Product: Ravela (the "Services")
Provider: 6th Sense Interactive LLC (doing business as "Ravela") ("Ravela," "we," "us," or "our")
Effective date: July 2, 2026
Last updated: July 2, 2026
1. Introduction and Scope
This Privacy Policy explains how Ravela collects, uses, shares, and protects personal information in connection with the Ravela websites, applications, APIs, and related services (the "Services"). It also explains the privacy rights you may have and how to exercise them.
This Policy applies to:
- Account users — the creators, brands, businesses, and their team members who register for and use the Services (our "Customers"); and
- Website visitors — people who visit our marketing website.
This Policy also describes how we handle End-User data (information about your audience — for example, Instagram followers who message you, recipients of your automated messages or emails, people who submit your hosted forms or enter your promotions, and customers of your storefront). For most End-User data, we act as a processor/service provider on behalf of our Customers; see Section 4.
This Policy does not govern the privacy practices of our Customers, of Connected Platforms (such as Instagram/Meta), of Stripe, or of any other third party. If you are an End User and have questions about how a creator uses your data, please contact that creator directly.
Capitalized terms not defined here have the meaning given in our Terms of Service.
2. Who We Are and How to Contact Us
Controller / business: 6th Sense Interactive LLC (doing business as "Ravela"), New Jersey, United States. A mailing address for legal notices is available on written request to [email protected].
Privacy contact: [email protected] (subject line "Privacy Request")
Data deletion requests: [email protected] (see Section 17 for step-by-step instructions)
EU / UK representatives (GDPR / UK GDPR Article 27): We have not appointed an EU or UK representative at this time, and we do not currently target the EU or UK markets. Individuals in those regions may contact [email protected] with any privacy inquiry.
Data Protection Officer / privacy lead: We have not appointed a formal Data Protection Officer. Privacy matters are handled by our privacy lead, reachable at [email protected].
3. A Note on Our Dual Role: Controller and Processor
The Services involve two relationships, and our responsibilities differ in each:
- We are a controller of the personal information of our Customers and their team members — for example, account, billing, and usage data. For this data, we decide the purposes and means of processing, and this Policy governs.
- We are a processor / service provider for most personal information about our Customers' End Users that our Customers collect, import, or generate through the Services — for example, the content of direct messages, contact records, captured emails, and storefront orders. For this data, our Customer is the controller and decides how it is used. We process it on the Customer's behalf, under our Terms of Service and, where applicable, a Data Processing Addendum (DPA). If you are an End User, direct privacy requests to the relevant Customer; we will assist that Customer in responding as required by law.
4. Personal Information We Collect
We collect the categories of personal information below. We tell you which relate to our Customer-controller role and which relate to our processor role for End-User data.
4.1 Information you provide to us (Customers)
- Account and profile data: name, email address, password (stored only as a hashed value), display name, preferences (timezone, language, interface theme, notification settings), browser push-notification subscriptions (a push endpoint and related keys for browsers where you enable push notifications), and any profile details you add.
- Authentication and security data: multi-factor authentication settings, recovery/backup codes (stored hashed), and email verification and password-reset tokens.
- Workspace and team data: workspace names, team-member roles and permissions, and invitation details.
- Billing data: plan selection, subscription status, billing email, and a payment-processor customer/subscription identifier. We do not collect or store full payment card numbers, CVV codes, or bank-account details — those are handled by Stripe (see Section 5).
- Support and communications: messages you send us and the content of your communications with our team.
4.2 Information from your Connected Platforms (Customers)
When you connect a Connected Platform account (such as an Instagram professional account), we access and store information based on the permissions you grant, which may include:
- platform user ID, username, and profile information (such as profile picture);
- access and refresh tokens for the connected account (stored encrypted — see Section 9);
- media identifiers and metadata needed to configure automations (for example, which posts a trigger listens to);
- webhook events that the platform sends us (such as comments, messages, and story interactions) used to run your automations.
