Privacy Policy
app.revsko.com (together, the "Service"). It also describes how we handle data accessed through Google Workspace, Microsoft 365, and other email-provider integrations on behalf of business customers.
1. Scope and the roles we play
revsko is a business-to-business service used by companies ("Customers") to operate outbound sales workflows. Two distinct relationships are covered by this policy:
- Coedify as a controller — for personal information about visitors to revsko.com, prospects who contact us, and Customer personnel who hold accounts with us (e.g., names, email addresses, billing details, support requests).
- Coedify as a processor — for personal information that our Customers upload into, generate within, or instruct us to retrieve through the Service in order to operate their outbound workflows. This includes contact lists, email content drafted on the Customer's behalf, replies received, and data retrieved via the Customer's connected Google Workspace, Microsoft 365, or other accounts ("Customer Data"). The Customer is the controller of Customer Data. Coedify processes Customer Data only under the Customer's written instructions, as further described in the Data Processing Addendum.
If you are an end user whose information has been uploaded to revsko by a Customer (for example, a prospect a Customer is contacting), please direct privacy requests to that Customer in the first instance. We will support our Customers in responding to such requests as required by applicable law.
2. Information we collect
2.1 Information you provide directly
- Account information: name, business email, company name, role, password (hashed), and tenant identifier.
- Billing information: billing contact, address, tax identifiers, and payment method tokens (full card numbers are handled by our payment processors; we do not store them).
- Sales-enquiry information: information you submit through the website enquiry form, calendar booking link, or by emailing us (business description, deal size, current outbound approach, and similar fields).
- Support communications: messages, attachments, and contact details you share when contacting support.
2.2 Information we collect automatically
- Usage data: pages visited, features used, timestamps, approval actions, and similar operational metadata.
- Device and log data: IP address, browser type, operating system, referrer, and language preferences. We retain server logs for a limited period for security, debugging, and abuse prevention.
- Cookies and similar technologies: see section 13.
2.3 Customer Data we process on a Customer's behalf
- Contact records: names, business emails, phone numbers, LinkedIn URLs, job titles, company information, and enrichment data, uploaded by the Customer or retrieved through enrichment vendors the Customer has authorised.
- Email content and metadata: drafts, approved message content, sent-confirmation records, message identifiers, thread identifiers, delivery state, and timestamps. When the Customer connects a Google Workspace or Microsoft 365 mailbox, we access only the scopes the Customer authorises (see section 5 and section 6).
- WhatsApp content and metadata: messages exchanged inside opted-in conversations the Customer manages through the WhatsApp Business Platform. At launch, WhatsApp use is limited to India recipients and opted-in or recipient-initiated conversations; revsko does not send cold WhatsApp messages.
- Workflow state: stage transitions, agent run records, approval decisions, notes, and audit history.
- Calendar data: meeting bookings and limited calendar metadata required to recognise accepted meetings.
2.4 Information from third parties
- Enrichment providers the Customer has authorised (for example, Apollo or similar services) — used to enrich contact records.
- OAuth identity providers (Google, Microsoft) — limited profile and authentication data when a user signs in or connects a workspace account.
- Payment processors and analytics providers — limited information about transactions and aggregate site traffic.
3. How we use information
We use information for the following purposes:
- Provide the Service: operate the Customer's configured outbound workflow, including research, drafting, sending, reply triage, and follow-up, all under Customer instruction.
- Account and billing administration: create and maintain accounts, authenticate users, calculate outcome-based fees (accepted qualified meetings), and invoice.
- Security and abuse prevention: detect, investigate, and prevent fraudulent, illegal, malicious, or policy-violating activity.
- Customer support: respond to requests, troubleshoot, and improve service quality.
- Product improvement: understand how the Service is used and improve features and reliability. Google user data and data derived from Google user data are not used for generalised analytics, benchmarking, playbook optimisation, foundation-model training, advertising, creditworthiness, lending, or any non-user-facing product improvement. Any use of Google user data is limited to providing or improving visible, prominent user-facing features for the authorising Customer and user, as required by the Google API Services User Data Policy. The same restriction applies to Microsoft 365 / Graph user data and data derived from it (see section 6).
- Legal and compliance: comply with applicable law, enforce our terms, respond to lawful requests, and protect rights, property, and safety.
- Direct communication: send service announcements, security notices, and (with appropriate basis) limited marketing about our own services. You can opt out of marketing at any time.
We do not sell personal information, and we do not use personal information for advertising, retargeting, or profiling unrelated to providing the Service.
