V0.7 Last updated 12th March 2020

1       Privacy By Design

At Revoke, we care deeply about data protection and privacy.

It’s the reason we launched Revoke: the internet is broken, personal data is everywhere. We want to fix this problem by helping everybody to exercise their data protection rights.

Revoke Limited (“Revoke”, “us”, “we”, or “our”) operates the https://revoke.com website and the Revoke mobile application (the “Service”).

This page informs you of our policies regarding the collection, use and disclosure of personal data when you use our Service and the choices you have associated with that data.

We keep this Privacy Policy up to date and you can always access the latest version on the Revoke website or mobile application. When material changes are made, we will make reasonable efforts to inform you by email or notification via the Service. Your continued use of the Service constitutes your acceptance of the amended Privacy Policy.

We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. Unless otherwise defined, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

2       What Personal Data We Collect and Why

While using our Service, we ask you to provide us with certain personally identifiable information (“Personal Data”). If you choose not to provide your Personal Data, some aspects of the Service may not be available to you; for example, we may not be able to communicate effectively on your behalf with organisations in order to help you exercise your data protection rights.

2.1      Contact information

We collect your contact information (name, email address) in order to communicate with you in the context of the Service.

This includes:

  • Keeping you informed of communications with companies made on your behalf.
  • Responding to emails from you.
  • Sending you newsletters and other information that may be of interest to you. You may opt out of receiving these communications from us by following the unsubscribe link or the instructions provided in any email we send.

If you are in the European Economic Area (EEA), our legal basis for processing your contact information is:

  • It is necessary to provide the services you request,
  • Your consent,
  • It is necessary for the purposes of our legitimate interests such as marketing.

2.2      Identification information

In order to assist you to exercise your individual rights, we collect your identification information and the identification information of relevant personnel at organisations we contact. This allows us to verify your identity, inform you whether your personal data has been the subject of a data breach, detect and prevent fraud, and also allows companies to identify you when you ask us to contact them on your behalf. We may therefore ask for your:

  • Email address
    • So we can communicate with you, and in order for organisations to match you with their customer record
    • So we can carry out a search of the dark web and inform you whether your personal data has been the subject of a data breach
  • Full name
    • So we can verify your identity and communicate effectively with organisations on your behalf
  • Phone number
    • So we can communicate with you and confirm your identity
  • Date of Birth, Address, Photo ID (copy of your Passport, Driving Licence or National ID) and selfie (Biometric data):
    • So we can verify your identity and communicate effectively with organisations on your behalf and match their customer records (note: all data is hashed and encrypted and never transmitted insecurely)
    • To ensure that only you have access to any data retrieved using Revoke
    • So we can be sure of your identity in order to share personal data with you that may have been in a breach
  • Photograph (selfie)
    • To mitigate fraud and verify your identity, confirming that you are the person in the Photo ID (copy of your Passport, Driving Licence or National ID)

We encrypt all sensitive personal information. When we share this information with an organisation’s Data Protection Officer (DPO) we ensure that only the designated recipient of this information is able to access it. We have no access to your Photo ID or biometric data after your identity has been verified unless you explicitly consent to a request from a DPO for this information, as part of their process to ensure you are who you say you are.

When we communicate with organisations on your behalf, it is their responsibility to satisfy themselves that you are a customer of theirs. In order to do this, they may ask for additional information from you, such as a date or amount of a previous bill, a previous address, or a customer number. This information will be encrypted and only accessible to the organisation that has requested it, in order for them to accurately identify you.

If you are in the EEA, our legal basis for processing your identification information is:

  • It is necessary to provide the services you request,
  • Your consent,
  • It is necessary for the purposes of our legitimate interests, such as ensuring accurate identification of individuals for the purposes of making data protection requests on their behalf.

2.3      Copies of Personal Data

As a result of your use of the Service, we may receive copies of your personal data from other sources. This includes:

  • Results of access requests
    • Any personal data retrieved from organisations is received by Revoke but encrypted in such a way that only you can access it. Revoke is unable to access this data; the decryption key is stored on your phone
  • Results of dark web search
    • Any personal data retrieved as a result of our dark web search is shared with you following verification of your email address and identity.

2.4      Location Data

We require you to select a Country of Residence. We use this data to determine which organisations you are likely to want to interact with. For example, if you live in the UK, you will typically want to communicate with UK companies.

If you are in the EEA, our legal basis for processing your location information is:

  • Your consent,
  • It is necessary for the purposes of our legitimate interests, in order for us to help you to communicate with the organisations most relevant to you (i.e. those in the same area)

2.5      Payment Information

We may provide paid products and/or services within the Service. In case you choose to buy such products and/or services, you will be required to provide your payment information such as your name and credit card details.

All payments in the Service are carried out by third-party payment processors in accordance with their privacy policy. We will not access or store your payment card details. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover to help ensure the secure handling of payment information.

