Who we are and how to contact us
The data controller for personal data processed under this Privacy Policy is:
Revmai Ltd
A company registered in England and Wales with company number 16515498.
Registered Office
30 The Causeway, Chatham, ME4 3SR, United Kingdom.
ICO Registration:
ZC009882
Postal Address:
as above, marked "FAO Data Protection"
Scope and our role
Revmai processes personal data in two different roles depending on the activity:
2.1 : When we act as controller.
We are the controller for personal data we collect directly when you visit our website, register for an account, contact us, attend our events, or receive our marketing communications. We are also the controller for personal data we collect from third parties to enrich our marketing database for our own outreach. This Privacy Policy describes that processing.
2.2 : When we act as processor.
When our customers use the Services to manage their own commercial activities — including uploading contact lists, sending outreach, recording or transcribing meetings, building proposals, and generating AI Output — Revmai processes the personal data in those activities as a processor on behalf of the customer. The customer is the controller. The processing is governed by our Data Processing Addendum at revmai.com/legal/dpa and is not the subject of this Privacy Policy. If you are an employee, contact, or other data subject of a Revmai customer, please contact the customer directly to exercise your rights; we will support the customer in responding to you.
Definitions
- “Authorised User” means an individual employee, contractor, or agent of a Revmai customer who is permitted to access the Services under that customer’s account.
- “Customer” means an organisation that has subscribed to the Services under our Terms of Service or an Order Form.
- “Customer Data” means personal data uploaded to, generated by, or processed through the Services on behalf of a Customer, where Revmai acts as processor.
- “Personal data” means any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
- “Prospect” means an individual whose personal data we process for our own marketing or sales activity (i.e., where we are controller).
- “Services” means the Revmai platform and related services, as described in our Terms of Service.
- “Sub-Processor” means a third party engaged by Revmai to process personal data on our behalf or on behalf of our customers, as listed at revmai.com/legal/sub-processors.
- “You” means the data subject reading this Privacy Policy — a website visitor, prospect, account holder, Authorised User, marketing recipient, or other person whose personal data Revmai processes as controller.
Personal data we collect
We collect the following categories of personal data when we act as controller. Some categories apply only to certain types of data subject (e.g., account holders only).
4.1 : Information you provide to us
- Identity and contact data — full name, job title, employer, business email address, business phone number, country.
- Account data — login credentials (we store only a salted hash of your password), seat permissions, account preferences.
- Communications data — the content of any emails, support tickets, demo requests, or other messages you send us, and any attachments.
- Event data — attendance at our events, meetings, or webinars; recordings only where notice and consent are obtained.
- Marketing preferences — your consent or opt-out status for our marketing communications.
- Payment data — for customers, billing contact name, billing address, VAT number; card details are processed by our payment processor and Revmai does not store full card numbers.
4.2 : Information collected automatically
- Usage data — pages visited, features used, time spent in the Services, interaction with the ROSIE AI Co-Pilot and other modules, error logs.
- Device and technical data — IP address, browser type and version, operating system, time-zone setting, device identifiers, language preferences, referring URL.
- Cookies and similar technologies — see clause 14 (Cookies) and our separate Cookies Notice at revmai.com/legal/cookies.
4.4 : Information from third parties
- Public sources — for our own outreach, we may collect business contact data from publicly available sources (corporate websites, professional networks, business directories) consistent with the source’s terms.
- Data providers — we use People Data Labs and similar B2B data providers for marketing enrichment. Where we are controller, this processing is described here; where we enrich Customer Data on a customer’s instruction, we act as processor.
- Integrations — when you connect a third-party service (e.g., Google Workspace, Microsoft 365, HubSpot, Salesforce, LinkedIn) to our Services, we receive data through that integration as permitted by your authorisation.
4.5 : Sensitive (special category) data
- We do not seek to collect, and ask you not to provide, any special category data under UK GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic or biometric data; data concerning health, sex life, or sexual orientation). If you inadvertently provide special category data (for example in the content of a support ticket), we will process it only to respond to the issue and delete it at the earliest reasonable opportunity.
Purposes and lawful bases
We process your personal data for the following purposes and on the following lawful bases under UK GDPR Article 6:
Providing the Services to customers (account access, support, billing)
Lawful basis: Performance of a contract (Article 6(1)(b)) — between Revmai and the customer; for Authorised Users, performance of the customer’s contract; necessary to take steps prior to entering a contract for account holders during onboarding.
Service security, abuse prevention, fraud detection, audit logging
Lawful basis: Legitimate interests (Article 6(1)(f)) — our interest in maintaining a secure and reliable platform for all customers; this interest is not overridden by your rights or freedoms.
Product analytics, usage analysis, service improvement
Lawful basis: Legitimate interests (Article 6(1)(f)) — our interest in improving the Services. We aggregate and anonymise data wherever possible so that no individual is identifiable.
Direct marketing to website visitors and prospects who have not previously been our customer
Lawful basis: Consent (Article 6(1)(a)) — collected via our cookie banner or marketing signup form. You may withdraw consent at any time.
