What Revvye can — and cannot — touch.
Revvye is a public-surface diagnostic. It reads the same pages any visitor or search crawler can see. It never signs in, never collects credentials, and never reaches private systems. This page describes how we keep that boundary and how to report a problem.
Last updated: June 30, 2026
Public-page-only scanning
The scanner is scoped to public surfaces by design.
Revvye fetches public HTML, robots.txt, sitemaps, structured data, Open Graph metadata, and performance signals from the URLs you submit. It does not access password-protected content, customer accounts, CRMs, payment systems, booking-platform internals, or any private data. There is no credential entry anywhere in the scan flow.
Because scans are public-surface only, running a scan against a URL exposes nothing a visitor could not already see. We do not bypass access controls or scrape protected areas.
No credential collection
We never ask for, store, or transmit login credentials for the sites we scan.
Account passwords for Revvye itself are handled by Supabase Auth and stored only as a hash — we never see plaintext passwords. If you sign in via OAuth, we receive only the profile fields the provider exposes.
Payments
Card data is handled entirely by Stripe.
All payments run through Stripe-hosted checkout. PCI compliance is Stripe’s responsibility; Revvye never sees, stores, or transmits full card numbers. We retain only the receipt-level metadata Stripe returns.
Data handling and retention
Concrete retention, mirrored from the Privacy Policy.
Scan data and public-page artifacts are retained for 12 months from the date of the scan, or until you request deletion, whichever comes first. Account data is kept while your account is active plus 90 days after a deletion request, except records we are legally required to retain. The full list of vendors that process data is on the sub-processors page.
Abuse prevention and rate limiting
The scanner is not an open crawler.
There is a per-account quota that prevents abusive or high-volume use. Submitted targets are normalized and validated; internal and private network addresses are not scannable. You are responsible for using scans lawfully and not for bypassing access controls, overloading sites, or misrepresenting ownership.
Responsible disclosure
If you find a security issue, tell us and we will work with you.
Report suspected vulnerabilities to security@revvye.com. Please give us a reasonable window to investigate and fix before any public disclosure. We do not pursue legal action against good-faith research that respects user privacy and avoids service disruption.
Known limitations
We do not overstate our posture.
Revvye is a small operation. We do not currently hold formal compliance certifications (for example SOC 2 or ISO 27001) and do not claim them. Our security posture rests on a narrow data footprint, public-only scanning, reputable infrastructure vendors, and least-privilege access to production systems.