Reva is a local rewards network for local businesses. To make that work we have to remember a little about you — like that you've scanned at Café Luna three times this month. We don't collect anything beyond what the product needs to function, and we never sell what we do collect.
1. Who runs Reva (data controller)
Reva is operated by the team behind revanetwork.net ("Reva", "we", "us"). For the purposes of the EU General Data Protection Regulation (GDPR), Reva is the data controller for the personal data described in this policy. If you need to reach a human about anything here — including any data request — write to contact@revanetwork.net. A founder reads every message.
2. What we collect
If you're a customer scanning a QR
- A device identifier — a random ID generated the first time you open a loyalty card, stored as a cookie in your browser. It is not your name, your phone number, or your IP.
- Your loyalty progress — how many stamps you have at each participating business, which rewards you've redeemed, and the timestamps of those events.
- Optional: email and display name — only if you tap "Save my card" to sync across devices. We use this to send you a magic login link, nothing else.
If you're a business owner or admin
- Account info — email, hashed password, optional display name.
- Business info — name, category, logo, accent color, the rewards you set up.
- Aggregated analytics on your own customers — return rate, redemption stats, visit frequency.
Technical data
- Basic request data — IP address and request timestamps are processed transiently by our hosting provider to deliver the service and prevent abuse. We don't store IP addresses against your loyalty card.
What we don't collect
- We don't collect your precise location. We never ask for GPS.
- We don't collect what you ordered, ate, drank, or paid. Reva doesn't touch POS data.
- We don't share data between businesses. Café Luna can't see who scans at Oak Barber, ever.
- We don't use third-party advertising trackers. There's no Facebook pixel, no Google Ads pixel, no TikTok pixel.
3. Why we collect it — and the legal basis
Under GDPR every use of your data needs a lawful basis. Here are ours:
- To run the loyalty program you opted into — tracking stamps, delivering rewards. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
- Optional email & name for saving and recovering your card. Legal basis: your consent (Art. 6(1)(a)), which you can withdraw at any time.
- Security, fraud prevention, and anonymous aggregates for the business owner. Legal basis: our legitimate interest (Art. 6(1)(f)) in running a safe, functioning network — balanced so it never overrides your rights.
That's it. We don't profile you. We don't score you. We don't sell to data brokers. We don't train AI on your behavior.
4. Who can see what
- You — see everything that's yours, from the customer card screen and the rewards history.
- The business you scanned at — sees that you exist (as an anonymous device, or as the name you chose to attach), what you've earned at their location, when you last visited. Nothing about your visits to other businesses.
- Reva platform admins — a small internal team has access to operational logs to keep the platform secure. We don't look at individual cards casually; we look when something is wrong (abuse, bugs, fraud).
- Nobody else. Not advertisers, not data brokers, not social networks, not your bank.
5. Sub-processors
We use a small number of trusted infrastructure providers to run Reva. Each only processes data on our instructions, and each is bound by a Data Processing Agreement (DPA) consistent with GDPR. We don't add a sub-processor that we wouldn't trust with our own data.
- Supabase — database, authentication, and storage. Holds your account data and loyalty records. SOC 2 Type II audited.
- Vercel — application hosting and delivery. Serves the Reva website and app, and transiently processes request data (including IP) to do so. SOC 2 Type II audited.
- Resend — transactional email delivery. Sends login links, email verification, and account notifications. Processes the recipient email address and message content only.
- GoDaddy — domain registration and DNS for revanetwork.net. Handles the domain name and DNS routing; it does not process customer loyalty data.
If we add or change a sub-processor in a way that affects your data, we will update this list and notify registered users as described in section 11.
6. Where your data is hosted
Reva is built for the European market and we keep data within the EU wherever possible — our database and email infrastructure are hosted in the European Union. Some providers (such as our hosting CDN) operate global edge networks; where any processing occurs outside the European Economic Area, it is covered by appropriate safeguards such as the EU Standard Contractual Clauses. We never sell or transfer your data to a third party for their own purposes.
7. How long we keep it
- Customer loyalty data — for as long as the program is active at that business. If the business closes, we delete the associated cards within 30 days.
- Account data — until you delete your account (or ask us to).
- Operational logs — kept for up to 30 days for debugging and fraud detection, then erased.
8. Your rights (GDPR)
Wherever you are, you have these rights with us. If you're in the EU/UK, they are guaranteed by law:
- Access — ask for a copy of everything we have on you.
- Rectification — fix anything that's wrong.
- Erasure ("right to be forgotten") — ask us to delete your account or a specific loyalty card. Email contact@revanetwork.net and we comply within 30 days (usually much faster). Some fully anonymized aggregates may remain — these can't be traced back to you.
- Restriction & objection — ask us to pause or stop a particular use of your data.
- Portability — get your data in a machine-readable format.
- Withdraw consent — anytime, no questions asked, for anything based on your consent.
To exercise any right, email contact@revanetwork.net with the right you're exercising in the subject line. We don't hide behind a form, and we don't charge for it.
Right to complain. If you believe we've mishandled your data, you can lodge a complaint with your local data protection authority. In Romania this is the National Supervisory Authority for Personal Data Processing (ANSPDCP). We'd appreciate the chance to fix it first — but it's your right either way.
9. Cookies
We use only the cookies strictly necessary to run the service: keeping you signed in, remembering your loyalty device ID, and storing your language preference. These are essential for the product to work, so no consent banner is required for them. We use no advertising or cross-site tracking cookies — there is nothing to opt out of.
10. Security
Account data and customer records are hosted on Supabase and Vercel — both SOC 2 Type II audited. We encrypt data in transit (TLS) and at rest. Passwords are hashed (bcrypt) and never stored in plain text. Access to production data is limited to a small admin team and logged. Reva does not process or store payment card numbers.
11. Children
Reva is not intended for children under 16. We don't knowingly collect data from them. If you're a parent and think your child has a Reva card, email us and we'll delete it on the spot.
12. Changes to this policy
If we change anything material, we'll email registered users at least 14 days before it takes effect, and pin a banner on the dashboard. We won't change retroactively to make things worse for you.