Revelion is an autonomous penetration testing platform. It uses AI agents to perform real security assessments against your systems - the same techniques a human pentester would use, but available on demand.

How is this different from a vulnerability scanner?

Scanners check for known signatures. Revelion thinks. It chains vulnerabilities together, adapts its approach based on what it finds, and exploits weaknesses to prove they're real - not just flag them as theoretical risks.

Does Revelion replace human pentesters?

No. Revelion is a tool for security professionals, not a replacement. It handles the repetitive, time-consuming work so pentesters can focus on complex logic flaws and business context that require human judgement.

What do I need to get started?

A target URL or IP address and a Docker container running on your machine. Setup takes about 5 minutes.

Why does the agent run on my machine?

The execution agent runs locally in a Docker container so all testing traffic originates from your infrastructure. Our cloud brain coordinates the strategy, but the actual testing happens on your side.

How much does it cost?

Pay-as-you-go means you only use what you pay for - minimum purchase for credits is 10,000 (£10). Pro subscription is £99/month with 125,000 credits included (25% bonus). No long-term contracts.

The execution agent runs on your infrastructure. Findings and mission data are stored in your account with row-level security isolation. We use Supabase (SOC 2 Type II certified) for data storage.

What can Revelion test?

Anything you point it at. Web apps, APIs, internal networks, external infrastructure, cloud services. The agent runs on your machine so it can reach whatever your network can reach.

Privacy Policy

Effective Date: 17 February 2026

Revelion Limited ("Company", "we", "us", "our") operates the Revelion platform ("Service", "Platform"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller
Platform Architecture & Data Flows
Data We Collect
How We Use Your Data
Data Sharing
Data Security
Data Retention
Your Rights (UK GDPR)
International Transfers
Cookies and Tracking Technologies
Automated Decision-Making
Business Customers
Children
Third-Party Links
Changes to This Policy
Data Protection Impact Assessment
Contact Us

1. Data Controller

Revelion Limited

167–169 Great Portland Street, 5th Floor, London, England, W1W 5PF

Email: privacy@revelion.ai

Website: https://revelion.ai

For data protection enquiries, contact our Data Privacy Lead: privacy@revelion.ai

1.1 Data Privacy Lead

Our Data Privacy Lead can be contacted at:

Email: privacy@revelion.ai
Post: Data Privacy Lead, Revelion Limited, 167–169 Great Portland Street, 5th Floor, London, England, W1W 5PF

The Data Privacy Lead is responsible for overseeing our data protection strategy and ensuring compliance with UK GDPR.

2. Platform Architecture and Data Flows

Revelion operates a split architecture that affects how and where your data is processed:

(a) Cloud Brain (Company-hosted). The AI orchestration layer — including strategic decision-making, agent coordination, analysis, and reporting — runs on infrastructure managed by the Company. Personal data processed by the Cloud Brain is our responsibility.

(b) Execution Layer (User-hosted). The security testing tools that interact with your Targets run inside Docker containers deployed on your own hardware and network. Data generated by the Execution Layer resides on your infrastructure. We do not have access to this data unless it is transmitted to the Cloud Brain as part of normal Platform operation.

This distinction is important for understanding our respective data protection responsibilities throughout this Policy.

3. Data We Collect

3.1 Account Data

When you register, we collect:

Full name
Email address
Organisation name (optional)
Password (hashed, never stored in plaintext)
Billing information (processed by Stripe; we do not store card details)

3.2 Cloud Brain Usage Data

When you use the Platform, we collect and process within the Cloud Brain:

Mission configurations (Target IPs/domains, scope settings, Custom Methodologies)
AI agent decisions, analysis results, and findings
Reports generated by the Platform
Credit usage and transaction history
Platform interaction logs (pages visited, features used, timestamps)

3.3 Technical Data

Automatically collected:

IP address
Browser type and version
Device information
Cookies and similar technologies (see Section 10)

3.4 Execution Layer Data (Your Responsibility)

During missions, the Execution Layer running on your hardware may capture:

Raw tool output and scan logs
Network topology information
Service and application details
Credentials or sensitive data exposed through vulnerabilities

This data resides on your infrastructure. We are not the data controller for Execution Layer data that remains on your hardware. Only data transmitted to the Cloud Brain (such as summarised findings and agent analysis) enters our infrastructure.

3.5 Data Transmitted from Execution Layer to Cloud Brain

During normal operation, the Execution Layer transmits the following to the Cloud Brain:

Tool output summaries (used by AI agents for analysis and decision-making)
Discovered findings and vulnerability details
Execution status and metadata

Note: Tool output transmitted to the Cloud Brain may incidentally contain personal data found on Targets (e.g., usernames, email addresses). We process this solely for the purpose of providing the Service and generating your reports. We employ automated redaction where possible, but you acknowledge that such incidental personal data may be present in your mission results.

