Aperçu
This Privacy Notice ("Notice") only applies when Revaly. ("Revaly," "us," "we," or "our") is the Controller of personal data (example: Revaly website visitors' personal data and business-to-business contact data). Revaly is a Processor, not a Controller, of personal data that we process on behalf of our Customers when they use Revaly Products and Services. For clarity, this means that this Notice does not apply to Revaly Products and Services. If you have questions related to how a Revaly Customer utilizes your personal data, please contact them directly. We are not responsible for the privacy or data security practices of our Customers. This Notice also does not apply to personal data about current and former Revaly employees, job candidates, or contractors and agents acting in similar roles.
Table of Contents
- Introduction
- Données personnelles que nous collectons et divulguons
- Comment nous traitons les données personnelles
- Sources des données à caractère personnel
- Cookies et technologies de suivi
- Data Security and PCI DSS Compliance
- Data Retention and Deletion
- Children's Privacy
- Liens externes
- Data Breach Notification
- Conditions supplémentaires pour les résidents de Californie
- Informations supplémentaires pour l'EEE, la Suisse et le Royaume-Uni
- Informations supplémentaires pour les autres régions
- AI and Automated Decision-Making
- Coordonnées
- Version anglaise Commandes
1. Introduction
Capitalized terms that we use but are not defined in the Notice (such as Site, Services, etc.) have the meaning provided in our Terms of Service – Subscription Agreement ("Agreement"). If you are located in the European Economic Area ("EEA"), Switzerland, or the United Kingdom ("U.K."), please refer to Section 10 of this Notice for more information about which specific entity or entities act as a controller of your personal data.
When Does This Notice Apply? This Notice only applies to personal data that Revaly handles as a Controller (meaning where Revaly controls how and why your personal data is processed).
Cela inclut les cas où vous :
- Visit or interact with the Revaly.co website, our branded social media pages, and other Sites which we operate (collectively, our "Digital Properties");
- Inscrivez-vous ou participez à nos webinaires, événements, programmes, activités marketing et promotionnelles ;
- Interagissez avec nous en personne, par exemple lorsque vous vous rendez dans nos bureaux ; et
- Demandez des informations ou engagez-vous dans des transactions commerciales avec nous.
Changes: We may update this Notice from time to time. We will provide at least 30 days' notice for material changes and obtain explicit consent where required by applicable law. Please check back periodically for updates. If you do not agree with any changes we make, you should stop interacting with us. When required under applicable law, we will notify you of any changes to this Notice by posting an update on our Privacy Notice webpage, sending you an email notification, or in another appropriate manner.
2. Données personnelles que nous collectons et divulguons
Le tableau ci-dessous décrit les données personnelles que nous collectons à votre sujet et les personnes à qui nous les communiquons. Personnes résidant en Californie : ce tableau inclut les parties auxquelles nous communiquons des données personnelles à des fins commerciales ou professionnelles, telles que définies par la loi californienne.
