Privacy Policy
Last updated: 26 June 2026
Reevolt operates a multi-tenant e-commerce platform at reevolt.co. We provide the infrastructure for vendors to build online stores and for customers to shop within them. This policy explains what personal data we collect, how we use it, and what rights you have over it.
If you have any questions about this policy, contact us at reevolt.co@gmail.com.
1. Who This Policy Covers
This policy applies to two groups of people who interact with Reevolt:
- Vendors — business owners who register on Reevolt to build and manage an online store via the dashboard.
- Customers — shoppers who create accounts or place orders on a vendor's storefront. Customer accounts are scoped to the individual store they register with.
2. Data We Collect
Vendors
When you register as a vendor, we collect your email address, first and last name, and a password. Passwords are stored as bcrypt hashes — your original password is never stored and cannot be retrieved by anyone, including us.
If you choose to sign in with Google, we receive your name, email address, and profile picture from Google. We request only the email and profile scopes — nothing more. We also store the store information you provide: store name, product listings, settings, and theme choices.
If a store admin invites someone to their team, we store the invited person's email address in our database before that person creates a Reevolt account, so the invitation can be matched when they sign up or log in. We use this address only to deliver and manage the invitation (in-app notification once they have an account, and a transactional email when a mail provider is configured). If the invitation is revoked or declined, the pending record is removed or marked inactive; we do not use invited emails for marketing.
Customers
When you register as a customer or place an order on a storefront, we collect your email address, name, and phone number (passwords are bcrypt-hashed as above). We collect your delivery addresses and order history, including the items purchased, amounts paid, and the payment transaction ID (TRX ID) you provide.
Payment note. Reevolt uses Cash on Delivery and manual mobile-money transfers (bKash, Nagad). We store only the transaction ID and sender number you enter as evidence. We never collect, process, or store credit card numbers or bank account details.
Automatically Collected
For each request to our servers we record technical metadata — IP address, browser type (user agent), and the endpoint accessed. This is written to rotating application log files, which are automatically deleted after 7 days, and to a database audit log that we retain for security, abuse prevention, and operational integrity.
On vendor storefronts we record lightweight visit data to produce traffic and visitor statistics for the store owner. Each record contains your IP address, an anonymous session identifier, and the page path. Raw visit records are deleted after 7 days and replaced with aggregated daily visitor counts that contain no personal data.
3. How We Use Your Data
We use the data we collect to operate, improve, and develop the platform:
- To create and maintain your account
- To authenticate you securely
- To process and fulfil orders
- To enable vendors to manage their store, products, and orders
- To deliver and manage team invitations when a vendor adds collaborators
- To provide traffic and visitor analytics to store owners
- To retain order records as required by law
- To analyse, improve, and develop our products and services — including training machine-learning / AI features using vendor and operational store data and de-identified data
We do not sell your personal data, and we do not use it for third-party advertising. When we train AI or develop product features, we use de-identified data and vendor/store operational data — we do not use customers' personal information to train our models (see also our Terms of Service).
4. Storage and Security
All data is stored on servers we operate (a VPS). All data is transmitted over HTTPS. Passwords are stored as bcrypt hashes and cannot be reversed.
The primary database is not encrypted at rest. Delivery addresses, order details, and payment transaction IDs are stored in plaintext in the database. We are transparent about this because our VPS provider operates the underlying hardware and has hypervisor-level access to the server disk.
Nightly database backups run at 02:00 UTC. Before storage, each backup is compressed and encrypted with AES-256-GCM. Backups are stored in a private Cloudflare R2 bucket and automatically deleted after 30 days.
5. Third Parties
We do not use third-party analytics platforms, advertising networks, or data brokers. Below are the third parties we work with and exactly what they receive.
- Cloudflare (R2) stores vendor product images (served via a public CDN) and encrypted database backup files. Cloudflare does not receive customer or vendor account data directly.
- Our VPS provider hosts the physical server hardware and, as noted above, has hypervisor-level access to the disk that holds the database.
- Google is used for optional vendor sign-in via OAuth only. Google sends us your name and email during sign-in. We do not send your data back to Google and use no Google advertising or analytics products.
- Vercel hosts our frontend code and serves the website. Standard request metadata (such as IP) passes through Vercel's edge network to deliver pages.
- Meta (Facebook) — vendor-optional only. See Section 6.
We do not currently offer Facebook/Meta login. Sign-in with a third party is available through Google only.
6. Vendor-Configured Analytics & Facebook Pixel
Vendors may optionally connect analytics and marketing integrations to their store — for example by entering a Facebook (Meta) Pixel ID. When a Pixel is enabled, Meta's script loads on that vendor's public storefront and collects visitor behaviour data — such as page views and actions — directly between the visitor's browser and Meta. That data is processed by Meta under Meta's own Privacy Policy.
Where a vendor connects such integrations (for example the Meta Pixel / Conversions API or other third-party analytics APIs), Reevolt may receive aggregated analytics and conversion metrics about storefront activity in order to display them to the vendor in the dashboard. We use this data only to provide analytics to the store owner. If you wish to prevent pixel tracking while browsing a storefront, you may use a browser extension that blocks tracking scripts.
7. Data Retention
- Vendor and customer accounts — retained until deletion is requested.
- Order records, customer records, addresses, and invoices — retained indefinitely. We are legally required to maintain complete records for tax and financial compliance, and this data is preserved even when a store is deleted.
- Application log files — deleted after 7 days.
- Database audit logs — retained for security and operational integrity.
- Raw storefront visit data (including IP address) — deleted after 7 days; only anonymous aggregated counts are kept long-term.
- Database backups — automatically deleted after 30 days.
- OAuth sign-in state tokens — expire after 10 minutes.
8. Cookies and Local Storage
Reevolt does not set tracking or advertising cookies. Authentication is handled with a JWT (JSON Web Token) stored in your browser's local storage, not a cookie. Note that if you browse a vendor storefront that has enabled a Facebook Pixel (Section 6), Meta may set its own cookies on that storefront, outside Reevolt's control.
9. Your Rights
You have the following rights over your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — update your name, phone number, or password from your account settings at any time.
- Deletion — request deletion of your store/account by emailing reevolt.co@gmail.com, or by deleting your store from the dashboard. When a store is deleted it is first soft-deleted with a 30-day recovery window, then permanently removed. After permanent deletion we keep only a minimal archive record (store name, slug, owner email, and order/storage totals).
Important limitation. Deletion does not remove order records, customer records, addresses, or invoices. We are legally required to retain this transactional data for tax and financial compliance, and it is preserved even after a store is deleted.
If you are in the EU or EEA, you additionally have the right to data portability, restriction of processing, and to lodge a complaint with your national supervisory authority.
10. Children
Reevolt is not directed at children under the age of 13 and we do not knowingly collect their data. If you believe a child has provided us with personal data, contact us at reevolt.co@gmail.com and we will delete it.
11. Changes to This Policy
We will update the "Last updated" date above whenever this policy changes. For material changes that affect how we handle your data, we will notify vendors by email before the changes take effect.
12. Contact
For privacy questions, data access requests, or account deletion: reevolt.co@gmail.com.