Reva
Back to home
Privacy

Your data is yours.

No dark patterns, no data brokers, no surprises. Here's exactly what we collect, why we collect it, and how to take it back at any time. Written so you don't need a lawyer.

Last updated · May 14, 2026

Reva is a local rewards network for local businesses. To make that work we have to remember a little about you — like that you've scanned at Café Luna three times this month. We don't collect anything beyond what the product needs to function, and we never sell what we do collect.

The short versionWe store a random device ID, your reward progress at each partner location you've scanned, and — only if you choose to save your card — your email and name. Business owners see their own customers' activity. Nobody else does. You can delete everything in one click.

1. Who runs Reva

Reva is operated by the Reva team. If you need to reach a human about anything in this policy, write to privacy@reva.app. A founder reads every message.

2. What we collect

If you're a customer scanning a QR

  • A device identifier — a random ID generated the first time you open a loyalty card. It is not your name, your phone number, or your IP. It lives in your browser's storage.
  • Your loyalty progress — how many stamps you have at each participating business, which rewards you've redeemed, and the timestamps of those events.
  • Optional: email and display name — only if you tap "Save my card" to sync across devices. We use this to send you a magic login link, nothing else.

If you're a business owner or admin

  • Account info — email, hashed password, optional display name.
  • Business info — name, category, logo, accent color, the rewards you set up.
  • Aggregated analytics on your own customers — return rate, redemption stats, visit frequency.

What we don't collect

  • We don't collect your precise location. We never ask for GPS.
  • We don't collect what you ordered, ate, drank, or paid. Reva doesn't touch POS data.
  • We don't share data between businesses. Café Luna can't see who scans at Oak Barber, ever.
  • We don't use third-party advertising trackers. There's no Facebook pixel, no Google Ads pixel, no TikTok pixel.

3. Why we collect it

Two reasons, and only these two:

  • To run the loyalty program you opted into — track stamps, deliver rewards, prevent abuse.
  • To give the business owner anonymous aggregates about their own customer base. They see numbers, not your name.

That's it. We don't profile you. We don't score you. We don't sell to data brokers. We don't train AI on your behavior.

4. Who can see what

  • You — see everything that's yours, from the customer card screen and the rewards history.
  • The business you scanned at — sees that you exist (as an anonymous device, or as the name you chose to attach), what you've earned at their location, when you last visited. Nothing about your visits to other businesses.
  • Reva platform admins — a small internal team has access to operational logs to keep the platform secure. We don't look at individual cards casually; we look when something is wrong (abuse, bugs, fraud).
  • Nobody else. Not advertisers, not data brokers, not social networks, not your bank.

5. How long we keep it

  • Customer loyalty data — for as long as the program is active at that business. If the business closes, we delete your card within 30 days.
  • Account data — until you delete your account.
  • Anonymous logs — kept for 30 days for debugging and fraud detection, then erased.

6. Your rights (GDPR & beyond)

Wherever you are, you have these rights with us. If you're in the EU/UK, they are guaranteed by law.

  • Access — ask for a copy of everything we have on you.
  • Correction — fix anything that's wrong.
  • Deletion — erase your account or a specific loyalty card. We comply within 7 days. Some anonymized aggregates may remain (these can't be traced back to you).
  • Portability — download your data in a machine-readable format.
  • Withdraw consent — anytime, no questions asked.

Email privacy@reva.app with the subject line of the right you're exercising. We don't hide behind a form.

7. Cookies

We use the minimum cookies needed to keep you signed in and to remember your loyalty progress. No advertising cookies, ever. We don't need a 30-button cookie banner because there's nothing for you to opt out of.

8. Security

Authentication, payments, and customer data are hosted on Supabase and Vercel — both SOC 2 Type II audited. We encrypt data in transit (TLS) and at rest. Passwords are hashed with bcrypt. We don't store credit card numbers ourselves; that's handled by Stripe.

9. Children

Reva is not intended for children under 16. We don't knowingly collect data from them. If you're a parent and think your child has a Reva card, email us and we'll delete it on the spot.

10. Changes to this policy

If we change anything material, we'll email registered users at least 14 days before it takes effect, and pin a banner on the dashboard. We won't change retroactively to make things worse for you.

Questions?privacy@reva.app — a real person, responding within one business day.