1. Introduction
REALIS OÜ (Estonia) ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our website and in our products. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
We are a GDPR-native organization. Your data privacy is not an afterthought—it is built into our product architecture from day one.
2. What Information We Collect
We collect information you provide directly and information generated through your use of our services:
- Account Information: Name, email, company, phone, billing address, CRM credentials (via OAuth)
- CRM Data: Deal data, contact records, activity logs, sales rep profiles—only what your OAuth scope permits
- Usage Data: Pages visited, features used, API calls, timestamps, device information, IP address
- Communication Data: Support tickets, emails, chat transcripts, call recordings (with consent)
- Payment Data: Processed securely via Stripe. We do not store full card details
3. Legal Basis for Processing
Under GDPR, we process your personal data on the following legal bases:
- Contractual Necessity: To deliver our services and perform your subscription agreement
- Legitimate Interest: To improve our product, prevent fraud, and maintain security
- Consent: For marketing communications (you can opt out anytime)
- Legal Obligation: To comply with tax, financial, and regulatory requirements
4. Data Processor vs. Controller
You are the Data Controller. You own your CRM data. We are a Data Processor. Your data flows like this:
- Your CRM (HubSpot, Salesforce, Pipedrive) is the primary data source
- You authorize REALIS via OAuth to read specific data scopes
- We process that data to generate realism scores, coaching insights, and pipeline analytics
- We never sell, share, or monetize your data with third parties
- You retain full ownership and can revoke our access at any time
5. Data Residency & Security
All REALIS customer data is stored in EU data centers (currently Frankfurt, Germany). We never transfer data outside the EU without explicit consent.
Security Measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- ISO 27001 certified infrastructure
- Regular penetration testing and security audits
- OAuth 2.0 for secure CRM authentication (no API keys stored)
- Role-based access control (RBAC) for team members
- Automatic backups with encryption
6. Data Retention
We retain data for as long as necessary to provide our services:
- Active Subscription: All data retained for service delivery
- After Cancellation: 30 days to allow data export; then deleted
- Backups: Retained for 90 days for disaster recovery, then destroyed
- Legal Hold: Retained if required by law or legal proceedings
7. GDPR Rights of Data Subjects
As a data subject, you have the following rights under GDPR:
- Right of Access: Request a copy of all data we hold about you
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your data (subject to legal obligations)
- Right to Restrict Processing: Limit how we process your data
- Right to Data Portability: Export your data in a structured, machine-readable format
- Right to Object: Opt out of specific processing activities (e.g., marketing)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise any of these rights, email privacy@realis.io with your request. We will respond within 30 days.
8. GDPR Compliance Details
Data Protection Officer: privacy@realis.io
Data Processing Agreement: We provide a standard DPA compliant with GDPR Article 28 to all customers. Contact us for execution.
Sub-Processors:
- AWS (Frankfurt) for cloud infrastructure
- Stripe for payment processing
- SendGrid for transactional email
- All sub-processors are located in the EU and are GDPR compliant
9. Cookies & Tracking
We use minimal cookies:
- Session Cookies: To keep you logged in
- Analytics: Plausible Analytics (privacy-respecting, no consent required)
- No Third-Party Tracking: We do not use Google Analytics or Facebook Pixel
You can disable cookies in your browser, though this may impact functionality.
10. Marketing & Communications
We will only send marketing emails to customers who opt in. You can unsubscribe anytime by clicking the "Unsubscribe" link in any email.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by prominently posting the new policy on our website. Your continued use of our services constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
- Email: privacy@realis.io
- Mail: REALIS OÜ, Estonia (contact form on website)
- Response Time: Within 30 days