Legal Information

Privacy Policy

Protecting your personal data is of utmost importance to us. This policy details how we handle your data.

1. Data Controller

The operator and data controller of the Revino application (hereinafter: "Service") is: Filyó Dominik E.V.

Registered office: 3561, Felsőzsolca Rózsa utca 3., Hungary

Email: kapcsolat@filyodev.hu

Data Protection Officer (DPO): kapcsolat@filyodev.hu

Data processing is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

2. Categories of Personal Data Processed

2.1. Registration data: Last name, first name, email address, phone number (optional), password (stored in hashed form, PBKDF2-SHA256), birthday (month and day), language setting.

2.2. User profile: Profile picture (optional), user role, registration date.

2.3. Loyalty program data: Point balance, transaction history, challenge progress, streak data, gift points, external loyalty cards.

2.4. Technical data: Push notification token, session token, authentication provider identifier.

2.5. Subscription data: Stripe customer ID, Stripe subscription ID, product identifier and plan, subscription status and periods, billing name and address, tax number (for organizations, optional).

2.6. Analytics data (consent-based): Anonymous app usage data (PostHog), screen views (EU-hosted servers only).

2.7. Automated campaign data (for merchants): Campaign rules (trigger type, conditions, message template), campaign log (send timestamp, recipient, trigger type).

2.8. Benchmark and comparison data: Anonymized, aggregated performance metrics per category (min. 3 merchants). Individual merchant data is never identifiable to others.

2.9. Predictive analytics data (for merchants): Revenue/customer trend calculations, churn risk classification, best day/hour analysis, liability forecast.

2.10. Weekly reports and scheduled content: Automatic weekly summaries, story scheduling data.

3. Legal Basis for Processing (GDPR Article 6)

3.1. Performance of contract (Art. 6(1)(b)): Account creation, loyalty program data, transaction data.

3.2. Consent (Art. 6(1)(a)): Analytics, marketing communications, birthday greetings, automated campaign messages.

3.3. Legitimate interest (Art. 6(1)(f)): Service security, abuse prevention, GDPR audit logging, benchmark comparison (anonymized, min. 3 merchants), predictive analytics (merchant's own data).

3.4. Legal obligation (Art. 6(1)(c)): Data retention, authority requests.

4. Data Processors and Third Parties

We share data only with GDPR-compliant data processors:

- Convex, Inc. (USA): Database and cloud service
- PostHog, Inc. (EU): Analytics for mobile app and website (consent-based; web: eu.i.posthog.com)
- Google LLC (USA): OAuth, Google Maps, Google Analytics 4 (web analytics, consent-based), Google Tag Manager (tag management)
- Apple Inc. (USA): Apple Sign-In authentication
- Resend, Inc. (USA): Transactional email
- Expo (USA): Push notifications
- OpenStreetMap Foundation: Geocoding
- Stripe, Inc. (USA): Online payment provider (PCI DSS compliant)
- Számlázz.hu (KBOSS.hu Kft., Hungary): Electronic invoicing (NAV Online Számla 3.0)
- Meta Platforms, Inc. (USA): Meta Pixel conversion tracking (website, marketing consent-based only)

For third country transfers, we apply Standard Contractual Clauses.

5. Data Retention

- Account data: until account deletion (30-day grace period)
- Transaction data: anonymized upon account deletion
- Billing data: invoices retained for 8 years (Act C of 2000 on Accounting)
- Session tokens: 30 days
- GDPR audit log & consent records: indefinitely
- Automated campaign rules: lifetime of merchant account
- Campaign logs: 90 days
- Weekly reports: 12 weeks
- Scheduled stories: until expiration

6. Data Subject Rights

Under the GDPR: Right of access (Art. 15), Right to rectification (Art. 16), Right to erasure (Art. 17), Right to restriction (Art. 18), Right to data portability (Art. 20), Right to object (Art. 21), Right to withdraw consent.

7. Automated Decision-Making, Profiling & Data Security

7.1. No processing based solely on automated decision-making with legal effects.

7.2. Profiling (Premium subscribers): Churn risk classification (rule-based, informational, no legal effects), automated campaigns (merchant-configured, unsubscribable), benchmark comparison (anonymized, min. 3 merchants), revenue forecasting (informational).

7.3. Data Security: Passwords: PBKDF2-SHA256 (100,000 iterations). Transport: HTTPS/TLS only. Access control: role-based. On-device secrets: SecureStore.

8. Cookies and Tracking Technologies

The revino.hu website uses cookies for essential functionality and, with your consent, for analytics and marketing purposes.

8.1. Necessary cookies: essential for the site to function (session management, security features, storing cookie preferences). Legal basis: legitimate interest (GDPR Art. 6(1)(f)).

8.2. Analytics cookies: We use Google Analytics 4 (GA4) via Google Tag Manager and PostHog (EU) to collect anonymous usage data. PostHog primarily uses localStorage; Google sets cookies for GA4. Both load only after consent. Legal basis: consent (GDPR Art. 6(1)(a)).

8.3. Marketing cookies: We use Meta Pixel (Meta Platforms, Inc.) and Google Ads conversion tracking to measure subscription conversions. Meta Pixel loads in consent-revoked mode and only activates after you grant marketing consent. Legal basis: consent (GDPR Art. 6(1)(a)).

8.4. We use Google Consent Mode v2 and Meta Pixel consent management; the PostHog SDK initializes only after analytics consent. Analytics and marketing storage are denied by default until you consent.

For a detailed list of cookies, management options, and how to change your preferences, please refer to our Cookie Policy: https://revino.hu/en/cookies

9. Protection of Minors

The Service is available exclusively to persons aged 16 and above.

10. Legal Remedies

Complaints: kapcsolat@filyodev.hu

Hungarian DPA (NAIH): 1055 Budapest, Falk Miksa utca 9-11., ugyfelszolgalat@naih.hu

This privacy policy is effective as of: 2026-03-26