Direct marketing to existing customers about similar Revmai products and services
Lawful basis: Legitimate interests (Article 6(1)(f)) and the PECR soft opt-in — our interest in informing existing customers about relevant services, with an unsubscribe option in every message.
Responding to enquiries and providing customer support
Lawful basis: Legitimate interests (Article 6(1)(f)) — our interest in responding to people who contact us; performance of a contract where the enquiry relates to an existing contract.
Complying with legal obligations (tax, accounting, regulatory, court orders)
Lawful basis: Legal obligation (Article 6(1)(c)).
Establishing, exercising, or defending legal claims
Lawful basis: Legitimate interests (Article 6(1)(f)) — our interest in protecting our legal position.
Corporate transactions (due diligence on a merger, acquisition, or sale)
Lawful basis: Legitimate interests (Article 6(1)(f)) — our interest in undertaking and protecting the value of corporate transactions; we use suitable safeguards (NDAs, anonymisation) where personal data is shared with advisers and bidders.
Where we rely on legitimate interests, you have the right to object to the processing — see clause 12 (Your rights). We have undertaken a balancing assessment for each legitimate interest relied on; a summary is available on request at dpo@revmai.com.
Sharing and recipients
We share personal data only as set out in this clause.
6.1 : Sub-Processors
- We engage sub-processors to provide hosting, AI, email delivery, data enrichment, analytics, and other services. Our current sub-processor list — including the name of each provider, the role they perform, the country of processing, and the transfer mechanism (where applicable) — is published at revmai.com/legal/sub-processors. We update the list when sub-processors change.
6.2 : Categories of sub-processor at the date of this Policy
- Cloud hosting and AI compute (Microsoft Azure, UK); AI inference (Anthropic, US; Google Gemini, US; Azure OpenAI, UK); workplace productivity OAuth and meetings (Google, US; Microsoft, UK/US); meeting transcription (Fireflies.ai, US — customer-initiated pull integration); transactional and outreach email (SendGrid, US); B2B data enrichment (People Data Labs, US; Bright Data, Israel); vector database (Qdrant Cloud); web search (Serper, US); source-control and continuous integration (GitHub Actions, US).
6.3 : Other recipients
- We may share personal data with our professional advisers (lawyers, accountants, insurers, auditors) under confidentiality obligations; with HMRC and other regulators or law-enforcement bodies where required by law; with prospective buyers and their advisers in connection with any actual or proposed corporate transaction (subject to NDAs and anonymisation where possible); and with payment processors and banks for the purpose of receiving payment.
6.4 : No sale of personal data
- Revmai does not sell personal data.
International transfers
Some of our sub-processors are located outside the United Kingdom. Where personal data is transferred to a third country (other than to a country covered by UK Adequacy Regulations), we put in place one of the transfer mechanisms recognised under UK GDPR Chapter V:
- UK Adequacy Regulations — for transfers to EEA countries and other jurisdictions designated as adequate by the UK Government (currently including, for example, the EEA, Switzerland, Israel, Canada (commercial organisations), and others — see ico.org.uk for the current list).
- UK Extension to the EU-US Data Privacy Framework (UK Extension to the DPF) — for transfers to recipients in the United States that are certified to the UK Extension. Our US sub-processors that are DPF-certified currently include Anthropic, Google, Microsoft, and GitHub.
- UK International Data Transfer Agreement (UK IDTA) — for transfers to recipients in third countries not covered by Adequacy Regulations and not certified under the UK Extension to the DPF. We currently use the UK IDTA for transfers to Fireflies.ai, SendGrid, People Data Labs, and Serper.
Where required, we have undertaken a transfer risk assessment in line with ICO guidance. You can request a copy of the relevant transfer mechanism or transfer risk assessment by contacting dpo@revmai.com.
Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, as required by law, or as necessary to establish, exercise, or defend legal claims. The following retention periods apply (where multiple bases apply, the longer period applies):
- Account data (account holders, Authorised Users) — Active life of the account plus seven years after closure — to satisfy obligations under the Companies Act 2006 and HMRC tax law and to defend legal claims under the Limitation Act 1980.
- Marketing list data (prospects who have engaged with our marketing) — Until opt-out, or three years from last engagement, whichever is sooner.
- Website usage and analytics (cookie-based) — 14 months from collection, subject to our Cookies Notice.
- Security and audit logs — 12 months from creation, longer where required for an active investigation, regulatory inquiry, or legal claim.
- Support correspondence and ticket records — Three years after closure of the relevant case.
- Financial records (invoices, payment records) — Seven years (HMRC requirement).
- Recordings of demos, events, and webinars (where consent obtained) — Two years from creation.
- Personal data of Customer-uploaded contacts and Customer meeting transcripts — As processor — per Customer instruction; default 30 days after subscription end for deletion (Terms of Service v2 clause 20.4).
Security
We use appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, having regard to the state of the art and the nature, scope, and purposes of processing (UK GDPR Article 32).
Our measures include:
- Encryption of personal data at rest using AES-256 and in transit using TLS 1.2 or higher.