4.3 End-User data we process on our Customers' behalf (Processor)
When your audience interacts with you through the Services, we process — on your behalf, as your processor — information such as:
- Contact records: the End User's platform user ID and username, display name, channel, tags, and custom fields that you define (custom fields may contain data the End User provides, such as an email address, a quiz answer, or other input you collect);
- Message content: the text, attachments, and structured content (buttons, quick replies, carousels) of direct messages sent to or from the End User through the Services;
- Form and input responses: answers and information End Users submit through hosted intake forms or in-chat input prompts that you configure (the content collected depends on the questions you ask);
- Consent and preference records: email-capture consent events (including the prompt shown, the response, the consent text and privacy-policy URL presented at capture time) and direct-message automation opt-out/opt-in records (for example, STOP/START-style requests);
- Email-automation data: recipient email addresses, send/delivery/open/click events, unsubscribe and suppression records;
- Engagement events: events generated when an End User interacts with your content through the Services — for example, raffle entries, tracked-link clicks, and views or downloads of files and assets you share;
- Storefront and order data: a storefront customer's email address (and whether it was verified), order status, amounts and currency, and order/session identifiers from Stripe. We do not store full payment card details.
4.4 Information we collect automatically (Customers and visitors)
- Device and connection data: IP address, browser type, operating system, and approximate location derived from IP address (city/country level), where available.
- Session and usage data: session records (including device, browser, and OS information and the time of activity), security audit events (such as logins, logouts, password changes, and MFA events), and product usage and analytics events.
- Cookies and similar technologies: see Section 7. We use a small number of strictly necessary cookies for authentication and security.
4.5 AI feature inputs
If you use optional AI-assisted features, the inputs you provide or designate — which, for certain inbox features, may include the recent messages in a conversation — are processed to generate outputs. These features are optional and may be off by default. See Sections 5 and 6.
4.6 Sensitive information
We do not seek to collect special-category/sensitive personal information (such as government IDs, health, biometric, or precise geolocation data) about Customers in the ordinary course. Please do not store sensitive personal information in free-text or custom fields unless necessary, and only where you have a lawful basis to do so.
5. How We Share Personal Information — Service Providers (Sub-Processors)
We share personal information with service providers ("sub-processors") who process it on our behalf to operate the Services, under contracts that require appropriate safeguards. We share only what is necessary for the relevant purpose. Our current categories of service providers include:
| Service provider | Role / purpose | Data involved |
|---|---|---|
| Meta Platforms, Inc. (Instagram Graph API) | Core platform integration: authentication, sending/receiving messages and comments, receiving webhooks, refreshing tokens | Connected-account tokens (used to make API calls), message content sent to / received from the platform, profile and media metadata |
| Stripe, Inc. | Payment processing for (a) our subscription billing and (b) Customer storefronts (Stripe Connect) | Billing/customer identifiers, subscription and order metadata, storefront customer email and amounts. Stripe — not us — collects and stores full payment details. |
| Railway Corporation | Application hosting and databases — our application servers, PostgreSQL database, and Redis job/queue/cache infrastructure run on Railway | The data described in this Policy, as needed to operate the Services |
| Amazon Web Services, Inc. | File storage (Amazon S3) for uploaded media, images, asset libraries, and product files; transactional and automation email delivery (Amazon SES) | Files and images you or your audience upload or that automations generate; email addresses and email content |
| Cloudflare, Inc. | DNS, content delivery, email routing, and security | Technical and connection data processed when the Services are accessed (such as IP addresses and request metadata) |
| Anthropic, PBC | AI-assisted features, where enabled | The inputs you provide or designate for AI features, which for certain inbox features may include recent message content |
| OpenAI, L.L.C. | AI-assisted features, where enabled | The inputs you provide or designate for AI features, which for certain inbox features may include recent message content |
| Functional Software, Inc. (Sentry) | Error monitoring and application diagnostics | Technical event data such as error traces, device and browser metadata, and identifiers needed to diagnose failures |
(The specific providers and their locations may change as the Services evolve. We will keep this list current and, where we act as your processor, provide notice of changes consistent with our DPA. The current sub-processor list is maintained in our Data Processing Addendum at getravela.com/terms/dpa.)
