Privacy

1. Information we collect

What you give us directly. Account information (name, business name, email, password — stored only as a salted hash by our authentication provider), restaurant operational details you choose to enter (locations, vendors, leases, contracts, uploaded documents such as invoices and statements), and any messages you send us by email or in-app.

Waitlist and marketing submissions. If you join the waitlist or subscribe to reveal. news, we receive the name, restaurant name, and email you submit. We use these only to contact you about reveal. and the news feed you signed up for.

Information we receive from Plaid on your behalf. When you connect a bank account, we use Plaid Inc. as our bank-connectivity provider. With your explicit consent, Plaid acts as your data-access agent and provides Reveal with account metadata (institution, account name and type, masked account number), transaction records (date, amount, merchant, category, pending status), and recurring-payment summaries. You enter bank credentials directly inside Plaid Link — Reveal never sees or storesyour online-banking username or password. Plaid's handling of this information is also governed by Plaid's End User Privacy Policy.

Information we receive from your POS. When you connect a point-of-sale provider such as Clover, we receive sales, payment, employee, and inventory records for the locations you authorize.

Information collected automatically. Structured application logs of actions you take inside the Service (with personal data minimized), IP address, browser type, and timestamps needed for security and abuse prevention. On the marketing site we use Vercel Analytics (page views, referrer, country — no personal data) and PostHog (anonymous event tracking — page views, modal opens, form submissions; memory-only persistence, no cross-session cookies, no session recording). We identify a visitor by email only after they submit a form to us, so we can attribute which content led to which sign-up.

2. How we use it

• Provide, operate, and improve the Service — including running reconciliation, generating findings, and surfacing audit insights.
• Authenticate you and protect your account.
• Diagnose problems and respond to support requests.
• Communicate with you about your account, service updates, and material changes to this policy.
• Comply with legal obligations and enforce our agreements.

We do not sell your personal information, and we do not use bank or POS data for advertising.

3. How we share it

We share personal information only with: (a) service providers acting on our instructions and bound by confidentiality and security obligations — Plaid (bank connectivity), Supabase (database and authentication), Vercel (hosting and analytics), Google Workspace (corporate email), Clover (when used as your POS), GitHub (source control), and PostHog (aggregate marketing-site analytics); (b) authorities or other parties when legally required; and (c) successors in the event of a merger, acquisition, financing, or sale of assets, with notice to you and a continued obligation to honor this policy. We do not share, rent, or sell personal information for marketing purposes.

4. Plaid-specific disclosures

• Consent. You authorize Reveal to access bank data through Plaid by completing the in-app consent flow that precedes Plaid Link. Your authorization can be withdrawn at any time (see §6).
• Scope.Reveal requests only the Plaid product scopes necessary to operate the Service. At v1.0 this is the Transactions product for the accounts you choose to connect. We'll update this disclosure if additional Plaid products are enabled.
• Storage. Plaid access_token values returned by Plaid Link are encrypted with AES-256-GCM before storage. Raw bank credentials are entered inside Plaid Link and are never transmitted to Reveal.
• Independent processing by Plaid.Plaid is an independent data processor; its collection and use of your information are also governed by Plaid's policies. You can contact Plaid directly via Plaid Portal or privacy@plaid.com to manage or delete data Plaid holds about you.

5. How long we keep it

We retain personal information for as long as your account is active and as needed to provide the Service, then on the following schedule:

• Active account data, including Plaid- and POS-sourced records: life of the account plus 90 days after closure.
• Plaid access_token after a bank Item is disconnected: deleted within 30 days.
• Application logs: 30 days hot, then up to 365 days archived.
• Authentication and security audit logs: 13 months (required for fraud and abuse investigations).
• Database backups: managed by our database provider per the active plan's stated retention window.
• Tax, financial, and legal records that we are required to keep by law: up to 7 years.
• Marketing and waitlist contacts: until you unsubscribe or after 24 months of inactivity.

6. Your rights and choices

• Access the personal information we hold about you by emailing chayadol@reveallabs.co.
• Correct information you believe is inaccurate.
• Disconnecta connected bank from inside the Service. Disconnection revokes Reveal's Plaid access_token and stops further pulls.
• Delete your account and associated data. On request, we delete or de-identify what we hold within 30 days of verification, subject to limited legal-exception retention (tax records, fraud-prevention logs, and backups, which expire on their normal cycle).
• Withdraw consent for data flows that depend on your authorization (Plaid, POS).
• Unsubscribe from marketing email using the link in any message we send.

Residents of California, Colorado, Virginia, Connecticut, Utah, and other states with comprehensive privacy laws have additional rights, including the right to know, delete, correct, port, and opt out of certain processing. Submit any such request to chayadol@reveallabs.co; we will respond within the statutory window.

If you would like Plaid itself to delete data it holds, you can do so directly via Plaid Portal or by emailing privacy@plaid.com.

7. Security

We protect personal information with TLS 1.2+ in transit, AES-256-GCM for stored Plaid and POS credentials, platform encryption at rest for the database, tenant-isolated access via row-level security keyed on a verified JWT claim, multi-factor authentication on administrative accounts, and a documented incident-response process. We rely on managed-platform patching (Vercel, Supabase, Google Workspace) and on GitHub Dependabot for dependency vulnerability alerts. No system can be 100% secure; we work continuously to improve our posture. To report a security concern, contact security@reveallabs.co.

8. Cookies and tracking

The Service uses strictly necessary cookies to maintain your authenticated session and to remember non-sensitive interface preferences. We do not use cross-site advertising cookies and we do not record or replay your screen activity.

9. Children's privacy

The Service is not directed to individuals under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. International users

The Service is operated from the United States. If you access it from outside the U.S., you understand that your information will be processed in the United States and other locations where our providers operate.

11. Changes to this policy

We'll update this policy when our practices change. If a change is material, we'll notify you by email or through the Service before it takes effect. The effective date at the top reflects the most recent revision.

12. Contact us

Privacy questions and rights requests: chayadol@reveallabs.co

Security and incident reports: security@reveallabs.co

Mail: Reveal Labs LLC, 6728 W Adriatic Ave, Lakewood, CO 80227