Privacy Policy

RevDesk (operated by Cell Labs, Inc.) is committed to protecting your privacy. This policy explains how we collect, use, share, and safeguard your information when you use our AI-powered phone system. Your use of RevDesk constitutes acceptance of this Privacy Policy. If you disagree with any part of this policy, please do not use our Services.

We collect information you give us (account details, business info), call data (recordings, transcripts, caller numbers), and technical data (IP address, browser type, usage patterns).

Information You Provide to Us

• Account information: Name, email address, phone number, company name
• Business information: Industry, business hours, preferences, custom prompts
• Payment information:Processed securely through Stripe (we don't store credit card numbers)
• Communication preferences: Notification settings, language preferences
• Support communications: Messages you send us for customer support

Information Collected Automatically

• Call data: Voice recordings, call transcripts, caller phone numbers, call duration, timestamps
• Usage data: Features accessed, actions taken, time spent in the app
• Device information: IP address, browser type and version, operating system, device type
• Log data: Server logs, error logs, performance metrics
• Analytics data: How you interact with our service (via cookies and similar technologies)

Information from Callers

When someone calls your RevDesk number, we may collect:

• Their phone number (caller ID)
• Voice recordings (only if call recordings are enabled in your settings)
• Conversation transcripts (only if transcription is enabled in your settings)
• Any information they provide during the call (names, messages, appointment details)

When you opt in to receive SMS messages from RevDesk, we collect your mobile phone number and consent preferences. This section explains how we handle your SMS-related data.

How We Collect SMS Consent

We collect SMS consent exclusively through our website opt-in form. During signup, you provide your phone number and check an unchecked SMS consent checkbox that reads: “I agree to get appointment reminders and account alerts via text from RevDesk. Msg frequency varies. Msg & data rates may apply. Reply STOP to unsubscribe. Reply HELP for help.” No messages are sent unless you explicitly check this box and submit the form.

Limited Sharing for Service Delivery

We share your mobile phone number only with the following service providers, solely to deliver SMS messages on our behalf:

• Telnyx: Our telephony and SMS gateway provider that transmits messages to your phone. Telnyx is contractually prohibited from using your data for any purpose other than message delivery.

These providers receive only the data necessary to deliver your messages and are bound by strict data protection agreements.

Message Frequency & Costs

Message frequency varies based on your account activity and scheduled appointments. Typical users receive 2–10 messages per month. Standard message and data rates may apply based on your mobile carrier plan.

For full details on our SMS program, including opt-in methods, message types, and carrier information, see our SMS Opt-In & Program Information page.

Managing Your SMS Preferences

You can update your SMS preferences or opt out at any time through your account settings, by replying STOP to any message, or by contacting support@revdesk.com. See our SMS Terms and Conditions for complete opt-out instructions.

We use your data to provide the service (answer calls, schedule appointments), send you updates, provide customer support, and comply with legal requirements:

• Provide and maintain our services: Answer calls, transcribe conversations (if enabled), schedule appointments, sync with your integrations
• Process transactions: Manage subscriptions, process payments, send invoices
• Improve our platform: Use anonymized, aggregated usage metrics (not call content) to improve user experience and product features
• Send service communications: Account notifications, billing updates, service announcements
• Provide customer support: Respond to your requests, troubleshoot issues, provide technical assistance
• Analyze usage patterns: Understand how customers use our service to improve user interface and workflows (anonymized data only)
• Detect and prevent fraud: Monitor for abusive or illegal activity, protect against security threats
• Comply with legal obligations: Respond to legal requests, enforce our Terms of Service
• Send marketing communications: Product updates, new features, tips (you can opt out anytime)

Legal Bases for Processing (GDPR)

For EU users, we process your data based on:

• Contract performance: Processing necessary to provide the services you signed up for
• Legitimate interests: Improving our service, preventing fraud, ensuring security
• Consent: Marketing communications (you can withdraw consent anytime)
• Legal compliance: Complying with laws and regulations

Your call audio is transmitted via LiveKit for real-time media handling, transcribed by Deepgram, and processed by Google Gemini (primary), with OpenAI GPT and Anthropic Claude available as fallback or secondary providers depending on your agent configuration. Audio and transcripts are stored encrypted at rest (AES-256) and in transit (TLS 1.3).

