data Protection Commissioner (Kenya) at odpc.go.ke or your local supervisory authority in the EU.
Retention
Your data is kept while your account is active. On deletion, all personal data is erased immediately; payment records are retained in anonymized form only, to meet financial record-keeping obligations.
Processors
- Anthropic — AI responses (chat, question generation).
- Lipad (Musoni / Little) — payment processing (M-Pesa, cards).
- Google — sign-in authentication.
Security
Sessions use signed, HTTP-only cookies. Data is stored in a access-controlled PostgreSQL database. Payment payloads to Lipad are AES-256 encrypted per their specification.
Contact
Data protection queries: privacy@revela.app (placeholder — set your real contact before going live).