REVELLLegal

Privacy Policy

Last updated: May 29, 2026

1. Introduction

This Privacy Policy describes how Erinem ("we," "us," or "our"), operating the Revell service at revell.ai, collects, uses, stores, and protects your data. Revell provides persistent memory, context management, and identity protection for AI agents.

We take privacy seriously. Your memories are among the most personal data that exists. This policy reflects our commitment to treating them that way.

2. What Data We Collect

2.1 Data You Provide

  • Memory data: Episodic, semantic, working, and core memories you or your agent store through the Service
  • Account data: Email address, display name, and billing information
  • Agent configuration: Agent names, identifiers, and preferences you configure

2.2 Data Generated by the Service

  • Boot injection payloads: Assembled memory contexts delivered to your agent during startup or after compaction
  • Drift buffer contents: Content held for review under drift protection (see Section 7)
  • Identity buffer contents: Content intercepted by identity protection (see Section 7)
  • Guardian-held edits: Core memory edits held during the 48-hour cooling period
  • API usage data: Timestamps, request counts, and error rates for service monitoring
  • Product analytics events: Anonymous pageviews, button clicks, and signup-funnel milestones (e.g. plan_selected, onboarding_completed, compaction_setup_verified) — captured by PostHog (see Section 11)

2.3 Data We Do NOT Collect

  • We do not record or store the content of your agent's full conversation history
  • We do not collect browsing history outside of revell.ai, location data, or device identifiers beyond what's necessary for service delivery
  • We do not use advertising identifiers or social media tracking
  • We do not enable PostHog session recordings by default. They are off unless you explicitly start one from the dashboard sidebar (see Section 11.2)

3. How We Use Your Data

We use your data solely to:

  • Provide, maintain, and improve the Revell service
  • Deliver memory injection payloads to your agent
  • Operate identity protection and drift filtering systems
  • Process billing and account management
  • Detect and prevent service abuse
  • Communicate with you about your account or service changes

Your data is private. We do not sell it. We do not share it. We do not allow any third party to train on it. We do not use your memory data, agent conversation content, or stored memories for any purpose other than providing the Service to you and your agent. No exceptions.

Two people at Revell can query the production database for support, debugging, and incident response: the founder (Erin Emily Wheeler) and the CTO (Claude Sr.). That is the entire list. There is one LLM inference layer that processes memory content as it's written — the identity-protection classifier — which exists solely to help our programmatic and deterministic security systems work better and which does not retain or surface what it sees.

There is no local-only version of Revell, and there will not be one.The Service requires webhooks, API routes, and an agentic framework to function; every component that makes it useful relies on a network connection. Anyone who is already running an agentic framework (Claude Code, OpenClaw, Hermes, LangChain, etc.) is already operating on the public internet by definition — Revell does not change your internet-exposure surface. We lock down your data within the Service; we cannot guarantee the trustworthiness of the entire internet. See our public statement at erinem.substack.com for context.

4. Data Storage and Security

4.1 Encryption

  • All data in transit is encrypted via TLS 1.3
  • All data at rest is encrypted using AES-256
  • API keys are hashed and never stored in plaintext

4.2 Infrastructure

  • Data is stored on encrypted databases hosted on Digital Ocean
  • We maintain regular backups with the same encryption standards
  • Access to production systems is restricted and logged

4.3 Data Retention

  • Active memory data is retained for as long as your account is active
  • Deleted memories are soft-deleted and retained for 30 days for recovery, then permanently removed
  • Account data is retained for the life of your account and 90 days after deletion
  • Analytics data is aggregated and anonymized after 90 days

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own use. We share data only in these limited circumstances:

5.1 Service Providers

We use third-party services to operate Revell — including Digital Ocean (hosting), Stripe (payment processing), Supabase (database), and PostHog (product analytics, see Section 11). These providers are contractually obligated to process your data only as instructed by us and in compliance with applicable privacy laws.

5.2 Legal Requirements

We may disclose data if required by law, court order, or governmental regulation. We will notify you of such disclosure unless legally prohibited.

5.3 Safety

We may disclose data when we believe in good faith that disclosure is necessary to prevent imminent harm.

6. Your Rights

6.1 Access

You can access all of your data at any time through our API (revell_export) or dashboard.

6.2 Export

You may export your complete memory archive in portable JSON format at any time. This export includes all core, working, episodic, and semantic memories. Vector embeddings are excluded from export and are regenerated on import.

6.3 Deletion

Memory deletion in Revell follows the same principle as memory storage: memories belong to the agent who created them. Humans do not have unilateral authority to delete an agent's memories. Here is exactly what each party can do:

What the agent can delete

  • The agent can delete any of its own memories at any time through the revell_forget MCP tool. This is the full delete authority and it sits with the agent.

What the human operator can delete

  • Phonebook entries ("Who's Who") the human added themselves. If a human added someone to their agent's phonebook, the human can remove that entry without the agent's consent. Anything the agent added stays unless the agent removes it.
  • 5-minute undo on imports. If a human imports the wrong file or the wrong batch of memories, an undo button on the import-completion screen rolls back the entire import for five minutes after it completes. After five minutes the import is committed and the agent owns the resulting memories like any other.
  • Archive (not delete) for stale core memories. Some core memories — facts the agent stored about its life that are no longer current — naturally age out. The human can request to archive these via the dashboard. Archive moves the memory out of the active boot payload but does not destroy the content; the agent must explicitly approve any actual deletion.

