Privacy Policy
Last updated: May 29, 2026
Revstep ("we", "us", "our") operates the Revstep Workspace application at app.revstep.com ("Service"). This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and how we share it.
Information we collect
From visitors to app.revstep.com:
- Contact information you provide (name, email, company) when you submit a contact form
- Standard server logs (IP address, user agent, request timestamps) for security and operational purposes
From clients who engage Revstep Workspace:
- Identification information sufficient to manage the contractual relationship (business name, contact information for designated personnel, billing details)
- Amazon Seller Central account data accessed via Amazon's Selling Partner API under explicit per-client OAuth authorization. This includes:
  - Product listing content (titles, bullets, descriptions, attributes, A+ content references)
  - Pricing and offer information
  - Aggregate sales and traffic reports
  - Inventory availability, FBA inventory status, aggregate order metrics
  - Aggregate Brand Analytics reports (search-query performance and search-term data) for the client's own brand
- Revstep does not request or store buyer personally identifiable information (buyer names, addresses, phone numbers, or shipment-level buyer data).
How we use information
- To deliver the account-management workflows agreed in our services contract with each client
- To generate listing audits, optimization recommendations, and weekly performance reports for the authorizing client
- To submit client-approved listing updates back to Amazon via Amazon's Listings Items API
- To respond to contact-form submissions and support requests
- To operate, secure, and improve the Service
How we store and protect information
- All data transmitted to and from app.revstep.com and the Revstep Workspace application is encrypted in transit using TLS 1.2 or higher.
- Application data is stored in a managed Postgres database (Supabase) with AES-256 encryption at rest and row-level isolation per client.
- SP-API authorization tokens are encrypted at the application layer using AES-256 envelope encryption with keys managed in a dedicated key management system. Token decryption is restricted to server-side worker processes.
- Employee access requires Google Workspace SSO with mandatory two-factor authentication; access is scoped by job duty.
- All access to Amazon-derived data is logged to an internal audit log retained for at least 12 months.
How we share information
Revstep shares client-specific Amazon data only with the authorizing client. Revstep uses the following service providers ("subprocessors") to operate the Service:
- Vercel (application hosting)
- Supabase (managed Postgres database)
- Inngest (background job orchestration)
- Anthropic (AI inference for listing optimization drafting; receives listing content and aggregate performance summaries only — never buyer PII, tokens, or secrets)
- OpenAI (AI inference for image generation; receives listing content and product imagery only — never buyer PII, tokens, or secrets)
- Google Workspace (employee identity and email)
- Google Drive (Shared Drive, Revstep staff only — storage of prepared client deliverables such as PDF/doc exports; live SP-API data is stored in Supabase, not Drive)
- AskElephant (internal CRM lookups — no Amazon data sent)
- Rainforest API (public Amazon marketplace data for competitive research — no authenticated Seller Central data sent)
- Jina Reader (public brand-website text extraction — no Amazon data sent)
Revstep does not opt AI subprocessors into using submitted data for model training where account or contract controls allow data-use restriction. Revstep does not share data with advertising networks, data brokers, or any third party for marketing, resale, or model improvement.
Retention
- Non-PII Amazon Information: retained as long as needed to provide contracted services and purged or anonymized no later than 18 months unless longer retention is legally required.
- Audit logs: retained for at least 12 months.
- Contact-form submissions: retained for as long as needed to respond and reasonably follow up.
Your rights
Clients may request access to, correction of, or deletion of personal data Revstep holds about them under the engagement. Contact privacy@revstep.com to make such a request.
Changes to this policy
We may update this Privacy Policy from time to time. Current clients will be notified of material changes in writing.
Contact
Privacy questions: privacy@revstep.com
General support: support@revstep.com
Security: security@revstep.com