We do not sell your personal information. We share data only with trusted service providers necessary to operate our platform.

Service Providers (Data Processors)

We work with third-party companies to operate our business. Each receives only the data necessary to perform their specific function. Here's exactly what data each service receives and why:

Other Sharing Scenarios

We may also share your data:

• With your consent: When you explicitly agree to share your data (e.g., enabling CRM integrations)
• For legal compliance: When required by law, court order, subpoena, or government request
• In business transfers:If we're acquired or merge with another company, your data may transfer to the new entity
• To protect rights and safety: To enforce our Terms, protect against fraud, or ensure user safety

When you sign in with Google or connect a Google integration, RevDesk requests only the OAuth scopes needed for the feature you're enabling. RevDesk's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Your Google data is used only to provide the user-facing feature you authorized, never sold, and never used to train AI models.

Scopes We Request

• userinfo.profile and userinfo.email: Required for Google sign-in. We use your name, email, and profile picture to identify your account.
• calendar.events and calendar.readonly: Requested only if you connect Google Calendar as an individual user. Used to read your availability and create, update, or cancel events for bookings made through RevDesk. Google Meet links are generated automatically through the Calendar API and do not require an additional scope.
• calendar (full):Requested only when a Google Workspace administrator enables domain-wide delegation for their organization. Used by RevDesk's service account to read availability and manage bookings on behalf of users in the Workspace, exactly as the administrator authorizes in their Google Workspace Admin Console. Individual users connecting their own Calendar do not grant this scope.
• spreadsheets and drive.readonly: Requested only if you connect the Google Sheets integration. Used to discover your spreadsheets (read-only Drive access for listing) and to read and write the specific sheets you choose to sync.

Token Storage and Revocation

OAuth refresh tokens are encrypted at rest and used only to maintain the connection you authorized. You can revoke RevDesk's access at any time from your Google Account permissions page or by disconnecting the integration in your RevDesk settings. Disconnecting removes the stored token immediately.

Each step below shows where your data goes during a call — from the caller, through Telnyx and LiveKit, to Deepgram and our AI models, then into encrypted storage. All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

We implement industry-standard security measures to protect your data from unauthorized access, disclosure, alteration, or destruction.

Security Measures

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access controls: Multi-factor authentication, role-based permissions, least-privilege access
• Infrastructure: AWS data centers with physical security, redundancy, and automated encrypted backups
• Network security: Firewalls, intrusion detection, DDoS protection
• Security audits: Regular third-party penetration testing and vulnerability assessments
• Staff training: All employees trained on data protection and privacy best practices
• Incident response: Documented procedures for security incidents and data breaches
• Vendor oversight: Security reviews of all third-party service providers

Compliance Posture

HIPAA: RevDesk is HIPAA-compliant and signs Business Associate Agreements with healthcare customers on request. Our telephony (Telnyx), media (LiveKit), and STT (Deepgram) subprocessors all support BAAs. See the HIPAA Considerations section for details.

SOC 2 Type II: We are actively pursuing SOC 2 Type II certification (audit in progress). All of our core subprocessors (Telnyx, LiveKit, Deepgram, Stripe, Neon) are already SOC 2 Type II certified.

We keep your data as long as your account is active. Call recordings are kept for 90 days by default (configurable). After account deletion, we retain data for 30 days, then permanently delete it.

