Our Privacy Policy

1. Introduction and Identity of the Data Controller

This Privacy Policy explains how Revelation Marketing Ltd ("we", "us", "our"), a company incorporated in England and Wales, collects, uses, stores, and protects personal data in connection with the Verity platform and associated services ("Services"). Verity is a B2B reputation management platform designed exclusively for business clients operating in the hospitality sector.

We are the Data Controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). For clients located in the United States, we also comply with applicable US privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable state privacy laws.

Contact details for data protection enquiries:

• Company: Revelation Marketing Ltd

• Email: zc@revelationmarketing.uk

• Website: https://www.v3rity.co.uk

2. Scope of This Policy

This Policy applies to:

• Authorised representatives and employees of our business clients ("Client Users") who access and use the Verity platform;

• Prospective clients who contact us regarding our Services;

• Visitors to our website.

This Policy does not apply to the end customers or review authors of our clients' businesses. Verity processes publicly available review data submitted by third parties to Google. We are not responsible for the privacy practices of Google or any other third-party platform.

3. Data We Collect

3.1 Data Collected Directly from Client Users

When you register for or use Verity, we may collect:

• Full name and job title;

• Business email address;

• Business name, address, and contact information;

• Google Business Profile credentials and OAuth access tokens (see Section 4);

• Billing and payment information (processed by third-party payment processors; we do not store full card details);

• Usage data including log-in times, feature usage, and interaction history;

• Communications you send to us, including support requests.

3.2 Data Processed on Behalf of Clients (Processor Role)

In providing the Verity Services, we process the following categories of data on behalf of our clients:

• Publicly available Google Reviews pertaining to our clients' business locations, including reviewer display names, review text, star ratings, and associated metadata;

• AI-generated response content created by the platform;

• Sentiment and policy violation analysis outputs.

This data is processed for the purposes of providing the contracted Services and is not used for any other purpose without explicit instruction from the client.

3.3 Automatically Collected Technical Data

When you access our platform or website, we may automatically collect:

• IP address and device identifiers;

• Browser type and operating system;

• Pages visited, time spent, and referring URLs;

• Cookie data (see Section 11).

4. Google OAuth and API Data Access

Verity integrates with Google Business Profile via Google's OAuth 2.0 authorisation framework. When you connect your Google Business Profile account to Verity:

• You will be directed to Google's secure authorisation page to grant Verity access to your business profile data;

• We receive and securely store OAuth access tokens and refresh tokens solely for the purpose of providing the Services;

• We access your Google Business Profile data only to the extent necessary to provide review monitoring, response generation, and reporting functions;

• We do not use Google user data to train machine learning models or for advertising purposes;

• You may revoke our access at any time via your Google Account security settings at myaccount.google.com/permissions.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Legal Basis for Processing (UK/EU GDPR)

We rely on the following lawful bases under UK GDPR Article 6:

• Contract Performance (Art. 6(1)(b)): Processing necessary to perform our contract with you, including account management, service delivery, and billing;

• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including fraud prevention, platform security, service improvement, and direct marketing to existing clients, where these interests are not overridden by your rights;

• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including tax and accounting obligations;

• Consent (Art. 6(1)(a)): Where we have obtained your explicit consent, such as for certain marketing communications.

6. How We Use Your Data

We use the personal data we collect for the following purposes:

• Providing, maintaining, and improving the Verity platform and Services;

• Account registration, authentication, and management;

• Processing payments and managing billing;

• Sending service-related notifications, including alerts and reports generated by the platform;

• Responding to your enquiries and providing customer support;

• Monitoring platform security and preventing fraud or abuse;

• Complying with our legal and regulatory obligations;

• Sending marketing communications about our Services where you have consented or where we have a legitimate interest to do so.

We will never sell your personal data to third parties. We do not use your data for automated decision-making that produces significant legal effects without human oversight.

7. Data Sharing and Third-Party Sub-Processors

We share personal data only in the following circumstances:

7.1 Google LLC

We transmit data to and from Google's APIs as necessary to provide the Services. Google acts as an independent data controller in respect of your Google account data. Our access is governed by Google's API Terms of Service and our OAuth authorisation.

