360REV
Solutions How it works Modules Pricing
Log in Get started
Solutions How it works Modules Pricing
Log in Get started

Use of Data Policy

Effective 2026-06-29

This Use of Data Policy ("Policy") explains how 360REV, Inc. ("360REV", "we", "us", "our") collects, uses, processes, shares, retains, and protects data in connection with the 360REV platform and related services (the "Service"). It is written to be transparent and fair to our subscribers while also protecting 360REV and its Agents (defined below). This Policy works alongside — and is incorporated into — our Privacy Policy, Terms of Service, Sub-processors list, and Data Processing Addendum. Where this Policy and the Privacy Policy address the same topic, read them together; where the Terms of Service governs the commercial relationship, the Terms control on commercial matters.

1. Scope and definitions

  • "360REV" means 360REV, Inc., a Texas company.
  • "Agents" means 360REV's owners, founders, officers, directors, members, managers, employees, contractors, service providers, affiliates, successors, assigns, and stakeholders. Protections, disclaimers, and limitations in this Policy that apply to 360REV apply equally to each of its Agents.
  • "Subscriber" (also "you", "your") means the organization or individual that contracts for the Service; "Authorized Users" are the people a Subscriber permits to use the Service under its account.
  • "Personal data" means information relating to an identified or identifiable person. "Customer Data" means data a Subscriber or its Authorized Users submit to or generate within the Service.
  • "Platform Data" means data received from a third-party identity or integration provider (for example, the Meta user ID, email address, and basic profile received through Facebook Login).

This Policy applies to all data processed through the Service. It does not apply to third-party products you connect to the Service, which are governed by their own terms.

2. What we collect and why

We collect only what we need for a stated, legitimate purpose:

  • Account and sign-in data — name, email address, and (for social sign-in) the minimum profile fields the provider returns. When you sign in with Facebook Login, we request only the public_profile and email scopes — never your friends, posts, photos, or any other permission we do not need.
  • Customer Data — the records, content, messages, contacts, files, and configuration you create or upload while using the Service.
  • Usage and diagnostic data — logs, device and browser metadata, and feature usage, used to operate, secure, and improve the Service. Diagnostic captures are redacted of tokens, credentials, and password-like values before storage.
  • Billing data — subscription, plan, and payment-status information handled by our payment processor; we do not store full card numbers.

We do not collect data speculatively "in case it is useful later."

3. How we use data

We use data to:

  • provide, maintain, secure, and improve the Service;
  • authenticate users and create and manage accounts;
  • power AI and automation features you invoke (see Section 4);
  • process billing and subscriptions;
  • provide support and respond to your requests;
  • detect, prevent, and investigate fraud, abuse, and security incidents;
  • comply with law and enforce our agreements.

Purpose limitation. Data collected for one purpose is not repurposed for an incompatible one. We do not sell personal data, and we do not use Customer Data to train external, third-party AI models for unrelated purposes.

4. AI and automated processing

The Service includes AI features (collectively, "REVai"). When you use them:

  • your prompts and the data you direct the feature to act on are processed to produce the requested output;
  • Customer Data is not used to train external or publicly-shared AI models; platform-managed inference runs through the sub-processor identified on our Sub-processors list, and where you bring your own model key, processing occurs under your own provider account;
  • AI output is provided "as-is" and may be inaccurate, incomplete, or unsuitable for a particular purpose. You are responsible for reviewing AI output before relying on, sending, publishing, or acting on it. 360REV and its Agents are not liable for decisions made in reliance on AI output (see Sections 11–13).

5. Sharing and sub-processors

We share data only as needed to run the Service and only with parties bound by data-protection obligations. We do not sell personal data. Our current sub-processors are:

Sub-processor Purpose Location
NeonPostgres database hosting (account identity and Customer Data)us-east-2, ap-southeast-1
Google Cloud (GCP)Compute hosting (runs the application and identity layer)us-central1
Cloudflare R2Subscriber file storageglobal edge
StripePayment processing and subscription billingUS/EU
BrevoTransactional and subscriber-managed emailEU
TwilioVoice and SMS carrier (default; subscribers may bring their own)US/EU/global
GroqLLM inference (platform-managed)US

Identity and authentication run on self-hosted software (Keycloak) operated by 360REV on the GCP infrastructure above; it is part of our own stack rather than an external vendor. We bind every sub-processor by a written agreement with data-protection obligations, assess vendors before onboarding, and provide at least 30 days' notice before adding a new sub-processor. EU/UK transfers rely on Standard Contractual Clauses per our Data Processing Addendum. The authoritative, always-current list is at /legal/sub-processors.

6. Government and law-enforcement requests

This section states how 360REV responds to requests from any government, law-enforcement, national-security, regulatory, court, or other public authority ("Requesting Authority") for user personal data, including Platform Data received through Facebook Login. It applies to all Agents and to every such request in any jurisdiction. It does not cover ordinary user-initiated requests (access, erasure, portability), which are handled under our Privacy Policy and Section 10.