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

Retention Periods

• Account data: Retained while your account is active, plus 30 days after closure (grace period for reactivation)
• Call recordings: Default 90-day retention (configurable in your settings: 7 days to 1 year)
• Call transcripts: Same retention period as recordings
• Payment records: Retained for 7 years to comply with tax and accounting regulations
• Support communications: Retained for 3 years for customer service purposes
• Anonymized analytics: Retained indefinitely (contains no personally identifiable information)

What Happens After Deletion

When you delete your account or we delete your data after the retention period:

• Permanent deletion: Data is securely deleted from our production servers and cannot be recovered
• Backup deletion: Data removed from backups within 90 days
• Third-party deletion: We request deletion from service providers (Telnyx, LiveKit, Deepgram, AI providers, etc.)
• Exceptions: We may retain data if required by law, to resolve disputes, or prevent fraud

You can access, correct, delete, or export your data anytime. You can opt out of marketing emails and request restrictions on data processing. Contact us to exercise these rights.

You have the following rights regarding your personal data:

Universal Rights (All Users)

• Right to access: Request a copy of all personal data we hold about you
• Right to correction: Request correction of inaccurate or incomplete data
• Right to deletion: Request deletion of your personal data (subject to legal obligations)
• Right to data portability: Export your data in a machine-readable format (JSON, CSV)
• Right to opt-out of marketing:Unsubscribe from promotional emails (click "unsubscribe" or email us)
• Right to object: Object to certain data processing activities

How to Exercise Your Rights

To exercise any of these rights:

1. Email us at support@revdesk.com
2. Include your account email and describe your request
3. We'll verify your identity and respond within 30 days

For users in the European Union, we comply with the General Data Protection Regulation (GDPR), which grants you additional rights beyond those available to all users.

Additional GDPR Rights

• Right to data portability: Receive your data in a structured, commonly-used format
• Right to be forgotten: Request complete deletion of your data (with some exceptions)
• Right to restrict processing: Limit how we use your data in certain circumstances
• Right to object to automated decisions: Object to decisions made solely by automated processing (including profiling)
• Right to lodge a complaint: File a complaint with your national data protection authority

GDPR Inquiries

For GDPR-related requests and inquiries, please contact us at support@revdesk.com. We'll respond to all GDPR requests within 30 days.

Data Processing Agreements (DPA)

If you're a business customer processing EU personal data through RevDesk, we'll provide a Data Processing Agreement (DPA) upon request. Contact support@revdesk.com to request a DPA.

For California residents, we comply with the California Consumer Privacy Act (CCPA), which grants you specific rights regarding your personal information.

Your CCPA Rights

• Right to know:Request disclosure of what personal information we've collected, used, disclosed, or sold in the past 12 months
• Right to deletion: Request deletion of your personal information (subject to exceptions)
• Right to opt-out of "sales":We do NOT sell your personal information, so this doesn't apply
• Right to non-discrimination:We won't discriminate against you for exercising your CCPA rights

How to Exercise Your CCPA Rights

To make a CCPA request:

1. Email us at support@revdesk.com with subject "CCPA Request"
2. Include your account email and describe your request
3. We'll verify your identity (to prevent unauthorized access)
4. We'll respond within 45 days (30-day extension if needed)

Categories of Information We Collect

Under CCPA, we collect the following categories of personal information:

• Identifiers: Name, email, phone number, IP address
• Commercial information: Subscription plan, payment history, call usage
• Internet/network activity: Usage data, device information, log data
• Audio/visual data: Call recordings, voice data
• Inferences: Preferences, behavior patterns (anonymized analytics)

If a data breach occurs that affects your personal information, we'll notify you within 72 hours and explain what happened, what data was affected, and what we're doing about it.

In the unlikely event of a data breach involving your personal information, we commit to:

Our Notification Process

• Immediate investigation: Contain the breach, assess scope, identify affected users
• Notify affected users within 72 hours: Email to your registered email address
• Notify regulators: Report to data protection authorities (GDPR, CCPA) as required
• Provide clear communication:Explain what happened, what data was affected, and what we're doing

What We'll Tell You

Our breach notification will include:

• Nature of the breach: What happened and how it occurred
• Data affected: What types of personal information were compromised
• Potential impact: Risks to your privacy and security
• Our response:Steps we've taken to contain the breach and prevent future incidents
• Your next steps: Recommended actions you should take (e.g., change passwords, monitor accounts)
• Contact information: How to reach us with questions or concerns

Prevention Measures

We take proactive steps to prevent data breaches:

• Regular security audits and penetration testing
• 24/7 security monitoring and intrusion detection
• Employee security training and access controls
• Incident response plan with defined procedures
• Encryption of all sensitive data

RevDesk is HIPAA-compliant and supports healthcare deployments through Business Associate Agreements (BAAs). Healthcare organizations must execute a BAA with us before processing Protected Health Information (PHI) through our platform.