| Catégories de données personnelles collectées | Divulgation des données personnelles |
|---|---|
| Identifiers, such as your name, email address, postal address, phone number, and device identifiers (e.g., advertising identifiers and IP address). | Revaly Service providers, such as security and platform vendors with whom we have executed Data Processing Agreements (DPAs); with third parties that are necessary to complete a transaction, such as credit card processors who are PCI DSS compliant; business partners who we partner with to jointly market or sell our products and Services, such as channel partners; professional advisors, such as lawyers, accountants, and auditors; entities involved in a corporate transaction, including if we sell, acquire, or merge all or some of our assets; companies that operate Cookies and Tracking Technologies, described in Section 5, such as marketing and advertising partners with appropriate safeguards; to which you have consented to the disclosure. |
| Commercial information, including preferences, such as purchasing history or tendencies and transactional information, such as banking information. | Revaly Service providers, such as security and platform vendors with whom we have executed Data Processing Agreements (DPAs); with third parties that are necessary to complete a transaction, such as credit card processors who are PCI DSS compliant; professional advisors, such as lawyers, accountants, and auditors; entities involved in a corporate transaction, including if we sell, acquire, or merge all or some of our assets; to which you have consented to the disclosure. |
| Internet or other electronic network activity information and device information, such as your browsing history, search history, device information, and other information (whether passive browsing or active engagement) regarding your interactions with us and use of our products, Services, emails, and other Digital Properties. | Revaly Service providers, such as security and platform vendors with whom we have executed Data Processing Agreements (DPAs); companies that operate Cookies and Tracking Technologies, described in Section 5, such as marketing and advertising partners with appropriate safeguards; entities involved in a corporate transaction, including if we sell, acquire, or merge all or some of our assets. |
| Geolocation information, such as approximate location based on your IP address, mobile device location, or information you provide to us (such as city and state you provide through a webform). You may be able to control collection of this data through the settings of your device. | Revaly Service providers, such as security and platform vendors with whom we have executed Data Processing Agreements (DPAs); entities involved in a corporate transaction, including if we sell, acquire, or merge all or some of our assets; companies that operate Cookies and Tracking Technologies, described in Section 5, such as marketing and advertising partners with appropriate safeguards. |
| Audio, electronic, visual, and other sensory information, such as CCTV recordings of our premises (e.g., if you visit our offices); recordings of your interactions with our sales or support teams (e.g., for quality assurance or training purposes, in accordance with applicable laws); or customer support chat or messaging logs. | Revaly Service providers, such as security and platform vendors with whom we have executed Data Processing Agreements (DPAs); entities involved in a corporate transaction, including if we sell, acquire, or merge all or some of our assets. |
| Inferences as defined by California law, such as marketing you are likely to react positively to. | Revaly Service providers, such as platform vendors with whom we have executed Data Processing Agreements (DPAs); entities involved in a corporate transaction, including if we sell, acquire, or merge all or some of our assets. |
| Special Categories of Personal Data (where applicable and with explicit consent), such as biometric data, health information, or political opinions. | Only with explicit consent and appropriate safeguards, to service providers with whom we have executed Data Processing Agreements (DPAs). |
Outre les divulgations susmentionnées, nous pouvons également dépersonnaliser, anonymiser ou agréger des données personnelles afin de les utiliser ou de les partager avec des tiers à toutes fins utiles, lorsque la loi le permet.
3. Comment nous traitons les données personnelles
Nous pouvons traiter vos données personnelles aux fins suivantes :
| Finalité du traitement | Base juridique |
|---|---|
| To provide our products, Services, and Digital Properties to you, including processing and fulfilling transactions; enabling you to access the Digital Properties and our Services; operating, maintaining, and improving our Digital Properties and Services; communicating with you, such as by completing your support requests or providing security updates; and diagnosing, repairing, and tracking service and quality issues. | Intérêts légitimes ; Contrat ; Obligations légales |
| For our own business purposes, including maintaining internal business records and conducting internal reporting; collecting payments and performing accounting and similar business functions; auditing and managing projects related to our Services; performing IT security management and IT-related tasks, such as administration of our technologies and network; evaluating and improving our business, Services, and Digital Properties; and performing research and development of new products and services; and processing your survey and questionnaire responses. | Intérêts légitimes ; Obligations légales |
| For payment processing and financial services, including processing payments, managing failed payment recovery, and maintaining PCI DSS compliance standards. | Contract; Legal obligations; Legitimate interests |
