The REVOLUTion: Still Think You’re In Control?
skyfall231
You downloaded Revolut because the exchange rate was better than your bank’s, or maybe a friend sent a referral link. Maybe you just liked that the card came in black and the app didn’t look like it was designed in 2003. Somewhere during sign-up, between entering your passport details and setting your PIN, you tapped “I Agree” on a privacy policy longer than most short novels. And just like that, they got you!
This is what you agreed to, in simple terms: Revolut may collect, analyse, share, and retain a remarkably complete picture of your financial life. Every transaction. Every merchant. Every time you send money at 2am. Every paycheck that lands in your account. Every currency swap, every failed payment, every time you move money into your savings account then back out into your checking account within the same hour. All of it goes in. None of it just sits there doing nothing.
Revolut now has 68.3 million retail customers worldwide. In 2025 alone, it processed $1.7 trillion in transactions, up 65% from the year before. That also means it holds one of the most detailed collections of financial behavioural data ever assembled on ordinary private individuals, and most of those individuals have absolutely no idea.
This is what Revolut actually knows about you and what it does with that knowledge once it has it.
WHAT GOES IN
Start with what you hand over directly. Full name, home address, email, phone number, date of birth, and government-issued ID documents. That’s normal for any financial institution; nothing surprising there. The interesting part is what comes next.
Their privacy policy, updated as recently as December 2025, explicitly states that Revolut collects information from your device, including your IP address and GPS location. Not just when you’re making a payment abroad but whenever the app is active. They also pull data from third parties like credit reference agencies, fraud prevention companies, social media platforms, and partner organisations you may never have heard of.
Here is the sentence that deserves your full attention. Buried between two paragraphs about anti-money laundering compliance, in their own words:
“We also create new information about you based on how you use the Revolut app.” (Revolut Customer Privacy Policy, December 2025)
Read that carefully. They don’t just collect what you hand over. They actively create entirely new data about you, derived, inferred, and computed from patterns in your behaviour. You aren’t a customer with a bank account. You are a raw input into a machine that produces a financial portrait of your entire life, history and possible future outcomes.
Aside from the usual details like your full name, home address, email, phone number, and passport or driving licence, here is some of the interesting information Revolut gets from you:
- Every transaction gives them the merchant name, category, amount, exact time, and location
- Paycheck timing and amount: they know your salary schedule and roughly what you earn
- Device GPS location and IP address, logged throughout app use
- Spending patterns, categorised and continuously analysed by AI models
- Credit reference agency data: your credit score, outstanding debts, and repayment history
- Your name and email, hashed and shared with Meta and other ad platforms for audience targeting
- Biometric identifiers if you use Face ID or fingerprint authentication
- Data from any third-party integration you connect, including Google and Microsoft accounts
- An inferred risk profile, generated from all of the above and updated continuously
And if you have a Revolut Junior account, the product aimed at children between the ages of 7 and 17, your children’s transaction data is part of this dataset too. Still think you have control?
THE NUMBERS
Before going further, here is the scale of what we are talking about.
- 68.3 million retail customers actively profiled across 40+ countries as of end-2025
- $1.7 trillion in transactions processed in 2025, every single one a data point in someone’s profile
- 50,150 customers had their names, addresses, phone numbers, and partial card data accessed by hackers in the 2022 breach; that could’ve been any one of you reading this right now
- 7 years: no, not how long it takes you to get a girlfriend. It’s the length of time Revolut retains your data after you close your account, as required by banking law
That last number matters more than people realise. Closing your account does not end the relationship between Revolut and your data. It just changes the tense.
WHO GETS YOUR DATA
This is the section most people skip. Revolut’s privacy policy contains a heading that asks if they share your personal data with anyone else, and the answer is a very long yes, followed by a list that sometimes takes a law degree to fully understand.
Revolut shares your data with financial institutions, insurance providers, government authorities, law enforcement agencies, tax authorities, fraud prevention agencies, credit reference agencies (naming Experian specifically), advertising partners, social media platforms, and co-brand promotional partners. That is not a dramatic summary. That is the list, nearly verbatim, from the horse’s mouth.
Think about what that list means in the real world. Insurers use spending data to assess risk, i.e. a pattern of late-night transactions at certain merchant categories, or income that looks irregular, can influence the premium you’re quoted, or whether you’re offered coverage at all. Lenders increasingly use transaction history alongside, or even instead of, traditional credit scores. Advertisers use your profile to follow you across the internet in ways that feel inexplicably accurate. In some markets, employers have begun integrating financial wellness platforms that tell a structurally similar story.
Then there is this, pulled word for word from Revolut’s own policy:
“We may share your personal data with other financial institutions, or Revolut customers, if you ask us to. We may also share your personal data with other financial institutions, or Revolut customers, where you do not ask us to”
That second sentence is not a typo, my dear friend. Revolut reserves the right to share your personal financial data with third-party institutions or other Revolut users, without your request and without your explicit consent. Their stated legal basis for this is “legitimate interests”: a GDPR provision that essentially means the company decided the benefit to them outweighed the privacy cost to you.
Revolut also transmits your name, email address, and in-app event data to social media platforms including Meta, specifically to identify and reach “people with a similar profile to yours” for advertising purposes. The data is hashed before sending, technically anonymised. But the purpose is plain: your financial behaviour is being used to construct advertising audience segments, not only for Revolut’s own promotions, but for third-party brands paying to reach people who look like you.
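How a hashed email still lets a platform find the matching profile, as an added example that is not Revolut's or Meta's code. It assumes SHA-256 over a trimmed, lowercased address, the usual convention for ad-platform audience uploads (the policy does not name the hash); all addresses and profile IDs are constructed.

```python
import hashlib


def normalise(email: str) -> str:
    # Both sides apply the same normalisation so that equal addresses
    # always produce equal hashes.
    return email.strip().lower()


def hash_email(email: str) -> str:
    # Unsalted and deterministic (assumed SHA-256): same input, same digest.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


# Constructed sample: the sender's customer list (never sent in clear text).
SENDER_CUSTOMERS = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]

# Constructed sample: accounts the ad platform already knows by email.
PLATFORM_ACCOUNTS = {
    "alice@example.com": "profile-1001",
    "carol@example.net": "profile-1003",
    "dave@example.com": "profile-1004",
}


def upload_audience(emails):
    # What leaves the sender: digests only.
    return [hash_email(e) for e in emails]


def match_audience(hashed_upload, accounts):
    # The platform hashes its own account emails the same way and joins on
    # the digest. No hash is ever reversed; equality is enough.
    index = {hash_email(email): pid for email, pid in accounts.items()}
    return sorted(index[h] for h in hashed_upload if h in index)


def matched_profiles():
    return match_audience(upload_audience(SENDER_CUSTOMERS), PLATFORM_ACCOUNTS)


if __name__ == "__main__":
    # Two of the three uploaded customers resolve to known profiles.
    print(matched_profiles())
```

The digest works as a stable identifier for anyone who already holds the same email address, which is what makes audience matching possible.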
THE AI THAT JUDGES YOU
There is a section of Revolut’s privacy policy that most users will never find, sitting between the clauses about credit reference agencies and the table of legal processing bases. It addresses automated decisions. And it reads as follows:
“Depending on the Revolut products or services you use, we may make automated decisions about you. Some of these decisions are made using artificial intelligence without any initial human input. We may also use technology to evaluate your personal circumstances and other factors to predict risks or outcomes.”
(Revolut Customer Privacy Notice, UK, March 2026)
Their own policy offers a specific example of what these decisions include: deciding whether to lock, restrict, or permanently close your account if the AI detects behaviour that resembles fraud or a terms violation. Imagine this: an algorithm flags your pattern as anomalous, no human reviews it first, your account is frozen and your money becomes inaccessible. Anyone who has spent an afternoon trying to navigate Revolut’s customer support will understand how frightening that scenario is.
The implications run deeper than account closures. The phrase “predict risks or outcomes” in the context of comprehensive financial data is not neutral language. It means Revolut is actively building predictive models of you, estimating your financial reliability, your default risk and your spending psychology. These models do not only influence which products appear in your app. They can feed into the broader financial ecosystem that determines your insurance rates, your loan approvals, and the invisible profile that follows you through the financial system.
It is important to note that you have the right under GDPR to request human review of any automated decision that significantly affects you. However, exercising that right requires knowing the decision was made in the first place. Revolut is not required to notify you proactively when the algorithm has rendered a verdict on your financial character.
THE FACEBOOK PROBLEM
In 2020, a security researcher published a detailed technical investigation of Revolut’s Android application. What he found: Revolut had integrated Facebook’s SDK, the development toolkit that allows apps to share behavioural analytics with Meta’s advertising infrastructure, and had not disabled the automatic data-sharing that activates the moment a user installs the app.
Under GDPR, developers are required to delay this data transmission until users explicitly consent to tracking. Facebook’s own SDK provides a setting to enable this delay. Revolut had not turned it on. User behaviour, app launches, in-app actions and device advertising identifiers were all being transmitted to Meta before users had agreed to any privacy policy at all.
As the researcher documented:
“All data is typically shared with a unique identifier (Advertising ID), to allow advertisers to link data about user behaviour from different apps into a comprehensive profile… Unfortunately, Revolut doesn’t seem to have implemented the consent delay, as I have analysed on my research environment.”
(Hugo Batista, security researcher, Medium / The Startup, October 2020)
Revolut did not publicly respond. Whether a data protection authority formally reviewed it remains unconfirmed publicly. What is not disputed is that a financial application was feeding user behaviour into Meta’s infrastructure before users had been given the option to say no.
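A check an app reviewer can run for the consent-delay settings described above, as an added example that is not from the researcher's write-up or from Revolut's code. It assumes the AndroidManifest.xml has already been decoded to text XML and relies on the Facebook Android SDK's documented meta-data flags, which default to enabled when absent; both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Facebook Android SDK manifest flags; each behaves as "true" when absent.
CONSENT_FLAGS = (
    "com.facebook.sdk.AutoInitEnabled",
    "com.facebook.sdk.AutoLogAppEventsEnabled",
    "com.facebook.sdk.AdvertiserIDCollectionEnabled",
)

# Constructed sample: SDK integrated with defaults, no consent delay.
MANIFEST_DEFAULT = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <meta-data android:name="com.facebook.sdk.ApplicationId"
               android:value="@string/facebook_app_id"/>
  </application>
</manifest>"""

# Constructed sample: every automatic behaviour held back until consent.
MANIFEST_DELAYED = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <meta-data android:name="com.facebook.sdk.AutoInitEnabled"
               android:value="false"/>
    <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled"
               android:value="false"/>
    <meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled"
               android:value="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return the consent flags that are not explicitly set to false."""
    declared = {}
    for meta in ET.fromstring(xml_text).iter("meta-data"):
        name = meta.get(f"{{{ANDROID_NS}}}name")
        if name in CONSENT_FLAGS:
            value = meta.get(f"{{{ANDROID_NS}}}value") or ""
            declared[name] = value.strip().lower()
    # Missing flags and resource references such as "@bool/..." are both
    # reported: the first means the default applies, the second needs a
    # manual look at the referenced resource.
    return [flag for flag in CONSENT_FLAGS if declared.get(flag) != "false"]


if __name__ == "__main__":
    print("default build:", audit_manifest(MANIFEST_DEFAULT))
    print("delayed build:", audit_manifest(MANIFEST_DELAYED))
```

A clean manifest only shows that the automatic behaviour is off at install time; the app can still enable it in code later, so the consent flow itself needs reviewing too.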
WHEN THE WALLS CAME DOWN: The 2022 Breach
On 11 September 2022, an attacker used social engineering, exploiting human behaviour rather than software vulnerabilities, to gain access to Revolut’s internal database. By the time Revolut isolated the intrusion the following morning, the personal data of 50,150 customers across more than 20 countries had been accessed.
The exposed data included full names, home addresses, email addresses, phone numbers, and partial payment card information.
Revolut sent an email to affected customers. They issued no public statement. Users who received the notification described the language as deliberately vague — reassuring in tone, non-specific about exactly what had been accessed. People who hadn’t received any email turned to Reddit to figure out what had happened. One user wrote, simply: “I just want to know what data was leaked.”
Within days, a phishing SMS campaign launched targeting Revolut customers, including users who had not been part of the breach at all. Messages directed recipients to a site called revolut-card-cancel.com and walked them through a four-step credential harvesting process. The criminals didn’t need to breach Revolut again. The ambient panic was sufficient.
The breach was not uniquely catastrophic in scale. It matters because it is instructive in what it reveals about structural risk. A company that holds this quantity of detailed financial behavioural data on this many people is permanently one successful social engineering attempt away from handing a stranger an intimate record of someone’s life. And here is the part that doesn’t end: since Revolut is legally required to retain your data for up to seven years after account closure, the breach data continues to exist in their systems, and potentially in the hands of whoever accessed it, long after the news cycle moved on. You cannot opt out of this retention. There is no override. There is no way out.
This is not a conspiracy theory. It is a business model, one Revolut’s own annual report describes with justifiable pride. Revenue of £4.5 billion in 2025, pre-tax profit of £1.7 billion and a valuation of $75 billion. A company does not reach those numbers by offering free currency exchange as a philanthropic gesture. The data is the product, you are the raw material and you consented somewhere around paragraph forty-seven of the terms and conditions, on a phone screen, while half-distracted, in about eight seconds. Still think you are in control?
SO WHAT CAN YOU DO
Request Your Data Then Actually Read It
Send an email to “[email protected]” with a Subject Access Request. Under GDPR, Revolut must provide a complete copy of everything they hold on you within 30 days. It will likely include years of categorised transaction data, your inferred risk profile, logs of automated decisions made about your account, and a list of every third party your data has been shared with. Most people who do this are unsettled by what arrives. That discomfort is the point.
Turn Off Advertising Data Sharing Now
Go to Settings then Security & Privacy in the app. Disable personalised ads and third-party marketing. This will not delete your existing profile, as nothing short of regulatory compulsion will do that, but it cuts the ongoing pipeline feeding your data to Meta and other ad platforms. If you have never touched this setting, it is currently on.
Understand What “Closing Your Account” Actually Means
Deleting the Revolut app removes the app from your phone. It does not touch your data. Revolut is legally required under anti-money laundering and KYC regulations to retain your complete financial records for up to seven years after account closure. Your data continues to exist in their infrastructure, under their security posture, subject to their third-party sharing arrangements, for years after you’ve moved on. But you’re in the know now, having read my article up to this point. You’re welcome!
Understand Why Self-Custodial Finance Changes the Equation
Every piece of data Revolut holds about you exists because the current financial system requires intermediaries. A neobank must sit between you and your money and in doing so, it records everything that passes through. Self-custodial finance removes the intermediary entirely.
1. No institution holds your transaction history.
2. No behavioural profile is assembled. No AI renders automated verdicts on your financial character.
3. No breach exposes your data to a stranger with a social engineering script.

This is not theoretical. It is the structural difference between a financial system built on observation and one built on privacy as a default.

Every piece of data Revolut holds about you exists because traditional finance is structurally dependent on intermediaries. Someone must sit between you and your money, processing, recording and approving it. And anyone sitting in that position will, inevitably, build a file on you. That is not a flaw in Revolut’s character. It is a flaw in the architecture.

Self-custodial finance is built differently at the foundation. When you are in control, transactions settle directly between parties on a transparent, decentralised ledger, so there is no need for an institution in the middle, no behavioural profile being assembled in the background, and no AI model drawing inferences about your character from your Friday night spending to be fed to insurance and loan companies. The network processes the transaction and nobody owns the record of it.

Encryption means your financial activity is mathematically protected rather than institutionally promised. There is no privacy policy to bury the important parts in. There is no “legitimate interests” clause that lets a company decide your data is theirs to distribute. There is no customer support ticket you need to file to request a human review of a decision an algorithm made about your money.

What Web3 infrastructure offers, at its core, is a financial system where privacy is part and parcel of the technology and not a setting buried 4 menus down that defaults to off until you read this article and decide to go turn it on. You are not a profile, not a product, not just a data set but an active participant, and the distinction, as this investigation makes clear, is everything.
IS FINANCIAL PRIVACY IMPORTANT?
Your bank account is the most honest record of who you are. Everything else, your social media, your CV, your public persona and even your height (I come in peace), you can curate and shape. Your transactions, you simply cannot. The question is not whether Revolut is uniquely villainous. It isn’t. Every major neobank operates a version of this model. The question is whether you are comfortable with any company holding this much truth about you, indefinitely, shared with this many parties downstream, updated continuously by AI models you will never see.
If the answer is no, then that discomfort is worth something and you should act on it right now!
You could always just agree blindly and ignorantly to terms and conditions next time though, it’s your choice really.