Privacy Policy
Last updated: 15 June 2026
This Privacy Policy explains how RevAIved d.o.o. ("RevAIved", "we", "us") collects, uses, stores and shares personal data when you use our mobile applications, website and related services (together, the Service). RevAIved is a company incorporated in the Republic of Slovenia. It is a private companionship product: you describe someone you've lost, and an artificial intelligence ("AI") system generates messages in their voice so you can keep a connection alive. It is not therapy, not medical care, and not the actual person. See our Terms of Service for the full scope of the Service.
We follow the European General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Slovenia's Personal Data Protection Act (ZVOP-2, in force since 26 January 2023), the UK GDPR, the California Consumer Privacy Act as amended (CCPA/CPRA), the Washington My Health My Data Act ("MHMDA"), and other applicable privacy laws. Where any law gives you stronger rights, you have those stronger rights.
1. Plain-English summary
If you only read this section, here's what it says: we store the personas you create, the photos you upload, and the chat messages you exchange. We need them to give you the Service. We send the text of your messages to OpenAI so the AI can generate replies. We do not sell your data, we do not use your messages or memories to train any AI model, we do not run third-party trackers in the mobile app, and you can delete everything in one tap from inside the app. If you're under 18 we ask you not to use RevAIved.
2. Who we are & how to reach us
- Data controller: RevAIved d.o.o., incorporated in the Republic of Slovenia. (Registered address available on request.)
- Contact: support@revaived.com
- Privacy questions / data-subject requests: privacy@revaived.com
- Notice-and-action under EU Digital Services Act Art. 16 / illegal content reports: legal@revaived.com
- Supervisory authority: Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec / IP-RS), Dunajska cesta 22, 1000 Ljubljana — ip-rs.si. You may also lodge a complaint with the supervisory authority in your country of residence.
If you are in the United Kingdom, we will appoint a UK representative under Article 27 UK GDPR if and when our processing of UK residents' data requires it. Until then, you may direct UK queries to privacy@revaived.com.
3. What we collect
We collect only what we need to run the Service. Specifically:
- Account data. Your email address or, if you sign in with Google or Apple, the unique identifier those providers return, plus the name and email you allow them to share with us. We store a hashed password if you use email/password sign-in.
- Persona content. Everything you provide to create or edit a persona — name, relationship, year of birth, place, personality traits, hobbies, catchphrases, optional nickname, optional avatar photo.
- Chat content. The text messages you send to a persona and any images you attach, plus the AI-generated replies. May include sensitive context (grief, bereavement, family relationships, mental-health-adjacent reflections). See §6 below for how we treat this.
- Generated content. The replies the AI sends back to you, and short "memory" snippets the system extracts from conversations so the persona can remember details over time.
- Operational data. Server logs (IP address, user agent, timestamps, request paths), audit records of API calls, correlation IDs, app version, OS version, device identifiers needed for crash reporting.
- Safety signals. When our moderation layer flags a message as crisis-related (self-harm category), we record the category label, a timestamp, and a correlation ID — not an additional copy of the message.
- Payment data. If you subscribe to a paid tier, the App Store (Apple) or Play Store (Google) handles your payment under their own privacy policies; we receive only your subscription status, tier and a transaction reference. We do not see your card details.
- Communications with us. Emails you send to support and our responses.
4. What we don't collect & don't do
- We do not sell or "share" (as defined by CCPA/CPRA) your personal data.
- We do not use your conversations, persona content or memory snippets to train any general-purpose AI model — ours or anyone else's. Our agreement with OpenAI uses their API tier, where input/output is excluded from model training by default.
- We do not embed third-party advertising or behavioural-tracking SDKs in the mobile app.
- We do not perform cross-context behavioural advertising.
- We do not use your data to make solely automated decisions that have legal or similarly significant effects on you (see §13 on AI replies).
- We do not intentionally collect data from children under 18 (see §17).
5. Why we process & legal bases under GDPR
Each processing activity needs a legal basis. We rely on the following:
- Provide the Service (account creation, persona storage, chat delivery, paid tier management) — Art. 6(1)(b) GDPR, performance of contract with you.
- Process chat content that reveals or implies your mental-health or emotional state — Art. 9(2)(a) GDPR, explicit consent. Because grief, bereavement and emotional content can be inferred mental-health data, we treat all chat content as Article 9 "special category" data and process it only where you have explicitly consented to that processing by creating an account and continuing to use the Service after our pre-chat disclosure. You can withdraw this consent at any time by deleting your account (which deletes the content).
- Operational security, abuse prevention, audit logging — Art. 6(1)(f), legitimate interest in keeping the Service safe and lawful. We've balanced this against your privacy and you can object (see §12).
- Safety / crisis moderation (recording when a message is flagged) — Art. 6(1)(f) legitimate interest (protection of users); for the underlying message text the legal basis is the same as for chat content.
- Comply with legal obligations (tax, accounting, lawful requests) — Art. 6(1)(c).
- Defend or pursue legal claims — Art. 6(1)(f) / Art. 9(2)(f).