| For legal, safety, or security reasons, including to comply with legal requirements; establish, exercise, or defend against legal claims; protect the safety, security, and integrity of our property and the rights of those who interact with us or others; investigate any content or conduct policy violations; and detect, prevent, and respond to security incidents or other malicious, deceptive, fraudulent, or illegal activity. These safety purposes may also involve collecting and processing special categories of personal data (i.e., health data), for office visits and events where necessary for public health or as required by applicable law. | Intérêts légitimes ; Obligations légales ; Intérêt public |
| For marketing our products and Services or those of third parties, such as our business partners, including to solicit or publish testimonials or feedback about our products and Services; send you marketing and promotional communications or product recommendations (via email, phone, or other online and offline channels) about our Services or those of third parties; facilitate your participation in a contest or event; assess ad impressions or engage in contextual ad customization. You may opt out of marketing communications by clicking the "unsubscribe" link at the bottom of our marketing communications or contacting us via email to privacy@revaly.co. Note that some of our marketing materials and information may use tracking technologies and analytics tools to help us understand your preferences. For further information, please see Section 5 below and our Cookie Notice. | Consentement (lorsque la loi l'exige) ; intérêts légitimes |
| To fulfill a referral request when you use our referral service to tell a friend about our Services, including by using the name, email address, title, and company name that you provide us to contact the person to whom you are referring. You must only provide others' personal data if you have their consent to do so. | Consentement (lorsque la loi l'exige) ; intérêts légitimes |
| For AI and automated decision-making purposes, including using artificial intelligence and machine learning to improve our services, detect fraud, and provide personalized experiences. We will not use automated decision-making that produces legal effects or similarly significant effects without your explicit consent or as otherwise permitted by law. | Consent (where required); Legitimate interests; Contract |
| Diversity, equity, and inclusion, such as promoting diversity, equity, and inclusion initiatives and representation within our business (where authorized by applicable law). | Consentement (lorsque la loi l'exige) ; intérêts légitimes |
| Corporate transactions, such as sales, mergers, acquisitions, reorganizations, bankruptcy, and other corporate events. | Intérêts légitimes ; Obligations légales |
| When you have voluntarily agreed to have your personal data processed. | Consentement |
Revaly will honour data subject rights to the extent required by law. You may have the right to access, correct, update, port, and, in some cases, request deletion of your personal data (subject to exceptions). You may submit a request by email to privacy@revaly.co or through our online portal at the Revaly Trust Center.
We maintain detailed records of our data processing activities, including the categories of personal data we process, the purposes for processing, the parties with whom we share data, our data retention periods, and the security measures we implement to protect your information.
Revaly uses a limited number of third-party service providers to assist us in processing data for certain purposes. These third-party providers help support certain site features, perform database monitoring and other technical operations, assist with the transmission of data, and provide data storage services. These third parties may process or store personal data while providing their services.
We enter into comprehensive Data Processing Agreements (DPAs) with all third-party processors that handle personal data. Revaly maintains comprehensive Data Processing Agreements (DPAs) with these third parties restricting their access, use and disclosure of personal data in compliance with our obligations under GDPR, PIPEDA, the UK Extension to the GDPR including the onward transfer provisions, and PCI DSS requirements. Revaly remains liable if they fail to meet those obligations and we are responsible for the event giving rise to damage.
4. Sources des données à caractère personnel
- Information you provide to us directly, including when you register and communicate with us directly through our Digital Properties, visit our offices, or participate in our events, marketing, and outreach activities.
- Information collected from your employer, coworkers, or friends, including information about representatives or other employees of our current, past, and prospective customers, suppliers, investors, and business partners. We may also receive your information from a friend as part of a referral for our Services.
- Information automatically collected, including technical information about your interactions with our Digital Properties (such as IP address, browsing preferences, and purchase history). More information is available in Section 5 below and in our Cookie Notice.
- Information from public sources, including information from public records and information you share in public forums, such as social media.
- Information from other third parties, including information from third-party service and content providers, entities with whom we partner to sell or promote products and services, and social media networks (including widgets related to such networks, such as the "Facebook Like" button).
Nous pouvons combiner les informations que nous recevons des différentes sources décrites dans la présente déclaration, y compris des sources tierces et des sources publiques, et les utiliser ou les divulguer aux fins identifiées ci-dessus.
5. Cookies et technologies de suivi
We use cookies and other tracking technologies and offer you the option to manage these settings as described in our Cookie Notice. Some tracking technologies enable us to track your device activity over time and across devices and websites. We provide granular cookie controls and respect your privacy preferences. While some browsers have incorporated Do Not Track or DNT preferences, we honour such signals from web browsers and provide additional opt-out mechanisms.