6. How We Use Personal Information
We use personal information for the following purposes. For Customers and visitors (where we are the controller), the table also identifies the legal bases under the GDPR/UK GDPR; for End-User data, we act on our Customer's instructions as their processor.
| Purpose | Examples | GDPR/UK GDPR legal basis (controller data) |
|---|---|---|
| Provide the Services | Create and manage your Account and Workspaces; run your automations; deliver messages and emails you configure; operate storefronts; process payments | Performance of a contract (Art. 6(1)(b)) |
| Authenticate and secure | Logins, MFA, session management, fraud and abuse prevention, rate limiting, security audit logging | Legitimate interests (Art. 6(1)(f)) — securing the Services; legal obligation (Art. 6(1)(c)) where applicable |
| Communicate with you | Service, security, and transactional notices; responses to support requests; billing and account communications | Performance of a contract; legitimate interests; legal obligation |
| Billing and payments | Process Subscriptions, overages, invoices, and taxes | Performance of a contract; legal obligation |
| Improve and develop | Understand usage, troubleshoot, develop features, and maintain quality and reliability | Legitimate interests — improving and securing the Services |
| Marketing (our own) | Send you product updates and marketing where permitted; you can opt out at any time | Consent where required (Art. 6(1)(a)); otherwise legitimate interests |
| Legal and compliance | Enforce our Terms, comply with law, respond to lawful requests, establish or defend legal claims | Legal obligation; legitimate interests |
| Process End-User data | Operate the features our Customers configure, on the Customer's instructions | We act as processor; the Customer is responsible for the legal basis |
We do not use End-User data we process on a Customer's behalf for our own independent marketing.
7. Cookies and Similar Technologies
We use a limited set of cookies and similar technologies:
- Strictly necessary cookies: We set secure,
httpOnlyauthentication cookies (a short-lived access token and a longer-lived refresh token) that are required to log in and keep you signed in, and to protect the Services. These are essential and cannot be turned off through the Services. - Analytics/marketing technologies: We do not currently use third-party advertising cookies, ad pixels, or cross-site tracking cookies in the Services. We may use product analytics generated by the Services themselves and optional error monitoring to operate and secure the Services. We will update this section and deploy any required consent controls before adding third-party analytics, advertising pixels, retargeting tags, or other non-essential tracking technologies.
Your choices and global signals. You can control cookies through your browser settings; blocking strictly necessary cookies may prevent you from using the Services. Where we use technologies that qualify as a "sale" or "sharing" or as targeted advertising under applicable law, we honor recognized opt-out preference signals such as Global Privacy Control (GPC) as a valid opt-out for the browser/device on which they are received.
8. Data Retention
We retain personal information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. We apply retention controls that may include, by default and subject to your configuration:
| Data | Indicative retention |
|---|---|
| Account data | For the life of your Account, then deleted or anonymized within a reasonable period after closure (subject to legal/financial recordkeeping) |
| Inbox messages | Approximately 180 days (configurable) |
| Flow run records | Approximately 120 days (configurable) |
| Analytics events | Approximately 180 days (configurable) |
| Connected-platform webhook events | Approximately 30 days |
| Security audit logs | Approximately 90 days |
| Session/auth tokens | Short-lived (access ~15 minutes; refresh ~7 days); revoked on logout, password reset, or security events |
| Billing records | As required for tax, accounting, and legal purposes |
Where we act as a processor, retention of End-User data is also governed by our Customer's instructions and our DPA. When a Customer deletes a Contact, Workspace, or Account, associated data is deleted or cascaded for deletion as described in Section 17, subject to limited backup retention and legal requirements.
9. How We Protect Information
We use technical and organizational measures designed to protect personal information, including:
- Encryption of sensitive credentials at rest: Connected-platform access/refresh tokens and stored integration credentials are encrypted using strong, industry-standard encryption (AES-256-GCM with per-credential initialization vectors).
- Password protection: account passwords are stored only as salted hashes (bcrypt); we never store passwords in plain text.
- Encryption in transit: the Services are served over HTTPS/TLS.
- Access controls: role-based access within Workspaces, administrative access controls, and audit logging of security-relevant events.