This transmitted data is processed and stored by us in accordance with this Policy.

3.6 Data We Do NOT Collect

We do not collect biometric data
We do not collect special category data (as defined in Art. 9 UK GDPR)
We do not monitor or record user keystrokes or screen activity
We do not collect data from social media profiles
We do not access data on your Execution Layer hardware unless it is transmitted to the Cloud Brain

4. How We Use Your Data

PURPOSE	LAWFUL BASIS (UK GDPR)
Providing and operating the Service	Performance of contract (Art. 6(1)(b))
Processing payments	Performance of contract (Art. 6(1)(b))
Sending service notifications	Legitimate interest (Art. 6(1)(f))
Improving the Platform	Legitimate interest (Art. 6(1)(f))
Responding to support requests	Performance of contract (Art. 6(1)(b))
Complying with legal obligations	Legal obligation (Art. 6(1)(c))
Marketing communications (only with consent)	Consent (Art. 6(1)(a))
Fraud prevention and abuse detection	Legitimate interest (Art. 6(1)(f))

4.1 Legitimate Interest Assessments

Where we rely on legitimate interest as a lawful basis, we have conducted balancing tests to ensure our interests do not override your rights and freedoms. You may request copies of these assessments by contacting privacy@revelion.ai.

We do not:

Sell your personal data to third parties
Use mission data for any purpose other than providing the Service to you
Train AI models on your mission data or findings
Share your vulnerability findings with anyone

We share data only with:

5.1 Sub-processors

SUB-PROCESSOR	PURPOSE	LOCATION	DATA PROCESSED
Supabase	Database and authentication	EU (Frankfurt)	Account data, mission metadata, findings
Fly.io	Cloud Brain compute infrastructure	Global (region varies)	AI orchestration data
Stripe	Payment processing	US (EU data processing)	Billing information
Anthropic	AI model provider (agent reasoning)	US	Mission analysis prompts

All sub-processors are bound by data processing agreements. We evaluate their security practices regularly.

5.2 AI Model Provider Data Handling (Anthropic)

When our AI agents process your mission, prompts containing target information are sent to Anthropic's API. Key protections:

No training: Anthropic does not use API inputs or outputs to train their models (per their commercial API terms)
Limited retention: Prompts and responses are retained by Anthropic for a maximum of 30 days for safety monitoring, then deleted
No mission data is persistently stored by Anthropic
We send the minimum data necessary for agent reasoning

5.3 Sub-processor Changes

We will notify you at least 30 days before adding or replacing a sub-processor. You may object to the change by contacting us within that period. If we cannot reasonably accommodate your objection, you may terminate your account.

5.4 Legal Requirements

We may disclose data when required by:

Court order or legal process
Law enforcement request (verified and lawful)
Regulatory requirements

We will notify you of such requests where legally permitted.

6. Data Security

6.1 Cloud Brain Security (Our Responsibility)

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access to production systems is restricted to authorised personnel with multi-factor authentication
We conduct regular security assessments of our own infrastructure
Each customer's Cloud Brain data is logically isolated with no cross-tenant access
Custom Methodologies are stored encrypted and accessible only to the account that created them

6.2 Execution Layer Security (Your Responsibility)

The Execution Layer runs on your hardware in Docker containers
You are responsible for securing your hardware, network, and Docker environment
Raw scan data on your infrastructure is your responsibility to protect
We do not have remote access to your Execution Layer unless you explicitly grant it for support purposes

6.3 Data Breach Response

In the event of a data breach affecting Cloud Brain data, we will:

Notify the ICO within 72 hours where required
Notify affected users without undue delay
Document the breach and remediation steps

We are not responsible for data breaches occurring on your Execution Layer infrastructure, though we will assist with investigation where possible if the breach relates to Platform functionality.

7. Data Retention

DATA TYPE	RETENTION PERIOD	LOCATION
Account data	Duration of account + 12 months after deletion	Cloud Brain
Mission results and findings	12 months from mission date (auto-deleted)	Cloud Brain
Mission orchestration logs	90 days	Cloud Brain
Payment records	7 years (UK tax requirements)	Stripe / Cloud Brain
Support correspondence	24 months	Cloud Brain
Marketing consent records	Duration of consent + 12 months	Cloud Brain
Execution Layer data (raw scan output)	Your responsibility	Your hardware

You may request deletion of your Cloud Brain data at any time (see Section 8). Some data may be retained where we have a legal obligation to do so.