The payment processors we work with are:

Apple Store In-App Payments

Their Privacy Policy can be viewed at https://www.apple.com/legal/privacy/en-ww/

Google Play In-App Payments

Their Privacy Policy can be viewed at https://www.google.com/policies/privacy/

If you are in the EEA, our legal basis for processing your payment information is:

  • It is necessary to provide the services you request.

2.6      Account Activity

We use information about your account activity in order to secure your account, detect and prevent fraud, and to measure and improve the Services. This includes your:

  • IP address
  • Login, email address and password
  • Connection information, including browser type and version, and operating system
  • Device identifier
  • Cookies
    • We use a preference cookie to store your choice of language if you choose to change it from the default
    • We use a session cookie if you choose to use our chatbot
  • Interaction with the Service
  • In-Service purchases

If you are in the EEA, our legal basis for processing your account activity information is:

  • It is necessary to provide the services you request,
  • It is necessary for compliance with legal obligations,
  • It is necessary for the purposes of our legitimate interests, such as measuring and improving the Service.

3       Data Sharing

3.1      Individual Rights Requests

When you make a request to a company, exercising your data protection rights, we communicate with that company on your behalf. The Data Protection Officer (DPO) of that company needs to be satisfied that you are who you say you are. We securely share personal information with that company, in order that they can correctly find your data, and act according to your preferences.

When you give your explicit permission, we share your Personal Data in encrypted form so that only the designated recipient is able to access it.

3.2      Dark Web Search

When we carry out a dark web search using your email address, our partner organisation Cyberscout receives a reference number linking to an anonymized version of your search results. If you choose to seek assistance and follow up on the results of your dark web search, your data may be shared with:

  • Cyberscout, if you separately engage them to examine your results and choose to provide them with further personal data beyond the reference number; or
  • Third parties, if you choose to make a claim or commence other legal proceedings as a result of a breach.

3.3      Third Party Service Providers

We may employ third party companies and individuals to facilitate our Service, provide the Service on our behalf, perform Service-related services or assist us in analysing how our Service is used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

3.4      Business Transaction

If Revoke is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will make reasonable efforts to provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

3.5      Disclosure for Law Enforcement

Under certain circumstances, Revoke may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

3.6      Legal Requirements

Revoke may disclose your Personal Data in the good faith belief that such action is necessary:

  • To comply with a legal obligation
  • To protect and defend the rights or property of Revoke
  • To prevent or investigate possible wrongdoing in connection with the Service
  • To protect the personal safety of users of the Service or the public
  • To protect against legal liability

4       Security

The security of your data is extremely important to us.

All data we store is fully encrypted with multiple layers.

You can find out more in our Security Policy.

4.1      Personal Data

When you provide us with personal data in order for us to identify you, and for a receiving DPO to identify you, we encrypt this in such a way that only the recipient of that request is able to decrypt this data.

We need to be able to decrypt certain data in order to confirm its accuracy (e.g. email address, phone number). We also need to be able to send this information to companies with whom we are interacting on your behalf.

We use multiple rotating keys to encrypt your data; there is no master key.

Your private key is never transmitted to our servers.

4.2      Data retrieved from companies

When companies respond to requests for your Personal Data that we have made on your behalf, we have no way of accessing the Personal Data sent by them.

Data retrieved from these companies is encrypted using your private key, stored on your phone. The only person who can access this data is you.

5       Transfer of Data

Your information, including Personal Data, may be transferred to – and maintained on – computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located outside the European Union and choose to provide information to us, please note that we transfer the data, including Personal Data, to the European Union and process it there.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Revoke will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your data and other personal information.

6       Retention of Data

Revoke will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.

Should you delete your account, we will only retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), detect and prevent fraud, resolve disputes and enforce our legal agreements and policies.

Should your account remain inactive for a period of 18 months, your account will be treated as expired. If we do not hear from you after sending you a reminder, we will delete your account and aggregate or anonymise your Personal Data.

7       Your Data Protection Rights

Where the EU General Data Protection Regulation (“GDPR”) applies, you have the following data protection rights in the circumstances set out under the GDPR and other applicable law:

The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.

The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.

The right to object. You have the right to object to our processing of your Personal Data when it relates to direct marketing, or where it is being processed on certain legal grounds.

The right of restriction. You have the right to request that we restrict the processing of your personal information in certain circumstances.

The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.

The right to withdraw consent. You also have the right to withdraw your consent at any time where Revoke relied on your consent to process your personal information.

If you wish to exercise any of the above rights, please contact us using the details listed under “Contact Us”. Please note that we may ask you to verify your identity before responding to such requests.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the EEA.

8       Contact Us

If you have any questions, comments or complaints about this Privacy Policy, or would like to exercise your individual rights, please get in touch with us via the following contact details:

Revoke Limited