4. Legal bases for processing (GDPR / India DPDP)
Where the EU/UK GDPR applies, we rely on the following legal bases:
- Contract — to provide the Service to Customers and account holders.
- Legitimate interests — to secure the Service, prevent abuse, improve features, and conduct limited business-to-business communications, balanced against your rights.
- Legal obligation — to comply with applicable laws and respond to lawful requests.
- Consent — where required, including for certain cookies or optional communications.
Where India's Digital Personal Data Protection Act 2023 ("DPDP") applies, we process personal data on the basis of consent or one of the "legitimate uses" recognised by the Act. The Digital Personal Data Protection Rules 2025 have been notified by the Ministry of Electronics and Information Technology, and obligations apply on the staged commencement timeline set out in those rules. We will provide notices, manage consent, respond to data-principal requests, and report personal-data breaches on the timelines required by the Act and Rules as those obligations come into force, and we will update this policy accordingly. The grievance contact for DPDP-related requests is set out in section 16.
5. Google API Services — Limited Use Disclosure
Limited Use Disclosure. revsko's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5.1 What Google user data we access — scope-by-scope
When a Customer connects a Google Workspace or consumer Gmail account, revsko requests only the OAuth scopes needed to operate the features the Customer has configured. The connected user sees the exact scopes requested at the consent screen and can revoke access at any time at myaccount.google.com/permissions. The scopes revsko may request, the data each grants, the user-facing feature it powers, and why a narrower scope is insufficient, are set out below.
| OAuth scope | Data accessed | User-facing feature in revsko | Why a narrower scope is insufficient |
|---|---|---|---|
openid · https://www.googleapis.com/auth/userinfo.email · https://www.googleapis.com/auth/userinfo.profile |
Google account identifier, primary email address, and basic profile fields (name, locale, picture). | Federated sign-in to revsko using Google and linking the user to the Customer's tenant. | These are the minimum standard scopes required for "Sign in with Google". |
https://www.googleapis.com/auth/gmail.compose |
Ability to create, read, update, and delete drafts and send messages created by the app. It does not grant general read access to the mailbox. | After the operator approves an outreach draft in revsko, the Service creates a Gmail draft for the operator to review and send from Gmail. | gmail.compose is the narrowest Gmail scope that allows revsko to create Gmail drafts for human review. revsko does not request gmail.send, gmail.modify, gmail.readonly, or https://mail.google.com/ for the launch flow. |
https://www.googleapis.com/auth/calendar.readonly |
Read-only access to calendars and events for the connected account. | Checks calendar availability and proposes meeting slots in operator-reviewed email drafts. | Free/busy-only access can be insufficient when the operator needs revsko to reason about existing event timing and availability context. This scope is read-only and does not allow revsko to create calendar events. |
https://www.googleapis.com/auth/calendar.events |
Read and write access to calendar events for the connected account. | Creates or updates meeting events only when the Customer has explicitly approved calendar booking for a meeting workflow. | Read-only calendar access cannot create an approved meeting event. This scope is used only for operator-approved booking flows; it is not used to send outreach. |
If a Customer's configuration does not require a particular scope, revsko does not request it. revsko does not request gmail.send, gmail.modify, gmail.readonly, https://mail.google.com/, or any other Gmail scope outside the table above. If future reply-triage features require Gmail read access, we will update this policy and the consent screen before requesting the additional scope.
5.2 How we use Google user data
We use Google user data only to provide and improve user-facing features that are prominent in the Service's user interface, specifically:
- Creating Gmail drafts after the operator has approved the message in revsko.
- Checking calendar availability and proposing meeting slots in operator-reviewed drafts.
- Creating or updating calendar events only when the Customer has explicitly approved a meeting-booking workflow.
- Recording draft, calendar, and sent-confirmation metadata in the Customer's audit history.
5.3 What we will not do with Google user data
"Google user data" includes raw data received from Google APIs and any data derived, summarised, or aggregated from it.
- We will not transfer Google user data to any third party except (a) to provide or improve user-facing features that are prominent in revsko's user interface, with the user's authorisation; (b) for security purposes, such as investigating abuse; (c) to comply with applicable laws; or (d) as part of a merger, acquisition, or sale of the developer's assets, in which case we will continue to use Google user data only as described in this policy after obtaining explicit prior consent from affected users.
- We will not use or transfer Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
- We will not use, transfer, or sell Google user data to determine creditworthiness or for lending purposes.
- We will not allow humans to read Google user data unless (a) we have obtained the affected user's affirmative agreement to view specific messages, files, or other data; (b) doing so is necessary for security purposes, such as investigating a bug or abuse; (c) doing so is necessary to comply with applicable laws; or (d) the data, including derivations, has been aggregated and is used for internal operations in compliance with the Google API Services User Data Policy.
- We will not use Google user data, or data derived from it, to develop, improve, or train generalised or non-personalised AI or machine-learning models. Where AI models are used to provide user-facing features (such as drafting outreach or classifying replies), Google user data is processed transiently to produce the user-facing output for the authorising user and is not retained by the AI provider for training. See section 7.
- We will not use Google user data for non-user-facing purposes such as generalised analytics, benchmarking across customers, or playbook optimisation outside the authorising Customer's tenant.
5.4 Storage, encryption, and deletion of Google user data
- Google user data is encrypted in transit (TLS) and at rest.
- Access is scoped per tenant and per user; revsko enforces tenant isolation across all stored Customer Data.
- A connected user can disconnect their account or revoke OAuth access at any time. On disconnection, we stop accessing Google user data and delete cached copies in accordance with section 10, except where retention is required by law.
6. Microsoft 365 and other email-provider integrations
Status: at launch, revsko operates on Google Workspace / Gmail only. Microsoft 365 (Microsoft Graph) is a planned integration and is not enabled, and not authorised to process Customer Data, until it goes live and the change-notice procedure in the DPA has been observed (see the planned sub-processors list at revsko.com/security/#subprocessors). The permissions and commitments below describe how revsko will use Microsoft Graph access when and if a Customer connects a Microsoft 365 account after that integration is live.
When revsko supports Microsoft 365 (via Microsoft Graph) and other email or calendar providers, the same principles described in section 5 apply, adapted to each provider's terms. revsko's use of Microsoft APIs complies with the Microsoft APIs Terms of Use, the Microsoft Identity Platform Terms of Use, and the relevant Microsoft 365 application certification requirements. A valid Microsoft 365 commercial licence is required to use Microsoft 365 integrations through revsko.
6.1 Microsoft Graph permissions revsko may request
| Microsoft Graph permission | Data accessed | User-facing feature |
|---|---|---|
openid · profile · User.Read |
Basic Microsoft account profile and identifier. | Federated sign-in and tenant linkage. |
Mail.Send |
Send messages on the connected user's behalf. | Outreach Agent sends approved emails. |
Mail.ReadWrite |
Read, create, update, and move messages and folders. | Reply Triage, Follow-up Agent, draft management, and folder/category updates for transparency in the connected mailbox. |
Calendars.Read |
Read events on the connected calendar. | Detect Accepted Qualified Meetings for outcome billing. |
6.2 Microsoft data commitments
- We request only the Microsoft Graph permissions required for the features the Customer has configured.
- We use Microsoft APIs Data only to provide and improve user-facing features in revsko's user interface for the authorising user.
- We do not use or transfer Microsoft APIs Data for advertising, marketing, or any purpose outside the permissions granted by the user.
- We do not use Microsoft APIs Data, or data derived from it, to train foundation models or for generalised, non-user-facing analytics.
- Microsoft user data is encrypted in transit and at rest, scoped per tenant, and deleted within 30 days of OAuth disconnection or account closure, except where retention is required by law.
- The connected user can review and revoke revsko's access at myapps.microsoft.com (work/school accounts) or account.live.com/consent/Manage (personal Microsoft accounts).
7. Use of AI models and customer content
revsko uses large-language-model providers (for example, OpenAI and Anthropic) to power agent features such as research, drafting, and reply classification. Our standing rules:
- Customer Data, including content retrieved from Google Workspace or Microsoft 365, is sent to AI providers only to produce a user-facing output (a draft, a classification, an enrichment summary) for the authorising Customer and user, and only in the volume needed for that output. Google user data and Microsoft user data are transferred to AI sub-processors only as needed for visible, prominent user-facing features in revsko's user interface, and only to the named AI sub-processors listed at revsko.com/security/#subprocessors.
- We use AI provider configurations that prohibit the provider from training its general foundation models on Customer Data and that apply zero retention (or the shortest retention available). We rely on each provider's enterprise / zero-retention / data-processing terms as published by that provider.
- Coedify does not train its own foundation models on Customer Data. Coedify does not train, fine-tune, or evaluate any model on Google user data, Microsoft user data, or data derived from them.
- Aggregated, de-identified operational signals (for example, which prompt patterns produced higher acceptance rates) may be used to improve playbooks and product features. This excludes Google user data and Microsoft user data and any data derived from them, which are not used for cross-customer benchmarking, playbook optimisation, or any non-user-facing improvement.
- Customers may bring their own AI provider keys ("BYOK"), in which case the terms of the Customer's contract with that provider govern.
8. Sharing and sub-processors
We share personal information only with the following categories of recipients:
- Sub-processors we engage to host, transmit, analyse, and secure data. A current list and the role of each sub-processor is maintained at revsko.com/security/#subprocessors. We require sub-processors to provide protections at least as protective as this policy and our Data Processing Addendum.
- Customers and their authorised users — Customer Data is accessible to the Customer that owns it and to users the Customer has authorised within their tenant.
- Professional advisers — lawyers, accountants, auditors, and insurers under confidentiality obligations.
- Authorities — when required by law, court order, or to protect rights, property, or safety. We will challenge requests that we believe are overbroad or unlawful where we can do so.
- Successors — in the event of a merger, acquisition, financing, reorganisation, or sale of assets, subject to commitments to honour this policy or notify you of material changes.
We do not sell personal information and we do not engage in "cross-context behavioural advertising" as those terms are defined under US state privacy laws.
9. International data transfers
Coedify is headquartered in India. We and our sub-processors may process personal information in jurisdictions other than the one in which it was collected. Where required (for example, transfers of EU/UK personal data outside the EEA/UK), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent UK transfer mechanisms, and we implement supplementary measures where required.
10. Data retention and deletion
We retain personal information only as long as needed for the purposes set out in this policy or as required by law. The table below summarises retention by data category.
| Data category | Default retention |
|---|---|
| Account information (name, business email, role, hashed credentials, tenant identifier) | Life of the account plus up to 24 months for dispute resolution, then deleted or anonymised. |
| Billing and tax records (invoices, payment-method tokens, GST/VAT data) | As required by applicable tax law (typically 6–8 years), then deleted. |
| OAuth tokens (Google, Microsoft, other providers) | Until the user disconnects, the account is closed, or 30 days of inactivity. Revoked immediately on disconnection. |
| Google user data and Microsoft user data (Gmail draft content, calendar data, provider identifiers, derived data) | Deleted within 30 days of OAuth disconnection, account closure, or Customer termination, except where retention is required by law. |
| Email content and metadata processed on the Customer's behalf (drafts, sends, replies) | Retained for the Customer's subscription term and deleted within 30 days of termination. |
| Workflow state, audit history, approval decisions | Retained for the Customer's subscription term and deleted within 30 days of termination. |
| Suppression lists (unsubscribes, opt-outs, bounces) | Retained for the life of the Customer's tenant and for a reasonable period afterwards as required by anti-spam law (CAN-SPAM, CASL, GDPR, DPDP). |
| Application logs and security events | Up to 90 days, then deleted or aggregated. |
| Backups | Expire on the standard backup cycle (typically up to 35 days) after the underlying record is deleted. |
| Marketing and sales-enquiry contact data | Up to 24 months from last interaction unless you opt in to longer retention or request earlier deletion. |
A Customer or end user can request earlier deletion at any time by emailing privacy@revsko.com, subject to the Customer's own retention obligations and applicable law.
11. Security
We implement organisational and technical measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Tenant-isolated data stores and scoped permissions per agent and per user.
- Approval-gated workflows so that every important action waits for human approval before it is executed.
- Audit logging of access to Customer Data and administrative actions.
- Access controls and authentication for personnel, with the principle of least privilege.
- Vulnerability monitoring and timely patching of dependencies.
- Secure software development practices and code review.
No system can be made perfectly secure. If you believe you have identified a security issue, please contact security@revsko.com. Additional detail is available on the Security page.
12. Your rights
Depending on where you live, you may have the following rights with respect to your personal information:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate or incomplete information.
- Deletion / erasure — ask us to delete information, subject to lawful exceptions.
- Portability — request a structured, machine-readable copy of certain information.
- Restriction or objection — restrict or object to certain processing, including direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
- Complaint — lodge a complaint with a supervisory authority (such as your local Data Protection Authority or the Indian Data Protection Board, once constituted).
To exercise these rights, email privacy@revsko.com. We will verify your identity before fulfilling a request. If your information was uploaded by a Customer (you are an end user, not an account holder), we will typically refer your request to that Customer and assist them in responding.
12.1 Response timelines
- EU / UK GDPR — without undue delay and at the latest within one month of receipt; we may extend by two further months for complex or numerous requests, with notice and reasons.
- CCPA / CPRA and other US state privacy laws — confirm receipt within 10 business days and substantively respond within 45 calendar days, with one 45-day extension where reasonably necessary and noticed.
- India DPDP — within the period prescribed by the DPDP Rules 2025 and any updates from the Data Protection Board.
- Right to appeal — where US state law (e.g. Virginia, Colorado, Connecticut, Texas, Oregon) grants an appeal right, we will provide an appeal route via privacy@revsko.com and respond to appeals within 60 days.
12.2 Notice to US state residents (California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others as applicable)
The categories of personal information we have collected, the sources, the business purposes, and the categories of recipients in the past 12 months are summarised below. We do not "sell" personal information and we do not "share" personal information for cross-context behavioural advertising as those terms are defined under US state privacy laws. We do not knowingly process the personal information of consumers under 16 for sale or share. You may exercise the rights above without discrimination.
| Category of personal information | Sources | Business purpose | Categories of recipients |
|---|---|---|---|
| Identifiers (name, business email, account identifiers, IP address) | Directly from you; automatically through use of the Service | Provide and secure the Service; account administration | Sub-processors listed at /security/#subprocessors |
| Commercial information (subscription, billing) | Directly from you; payment processors | Billing; outcome accounting | Payment processors; tax authorities where required |
| Internet or other electronic network activity (usage, logs) | Automatically | Security; troubleshooting; product improvement (excluding Google/Microsoft user data) | Hosting and security sub-processors |
| Professional information (job title, employer) | Directly from you; from Customers about their personnel | Provide and configure the Service for the Customer | Same as above |
| Inferences drawn from the above (e.g., feature preferences) | Derived from usage | Improve features for the authorising Customer (excluding restricted data) | None outside our sub-processors |
| Customer Data uploaded or retrieved on a Customer's behalf (contact lists, mailbox content, calendar events) | Customer upload; provider integrations (Google / Microsoft) | Operate the Customer's outbound workflow as instructed | Sub-processors; recipients chosen by the Customer |
We do not process "sensitive personal information" within the meaning of the CCPA/CPRA for the purpose of inferring characteristics about a consumer.
12.3 Global Privacy Control (GPC)
We do not "sell" or "share" personal information, so opt-out signals such as Global Privacy Control have no practical effect on our processing. We treat any GPC signal we receive as a request to confirm this status and to apply the strongest available privacy preference for that browser.
13. Cookies, fonts, and analytics
The marketing website at revsko.com uses a minimal set of strictly necessary cookies and may use Cloudflare Web Analytics, a privacy-preserving analytics service that does not use cookies for cross-site tracking and does not collect personal data such as IP addresses for cross-site profiling. We may add other analytics tools later; if those tools require consent under applicable law, we will obtain it.
The application at app.revsko.com uses cookies and similar technologies that are strictly necessary to provide the Service (for example, session and CSRF tokens). Where additional, non-essential cookies are used, we will request consent where required.
Fonts. Pages on revsko.com self-host web fonts from the same revsko.com domain. We do not load Google Fonts or other third-party font CDNs from visitors' browsers.
You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent parts of the Service from functioning.
14. Children
The Service is intended for business use by adults. It is not directed to children, and we do not knowingly collect personal information from children under 16 (or the higher age set by applicable law, including the age of consent under India's DPDP). The Service must not be used to operate child-directed workflows or to process the personal information of children, and Google Workspace and Microsoft 365 integrations must not be used in connection with any service directed to children. If you believe a child has provided us with personal information, contact privacy@revsko.com and we will take appropriate steps to delete it.
15. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify Customers by email or through the Service. Continued use of the Service after an update constitutes acceptance of the revised policy.
16. How to contact us
Controller: Coedify Technology LLP
Address: C-89, 5th Floor, Sector 2, Noida, Uttar Pradesh 201301, India
Privacy contact: privacy@revsko.com
Security contact: security@revsko.com
General contact: hello@revsko.com · +91 81300 46116
India DPDP grievance officer. Data principals may contact the grievance officer at privacy@revsko.com. We will acknowledge complaints on receipt and respond within the period prescribed by the DPDP Rules 2025.
EU and UK GDPR Article 27 representatives. Coedify has no establishment in the EU or the UK and has not appointed EU or UK Article 27 representatives. Until named representatives are published here, revsko is not offered to Customers established in the EU or UK and must not be used for outbound campaigns that intentionally target EU/UK data subjects, unless Coedify confirms in a written Order that the processing is exempt from the representative requirement or that representatives have been appointed before processing begins. EU/UK data subjects can reach us at the privacy contact above.