Privacy Policy
Last updated: June 8, 2026
This Privacy Policy describes how RevenueMD (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use our service.
1. Information We Collect
Account Information: When you create an account, we collect your email address, company name, and a password hash. This information is required to provide you with a personalised dashboard.
Stripe Integration Data: After you connect your Stripe account, we fetch and store your subscription, invoice, charge, and customer data from Stripe. This data is necessary for the AI diagnosis and analytics we provide.
Usage Data: We may collect non‑identifiable analytics about how you interact with the application (e.g., pages visited, features used). This helps us improve the service.
Email Communications: If you agree, we send insight reports, alerts, and occasional product updates to the email address you provided. You can opt out at any time.
2. How We Use Your Information
We use the collected information to:
- Provide the core revenue intelligence services (dashboard, insights, alerts).
- Analyse your Stripe data to generate AI‑powered diagnoses and recommendations.
- Maintain your account, process upgrades, and send billing‑related communications.
- Improve and optimise the application based on aggregated usage patterns.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell or share your personal data with third parties for their own marketing purposes.
3. Data Security & Stripe Key Protection
We take security seriously. Here’s how we protect your data, especially your Stripe API keys:
- AES‑256 Encryption for Stripe Keys: Your Stripe secret key is encrypted using the AES‑256 standard before it ever touches our database. The original key is never stored in plain text, and only your encrypted key is persisted.
- Encrypted Data in Transit: All communication between your browser, our servers, and Stripe’s API is secured with TLS (Transport Layer Security).
- Database Security: Your data is stored in a Supabase database that enforces Row‑Level Security (RLS). Each company’s data is isolated so that one user cannot accidentally access another’s records.
- Authentication & Sessions: We use custom JWT authentication with httpOnly cookies. Sessions expire after 7 days and can be revoked at any time by logging out.
- Admin Access: A small number of authorised personnel have access to the database for maintenance purposes, but they cannot decrypt your Stripe key because we do not store the decryption password.
While no method of electronic storage is 100% secure, we follow industry best practices and regularly review our security posture.
4. Third‑Party Services
We rely on the following trusted third‑party providers to deliver our service. Each provider has its own privacy policy and security measures:
- Stripe: We integrate with the Stripe API to fetch your revenue data and to process subscription payments. Your payment information is handled entirely by Stripe, and we never see your credit card details. (Stripe Privacy Policy)
- Supabase: We use Supabase as our database and authentication provider. Your data is stored in a secure PostgreSQL instance with encryption at rest. (Supabase Privacy Policy)
- NodeMailer / SMTP: We send email notifications (insight reports, alerts) via a third‑party SMTP service. Only your email address is shared for delivery purposes.
- AI Model (Claude by Anthropic): When generating insights, we send anonymised, aggregated revenue metrics to Anthropic’s API. No personally identifiable customer data is shared.
5. Your Rights & Choices
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access: You can request a copy of the data we hold about you.
- Correction: You can update your Stripe information (Stripe key) from the Settings page.
- Deletion: You can request that we delete your account and associated data. To do so, contact us at the email below.
- Data Portability: You can export your metrics and insights via the dashboard’s Export function.
- Opt‑Out of Emails: You can unsubscribe from marketing or report emails using the link in any email or by updating your preferences in Settings.
To exercise any of these rights, please contact us at privacy@revenuemd.online.
6. Cookies
We use only essential cookies required for the application to function. Specifically, we set an httpOnly session cookie named revenuemd_session after you log in. This cookie contains a signed JWT and is used to authenticate subsequent requests. No tracking or advertising cookies are employed.
You can configure your browser to reject cookies, but doing so will prevent you from logging in.
7. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or by displaying a notice within the application. The latest version will always be available at this URL.
8. Contact Us
If you have any questions or concerns about this Privacy Policy, please reach out to us:
- Email: privacy@revenuemd.online
© 2026 RevenueMD. All rights reserved.