6. Sensitive data & mental-health context
We recognise that what you say to a persona may reveal sensitive information about your emotional state, your bereavement, or your mental health. We treat all chat content as Article 9 special-category data under GDPR and process it only on the basis of your explicit consent (Art. 9(2)(a)).
For users in Washington State, we recognise that grief, bereavement and emotional content may constitute "consumer health data" under the My Health My Data Act. We will provide a Washington-specific Consumer Health Data Privacy Policy on request and will obtain the separate, affirmative consents that MHMDA requires before any sale (we do not sell) or sharing for marketing (we do not do this) of such data.
We have completed a Data Protection Impact Assessment ("DPIA") under Article 35 GDPR before offering the Service. We review the DPIA on material changes and at least annually.
7. Service providers (processors) we use
We use a small, named set of vendors. Each is bound by a written data-processing agreement.
- Supabase (Supabase, Inc.). Authentication, PostgreSQL database, object storage for avatars and chat images. Hosting region: EU (Frankfurt). Function: hosting processor.
- OpenAI (OpenAI, L.L.C. / OpenAI Ireland Ltd). Large-language-model API used to generate persona replies, and a moderation API used to detect crisis-category content. Function: AI processor. Per OpenAI's API policy, content sent through the API is not used to train OpenAI's models. We have signed OpenAI's Data Processing Addendum.
- Apple Inc. Sign in with Apple (authentication identifier), App Store (payments, subscription management, refund processing).
- Google LLC. Sign in with Google (authentication identifier), Google Play (payments, subscription management).
- Email / support tooling for replying to your support requests.
A current list of our processors and sub-processors is available at any time on request to privacy@revaived.com. We will notify users in-app before adding or replacing any processor that materially affects this Policy.
8. International data transfers
Our primary data store is in the European Union. Some processors (notably OpenAI) process data in the United States. Where personal data leaves the European Economic Area, we rely on:
- European Commission adequacy decisions where they exist (e.g., UK adequacy);
- Standard Contractual Clauses (Decision 2021/914) plus, where appropriate, supplementary technical and organisational measures;
- The UK International Data Transfer Addendum for UK-origin data;
- Brazilian ANPD Standard Contractual Clauses for LGPD-origin data.
For Brazilian, UK, Swiss and other transfers, we apply the equivalent safeguards required by the relevant law. You can request a copy of the transfer mechanism for a specific processor by emailing privacy@revaived.com.
9. How long we keep your data
| Category | Retention |
|---|---|
| Account, personas, chat messages, photos, extracted memories | Until you delete them or delete your account. We do not retain copies after deletion. |
| Operational logs (server-side request logs) | 30 days, then deleted. |
| Audit records of API requests (correlation IDs, status codes, safety flags) | 12 months, then deleted. |
| Backups | Encrypted backups are retained for up to 30 days for disaster recovery, after which deleted content is fully purged. |
| Records required by tax / accounting law | As required by Slovenian law (typically up to 10 years under the Slovenian Companies Act / ZGD-1 and Tax Procedure Act / ZDavP-2), separated from operational systems. |
| Records needed to defend legal claims | Until the relevant limitation period expires, then deleted. |
Account deletion (from the Profile screen) is immediate, irreversible, and has no recovery path. Storage objects (photos and chat images) and database rows are removed within minutes; backups purge on the schedule above.
10. Your rights under GDPR / UK GDPR
If you are in the EU, EEA or the UK, you have the right to:
- Access a copy of the personal data we hold about you (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erasure ("right to be forgotten") (Art. 17);
- Restrict processing in certain circumstances (Art. 18);
- Portability — receive your data in a structured, machine-readable format (Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Withdraw consent at any time, without affecting the lawfulness of prior processing;
- Lodge a complaint with the Slovenian Information Commissioner (ip-rs.si) or your local supervisory authority;
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22) — see §13.
To exercise any of these rights, email privacy@revaived.com. We respond within 30 days (extendable by 60 days for complex requests, with notice).
11. Your rights in California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of recipients;
- Delete the personal information we have collected from you (with limited exceptions);
- Correct inaccurate personal information;
- Opt out of "sale" or "sharing" of personal information — although we do not sell or share your data, you may still register this preference;
- Limit use and disclosure of Sensitive Personal Information ("SPI") — we treat chat content as SPI and use it only to provide the Service you requested;
- Non-discrimination for exercising any CCPA right.
We honour the Global Privacy Control (GPC) signal sent from compatible browsers. To exercise a California right, email privacy@revaived.com from the account email associated with your data, or use the in-app delete-account flow. You may use an authorised agent; we will verify the agent's authority.
12. Your rights in Washington (My Health My Data Act)
If you are a Washington resident, in addition to your other rights you have the right to:
- Confirm whether we are collecting, sharing or selling your consumer health data;
- Withdraw your consent to our collection and sharing of your consumer health data;
- Have your consumer health data deleted;
- Receive a list of all third parties (including affiliates) with whom we have shared or to whom we have sold your consumer health data, along with their contact information.
We do not sell consumer health data and we do not share it for purposes other than providing the Service. A Washington-specific Consumer Health Data Privacy Policy is available on request.
13. AI, automated processing & transparency
RevAIved is an AI-powered service. When you chat with a persona, your message is processed by an artificial-intelligence language model (currently provided by OpenAI) to generate the reply, and by an AI moderation system to detect crisis content. We disclose this to you under Article 50 of the EU AI Act and equivalent transparency rules in California (AB 2013), New York, Utah and other jurisdictions.
AI-generated content may be inaccurate, fabricated, or inconsistent with what the actual person would have said. Do not treat persona replies as factually reliable, medically informed, legally informed, financially informed, or as the actual views of the person they emulate. They are not.
We do not use solely automated processing to make decisions with legal or similarly significant effects on you (no credit, insurance, hiring or housing decisions). The AI generates conversational text; human-affecting decisions about your account (e.g., suspension for AUP violation) are made by a human operator after review.
14. Data about deceased persons
When you create a persona, you provide information about a deceased person — descriptions, photos, and content reflecting their voice and writing. Under GDPR Recital 27, GDPR does not directly apply to data of deceased persons, but Member State law may. As a Slovenian controller, we apply the explicit framework in Article 79 of ZVOP-2, which protects personal data of the deceased for 20 years after death and allows processing only on one of four bases: (a) statutory authorisation, (b) consent of a person with parental responsibility, spouse, registered partner or descendant, (c) consent given by the deceased before death, or (d) where a person has a legitimate interest and there is no contrary indication from the deceased.
By creating a persona, you represent that you fall within one of those bases — typically as a next-of-kin / heir who consents on behalf of the deceased — and that you have the authority to use the deceased person's name, image, voice and personal information for the private remembrance purpose of the Service. We comply equivalently with the corresponding Member State rules where they apply (France, Germany, Italy and others) and with US state post-mortem-publicity laws (California Civil Code § 3344.1 as amended by AB 1836, Tennessee ELVIS Act, New York Civil Rights Law §§ 50-f / 50-g) for users and personas with US connections.
Family members, heirs or estate representatives who believe a persona has been created without proper authorisation may contact legal@revaived.com with proof of relationship; we will review and remove on substantiated request, typically within 14 days.
15. Security
- All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 on our managed Postgres and object storage).
- Row-level security isolates your data to your account; even our administrators cannot read your messages without privileged access controls.
- API credentials with elevated privileges are stored only on the backend and never shipped in the mobile app.
- Access to production systems is limited to a small number of personnel under written confidentiality obligations.
- We monitor for unauthorised access and apply security patches on a regular cadence.
No system is perfectly secure. If you believe your account has been compromised, contact support@revaived.com immediately.
16. Breach notification
If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Slovenian Information Commissioner (IP-RS) within 72 hours as required by Article 33 GDPR, and we will notify you without undue delay where the breach is likely to result in a high risk to you (Article 34 GDPR). For US users where the FTC Health Breach Notification Rule applies, we will notify within the required 60 days. Where state breach-notification laws (e.g., California Civil Code §1798.82) apply, we comply with each.
17. Children
RevAIved is not designed for, marketed to, or intended for anyone under 18. We do not knowingly collect personal data from children under 18. If we learn we have collected such data, we will delete it promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact privacy@revaived.com and we will take action.
18. Cookies, local storage & mobile SDKs
Our website uses only the technical cookies strictly necessary to deliver the page you requested (under ePrivacy Directive Art. 5(3) "strictly necessary" exemption). We do not use third-party analytics, advertising cookies or tracking pixels on the marketing site. Our mobile applications do not embed third-party advertising or behavioural analytics SDKs.
19. Other jurisdictions (brief notice)
If you are in Canada, your rights under PIPEDA and (for Quebec residents) Law 25 apply. If you are in Brazil, your rights under the LGPD apply. If you are in Australia, the Privacy Act 1988 (as amended in 2024) applies. If you are in Japan, APPI applies. If you are in India, the Digital Personal Data Protection Act 2023 applies as it enters into force. If you are in South Korea, PIPA applies. In each case, you may exercise the local equivalents of access, correction, deletion, portability and objection rights by contacting privacy@revaived.com; we respond within the statutory time limit of the applicable law.
20. Changes to this Policy
We will update this Policy when our practices change, when we add or replace a processor whose role materially affects you, or when a new law requires it. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify you in-app the next time you open the app, and (for paying subscribers) by email. Continued use of the Service after a material change means you accept the updated Policy; if you do not, you should delete your account.
21. Complaints & contact
We try to resolve concerns directly. Email privacy@revaived.com and we will respond as quickly as we can. You always have the right to complain to a supervisory authority — for Slovenian and EU residents, the Slovenian Information Commissioner (IP-RS) or the authority in your country of residence; for UK residents, the Information Commissioner's Office; for California residents, the California Privacy Protection Agency or the California Attorney General.