Last updated: May 2026
Scope: This Privacy Policy applies to the Revora mobile iOS application.
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Matteo Heck
c/o Büro für deutsche Vermögensberatung / Tino Heck
Landsberger Allee 366
12681 Berlin
Germany
Email: contact@revora.support
Website: revora.support
2. Data Processing Principles
We only process personal data to the extent necessary to provide the app's features, or where a legal basis exists. Below we transparently inform you about what data we collect, for what purpose and on what legal basis we process it, and how long we retain it.
Automated decision-making or profiling within the meaning of Article 22 GDPR does not take place.
3. Registration and User Account
3.1 Data Collected
Creating a user account is required to use the app. Depending on the chosen registration method, we process the following data:
- Email and password: Email address, password hash (never stored in plain text)
- Sign in with Apple: User ID and, where applicable, email address transmitted by Apple, as well as OAuth metadata
- Sign in with Google: User ID, email address, and OAuth metadata transmitted by Google
Additionally, onboarding data is collected during registration (e.g. reading goal, preferred reading time, display language).
3.2 Legal Basis
Article 6(1)(b) GDPR (performance of a contract) — processing is necessary to provide the user account and app features.
3.3 Service Provider: Supabase
Authentication and database operations are handled by Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992. User data is stored on servers in the EU-Central-1 region (Frankfurt, Germany). Data transfers between the app and Supabase are encrypted via HTTPS/TLS. For more information: supabase.com/privacy.
4. User Data Stored in the App
4.1 In Our Database (Supabase Postgres)
We store the following data per user account:
- Profile: Display name, onboarding data, reading goal, preferred reading time, notification settings
- Library: Books, folders, ISBN, title, author, cover image, page count
- Reading activity: Reading progress, reading sessions
- Learning content: Flashcards, review events, generated quizzes, questions and quiz runs
- App usage: AI usage counters and events, subscription status (mirrored from RevenueCat)
- Support: Support messages, email delivery status
- Other: Account deletion requests
All data stored in your account is retained until your account is deleted (see Section 14).
4.2 In Supabase Storage
- Book cover images uploaded by you (from your device gallery)
- Temporary audio recordings for the transcription feature (deleted after processing — see Section 6)
4.3 Stored Locally on Your Device
The following data is stored exclusively on your device and is not transmitted to our servers:
- Offline and guest data (SQLite database)
- App settings, language selection, selected book
- Timer and notification state
- Pending transcription files (temporary)
4.4 Legal Basis
Article 6(1)(b) GDPR (performance of a contract).
5. Hosting and Technical Infrastructure
5.1 Website Hosting (Vercel)
The landing website revora.support is hosted on the infrastructure of Vercel Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA. When the website is accessed, technical access data (IP address, timestamp, pages visited) is recorded in server logs. Vercel may use a global CDN (Content Delivery Network). For more information: vercel.com/legal/privacy-policy.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in the secure and performant operation of the website).
5.2 App Backend (Supabase)
The app's backend runs on Supabase (see Section 3.3). All data transfers are encrypted via HTTPS/TLS.
6. Use of Artificial Intelligence (OpenAI)
6.1 Data Processed
For the following AI-powered features, content is transmitted to OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA:
- Transcription: Your voice recording (Active Recall) is transmitted to OpenAI for conversion into text.
- Flashcard generation: The transcribed text is transmitted to OpenAI for the automatic creation of learning cards.
- Quiz generation (Pro): Transcript text and flashcard content are transmitted to OpenAI for the creation of quiz questions.
- AI Chat (Pro): Your messages in the in-app chat are transmitted to OpenAI together with the content of the relevant flashcard (front, back, explanation) as well as the book title and author.
6.2 No Permanent Storage by Us
We only store voice recordings temporarily during processing. The raw transcript is retained in our database for a maximum of approximately 24 hours and then automatically deleted. Flashcards or quizzes generated from it remain permanently in your account until you delete them or your account.
6.3 Processing by OpenAI
OpenAI processes transmitted data in accordance with its own privacy policy. For API users, OpenAI does not use the data to train its models by default. For more information: openai.com/policies/privacy-policy.
6.4 Legal Basis
Article 6(1)(b) GDPR (performance of a contract, as AI features are an essential component of the app).
7. Microphone and Camera
7.1 Microphone
For the Active Recall feature, the app records a voice input on your explicit command. This recording is processed for transcription (see Section 6) and then deleted. No recording takes place without your active interaction.
7.2 Camera and Photo Library
The camera may be used to scan ISBNs when manually adding books. The scanned ISBN is transmitted to the Open Library API (openlibrary.org) to retrieve metadata (title, author, cover); no personal data is shared in this process. Alternatively, a book cover can be uploaded from your photo library. Scanned images are not stored; uploaded book covers are stored in Supabase Storage (see Section 4.2).
Access to the microphone, camera, and photo library requires your consent via iOS system permissions. You can revoke these permissions at any time in your iOS settings.
Legal basis: Article 6(1)(b) GDPR (performance of a contract).
8. Subscription Management (RevenueCat)
Subscriptions (Revora Pro) are processed through the Apple App Store. We use RevenueCat, Inc., 633 Tasman Drive, San Jose, CA 95134, USA, to manage subscription status, purchases, and webhooks.
RevenueCat processes transaction-related data (internal app user ID (Supabase UUID), purchase IDs, subscription status). Subscription status is additionally mirrored in our Supabase database. Purchases themselves are processed exclusively through the Apple App Store; payment data (credit card details, etc.) never reaches us or RevenueCat.
For more information: revenuecat.com/privacy.
Legal basis: Article 6(1)(b) GDPR (performance of a contract).
9. Email Communication
We use the following services for sending emails:
9.1 Resend
Transactional emails (welcome email, account deletion code, support confirmations) are sent via Resend, Inc. Your email address and the content of the respective message are transmitted to Resend. For more information: resend.com/legal/privacy-policy.
9.2 Supabase Auth
Authentication emails (password reset, email verification) are sent directly via Supabase Auth (see Section 3.3).
Legal basis: Article 6(1)(b) GDPR (performance of a contract).
10. App Analytics (PostHog)
We use PostHog Cloud to analyze app usage (PostHog, Inc., 965 Mission Street, San Francisco, CA 94103, USA).
10.1 Events Captured
We capture anonymized usage events (e.g. screens visited, features used, onboarding steps, purchase completions). All events are assigned to a randomly generated, anonymous analytics ID that cannot be linked back to your user account. No flashcard content, transcripts, or other user-generated content is transmitted to PostHog.
10.2 Session Replay
To improve the user experience, we use PostHog's session replay feature. This captures screen interactions — in particular tap and swipe gestures as well as the current state of the screen — as events. No video is recorded; PostHog reconstructs a visual playback of the session from these events, which helps us identify navigation issues and improve the app. Passwords and payment data are not captured. Recordings are linked exclusively to the anonymous analytics ID (see Section 10.1).
10.3 Right to Object
As this processing is based on our legitimate interest, you have the right to object at any time under Article 21 GDPR. Please send your objection by email to contact@revora.support; we will then exclude your analytics ID from further collection.
PostHog processes data in accordance with its own privacy policy. For more information: posthog.com/privacy.
Legal basis: Article 6(1)(f) GDPR (legitimate interest in improving app quality and user experience).
11. Push Notifications
The app uses local notifications on your device (e.g. reminders for reading sessions or review repetitions). These notifications are triggered exclusively locally by the app; no data is transmitted to external push services. You can disable notifications at any time in your iOS settings.
12. International Data Transfers
The following service providers process data outside the EU/EEA, in particular in the USA:
| Provider | Purpose | Safeguard |
|---|---|---|
| OpenAI | AI features | EU Standard Contractual Clauses |
| Supabase | Database, Auth, Storage (data stored in Frankfurt, EU) | EU Standard Contractual Clauses |
| RevenueCat | Subscription management | EU Standard Contractual Clauses |
| Resend | Email delivery | EU Standard Contractual Clauses |
| PostHog | App analytics, Session Replay | EU Standard Contractual Clauses |
| Vercel | Website hosting | EU Standard Contractual Clauses |
Transfers are made on the basis of Article 46(2)(c) GDPR (Standard Contractual Clauses adopted by the European Commission).
13. Your Rights as a Data Subject
You have the following rights against the data controller:
- Right of access (Art. 15 GDPR): You may request information about the personal data we process about you.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your data, unless legal retention obligations apply.
- Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you may request that processing be restricted.
- Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You may object at any time to processing based on legitimate interests — in particular to analytics processing as described in Section 10.3.
- Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent you have given at any time with effect for the future.
To exercise these rights, please contact: contact@revora.support.
You also have the right to lodge a complaint with the competent data protection supervisory authority. In Germany, this is the data protection commissioner of the relevant federal state.
14. Account Deletion
You can delete your account at any time directly within the app. The process is as follows:
- Request a 6-digit deletion code by email (code valid for 15 minutes)
- Enter the code in the app to confirm
- Your user account and all associated data will then be permanently and irreversibly deleted
The following will be removed upon deletion: your Supabase Auth user account, all user-related database entries (cascading), book cover images you uploaded from Storage, and all local app data on your device.
Note on residual data: External providers (RevenueCat, PostHog, OpenAI, Resend) may retain anonymized or transaction-related data in accordance with their own retention periods. We have no direct control over these periods.
15. Data Security
We implement technical and organizational measures to protect your data against unauthorized access, loss, or misuse. All data transfers are encrypted via HTTPS/TLS. Passwords are stored exclusively as hashes. User data is hosted on servers within the European Union (Frankfurt, Germany).
16. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy when the app or legal requirements change. We will notify you of material changes by email or through a notice in the app. The current version is always available in the app and at revora.support.
17. Contact and Data Controller
For questions about data protection or to exercise your rights, please contact:
Matteo Heck
c/o Büro für deutsche Vermögensberatung / Tino Heck
Landsberger Allee 366
12681 Berlin
Germany
Email: contact@revora.support
This Privacy Policy was last updated in May 2026.