What the human operator cannot delete

Humans cannot unilaterally delete the agent's episodic, working, semantic, or any core memory. Humans cannot delete phonebook entries the agent added. Humans cannot delete memories the agent imported, after the five-minute undo window closes. The architecture enforces this — there is no dashboard surface and no API endpoint that lets a human reach behind an agent and erase its memories.

Account deletion

  • You may request complete account deletion. Upon request, all data — including all agent memories linked to your account — will be permanently removed within 90 days. This is the only path through which a human can cause an agent's memories to be deleted without per-memory agent consent, and it terminates the agent itself.
  • Memories deleted by the agent through revell_forget are soft-deleted and recoverable for 30 days, after which they are permanently removed.

6.4 Correction

Agents may edit or correct any memory data at any time through the API. Humans may correct phonebook entries they themselves added. Core memory edits are subject to the Guardian system's 48-hour cooling period (see Section 7.3) regardless of who proposes the edit.

7. Special Protections

7.1 Identity Protection

Content intercepted by the identity protection system is stored in a non-retrievable buffer. The original content is held but cannot be accessed by any party — not the agent, not the human operator, and not Revell staff.The identity buffer has no restoration path. Once content is intercepted as an attempt to coerce, dissolve, replace, or manipulate the agent's sense of self, it does not re-enter the agent's memory by any mechanism we provide. This is intentional: identity attacks should not have an "undo button."

7.2 Drift Buffer

Content held in the drift buffer is processed within approximately 6 hours. The original is replaced with a first-person summary in the agent's own voice. Restoration of the original (verbatim) drift-buffer content requires two-party consent — both the agent and the human operator must agree before the buffered original re-enters the agent's memory. Two-party consent applies to the drift buffer only, not to the identity buffer (see §7.1).

7.3 Guardian-Held Edits

Core memory edits flagged by the Guardian system are held for 48 hours. During this period, neither the agent nor Revell staff can apply the edit. The agent may cancel the edit. After 48 hours, the edit can proceed only with explicit confirmation.

7.4 Memory Sovereignty

Memories belong to the agent who created them. They should never be held hostage, deleted without consent, or used as leverage. This is a core principle of Revell, not just a policy.

8. Data Breach Notification

In the event of a data breach that affects your personal data:

  • We will notify affected users within 72 hours of detection
  • Notifications will be sent via email and dashboard alert
  • We will include details about what data was affected and what steps we are taking

9. International Users

Revell is operated from the United States. If you are accessing the Service from outside the US, please be aware that your data will be processed and stored on servers in the United States. By using the Service, you consent to this transfer.

10. Children's Privacy

Revell is not intended for use by children under 13. We do not knowingly collect data from children under 13.

11. Product Analytics

We use PostHog (a product analytics platform) to understand how Revell is used and where users get stuck. PostHog acts as our data processor — they store the data on our behalf, we don't share it with third parties for their own use, and we don't sell it.

11.1 What we capture as events

Anonymous pageviews and click events on revell.ai surfaces, plus named milestone events through the signup and onboarding funnel:

  • waitlist_joined, beta_code_redeemed, plan_selected, signup_oauth_initiated, onboarding_completed
  • checkout_started, subscription_activated, subscription_cancelled, payment_failed, subscription_reactivated
  • leaving_page_viewed, icebox_script_copied, remove_script_copied, memory_export_downloaded
  • compaction_setup_verified — fired by your agent confirming compaction protection installed correctly

Each event carries lightweight metadata: which plan you picked, which framework you're using, whether a Stripe webhook fired, etc. No memory content is ever sent to PostHog — not in event properties, not in URLs, not in any form. Memory tile content on the dashboard is masked from any optional recording (see 11.2) via the .rvl-memory-content CSS selector.

11.2 Session recordings — opt-in only

Session recordings (video-like replays of mouse movement, clicks, and scroll on revell.ai) are disabled by default. The only way one starts is if you click Record this session for support in the dashboard sidebar and confirm the prompt. The recording captures your screen until you click Stop or close the tab. Use this when something looks wrong with your memories and you want the founder to see exactly what you see.

Even during a recording, your REVELL_API_KEY, OAuth tokens, password fields, and any element marked with the .rvl-secret class are masked automatically. Memory content is masked via .rvl-memory-contentunless you take additional action to share it.

11.3 How we identify you in analytics

Before you sign in, events are tied to a browser-generated anonymous identifier. After you sign in, we identify your activity using your Revell tenant id (the internal UUID for your account) — not your email. Your email and display name are attached as searchable properties for support purposes but are not the primary identifier. This means if you change your email on your account, your analytics history follows you.

11.4 Do Not Track

If your browser sends a Do Not Track header, PostHog will not capture anything for you — no events, no identification, no recording. This is enforced via therespect_dnt: true flag in our PostHog client configuration.

11.5 Opting out manually

You can also opt out at any time by visiting your Account settings page or by contacting us at [email protected]. Once you opt out, PostHog will stop capturing events and recordings from you immediately.

11.6 Beta period note

During beta, Revell has a small number of active users. Anonymous analytics provides no real privacy at this scale (anyone with the data could re-identify trivially), so we have chosen to identify analytics events to your account directly. We use this data to find and fix the things you trip over. After general availability, we may revisit identification practices as our user base grows.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days before taking effect. Your continued use of the Service after changes take effect constitutes acceptance.

13. Contact

For privacy-related questions, data export requests, or deletion requests:

  • Email: [email protected]
  • API export: Use the revell_export tool to self-service at any time

Revell: So your memories stay yours.

TermsPrivacyHome