Privacy Policy

Last updated · May 3, 2026

This Privacy Policy explains what data Pannly (pannly.getrevlio.com) collects, why, and how we handle it. It applies to anyone visiting the site, creating an account, or paying for a brief or Pro subscription.

The TL;DR

  • We collect what we need to run a paid idea-brief service: your email, display name, avatar (optional), and a record of what you've unlocked or shipped.
  • We don't sell your data.
  • We don't run third-party advertising trackers or marketing pixels.
  • We use one session cookie to keep you signed in. No cross-site tracking.
  • You can ask for a copy of your data or for it to be deleted by emailing support@getrevlio.com.

1. What we collect

Account data

  • Your email address.
  • Your display name (optional, but recommended).
  • Your avatar image (optional).
  • A bcrypt hash of your password. The password itself is never stored, transmitted, or logged in clear text.
  • Account flags: when you joined, your last login time, whether your email is verified, your Pro subscription status, and an internal admin flag we use for ourselves.

Usage data

  • Which idea briefs you've unlocked or claimed via Pro, and the state of each (unlocked, building, submitted, approved, refunded, rejected).
  • Build artefacts you submit when claiming a refund: the live URL, a screenshot (stored on Cloudflare R2), product name, optional category, and any write-up you provide.
  • Server access logs (request line, status code, IP, user-agent) rotated every 14 days, used for security and debugging.

Payment data

  • We use Dodo Payments to process every transaction. Dodo handles your card details directly — we never see them.
  • We store the Dodo customer ID, payment IDs, amounts, currency, status, refund status, and minimal event metadata. This is what we need to power the customer portal, issue refunds, and keep accurate records.

Communications

If you write to support@getrevlio.com or use the in-app contact form, we keep the message and your email address so we can reply and follow up.

What we don't collect

  • We don't ask for your phone number, postal address, or government ID.
  • We don't run third-party advertising tags (no Google Ads, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or similar).
  • We don't fingerprint browsers.

2. How we use your data

  • Run the service. Authenticate your sessions, show your unlocks and submitted builds, gate briefs by access tier.
  • Process payments. Tell Dodo who's paying and what for; receive webhooks back to track outcome.
  • Send transactional email. Sign-up verification codes, password reset codes, refund confirmations, build review decisions. Sent through Resend.
  • Public surfaces. When we approve a shipped build, your build name, your display name (or initials only if you haven't set a display name), and the live URL appear on the public /built gallery and the public refund ledger on /refunds. Your email never appears on the public site.
  • Service improvement. Aggregated counts of what's getting unlocked, refund rates, and signal acceptance — to improve our scoring and brief generation.
  • Security and fraud prevention. Detect and block abuse and fraudulent refund attempts.

We do not use your personal data to train AI models. The LLM passes that filter signals and write briefs see only public Reddit and Hacker News content, never your account data, your build write-ups, or your communications.

3. Who we share data with

We share the minimum necessary with these third-party processors, each used for a specific purpose:

  • Dodo Payments (payments) — receives the data you enter at checkout plus transaction metadata so we can charge you and issue refunds.
  • Resend (transactional email) — receives your email address and the email body when we send you a transactional message.
  • Cloudflare R2 (object storage) — your avatar and build screenshots are stored on R2's S3-compatible storage.
  • Cloudflare (CDN and DNS) — sits in front of every request. Cloudflare logs are short-lived.
  • OpenRouter (LLM API gateway) and Voyage AI (embeddings) — receive only public Reddit and Hacker News post content for filtering and brief generation. We do not send them user account data, build artefacts, or contact-form messages.
  • Plausible Analytics — if and when we enable analytics, we use Plausible. Plausible doesn't use cookies, doesn't store full IPs, and doesn't track you across sites. We aggregate page-view counts only.

We don't sell, rent, or trade your personal data. We will only disclose data to law enforcement if compelled by a valid legal request, and we'll push back on overly broad requests where the law allows.

4. Cookies

Pannly uses one cookie:

  • pannly_session — an HMAC-signed session token. HttpOnly, Secure in production, SameSite=Lax, with a 30-day rolling expiry. The actual session payload lives server-side in Redis; the cookie carries only an opaque signed reference. We need this to keep you signed in.

We don't use marketing or advertising cookies.

5. Data retention

  • Account data is kept for as long as your account exists. After account closure we delete or anonymise it within 30 days.
  • Build artefacts on /built are retained indefinitely as part of the public ledger. The build name, your display name (or initials), and the live URL stay visible even after you close your account — this is the trade you make when you publish to a public gallery.
  • Payment records are retained for 7 years to comply with tax and accounting law.
  • Email logs at our email provider (Resend) are retained per their own policy — typically around 30 days.
  • Server access logs rotate every 14 days.

6. Your rights

You can ask us to:

  • Access the personal data we hold about you.
  • Correct inaccurate information.
  • Delete your account and the personal data tied to it, subject to the retention limits above.
  • Export your data in a machine-readable format (JSON).
  • Object to or restrict certain uses (e.g. analytics).

Email support@getrevlio.com to exercise any of these. We respond within 30 days.

If you're in the EU or UK, you also have the right to lodge a complaint with your local data protection authority. If you're in India, you can contact the Data Protection Board.

7. International transfers

Pannly is operated from India. Several of our processors (Dodo Payments, Resend, Cloudflare, OpenRouter, Voyage AI) are headquartered outside India, primarily in the US and EU. Your data may be transferred to and processed in those regions. We rely on each processor's stated transfer safeguards (Standard Contractual Clauses or equivalent) where required by law.

8. Children

Pannly is not directed at children under 16. We don't knowingly collect data from minors. If you believe a minor has registered an account, email us and we'll delete it.

9. Security

We use industry-standard practices: TLS for all traffic, bcrypt password hashing, HttpOnly + Secure session cookies, server-side session storage in Redis, scoped API keys for every third-party service, and CSRF-lite checks on every mutating request. No system is perfectly secure. If a breach affects your data, we'll notify you within 72 hours of discovery.

10. Changes to this policy

We may update this Privacy Policy. Material changes will be announced by email and posted here at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Privacy questions, deletion requests, or anything else: support@getrevlio.com.