What we see, what we don't, and what stays yours.

Reveliers is operated by Reveliers LLC, a California limited liability company. The app is currently available in the United States. For privacy questions or data requests, contact information is at the bottom of this page.

Reveliers builds and operates the Reveliers app and this website. Your collection data (every wear log, service record, price, story, insurance detail, measurement, custom watch, and photo) is encrypted on your device with a key that lives in your iCloud Keychain. The Reveliers server holds opaque ciphertext for those records. We can't read them. Only you can.

The community side of the app (posts, comments, reactions, follows, the profile you choose to show) lives on the server in plaintext because other collectors need to see it. The rest of this page spells out exactly what falls into which bucket.

These categories are end-to-end encrypted with AES-256-GCM before they leave your phone. The key is generated on your iPhone and syncs to your other Apple devices through iCloud Keychain. The Reveliers server stores the encrypted bytes and the absolute minimum metadata needed to sync them (record type, an opaque per-record identifier, a lamport counter, and a tombstone flag). The server has no key.

• Wear logs: which watch you wore on which day
• Service records: dates, shops, costs, notes
• Purchase records: prices, dealers, dates
• Acquisition stories: how each watch came to you
• Timegrapher readings: accuracy measurements over time
• Insurance details: values, policy numbers, deductibles, condition notes, storage notes
• Custom watches: manually-entered references not in the catalog
• Hidden collection preferences: which curated collections you chose to dismiss
• Your collection itself: the watches you own, your nicknames for them, serial numbers, purchase metadata
• User-supplied photos of your watches

If a database breach ever happened, what an attacker would see is opaque bytes. If a future engineer joined Reveliers, they wouldn't be able to read this data either. If you reinstall the app on a new device signed into the same Apple ID, your iCloud Keychain delivers the key and the vault decrypts.

The honest tradeoff: if you lose access to your Apple ID with no other Apple devices and no recovery contact, the vault is gone. That is the cost of "even Reveliers can't see it." No backup of the key lives on our servers because then we'd be able to decrypt your data.

These pieces of the app exist precisely so other collectors can see them. We store them in plaintext on Cloud SQL (Postgres) and Google Cloud Storage so the community features work.

• Your profile: username, display name, optional bio, optional avatar image, whether you've verified your email
• Your community posts: the photos you posted, the captions, the watch reference you tagged
• Comments you wrote, reactions you left, accounts you follow, posts you bookmarked
• Saved searches (Pro+) and direct messages (when shipped). Saved searches are stored in plaintext because the new-match alerts need server-side matching against the catalog; the contents of a saved search reveal what you're hunting for, not what you own.
• Shared collection summary (only the watches you opted to make public, nothing more)
• Identifier for Sign in with Apple, so we can recognize you across sessions
• Subscription status (Free, Pro, Collector, Founders) from the StoreKit verification
• Feedback submissions you sent through the in-app feedback sheet
• Reports you filed on other users' content
• Reference edits you contributed to the public catalog

None of this is shared with advertisers. None of it powers ad targeting. There are no ads in Reveliers.

If you submit your email on the website to request a private beta invite, we store that email until you join the app, ask us to remove it, or for at most twelve months after the public beta closes. We use it only to send your invite and essential beta updates (a launch announcement, a notice if the invite list itself shuts down). We never share waitlist emails with third parties, sell them, or use them for marketing beyond the invite.

To be removed from the waitlist, email support@reveliers.com.

Reveliers uses Sign in with Apple as the only way to make an account. From Apple, we receive a stable identifier (a long string Apple calls "sub") and an optional email address (or Apple's relay address, if you chose to hide your real one). We never receive your Apple ID password. We store the identifier so we can recognize you across sessions and so the App Attest middleware can verify that requests come from the genuine Reveliers app installed on a real Apple device.

Reveliers handles photos in three distinct paths:

• Vault photos (Pro+): photos of watches in your collection. Encrypted on your phone with the vault key, uploaded as opaque bytes to a private Google Cloud Storage bucket. Even the per-photo metadata (filename, parent watch, original size) is encrypted. Read access requires a short-lived signed URL the backend issues only after confirming you own the record.
• Community post photos: photos you choose to publish to the feed. Stored in plaintext in a separate Google Cloud Storage bucket. Visible to other Reveliers users when they view your post. Deleted when you delete the post.
• Identify photos: when you tap Identify and take a photo of a watch dial, that image is sent to the watch-collector backend (which we also operate) to match it against the catalog. The image is processed for the identification response and is not retained beyond that response, unless you separately post it to the community feed.

When you subscribe to Pro, Collector, or claim a Founders spot, Apple's StoreKit handles the payment. We never see your payment card. Apple sends Reveliers a signed receipt (technically a JWS) confirming the purchase. We verify that receipt, store the transaction id and product id, and use them to determine your subscription tier. The tier is what unlocks the vault writes, exports, and other paid features.