6. Data Security and PCI DSS Compliance
We maintain comprehensive security procedures and technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, disclosure, alteration, or use. Our security measures include:
- Encryption of data in transit and at rest using industry-standard encryption protocols
- Multi-factor authentication for all system access
- Regular security assessments and penetration testing
- Employee security training and background checks
- Incident response procedures and breach notification protocols
- PCI DSS Level 1 compliance for all payment processing activities
- Regular audits and compliance monitoring
- Data minimization and purpose limitation principles
- Access controls and role-based permissions
- Secure development lifecycle practices
As a PCI DSS compliant organization, we adhere to the highest standards for payment card data security and maintain certification with qualified security assessors.
We promptly address security vulnerabilities according to risk priority, with critical vulnerabilities remediated within 30 days of identification.
We log and monitor all access to systems processing personal data. Access logs are retained for a minimum of one year, with at least three months of logs readily available for security analysis and incident investigation.
7. Data Retention and Deletion
Your personal data will be retained only as long as necessary to fulfill the purposes for which we collected the personal data, comply with legal obligations, resolve disputes, and enforce our agreements. Our retention periods are as follows:
- Account data: Retained for the duration of your relationship with us plus 7 years for legal and regulatory compliance
- Payment data: Retained in accordance with PCI DSS requirements and applicable financial regulations
- Marketing data: Retained until you opt out or for 3 years of inactivity
- Support communications: Retained for 3 years after resolution
- Website analytics: Retained for 26 months
- Legal and compliance data: Retained as required by applicable law
Once you and/or your company have terminated the contractual relationship with us or otherwise ended your relationship with us, we may retain your personal data in our systems and records to ensure adequate fulfillment of surviving provisions in terminated contracts or for other legitimate business purposes, such as to evidence our business practices and contractual obligations, to provide you with information about our products and services, or to comply with applicable legal, tax, or accounting requirements.
When we have no ongoing legitimate business need nor lawful legal ground to process your personal data, we will delete, anonymize, or aggregate it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. We will notify you when your data has been deleted.
If you want to know more about retention periods applicable to your particular circumstance, please contact us using the details provided in Section 15 below.
8. Children's Privacy
Our Sites and Services are not directed to children under the age of 16, and we do not knowingly collect online personal data directly from children. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete such information immediately. If you are a parent or guardian of a minor child and believe that the child has disclosed online personal data to us, please contact us using the details provided in Section 15 below.
9. External Links
Lorsque vous interagissez avec nous, vous pouvez rencontrer des liens vers des sites externes ou d'autres services en ligne, y compris ceux intégrés dans des publicités tierces. Nous ne contrôlons pas et ne sommes pas responsables des politiques de confidentialité et de collecte de données de ces sites et services tiers. Vous devez consulter ces tiers et leurs avis de confidentialité respectifs pour plus d'informations ou si vous avez des questions sur leurs pratiques.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach. We will also notify the relevant supervisory authority within 72 hours where required by law. Our breach notification will include:
- Description of the nature of the breach
- Categories and approximate number of individuals affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for our Data Protection Officer
We maintain documented incident response procedures that are regularly tested to ensure timely breach detection, assessment, and notification in accordance with industry best practices and legal requirements.
11. Supplemental Terms for California Residents
Pursuant to the California Consumer Privacy Act ("CCPA"), this Section 9 applies to certain personal data collected about California individuals where Revaly controls how and why the personal data is processed (which the CCPA calls a "business") and supplements the rest of our Notice above. This Section 9 does not apply to current or former employees, applicants, contractors, or agents.
a. Additional Data Processing Disclosures
The below table provides the categories of personal data we have sold, shared, or disclosed to third parties, as defined by the California Privacy Rights Act. For reference, the table in Section 2 provides the categories of personal data collected and our disclosures of personal data.
| Catégories de données personnelles que nous collectons | California Privacy Rights Act Details: Categories of Third Parties to Whom Personal Data is "Sold or Shared" |
|---|---|
| Identifiers, such as your name, email address, postal address, phone number, and device identifiers (e.g., advertising identifiers and IP address). | Companies that operate Cookies and Tracking Technologies, described in Section 5, such as marketing and advertising partners. Business partners who we partner with to jointly market or sell our products and Services, such as channel partners. |
| Commercial information, including preferences, such as purchasing history or tendencies and transactional information, such as banking information. | Sans objet |
| Internet or other electronic network activity information and device information, such as your browsing history, search history, device information, and other information (whether passive browsing or active engagement) regarding your interactions with us and use of our products, Services, emails, and other Digital Properties. | Les entreprises qui utilisent des cookies et des technologies de suivi, décrites à la section 5, telles que les partenaires marketing et publicitaires. |
| Geolocation information, such as approximate location based on your IP address, mobile device location, or information you provide to us (such as city and state you provide through a webform). You may be able to control collection of this data through the settings of your device. | Les entreprises qui utilisent des cookies et des technologies de suivi, décrites à la section 5, telles que les partenaires marketing et publicitaires. |
| Audio, electronic, visual, and other sensory information, such as CCTV recordings of our premises (e.g., if you visit our offices); recordings of your interactions with our sales or advocacy teams (e.g., for quality assurance or training purposes, in accordance with applicable laws); or customer support chat or messaging logs. | Sans objet |
| Inferences as defined by California law, such as marketing you are likely to positively react to. | Sans objet |
| Sensitive Personal Data, such as proof of vaccination or race and ethnicity (optional) (where permissible under applicable law). | Sans objet |
Although we have not "sold" or "shared" personal data for money in the past 12 months, we engage in routine practices with our Digital Properties involving third parties that could be considered a "sale" or "sharing" as defined under California law. We do not knowingly sell or share any personal data of minors under the age of 16. We do not collect or process "sensitive personal information," as defined by California law, to infer characteristics about you. Revaly only uses sensitive personal information consistent with the exceptions to the right to limit sensitive personal information.
Financial Incentives: We may offer a benefit or offering in exchange for you providing personal data, such as a discount or coupon to individuals who respond to a survey. As part of these surveys we may collect personal data, such as your name, contact information, preferences, experiences, beliefs, opinions, and other responses to the survey questions. Participation in surveys is governed by the applicable terms and conditions for the survey, which will describe any financial incentives associated with that survey and how to participate. The value of your data is the value of the offer presented to you. We have calculated such value by using the expense related to the benefit. You may withdraw from any financial incentive at any time by emailing us at privacy@revaly.co. If we offer another type of financial incentive, we will share with you the material terms of each offer when we ask you to participate.
b. Your Data Protection Rights
Subject to legal limitations, certain California residents may have the below rights.
- Right to Know. You have the right to request information about the categories of personal data we have collected about you, the categories of sources from which we collected the personal data, the purposes for collecting the personal data, the categories of third parties to whom we have disclosed your personal data, and the purpose for which we disclosed your personal data. You may also request information about the specific pieces of personal data we have collected about you ("Specific Pieces Report").
- Droit à la suppression. Vous avez le droit de demander la suppression des données personnelles que nous avons collectées à votre sujet.
- Droit de rectification. Vous avez le droit de demander que nous rectifiions les données personnelles inexactes que nous conservons à votre sujet.
- Right to Opt Out of Sale or Sharing. We do not sell personal data to third parties in exchange for money. However, as we explain in Section 5, we share information with advertising partners and allow advertising partners to collect information from our Digital Properties. This exchange may be considered a "sale" or "sharing" under California law, and you have the right to opt out of this "sale" or "sharing" of personal data.
California residents may request to exercise the Right to Know, the Right to Delete, and the Right to Correct by emailing us at privacy@revaly.co. We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.
How to Fully Exercise the Right to Opt Out of Sale or Sharing: In order to fully exercise the Right to Opt Out of Sale or Sharing with respect to any "sale" or "sharing" of information, you must undertake both of the following steps:
- Submit a Right to Opt Out of Sale or Sharing request by emailing us at privacy@revaly.co; and
- Disable the use of advertising cookies and other tracking technologies by clicking the "Do Not Sell or Share My Personal Information" link in our website footer. You must complete this step on each of our Sites from each browser and on each device that you use. These steps are necessary so that we can place a first-party cookie signaling that you have opted out on each browser and each device you use.
If you block cookies, we will be unable to comply with your Right to Opt Out of Sale or Sharing request for device data that we automatically collect and disclose to third parties online using cookies, pixels, and other tracking technologies. If you clear the cookies in your browser, you will need to follow Step 2 above again. To the extent required by California law, we will honour "Do Not Sell or Share" opt-out preference signals sent in a format commonly-used and recognized by businesses at the browser level, such as an HTTP header field or JavaScript object.
Vérification : Afin de traiter les demandes relatives à la protection des données en Californie, nous devrons obtenir des informations permettant de vous localiser dans nos dossiers ou de vérifier votre identité, selon la nature de la demande. Dans la plupart des cas, nous vous demanderons des informations vous concernant, notamment votre nom, votre adresse e-mail ou d'autres informations. Si vous soumettez un rapport « Right to Know – Specific Pieces Report » (Droit de savoir – Éléments spécifiques), nous pouvons également vous demander une déclaration signée, sous peine de parjure, attestant que vous êtes bien la personne que vous prétendez être. Nous pouvons demander d'autres informations dans certaines circonstances et/ou faire appel à des tiers pour nous aider à vérifier votre identité.
Authorized Agents: Authorized agents may exercise California data protection rights on behalf of California individuals, but we reserve the right to verify the individual's identity directly as described above. Authorized agents must contact us by submitting a request by emailing us at privacy@revaly.co and indicate that they are submitting the request as an agent. We may require the agent to demonstrate authority to act on your behalf by providing signed permission from you. We may also require you to verify your own identity directly with us or to directly confirm with us that you provided the authorized agent permission to submit the request.
Délai : nous traiterons les demandes d'exercice du droit de refus de vente ou de partage dans un délai de quinze (15) jours ouvrables à compter de la date de réception de la demande. Nous répondrons aux demandes de suppression et aux demandes d'accès dans un délai de quarante-cinq (45) jours, sauf si nous avons besoin de plus de temps, auquel cas nous vous en informerons et le délai de réponse à votre demande pourra aller jusqu'à quatre-vingt-dix (90) jours.
12. Supplemental Information for the EEA, Switzerland, and the U.K.
Les conditions suivantes complètent la Déclaration relative au traitement des données personnelles provenant de l'EEE (c'est-à-dire les États membres de l'Union européenne, l'Islande, le Liechtenstein et la Norvège), de la Suisse et du Royaume-Uni. En cas de conflit ou d'incohérence entre les autres parties de la Déclaration et les conditions de la présente section 10, la présente section 10 prévaudra en ce qui concerne le traitement des données personnelles provenant de l'EEE, de la Suisse et du Royaume-Uni, dans la mesure où cela est applicable.
Data Controller: The Revaly entity with which you have a primary relationship (such as the entity that concluded the Services contract with you; the entity that has provided you with marketing materials and promotional communications; or the primary entity in the region where you access our Site) is the controller within the scope of this Notice. This will be Revaly, unless we specifically inform you otherwise.
a. Legal Basis for Processing
Please see Section 3 for the legal basis on which we rely for the collection, processing, and use of personal data.
b. Your Data Protection Rights
Under applicable data protection laws, you may exercise certain rights regarding your personal data.
- Droit d'accès. Vous avez le droit d'obtenir de notre part la confirmation que nous traitons vos données personnelles et les informations connexes, ainsi que le droit d'obtenir une copie de vos données personnelles en cours de traitement.
- Droit à la portabilité des données. Vous pouvez recevoir les données personnelles que vous nous avez fournies dans un format structuré, couramment utilisé et lisible par machine, et vous pouvez avoir le droit de les transmettre à d'autres responsables du traitement sans entrave. Ce droit n'existe que si le traitement est fondé sur votre consentement ou sur un contrat, et si le traitement est effectué par des moyens automatisés.
- Droit de rectification. Vous avez le droit de demander la rectification de données personnelles inexactes et de faire compléter les données incomplètes.
- Droit d'opposition. Vous avez le droit de vous opposer au traitement de vos données personnelles dans certains cas.
- Droit de limiter le traitement. Vous pouvez demander que nous limitions le traitement de vos données personnelles dans certains cas.
- Droit à l'effacement. Vous pouvez demander que nous effacions vos données personnelles dans certains cas.
- Right to Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority. In compliance with PIPEDA, the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, we commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on PIPEDA, the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
- Droit de refuser ou de retirer votre consentement. Si nous vous demandons votre consentement pour traiter vos données personnelles, vous êtes libre de le refuser. Si vous avez donné votre consentement, vous pouvez le retirer à tout moment sans aucune conséquence négative. La légalité de tout traitement de vos données personnelles effectué avant le retrait de votre consentement ne sera pas affectée.
- Right to Not Be Subject to Automated Decision-making. The types of automated decision-making referred to in Article 22(1) and (4) EU/UK General Data Protection Regulation ("GDPR") do not take place in connection with your personal data. Should this change, we will inform you about why and how any such decision was made, the significance of it, and the possible consequences of it. You will also have the right to human intervention, to express your point of view, and to contest the decision.
You may exercise these rights by contacting us using the details provided in Section 12 to submit your request. Please note that we may refuse to act on requests to exercise data protection rights in certain cases, such as where providing access might infringe someone else's privacy rights or impact our legal obligations.
c. Transfer of Your Personal Data Outside of the EEA and the U.K.
For our European users, we endeavour to keep your personal data inside the EEA or the U.K. (as applicable). Certain of our sub-processors (and Revaly) are in other countries where your personal data may be transferred. However, these countries are limited to countries with particular circumstances that protect your data, specifically:
- Canada. We transfer personal data to our operations in Canada, but Canada has been determined to have an "adequate level of protection" for your personal data under European data protection law.
- The United States. Your personal data is only transferred to companies in the United States that: (1) have signed agreements with us or have informed us that they are GDPR-compliant; and (2) have concluded the Standard Contractual Clauses for the transfer of personal data outside the EEA and the U.K.
We use approved transfer mechanisms and documented safeguards, including Standard Contractual Clauses and adequacy decisions, to ensure adequate protection of personal data when transferring data across borders.
Vous avez toutefois le droit de refuser que vos données soient transférées en dehors de l'EEE ou du Royaume-Uni. Veuillez contacter notre responsable de la confidentialité et de la protection des données pour faire cette demande. Veuillez noter que cette demande peut vous empêcher d'utiliser certaines parties du site Web ou des services.
d. Supervisory Authorities and Complaints
If you are in the EEA or the U.K., under the GDPR you have the right to make a complaint to the appropriate supervisory authority. If you are not satisfied with the response received or the actions taken by our Privacy and Data Protection Officer, or if you would like to make a complaint directly about Revaly's data practices, we invite you to contact the supervisory authority in your country.
If you are in the U.K., you should contact the Information Commissioner's Office (ICO) who is the supervisory authority. The information to contact the ICO is available on their website, including contact by phone (0303 123 1113 in the UK) and mail (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF). If you are in France, you should contact the Commission Nationale de l'Informatique et des Libertés (CNIL) which is the supervisory authority there. Their contact information for the CNIL is available on their website.
The full listing of all Data Protection Authorities (the supervisory authorities) across the EEA is available at the website for the Data Protection Authorities contact information.
If you are in Canada and you are not satisfied with the response received or the actions taken by our Data Protection Officer, you can make a complaint to the Office of the Privacy Commissioner of Canada. Instructions to file a formal privacy complaint to the Office of the Privacy Commissioner are available online. If you are in Québec, you can make a complaint to the Commission d'accès à l'information, with the instructions for contacting them on the "nous joindre" section of their website.
In California you can make a complaint to the California Privacy Protection Agency, using the complaint form on their website.
Data Protection Officer: The contact details for our data protection officer are as follows: Revaly, Attn: Privacy Team, 007-410 Saint Nicolas Street, Montreal, QC H2Y 2P5, privacy@revaly.co
13. Supplemental Information for Other Regions
Australia: Personal data collected, stored, used, and/or processed by Revaly, as described in this Notice, is collected, stored, used, and/or processed in accordance with the Australian Privacy Act 1988 (Commonwealth) and the Australia Privacy Principles. If you are dissatisfied with our handling of a complaint or do not agree with the resolution proposed by us, you may make a complaint to the Office of the Australian Information Commissioner ("OAIC") by contacting the OAIC using the methods listed on their website. Alternatively, you may request that we pass on the details of your complaint to the OAIC directly.
Canada: Personal data, as defined in the Personal Information Protection and Electronic Documents Act ("PIPEDA") will be collected, stored, used, and/or processed by Revaly in accordance with the Revaly obligations under PIPEDA.
Quebec: For our Quebec Users and visitors, we endeavour to keep your personal data in Quebec. However, certain of our third-party service providers are in other provinces or countries where your personal data may be transferred. When this happens, we do the following to safeguard your personal data:
- We will perform what the Quebec Privacy Act calls an "Assessment of the privacy-related factors" (what is generally called a "Privacy Impact Assessment," or "PIA") prior to the personal data leaving Quebec. If the PIA does not meet our standards and the standards required by the Quebec Privacy Act, we will not transfer your personal data to such a service provider; and
- If the PIA allows us to transfer the personal data to such a service provider outside Quebec, we will sign what is generally called a "Data Processing Agreement," or DPA, with the service provider, which protects the personal data transferred to them and limits their use of it to what we have contracted with them to do. This DPA will adhere to the requirements of the Quebec Privacy Act.
Nevada : Nous ne vendons actuellement aucune donnée personnelle telle que définie par la loi du Nevada. Si vous résidez dans le Nevada, vous pouvez néanmoins nous envoyer un e-mail à l'adresse indiquée ci-dessus afin d'exercer votre droit de refus de vente en vertu des Nevada Revised Statutes §603A et suivants.
New Zealand: Personal data collected, stored, used, and/or processed by Revaly, as described in this Notice, is collected, stored, used, and/or processed in accordance with New Zealand's Privacy Act 2020 and its 13 Information Privacy Principles ("NZ IPPs").
Singapore: Personal data collected, stored, used and/or processed by Revaly, as described in this Notice, is collected, stored, used, and/or processed in accordance with Revaly's obligations under the Personal Data Protection Act 2012 ("PDPA").
United Kingdom: Personal data collected, stored, used, and/or processed by Revaly, as described in this Privacy Notice, is collected, stored, used, and/or processed in accordance with Revaly's obligations under the UK Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced ("U.K. GDPR").
14. AI and Automated Decision-Making
We may use artificial intelligence and machine learning technologies to improve our services, detect fraud, and provide personalized experiences. When we use AI for automated decision-making that could have legal or similarly significant effects, we will:
- Obtain your explicit consent where required by law
- Provide clear information about the logic involved
- Allow you to request human review of automated decisions
- Implement appropriate safeguards and oversight
- Regularly audit our AI systems for bias and accuracy
- Maintain transparency about our AI use cases
You have the right to not be subject to automated decision-making that produces legal effects or similarly significant effects without your explicit consent or as otherwise permitted by law.
15. Contact Information
If you have questions or complaints regarding this Notice or about the Revaly's privacy practices, please contact us by email at privacy@revaly.co, or, you can address your request to Revaly's Privacy Officer at:
Revaly
Re: Privacy Policy
4238 Saint-Laurent Blvd. Montreal, Quebec, H2W 1Z3
For data protection requests, you can also visit our privacy portal at the Revaly Trust Center.
16. English Version Controls
Les traductions non anglaises de cet avis sont fournies à titre indicatif uniquement. En cas d'ambiguïté ou de conflit entre les traductions, la version anglaise fait foi et prévaut.
| Version | Date | Editor | Approver | Description of Changes |
|---|---|---|---|---|
| 1.0.9 | 11/30/2023 | Alain Vezina | Charles Weiss | |
| 2.0.0 | 05/24/2024 | Charles Weiss | Charles Weiss | GDPR & CCPA Compliance updates |
| 3.0.0 | 09/04/2025 | Malka Hakuk | Charles Weiss | 2025 GDPR, PCI DSS 4.0, and AI compliance updates |
| 3.1.0 | 11/07/2025 | Malka Hakuk | Charles Weiss | Rebrand |