- Abuse and intrusion protections: rate limiting, brute-force lockouts, multi-factor authentication, webhook signature verification, and safeguards against server-side request forgery for outbound requests you configure.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials confidential and for the security of your own systems and Connected Platform accounts.
10. International Data Transfers
We are based in the United States, and we and our service providers may process personal information in the United States and other countries that may have different data-protection laws than your own.
Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, we rely on appropriate safeguards, which may include the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum for UK transfers). We are not currently certified under the EU–U.S. Data Privacy Framework. You may request a copy of the relevant safeguards by contacting [email protected].
11. Your Privacy Rights and Choices
Depending on where you live and our role, you may have some or all of the following rights regarding your personal information:
- Access / know — request confirmation of, and access to, the personal information we hold about you, and information about how we process it.
- Correction / rectification — request that we correct inaccurate or incomplete information.
- Deletion / erasure — request that we delete your personal information.
- Portability — request a copy of certain information in a portable format.
- Restriction / objection — restrict or object to certain processing, including processing based on legitimate interests.
- Withdraw consent — where we rely on consent, withdraw it at any time (without affecting prior processing).
- Opt out of marketing — unsubscribe from our marketing emails via the link in those emails or by contacting us.
- Opt out of "sale"/"sharing" and targeted advertising; limit sensitive-information use — where applicable (see Sections 13–14).
- Non-discrimination — we will not discriminate against you for exercising your rights.
- Appeal / complain — appeal a decision (where applicable) and lodge a complaint with a regulator (see Sections 13–16).
How to exercise your rights. Contact us by emailing [email protected] with the subject "Privacy Request". We will verify your request (for example, by confirming control of the relevant email/Account) and respond within the timeframes required by applicable law. You may use an authorized agent where the law permits.
If you are an End User: much of the data about you is controlled by the Customer (creator) you interact with. If you ask us to exercise rights over data we process as a processor, we will refer you to, and assist, the relevant Customer.
12. AI Features and Automated Processing
Some optional features use automated systems and AI service providers to generate suggestions or content based on inputs you provide or designate. These features do not make decisions that produce legal or similarly significant effects about individuals without human involvement. AI outputs may be inaccurate and should be reviewed before use. We do not authorize our AI providers to train their models on inputs or outputs you submit through these features except as permitted by our agreements with those providers and applicable law. You can choose whether to use AI features. If you configure automated or AI-assisted communications with End Users, you are responsible for providing any bot, automation, or AI-interaction disclosures required by law and by the relevant Connected Platform's policies.
13. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the CPRA.
Categories of personal information. In the past 12 months, we may have collected the following statutory categories: identifiers (such as name, email, IP address, account/platform IDs); commercial information (such as subscription and transaction records); internet/network activity (such as usage and device data); approximate geolocation (city/country from IP); professional information (such as your role/brand); and audio/electronic information (such as message content processed on a Customer's behalf). The sources, purposes, and recipients are described in Sections 4–6.
We do not "sell" personal information for money. We do not knowingly "share" personal information for cross-context behavioral advertising. If we add advertising or analytics technologies that qualify as a "sale" or "sharing," we will update this statement and provide the required opt-out mechanisms. We do not knowingly sell or share the personal information of consumers under 16.
Your California rights: to know/access; to delete; to correct; to opt out of sale/sharing; to limit the use of sensitive personal information; and to non-discrimination. To exercise these rights, email [email protected] with the subject "Privacy Request"; to stop marketing email from us, use the unsubscribe link included in every marketing email. We also honor Global Privacy Control signals. You may use an authorized agent and may appeal a denial by contacting [email protected].
Retention. We retain personal information as described in Section 8.
14. Other U.S. State Privacy Rights
If you are a resident of a U.S. state with a comprehensive privacy law (for example, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Kentucky, Indiana, Rhode Island, and others as they take effect), you may have rights to access, correct, delete, and obtain a portable copy of your personal information, and to opt out of targeted advertising, the sale of personal information, and certain profiling.
To exercise these rights, email [email protected] with the subject "Privacy Request". We honor recognized universal opt-out mechanisms (such as Global Privacy Control) where required. If we deny your request, you may appeal by contacting [email protected]; if your appeal is denied, you may contact your state attorney general.