When HIPAA Applies

HIPAA requirements apply when:

• You are a covered entity or business associate under HIPAA
• Callers discuss medical conditions, treatments, prescriptions, or other PHI
• You store, transmit, or process PHI through RevDesk

HIPAA Compliance Measures

• Encryption of all PHI in transit (TLS 1.3) and at rest (AES-256)
• Role-based access controls, audit logs, and multi-factor authentication
• BAAs with HIPAA-eligible subprocessors: Telnyx (telephony & SMS), LiveKit (real-time media), and Deepgram (speech-to-text)
• Breach notification within 60 days per HIPAA requirements
• Configurable data retention periods

Requesting a BAA

Email support@revdesk.com with subject "HIPAA BAA Request" and include your organization name. We'll send you our standard BAA for review and execution.

Important: Public-tier AI APIs from OpenAI and Anthropic do not currently offer BAAs. Healthcare customers should either route AI workloads through HIPAA-eligible Gemini tiers, configure RevDesk to skip transcript forwarding to non-BAA providers, or limit conversations to non-PHI flows (appointment scheduling, general inquiries).

We use cookies for authentication, analytics, and to remember your preferences. You can control cookie settings in your browser.

We use cookies and similar technologies to enhance your experience, analyze usage, and provide personalized content.

Types of Cookies We Use

• Essential cookies: Required for the service to function (authentication, security, session management). These cannot be disabled.
• Analytics cookies: Help us understand how users interact with our service (Google Analytics, Mixpanel)
• Preference cookies: Remember your settings and preferences
• Marketing cookies: Track conversions from marketing campaigns (you can opt out)

How to Control Cookies

You can control cookies by:

• Browser settings: Most browsers allow you to refuse cookies or delete existing ones
• Opt-out tools: Use tools like Google Analytics Opt-out
• Do Not Track: We respect Do Not Track (DNT) browser settings

Note: Disabling essential cookies may prevent you from using certain features of RevDesk.

RevDesk is not intended for anyone under 18. We don't knowingly collect data from children. If we discover we have, we'll delete it immediately.

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@revdesk.com. We will delete such information immediately.

Note: If callers to your RevDesk number include minors (e.g., parents calling about their children), you are responsible for complying with applicable child privacy laws (COPPA, etc.).

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers (Standard Contractual Clauses, etc.).

Your information may be transferred to and processed in countries other than your country of residence, including the United States.

Where Your Data is Processed

• United States: Our primary servers and infrastructure (AWS US regions)
• Service providers: Telnyx, LiveKit, Deepgram, Google, OpenAI, Anthropic (primarily US-based)
• Backup storage: Geographically distributed for redundancy

Safeguards for International Transfers

We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): EU-approved contract terms for data transfers
• Adequacy decisions: We transfer data to countries deemed adequate by the EU Commission where possible
• Data processing agreements: Contracts with all service providers to ensure data protection

If you have questions or concerns about international data transfers, contact support@revdesk.com.

We may update this privacy policy from time to time. We will notify you of any material changes by:

• Sending an email to your registered email address
• Posting a notice within the Services
• Updating the "Last updated" date at the top of this page

Your continued use of the Services after changes become effective constitutes acceptance of the updated Privacy Policy.

Notice period:For material changes that affect your rights, we'll provide at least 30 days' advance notice.

Questions about privacy? Email support@revdesk.com or write to us in New York. We respond within 30 days.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Note: For privacy inquiries, GDPR requests, HIPAA BAA requests, or general support, please email us at the address above.