- Multi-factor authentication on administrative and privileged accounts.
- Role-based access control with the principle of least privilege.
- Centralised audit logging of access and changes to personal data.
- Regular vulnerability scanning and patching of infrastructure.
- Background screening of employees with privileged access.
- Confidentiality obligations on all employees, contractors, and sub-processors.
- Incident response procedures aligned to ICO guidance.
No method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security but we work continuously to improve our controls.
Automated decision-making and profiling
Several features of our Services use artificial intelligence to assist commercial decision-making — including the ROSIE AI Co-Pilot, the AI SDR, prospect scoring, and meeting summarisation. These features involve profiling within the meaning of UK GDPR Article 4(4).
We do not make solely automated decisions that produce legal effects, or similarly significant effects, on any data subject within the meaning of UK GDPR Article 22. Where the Services suggest a prospect score, generate an outreach draft, or summarise a meeting, the final commercial decision (whom to contact, what to send, how to act) is taken by a human at the customer organisation.
If you believe that an automated decision has been made about you through our Services, please contact dpo@revmai.com. You have the right to express your point of view, contest the decision, and obtain human review.
AI and large language models
Our Services rely on third-party large language models, including services provided by Anthropic, Azure OpenAI, and Google. We have configured our agreements and processing settings so that:
- Your personal data is not used to train, fine-tune, or otherwise improve third-party foundation models.
- Prompts and outputs are processed only to deliver the requested Service feature and are retained by the relevant provider only for the period and purposes set out in our sub-processor agreements with them.
- We may use aggregated and anonymised data — from which no individual can be identified — to improve our own Services.
AI outputs may contain errors. Please review AI outputs before relying on them, particularly for any decision that affects an individual's legal rights, employment, credit, insurance, or other significant matter.
Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15) — to obtain confirmation of whether we process your personal data and a copy of the data.
- Right to rectification (Article 16) — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (Article 17) — to request deletion of your personal data where one of the grounds in Article 17 applies.
- Right to restriction of processing (Article 18) — to require us to restrict processing in certain circumstances.
- Right to data portability (Article 20) — to receive a copy of personal data you have provided in a structured, commonly used, machine-readable format, and to transmit it to another controller.
- Right to object (Article 21) — to processing based on legitimate interests, including profiling; and to processing for direct marketing at any time.
- Right not to be subject to a solely automated decision producing legal or similarly significant effects (Article 22) — see clause 10.
- Right to withdraw consent (Article 7(3)) — where the processing is based on consent, you may withdraw consent at any time; this does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact dpo@revmai.com. We will respond within one month, or where we extend the period under UK GDPR Article 12(3), we will tell you within that month and explain why.
Right to complain to the Information Commissioner’s Office.
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority. The ICO can be contacted at:
- Online: ico.org.uk/concerns
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would, however, appreciate the chance to address your concerns first — please contact us at dpo@revmai.com.
Marketing communications
We send marketing communications about Revmai's products and services on one of three bases: (a) your consent (where you have opted in through our website or signup forms); (b) the soft opt-in under regulation 22(3) of PECR (where you are an existing customer, the communication is about similar products and services, and you were given a simple way to opt out when your data was first collected); or (c) for B2B contacts (corporate subscribers under PECR), the rules permit communications without consent provided we offer an opt-out in each communication.
You can opt out of marketing at any time by using the unsubscribe link in any of our marketing emails, by emailing privacy@revmai.com, or by updating your communication preferences in your Revmai account.
Cookies
We use cookies and similar technologies on our website to make the website work, to remember your preferences, to measure how the website is used, and (where you consent) to deliver advertising. Detailed information about the cookies we use, their purposes, the parties who set them, and how you can manage your preferences is set out in our Cookies Notice at revmai.com/legal/cookies. You can also manage cookies directly through your browser settings.
Strictly necessary cookies are set without consent because they are required to deliver the website to you (for example, to remember items in a form). All other categories — analytics, functional, marketing — are set only where you have consented through our cookie banner. You may change or withdraw your cookie consent at any time by clicking the "Cookie preferences" link in the website footer.
Children
Our Services and website are intended for use by businesses and their employees. We do not knowingly collect personal data from children under the age of 16. If you are under 16, please do not provide personal data to us. If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will take steps to delete that data promptly.
Personal data breaches
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34.
- Notify our customers (where the breach involves Customer Data and we are processor) without undue delay, in accordance with the Data Processing Addendum.
Our breach notification will describe (where the information is available) the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and to mitigate its effects.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. For material changes (changes that significantly affect how we process your personal data, the recipients we share it with, or your rights), we will give you at least 30 days' prior notice by email (where we have your email address) or by a prominent notice on our website. For non-material changes (clarifications, typographical corrections, updates required by law), we will update the "Last Updated" date at the top of this Privacy Policy.
Older versions of this Privacy Policy are available on request at dpo@revmai.com.
End of Privacy Policy
Revmai Ltd | Company number 16515498 | 30 The Causeway, Chatham, ME4 3SR | dpo@revmai.com