15. Canadian Privacy Rights (PIPEDA / CASL)
If you are in Canada, we handle personal information consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial privacy laws where they apply. You may request access to, correction of, or deletion of personal information we control by emailing [email protected] with the subject "Privacy Request". We will explain our practices, verify and respond to requests as required, and identify the privacy lead responsible for our compliance.
For commercial electronic messages sent by us or by Customers through the Services, the sender must comply with Canada's Anti-Spam Legislation (CASL), including consent, sender-identification, and unsubscribe requirements. If you receive a Customer's email through the Services, use the unsubscribe link in that message or contact the Customer directly; we will assist the Customer where required.
16. EU/EEA, UK, and Swiss Privacy Rights (GDPR / UK GDPR)
If you are in the EEA, the UK, or Switzerland, you have the rights described in Section 11 (access, rectification, erasure, restriction, objection, portability, and withdrawal of consent). The legal bases on which we rely are set out in Section 6.
- Right to object to legitimate-interests processing and to direct marketing at any time.
- Right to lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to address your concerns first — please contact [email protected].
- EU/UK representatives: see Section 2.
- International transfers: see Section 10.
Where we process your personal information as a processor on a Customer's behalf, please direct your request to that Customer; we will assist them as required.
17. Data Deletion — How to Request Deletion of Your Data
We provide multiple ways to delete data, including data obtained through Connected Platforms such as Instagram/Meta:
A. Customers — delete your Account and Workspace data.
- Sign in and go to Account settings → Delete account (or contact [email protected]).
- Follow the on-screen confirmation steps. If you solely own one or more Workspaces, you will be asked to confirm deletion of those Workspaces and their data.
- On deletion, we delete or deactivate your Account and cascade deletion to associated Workspace data (including contacts, messages, consent records, storefront customer records, and orders), and we purge associated stored files, subject to limited backup retention and legal requirements.
B. Disconnect a Connected Platform. In Settings → Connected accounts, disconnect the relevant account. We clear the stored access credentials for that connection. We will also delete or stop processing platform data on request as described below.
C. Request deletion of platform-sourced data (including Instagram/Meta data). Email [email protected] with the subject line "Data Deletion Request" and include the Account email and the connected platform username. We will delete the platform-sourced personal information we hold, except where we are required or permitted by law to retain it, and confirm completion. We also delete platform-sourced data when a Connected Platform notifies us of a user's deletion request or when access is revoked.
D. End Users. If you interacted with a creator who uses the Services and want your data deleted, contact that creator (the controller). You may also contact us at [email protected] and we will assist the relevant creator in handling your request.
Deletion requests are handled within the timeframes required by applicable law. Some information may remain in backups for a limited period and may be retained where required for legal, tax, security, or fraud-prevention purposes.
18. Children's Privacy
The Services are intended for creators, brands, and businesses, and are not directed to children under 13. We do not knowingly collect personal information from children under 13. As described in our Terms of Service, users between 13 and the age of majority may use the Services only with verifiable parental or guardian consent and supervision, and payment/payout features require users to be 18 or older (or the age of majority).
If you believe a child under 13 has provided us personal information, contact [email protected] and we will take appropriate steps to delete it. Creators are responsible for not targeting children through the Services and for complying with laws protecting minors, including in any data they collect from their own audience.
19. Third-Party Links and Services
The Services may link to or integrate with third-party websites and services (including Connected Platforms and Stripe). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies. Information you provide directly to a third party is governed by that third party's policy.
20. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice (for example, by email or in-product notice) and update the "Last updated" date above. Changes take effect when posted unless stated otherwise. Your continued use of the Services after an update means you acknowledge the updated Policy, to the extent permitted by law.
21. How to Contact Us
- Privacy questions and rights requests: [email protected] (subject line "Privacy Request")
- Data deletion requests: [email protected] (subject line "Data Deletion Request") — see Section 17
- Mailing address: 6th Sense Interactive LLC, New Jersey, United States. A mailing address for legal notices is available on written request to [email protected].
- EU / UK representatives: none appointed at this time (see Section 2); individuals in those regions may contact [email protected] with any privacy inquiry.