Privacy Policy
Last updated: March 23, 2026
What this document covers
This policy describes the current Ralevio data flows, the controller and processor split inside the product, the processors visible in this repository, and the request paths available to admins and verified public clients.
1. Scope and Roles
Ralevio acts as controller for its own marketing site, account creation and sign-in, billing, support, security logging, abuse prevention, and workspace-level product analytics.
For workspace customer records such as bookings, orders, appointments, worker reviews, and client profiles stored inside a workspace, Ralevio generally acts as processor on behalf of the workspace owner or admin.
Workspace owners and admins remain responsible for their own customer-facing notices, instructions, legal bases, and response handling where they use Ralevio to manage end-customer data.
2. Data Categories We Process
Account and workspace data: name, email, recovery email, phone, role, workspace legal/contact details, onboarding metadata, and billing-related records.
Public client data: phone numbers used for OTP, full name, avatar data, booking and order history, appointment records, worker review content, and linked phone-session tokens.
Technical and security data: IP address, browser and device metadata, logs, request IDs, rate-limit counters, consent state, and abuse-prevention signals.
3. Why We Process Data and Legal Bases
Contract performance: to deliver booking, onboarding, workspace management, authenticated access, and customer-facing service flows.
Legitimate interests: to secure the service, prevent fraud or spam, investigate incidents, debug failures, and improve reliability.
Consent: non-essential public analytics, marketing attribution storage, and Google Analytics are enabled only after consent where required and can be withdrawn later.
4. Sharing, Processors, and Transfers
Supabase processes authentication, Postgres data, storage, and server-side administrative access for the application.
Twilio processes phone numbers and message or verification metadata for public OTP checkout, staff phone authentication, and worker invite SMS.
Upstash Redis processes shared cooldown and rate-limit tokens when that optional configuration is enabled.
Linear receives authenticated feedback tickets from the in-app feedback form.
Google OAuth receives sign-in identifiers when a user chooses Google sign-in.
Google Analytics receives public-site analytics only when it is enabled and the user has granted consent.
These providers may process data outside your country. We rely on vendor contracts, platform terms, and transfer safeguards appropriate to the relevant flow. Production hosting and CDN inventory must still be reviewed separately from this source tree before launch.
We do not sell personal data.
5. Retention and Deletion
Public client phone sessions are rotated after 90 days.
Workspace growth analytics events and billing funnel events are cleaned up after 365 days.
Marketing attribution is stored in the browser only after consent and is removed from cookies and localStorage when that consent is withdrawn.
Orders, appointments, billing records, and workspace operational data are retained according to workspace instructions, contractual needs, and legal obligations. The current codebase supports targeted erasure or anonymisation flows, but it does not yet enforce a blanket age-based purge for every operational record category.
6. Your Rights and Request Paths
Authenticated owners and admins can export their own account and administered workspace access data through /api/privacy/export.
Authenticated workspace owners and admins handling end-customer requests inside their own tenant can use /api/admin/clients/privacy/export and /api/admin/clients/privacy/delete after signing in and supplying the relevant workspaceId and clientId.
Verified public clients can request export through /api/public/privacy/export and supported deletion through /api/public/privacy/delete after phone-session verification.
You may also request correction, restriction, portability, or objection, or raise a complaint with your local data protection authority. Use /contact to route privacy or support requests, and note that workspace owners or admins remain responsible for end-customer requests tied to their own workspace data.
We may ask for identity verification before acting on a request.
7. Cookies and Public Analytics
Essential cookies and storage support authentication, language preferences, booking continuity, security controls, and abuse prevention.
Non-essential marketing attribution and Google Analytics remain disabled until consent is granted.
You can withdraw consent from the cookie banner. When analytics consent is withdrawn, the public marketing attribution storage is removed from cookies and localStorage.
See /terms for service obligations and /contact for privacy or support routing.
8. Security
We apply role-based access controls, server-side verification, transport security, audit logging, and rate limits across sensitive flows.
No system can guarantee absolute security, but the codebase is designed to reduce unnecessary access and to keep sensitive operations behind authenticated or verified server routes.
Need a contact path or clarification?
Use /contact for privacy and support routing. Authenticated workspace owners and admins can use the in-app feedback form, while verified public clients can use /api/public/privacy/export or /api/public/privacy/delete once their phone session has been verified.