What we do, and don't, with your data.
Five plainspoken statements. The rules, in our words.
Orevlo acts only when you ask. It can draft, send email, and manage your calendar — but never on its own, and it never moves money. Every send is one you approved.
Encrypted at rest and in transit. AES-256 for data we store, TLS 1.3 for everything that moves between you and us.
Never used to train AI models. Not ours, not anyone else's. Your data is for your briefings only.
Disconnect at any time. Your data leaves the moment you do — fully removed within 30 days, with email confirmation.
Built and operated by Orevlo LLC. Audited by an independent security assessor authorized by Google.
What we connect to.
Orevlo connects to your email and calendar (Gmail, Outlook), and your financial data (Plaid, or direct accounting integrations like QuickBooks and Xero). Every connection is granted by you and is revocable from your account settings or directly from the provider. The email and calendar permissions let Orevlo read, organize, and — only when you ask — send mail and manage events; we never request the ability to permanently delete email, and we do not request OAuth scopes we don't need.
Where it lives.
Production data is hosted in US-based data centers. Backups are encrypted with separate keys and stored in a separate region.
Who can see it.
On Solo, just you — and only you. Your inbox, your transactions, your briefings.
On Team and Business, every seat has its own connections. Your inbox stays your inbox; your teammates' inboxes stay theirs. The owner sees a high-level view across the team — who has connected what, who is briefing daily — but never the contents of anyone else's mail or transactions.
On Company, the same per-seat privacy applies. Administrators have an audit-log view of connections and access, but not content. Shared mailboxes (info@, sales@, support@) are the only inboxes more than one person can read — and that's their whole point. Role-based access controls let admins decide which employees can ask Orevlo about which document libraries.
Internally, Orevlo employees access your data only with your written permission, and only for support purposes — never to browse, never to sample, never to inspect message content.
What we never do.
We never sell your data. We never share it with advertisers. We never train AI models on it. We never let one customer see another customer's data. We never retain content after you disconnect, beyond what tax law requires us to keep about the relationship itself.
How to ask.
Security questions, vulnerability reports, and DPA requests go to security@orevlo.com. We respond within one business day. Vulnerability reports made in good faith are not subject to legal action — see our security disclosure policy.