6.1 Core principle — no disclosure without valid compulsion

360REV does not disclose user personal data to any public authority unless compelled by valid legal process, or a narrowly-scoped emergency exception applies (Section 6.5). We do not volunteer user data, and we do not provide bulk, standing, or direct/automated access to any authority.

6.2 Required review of the legality of each request

Every request is reviewed and recorded before any response. The reviewer must confirm:

  1. Authenticity — the request genuinely originates from the stated authority.
  2. Jurisdiction and authority — the body has lawful authority over 360REV and/or the data, using the correct instrument for the data sought.
  3. Legal validity — the request is supported by proper legal process (subpoena, court order, warrant, production order, or for cross-border requests an MLAT or equivalent). A bare email, phone call, or informal demand is refused pending proper process (except emergencies).
  4. Cross-border legitimacy — a foreign authority's request is honored only through a recognized channel, not an informal foreign demand.
  5. Scope and proportionality — the data demanded is specific, relevant, and proportionate to a stated, lawful purpose.

If any element fails, the request is rejected or challenged under Section 6.3.

6.3 Challenging unlawful or overbroad requests

360REV pushes back on requests that are unlawful, defective, or overbroad, escalating as appropriate:

  • Reject requests that lack valid legal process, with a written explanation of the deficiency.
  • Demand proper process where the law requires a warrant, court order, or MLAT for the data class sought.
  • Narrow an overbroad request to the specific records lawfully required.
  • Object, move to quash, or seek protective relief through counsel where a request is unlawful or unduly burdensome.
  • Resist gag or secrecy demands that lack legal basis, so affected users can be notified.

6.4 Minimized responses and user notice

When lawfully compelled to disclose, 360REV discloses only the specific data lawfully required — never a whole account, a whole tenant, or bulk data when a narrower set satisfies the order, scoped to the named individuals, fields, and time window. Where legally permitted, we notify affected users before disclosing, so they may protect their rights; notice is delayed or withheld only where a valid order, statute, or genuine emergency prohibits it, and is given once any non-disclosure period expires.

6.5 Emergency requests

Where an authority asserts an imminent risk of death or serious physical harm, 360REV may disclose the minimum data necessary to address the emergency without full legal process, provided the request is documented (Section 6.6), the emergency is plausible on its face, and disclosure is limited to what is needed to prevent the harm.

6.6 Documentation — the Request Register

360REV maintains a Government and Law Enforcement Request Register. Every request — including those refused — is logged. The Register is access-controlled, retained for 7 years, and reviewed in our annual policy review. Each entry records at minimum:

Ref number and date receivedSequential identifier and arrival date
Requesting authorityName, country, contact
Legal instrumentSubpoena / warrant / court order / MLAT / emergency / none
Data requestedSpecific data classes and individuals named
Reviewers / actorsOwner plus any counsel involved
Legality assessmentOutcome of the Section 6.2 review and the legal reasoning
Decision and data disclosedDisclosed (what) / narrowed / challenged / rejected; exact fields released, if any
User notice and date closedGiven / delayed (basis) / withheld (basis); resolution date

6.7 National security and transparency

360REV reviews national-security requests under Sections 6.2–6.4 to the extent the law allows. Subject to legal limits, we intend to publish periodic transparency reporting on the volume and type of authority requests received. As of this Policy's effective date, 360REV has not disclosed user personal data to any public authority in response to a national-security request.

7. Data minimization

360REV collects and processes only the personal data that is adequate, relevant, and limited to what is necessary. Minimization is applied at every stage — collection, processing, access, retention, and disclosure — backed by concrete technical controls:

  • Collection. SSO requests only public_profile and email; each module collects only the fields its function requires; no speculative collection.
  • Processing and purpose limitation. Independent services each backed by their own database with no cross-service direct database access; every request is scoped to a tenant identifier derived from the authenticated token, never from client input; data is not repurposed for incompatible purposes.
  • Access (least privilege). Authentication on every route; role-based access control; cross-tenant access restricted to explicitly-authorized administrative operations; third-party credentials stored encrypted (AES-GCM) with only a last-four indicator surfaced; diagnostic logs redacted of tokens, credentials, and password-like values.
  • Retention (storage limitation). Tiered deletion (a recoverable window, then a limited legal window, then hard purge), an automated retention job that enforces these windows, a full tenant purge across the identity provider, every service database, and object storage, and security audit logs minimized to security-relevant fields.
  • Disclosure. A limited published set of sub-processors, no sale of personal data, Standard Contractual Clauses for EU/UK transfers, and minimized responses to any legal compulsion (Section 6.4).

8. Your responsibilities and acceptable use

You are responsible for the data you put into the Service and how you use it. You agree that:

  • you have all rights, consents, and lawful bases necessary to submit Customer Data to the Service and to have it processed as described here, including consent of any third parties whose personal data you upload;
  • you will not use the Service to store or process unlawful, infringing, harmful, or maliciously-obtained data, or in violation of any applicable law (including data-protection, anti-spam, and consumer-protection law);
  • you will keep your credentials secure, configure access for your Authorized Users appropriately, and are responsible for their actions under your account;
  • you will review AI output and automated results before relying on them.

You — not 360REV or its Agents — are responsible for the content and legality of Customer Data and for your and your Authorized Users' use of the Service.

9. Security

We protect data with administrative, technical, and physical safeguards, including authentication on every route, role-based access control, encryption of secrets at rest, encryption in transit, tenant isolation, and security logging and monitoring. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. You are responsible for safeguarding your own credentials and access. We will notify affected parties of a security incident as and where required by applicable law.

10. Retention and deletion

We retain personal data while your account is active and the data serves its purpose. After account deletion: a 90-day recoverable window (email support@360rev.com to restore), then a permanent hard-purge across the identity provider, every service database, and all Cloudflare R2 storage. Security audit logs are retained for 7 years on a separate schedule for SOC 2 and legal compliance and cannot be individually deleted. We may retain anonymized, aggregated data that cannot be linked back to you. To delete your account or data, see Data Deletion Instructions.

11. Disclaimers and limitation of liability

The Service, including all AI output, is provided "AS-IS" and "AS-AVAILABLE." To the maximum extent permitted by law, 360REV and its Agents disclaim all warranties, express or implied, including merchantability, fitness for a particular purpose, non-infringement, accuracy, and uninterrupted or error-free operation. We do not warrant that AI output is accurate, complete, or suitable for any purpose.

To the maximum extent permitted by law, 360REV and its Agents will not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, revenue, data, goodwill, or business interruption, arising out of or relating to the Service or your data, even if advised of the possibility. To the maximum extent permitted by law, the total aggregate liability of 360REV and its Agents for all claims arising out of or relating to the Service or this Policy will not exceed the amounts you paid to 360REV for the Service in the twelve (12) months before the event giving rise to the claim. These limitations apply to 360REV and to each of its Agents, and survive termination. Where law does not permit certain exclusions, the excluded liability is limited to the minimum extent the law requires.

12. Indemnification

You will defend, indemnify, and hold harmless 360REV and its Agents from and against any claims, demands, losses, liabilities, damages, costs, and expenses (including reasonable legal fees) arising out of or relating to: (a) Customer Data you submit, store, or process through the Service; (b) your or your Authorized Users' use of the Service; (c) your breach of this Policy, the Terms of Service, or applicable law; or (d) your violation of any third party's rights, including privacy or intellectual-property rights. 360REV will notify you of any such claim and may participate in its defense with its own counsel at its own expense.

13. No individual liability of Agents

The Service is provided by 360REV, Inc. as an entity. To the maximum extent permitted by law, no Agent — no owner, founder, officer, director, member, manager, employee, contractor, affiliate, or stakeholder of 360REV — bears any personal or individual liability to you arising out of or relating to the Service, your data, or this Policy. Your remedies, if any, are solely against 360REV, Inc. and are subject to the disclaimers and limitations in Sections 11–12. Each Agent may enforce the protections of this Policy as an intended third-party beneficiary.

14. Changes, governing law, and contact

We may update this Policy from time to time; material changes will be communicated by in-app notice or email, and the effective date above will be updated. This Policy is governed by the laws of the State of Texas, USA, without regard to conflict-of-law rules, and the state and federal courts located in Travis County, Texas have exclusive jurisdiction, except where applicable law grants you non-waivable rights in your place of residence.

Questions, objections to a sub-processor, or law-enforcement requests:
privacy@360rev.com (privacy) · legal@360rev.com (law-enforcement and legal)
360REV, Inc., 15511 St Hwy 71 West Ste 110-383, Bee Cave, TX 78738
Data Protection Contact: Kitch Tilo

This is an operative policy describing 360REV's current practices and protections. It is written to be fair to subscribers and to protect 360REV and its Agents; final jurisdiction-specific wording should be confirmed by counsel before reliance in litigation. Related: Privacy Policy, Terms of Service, Sub-processors, DPA, Data Deletion.

360REV

One platform. One AI brain. The work gets done.

help@360rev.com 1-888-360-REV1

Product

  • Solutions
  • How it works
  • Modules
  • Pricing

Company

  • Contact
  • About
  • Careers

Legal

  • Use of Data
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Sub-processors
  • DPA template
  • Data Deletion

Connect

  • LinkedIn
  • X / Twitter
  • YouTube

© 2026 360REV, Inc. All rights reserved.

Bee Cave, Texas.