7.2 Cloud Infrastructure

Our platform infrastructure is hosted on Google Cloud Platform, operated by Google LLC. Data may be stored in data centres located in the United Kingdom, European Economic Area, or United States. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as applicable.

7.3 Professional Advisers

We may share data with our legal, accounting, or other professional advisers where necessary and subject to confidentiality obligations.

7.4 Legal Requirements

We may disclose data to law enforcement, regulatory authorities, or courts where required to do so by applicable law or valid legal process.

7.5 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.

8. International Data Transfers

Revelation Marketing Ltd is incorporated in the United Kingdom. We serve clients in both the United Kingdom and the United States. Personal data may be transferred to and processed in countries outside your country of residence.

For transfers from the UK to the United States or other third countries, we rely on:

• The UK International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses where applicable;

• Adequacy decisions made by the UK Secretary of State under the DPA 2018;

• Other appropriate safeguards as permitted under UK GDPR Chapter V.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

• Client account data: Retained for the duration of the client relationship and for a period of seven (7) years following termination, in accordance with UK statutory record-keeping requirements;

• Google Review and platform data: Retained for the duration of the client relationship and deleted within ninety (90) days following contract termination, unless otherwise agreed;

• OAuth tokens: Deleted promptly upon account disconnection or contract termination;

• Technical/log data: Retained for up to twelve (12) months;

• Marketing communications records: Retained until you withdraw consent or object.

10. Your Rights

10.1 Rights Under UK GDPR (UK and EEA Residents)

You have the following rights in relation to your personal data:

• Right of access: To obtain a copy of your personal data (Subject Access Request);

• Right to rectification: To have inaccurate data corrected;

• Right to erasure: To request deletion of your data in certain circumstances;

• Right to restriction: To restrict how we process your data in certain circumstances;

• Right to data portability: To receive your data in a structured, machine-readable format;

• Right to object: To object to processing based on legitimate interests or for direct marketing;

• Rights related to automated decision-making: Not to be subject to solely automated decisions with significant effects.

To exercise any of these rights, contact us at zc@revelationmarketing.uk. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10.2 Rights Under US Law (California and Other US Residents)

If you are a California resident, the CCPA/CPRA grants you the following rights:

• Right to know: What personal information we collect, use, share, or sell;

• Right to delete: Request deletion of your personal information;

• Right to correct: Request correction of inaccurate personal information;

• Right to opt-out: We do not sell or share personal information for cross-context behavioural advertising;

• Right to limit use of sensitive personal information;

• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at zc@revelationmarketing.uk. We will respond within forty-five (45) days, extendable by a further forty-five (45) days where reasonably necessary.

Residents of other US states with applicable privacy laws (including Virginia, Colorado, Connecticut, Texas, and others) may have similar rights. We are committed to honouring applicable state privacy law rights upon verified request.

11. Cookies

Our website and platform use cookies and similar tracking technologies. We use:

• Strictly necessary cookies: Required for the platform to function (no consent required);

• Analytics cookies: To understand how users interact with our platform (consent required);

• Functional cookies: To remember your preferences (consent required).

You may manage your cookie preferences via our cookie consent tool or your browser settings. Disabling certain cookies may affect platform functionality.

12. Data Security

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:

• Encryption of data in transit (TLS/HTTPS) and at rest;

• Access controls and authentication requirements;

• Regular security assessments and monitoring;

• Staff training on data protection obligations.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required under UK GDPR Article 33-34.

13. Children's Data

Verity is a B2B platform intended solely for use by businesses and their authorised adult representatives. We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a minor has provided us with personal data, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or via a prominent notice on our platform prior to the change becoming effective. The effective date at the top of this Policy will be updated accordingly. Your continued use of the Services following notification constitutes acceptance of the updated Policy.

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact us:

• Email: zc@revelationmarketing.uk

• Website: https://www.v3rity.co.uk

For formal data protection complaints, you may also contact the Information Commissioner's Office (ICO):

ico.org.uk / 0303 123 1113