Pricing, refunds, family sharing, and cancellation are all governed by Apple. If you want to cancel, do it through Settings on your iPhone (Subscriptions). We can see whether you are currently subscribed, but we cannot bill you, refund you, or change your card on file.

If you turn on notifications, we register your device's APNs token with Apple's notification service and use it to send alerts (someone followed you, your saved search matched a new reference, your trial is ending). We store the token so we can send those alerts. Turn them off in iOS Settings and the token gets deregistered.

When you send feedback through the in-app feedback sheet, we store: the kind you picked (bug, feedback, review), an optional title, the body text, an optional star rating, and the app version, iOS version, and hardware identifier of your phone. The hardware bits help us reproduce bugs. A classifier (planned for a future release) may eventually categorise feedback to make triage easier; if we add that, this policy will be updated.

When you report another user's post or comment, we store the target, reason, and any detail you typed so the moderation queue has context.

• Apple: Sign in with Apple, StoreKit, push notifications, App Attest, and iCloud Keychain (which holds your vault key on your behalf). Apple's privacy policy governs anything Apple sees independently.
• Google Cloud Platform: the Reveliers backend runs on Cloud Run, the database is Cloud SQL Postgres, and photos live in Cloud Storage. Google sees encrypted-at-rest and in-transit data on our behalf; Reveliers is the data controller.
• Google Workspace: provides the support@, admin@, press@, and hello@reveliers.com mailboxes. Messages you send to those addresses (including waitlist invites and support replies) pass through Google Workspace.
• Cloudflare: hosts this marketing site (reveliers.com) and handles DNS for the domain.

That is the complete list. We do not use third-party analytics, advertising networks, marketing automation, or cross-site tracking. There are no cookies on this site beyond what Cloudflare uses to route requests.

Everything is hosted in the United States, in Google Cloud's us-west1 region. Reveliers is currently available in the United States only. If you sign up while travelling or use the site from another country, your data is processed in the US. We will expand availability to the EU, UK, and other regions once the privacy and international-transfer work for those jurisdictions is complete. We honor deletion, access, and portability requests from any jurisdiction in the meantime.

• Account, profile, posts, comments, follows, bookmarks: until you delete the account or remove the specific item.
• Vault records (encrypted): until you delete them in the app, delete the account, or reset your vault key. Tombstoned rows stay briefly so the delete can propagate to your other devices, then are removed by a garbage-collection pass.
• Subscription receipts: as long as the subscription is active, plus the period Apple's records cover. Required by Apple for purchase verification.
• Identify usage logs: 90 days for quota and rate-limit enforcement, then dropped.
• Feedback you sent: indefinitely, unless you ask us to delete a specific submission.
• Reports and moderation actions: indefinitely, for accountability.
• Backend logs (request lines, error traces): 30 days.

You can:

• See most of your data right in the app (your profile, your collection, your community history).
• Export your insurance-ready records as PDF or CSV from the Insurance tab and the Insurance export sheet (Pro+). Wear logs, service records, prices, stories, measurements, photos, and policy details all included.
• Edit or delete individual records (posts, watches, wear days, service entries, insurance details) directly in the app.
• Reset your vault key from Settings, which makes every existing server-side ciphertext permanently undecryptable.
• Delete your entire Reveliers account in the app: Profile, then 'Delete account' at the bottom of the account card. The server purges your account and every record tied to it (community posts, comments, follows, vault entries, photo blobs in our private bucket, more) immediately. Email us if you need help.
• Request a copy of your data, ask us to correct something, or ask us to stop processing it. Email is the channel.

For users in the EU/UK, California, or other jurisdictions with formal data subject rights (GDPR, CCPA/CPRA), the rights above cover access, rectification, erasure, portability, restriction, and objection. Reveliers is the controller for everything we store. You also have the right to complain to a supervisory authority, although we'd rather you email us first so we can fix whatever's bothering you.

Reveliers is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a minor signed up, email us and we will delete the account.

All traffic between the app and the server is TLS-encrypted. Vault records use AES-256-GCM end-to-end encryption with the key in iCloud Keychain. Photos in the vault bucket are stored as opaque ciphertext; the bucket has uniform access and public-access prevention enabled. Sign in with Apple means we never handle passwords. App Attest middleware (rolling out) verifies that requests come from a genuine installation of the app on a real Apple device.

If you spot a vulnerability, please email us directly instead of disclosing it publicly. We will respond within 72 hours.

When this policy changes materially (new data category, new third party, new retention rule), we'll update the "Last updated" date and, if the change affects your data substantively, send a notice through the app before it takes effect.

support@reveliers.com for general questions, account deletion, data export, or anything covered above. admin@reveliers.com for security reports.