Execution Layer data on your hardware is outside our control. You are responsible for its retention and deletion.

8. Your Rights (UK GDPR)

You have the right to:

Access — request a copy of the personal data we hold about you in the Cloud Brain
Rectification — request correction of inaccurate data
Erasure — request deletion of your data ("right to be forgotten")
Restriction — request that we limit processing of your data
Portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — withdraw consent for marketing at any time

To exercise any of these rights, contact: privacy@revelion.ai

We will respond within one calendar month of receiving your request, as required by UK GDPR.

Note: These rights apply to data we hold in the Cloud Brain. We cannot action rights requests for data residing solely on your Execution Layer hardware, as we do not have access to it.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: https://ico.org.uk
Phone: 0303 123 1113

9. International Transfers

Some of our sub-processors operate outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the ICO
Adequacy decisions where applicable
Supplementary measures where required

10. Cookies and Tracking Technologies

10.1 Our Approach to Cookies

We respect your privacy and comply with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). We implement Google Consent Mode v2 to ensure that no analytics or advertising cookies are set, and no tracking occurs, until you have given your explicit consent.

10.2 Cookie Consent

When you first visit our website, you will see a cookie consent banner. You may choose to:

Accept — Analytics cookies will be enabled, allowing us to understand how visitors use our site
Reject — Only strictly necessary cookies will be used; no analytics data will be collected

Your choice is stored in your browser's local storage and remembered for future visits. You can change your preference at any time by clicking "Cookie Settings" in the website footer.

10.3 Types of Cookies We Use

CATEGORY	COOKIES	PURPOSE	CONSENT REQUIRED
Strictly Necessary	cookie_consent (localStorage)	Stores your cookie consent preference	No
Strictly Necessary	Session cookies	Authentication and session management when logged in	No
Analytics	_ga, _ga_* (Google Analytics 4)	Distinguish unique visitors, track page views and site usage patterns	Yes

10.4 Google Analytics and Consent Mode v2

We use Google Analytics 4 (GA4) to analyse website traffic and improve our services. GA4 is configured with Google Consent Mode v2, which operates as follows:

Before consent: The GA4 tag loads but all consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) are set to "denied". No cookies are set and no personally identifiable data is collected.
After accepting: Consent signals are updated to "granted", enabling standard GA4 functionality including cookies for returning visitor recognition.
After rejecting: Consent signals remain "denied" for the duration of your session and on future visits until you change your preference.

Google may process data as described in their Privacy Policy. You can opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on.

10.5 Third-Party Cookies

We do not use advertising, retargeting, or social media tracking cookies. The only third-party cookies on this website are those set by Google Analytics when you have given consent.

10.6 Managing Your Preferences

You can manage your cookie preferences in the following ways:

Cookie Settings link: Click "Cookie Settings" in the footer to reset your preference and see the consent banner again
Browser settings: Most browsers allow you to refuse or delete cookies. Please note that blocking all cookies may affect website functionality
Clear local storage: Your consent preference is stored in localStorage; clearing your browser data will reset it

Disabling strictly necessary cookies may prevent the Platform from functioning correctly when you are logged in.

11. Automated Decision-Making and Profiling

11.1 The Platform uses AI agents to conduct automated penetration testing. This constitutes automated processing but does not produce decisions with legal or similarly significant effects on individuals (Art. 22 UK GDPR).

11.2 AI-generated findings (vulnerabilities, risk ratings) are technical assessments of systems, not evaluations of individuals.

11.3 We do not use profiling to make decisions about service access, pricing, or account status.

12. Business Customers — Data Processing

12.1 Where you use the Platform to test systems containing personal data of your employees, customers, or users, you are the Data Controller for that data and we act as a Data Processor for any such data that reaches the Cloud Brain.

12.2 For data that remains on your Execution Layer, you are both Data Controller and Data Processor. We have no processing role for that data.

12.3 We offer a Data Processing Agreement (DPA) to business customers on request. Contact privacy@revelion.ai.

12.4 As a Processor (for Cloud Brain data), we will:

Process data only on your documented instructions
Ensure persons authorised to process the data are under confidentiality obligations
Assist you with Data Subject Access Requests relating to data discovered during missions
Delete or return all data at the end of the retention period or on your request
Make available information necessary to demonstrate compliance

13. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

14. Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

Email notification to registered users
Dashboard notification within the Platform
Updated "Last Updated" date at the top of this policy

16. Data Protection Impact Assessment (DPIA)

Given the nature of the processing (automated security testing that may discover personal data), we have conducted a DPIA in accordance with Art. 35 UK GDPR. A summary is available on request from privacy@revelion.ai.

17. Contact Us

For any privacy-related questions or requests: