Privacy Policy

Effective Date: June 1, 2026
Version dated June 1, 2026

0. Privacy Policy – Overview

This Privacy Policy explains how localoyal GmbH processes personal data in connection with the Revenipe website, marketing pages, dashboard, accounts, support, communications and operation of the Service, to the extent Provider acts as controller. For Customer Data processed on behalf of customers, the customer is generally the controller and the DPA applies.

• Provider: localoyal GmbH, Mercatorstrasse 62, 49080 Osnabrück, Germany, registered with the Local Court of Osnabrück under HRB 218235
• Contact: hello@revenipe.com
• Support Contact: support@revenipe.com
• Sub-processors / service providers: see the DPA and the current processor and sub-processor list made available by Provider
• Technical Parameters: plans, limits, pricing, retention periods and technical specifications are set out on www.revenipe.com, in the ordering process, in the dashboard or in the documentation

1. Controller, Contact, Data Protection Officer and Supervisory Authority

1.1 Controller: localoyal GmbH, Mercatorstrasse 62, 49080 Osnabrück, Germany.

1.2 E-mail: hello@revenipe.com. Support: support@revenipe.com.

1.3 Data Protection Officer: no data protection officer appointed. Privacy inquiries may be sent to the contact address above.

1.4 Competent supervisory authority: The competent supervisory authority for Provider's establishment in Lower Saxony is Der Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover, Germany, e-mail: poststelle@lfd.niedersachsen.de, website: www.lfd.niedersachsen.de.

2. Scope, Roles and Affected Groups

2.1 This Privacy Policy applies to persons who interact directly with Provider, including website visitors, marketing-page visitors, prospects, newsletter subscribers, account owners, administrators, Authorized Users, support contacts, applicants or other business contacts.

2.2 For Customer Data processed by customers through the Service, the relevant customer is generally the controller. Provider processes such data as processor under the DPA unless Provider determines purposes and means for a specific processing activity.

2.3 End Users of a Customer's Connected Application should primarily refer to the privacy notice of the relevant customer. Provider may process End User identifiers, usage events, entitlement states, credit balances, usage keys, subscription status, purchase metadata, webhook metadata and similar data as processor for the customer under the DPA.

2.4 Third-Party Services such as Stripe and, if and when supported, RevenueCat, may process personal data as independent controllers or processors under their own terms and privacy notices, depending on the configuration and relationship.

3. Processing Activities by Context

Context / affected group	Typical data	Purpose	Legal basis
Website and marketing-page visitors	IP address, device and browser data, referrer, page views, consent status, cookie identifiers where used.	Provision of the website, security, analytics where consented, marketing attribution where consented.	Art. 6(1)(f) GDPR for technically necessary operation and security; Art. 6(1)(a) GDPR for optional analytics or marketing cookies where required.
Prospects and business contacts	Name, business e-mail, company, role, communications, meeting notes and CRM metadata where used.	Responding to inquiries, sales communication, product demos, contract preparation and relationship management.	Art. 6(1)(b) GDPR for pre-contractual steps; Art. 6(1)(f) GDPR based on legitimate interests in B2B communication and customer acquisition.
Customers, account owners, administrators and Authorized Users	Name, e-mail address, company, role, account ID, authentication data, plan, dashboard activity, API usage, security logs.	Account administration, authentication, provision of dashboard access, Service operation, security and contract performance.	Art. 6(1)(b) GDPR where the data subject is party to the contract; otherwise Art. 6(1)(f) GDPR based on legitimate interests in administering business accounts and providing the Service.
Support contacts	Support tickets, e-mails, chat (e.g. Discord) messages, screenshots, logs, call notes, feedback and related metadata.	Providing support, troubleshooting, error analysis, product improvement and documentation of support history.	Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR based on legitimate interests in supporting customers and improving the Service.
Billing contacts	Billing address, tax information, invoice data, payment status, payment method metadata and transaction references for Provider's own fees.	Billing, invoice issuance, payment collection for Provider's own fees, accounting, tax compliance and receivables management.	Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR for legal obligations, and Art. 6(1)(f) GDPR for payment security and receivables management.
End Users of Customer applications	End-user IDs, customer IDs, entitlement states, usage keys, credit balances, subscription or trial status, usage and consumption events, webhook metadata, purchase/session metadata.	Processing on behalf of the customer for monetization configuration, entitlement management, usage tracking, access control, webhook processing and synchronization.	Customer is generally controller; Provider generally processes this data as processor under the DPA. Provider may process limited operational logs under Art. 6(1)(f) GDPR for security and reliability where Provider acts as controller.

4. Categories of Personal Data

Category	Examples
Account and contract data	Name, e-mail address, company name, role, account ID, plan, billing address, tax information, login information and authentication data.
Usage, telemetry and security data	Technical events, log data, timestamps, IP address, device and browser data, error reports, API usage, dashboard activity, security logs, rate-limit and misuse-prevention data.
Monetization configuration and entitlement configuration metadata	Product IDs, plan IDs, subscription status, trial status, entitlement states, usage keys, consumption events, usage records, one-time purchase metadata, webhook metadata and similar metadata, where processed through the Service.
Support and communication data	Support tickets, e-mails, chat messages, call notes, feedback, attachments, screenshots and related metadata.
Billing data	Invoices, payment status, payment method metadata and transaction references for Provider's own fees. Provider does not store full card numbers or bank account credentials.
Website, cookie and analytics data	Cookie IDs, consent status, page views, referrer, campaign parameters, analytics data and similar identifiers where used.
Newsletter and marketing data	E-mail address, name, company, subscription status, consent records, opening/click statistics where used and communication preferences.

5. Purposes, Legal Bases and Legitimate Interests

Purpose	Legal basis / legitimate interest
Account administration, authentication, dashboard access and contract performance	Art. 6(1)(b) GDPR where the data subject is party to the contract; otherwise Art. 6(1)(f) GDPR based on Provider's and Customer's legitimate interest in administering business accounts and providing access to the Service.
Billing, invoices, payment collection for Provider's own fees and accounting	Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR for legal obligations, and Art. 6(1)(f) GDPR based on legitimate interests in payment security, fraud prevention and receivables management.
IT security, abuse prevention, fraud prevention, logging, incident detection and service stability	Art. 6(1)(f) GDPR based on legitimate interests in secure and reliable operation of the Service, protection of systems, prevention of unauthorized access and enforcement of contractual rights.
Support, troubleshooting, customer communication and product improvement	Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR based on legitimate interests in supporting customers, resolving incidents, improving documentation and improving the Service.
Website analytics and product analytics not strictly necessary for operation	Art. 6(1)(a) GDPR where consent is required. Where consent is not required, Art. 6(1)(f) GDPR may apply based on legitimate interests in understanding and improving website and product usage.
Newsletter and direct marketing	Art. 6(1)(a) GDPR for consent-based newsletter subscriptions. Art. 6(1)(f) GDPR may apply for B2B communications or existing customer communications where permitted by law. Consent may be withdrawn at any time.
Legal compliance and defense of legal claims	Art. 6(1)(c) GDPR for legal obligations and Art. 6(1)(f) GDPR based on legitimate interests in establishing, exercising or defending legal claims.

6. Recipients, Processors and Tool Register

6.1 Provider may share personal data with processors and service providers used for hosting, infrastructure, database hosting, monitoring, support, e-mail delivery, customer communication, analytics, consent management, payment collection for Provider's own fees, accounting, legal compliance and security.

6.2 Processors are bound by data-processing agreements where required.

Provider / tool	Purpose	Role	Location / transfer mechanism
Webflow, Inc.	Website hosting, content delivery and server log processing.	Processor.	US; SCC
MongoDB Atlas / MongoDB, Inc.	Database hosting and storage of Service data, depending on the selected deployment and region.	Processor / sub-processor, as applicable.	EU/US; DPF/SCC
Stripe	Payment collection for Provider's own fees and, where configured by Customer, billing-provider integration for Customer's own Stripe account.	Independent controller and/or processor depending on the relevant data flow and contract relationship.	EU/US; DPF/SCC
RevenueCat, if and when supported	Subscription, app-store purchase and entitlement-related integration if enabled by Customer.	Independent controller and/or processor depending on configuration.	EU/US; DPF/SCC
Google	Transactional e-mails, account notifications, support or marketing e-mails where used.	Processor.	EU/US; DPF/SCC
Discord	Support tickets, customer communication, CRM, chat or helpdesk workflows where used.	Processor.	EU/US; DPF/SCC
Firebase	Dashboard analytics, product analytics, campaign analytics where used.	Processor / independent controller depending on tool.	EU/US; DPF/SCC
Ionos Cloud	Application hosting, logging, monitoring and infrastructure.	Processor / sub-processor.	EU

6.3 Data may be disclosed to authorities, courts, advisors, auditors, insurers or counterparties where required by law or necessary to establish, exercise or defend legal claims.

7. Cookies and Similar Technologies

7.1 Provider uses strictly necessary cookies or similar technologies for operation, authentication, security, load balancing, fraud prevention and consent storage. The website is hosted by Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA; Webflow may set technically necessary cookies as part of its hosting infrastructure. Optional cookies and similar technologies are used only where enabled and, where required, after consent.

7.2 Details of cookies, providers, purposes, legal bases and storage periods must be specified in a cookie notice or consent banner before publication and before the relevant cookies are deployed.

Cookie / technology category	Purpose	Legal basis	Retention / provider
Strictly necessary cookies	Login sessions, dashboard access, security, fraud prevention, load balancing and technical operation.	Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. Consent is generally not required where strictly necessary.	Session or limited technical retention; provider to be completed.
Consent-management cookies	Storing consent choices and withdrawal status.	Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR; where applicable, local cookie/ePrivacy rules.	Retention and provider to be completed.
Analytics cookies / identifiers	Website or product analytics, usage statistics and performance measurement where used.	Art. 6(1)(a) GDPR where consent is required; otherwise Art. 6(1)(f) GDPR where legally permissible.	Provider, storage period and transfer mechanism to be completed.
Marketing cookies / pixels	Campaign measurement, retargeting, attribution and marketing optimization where used.	Art. 6(1)(a) GDPR where required.	Provider, storage period and transfer mechanism to be completed.

7.3 Users may withdraw or adjust cookie consent through the consent-management tool where available. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

8. Newsletter, Marketing and Product Communications

8.1 If Provider offers a newsletter or marketing communications, Provider processes contact details, consent records, communication preferences and, where used, opening and click statistics for sending and measuring such communications.

8.2 Newsletter and marketing communications based on consent are processed under Art. 6(1)(a) GDPR. Existing customer or B2B communications may also be processed under Art. 6(1)(f) GDPR where permitted by law, based on Provider's legitimate interest in informing customers and business contacts about relevant products, services and updates.

8.3 Recipients can unsubscribe from marketing communications at any time using the unsubscribe link or by contacting Provider. Service-related, contractual, security or billing communications may still be sent where necessary for the Service or legal obligations.

9. Third-Country Transfers

9.1 Where personal data is transferred outside the EU/EEA, Provider uses appropriate transfer mechanisms, such as adequacy decisions, EU Standard Contractual Clauses, the EU-U.S. Data Privacy Framework where applicable, supplementary measures where required, or other safeguards recognized under GDPR.

9.2 Details of relevant transfers, recipients, hosting regions, safeguards and links to provider privacy/security information should be listed in the processor/sub-processor overview or cookie notice before publication and kept up to date.

9.3 Third-Party Services configured by Customer, such as Stripe and, if and when supported, RevenueCat, may conduct their own international transfers under their own terms and privacy notices. Customer is responsible for assessing transfers that Customer determines or configures as controller.

10. Retention Periods

10.1 Account and contract data is retained for the duration of the customer relationship and thereafter only as long as necessary for statutory retention, evidence, accounting, security or legal claims.

10.2 Billing and invoice data is retained in accordance with statutory retention obligations.

10.3 Log data is generally retained for a limited period, for example 30 to 90 days, unless security incidents, misuse investigations, legal claims or operational needs require longer retention.

10.4 Support communications are retained for as long as necessary to provide support, maintain business records and defend legal claims.

10.5 Newsletter and marketing consent records are retained for as long as necessary to demonstrate consent or until legal claims are time-barred; marketing contact data is deleted or suppressed after withdrawal or objection, unless retention is required to document the withdrawal or objection.

10.6 Customer Data processed as processor is deleted or returned in accordance with the DPA.

11. Data Subject Rights

Data subjects have the following rights to the extent the legal requirements are met: access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), objection (Art. 21 GDPR), withdrawal of consent (Art. 7(3) GDPR) and complaint with a supervisory authority (Art. 77 GDPR). Requests may be sent to hello@revenipe.com.

Data subjects may lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The supervisory authority competent for Provider's establishment is listed in Section 1.4.

12. Security

Provider implements appropriate technical and organizational measures, including encryption in transit, access controls, logging, backups, monitoring, secrets management and tenant separation where applicable. Details may be described in the DPA and security documentation.

13. Changes to this Privacy Policy

Provider may update this Privacy Policy to reflect changes in the Service, processing activities, tools or legal requirements. The current version will be made available on the website or in the dashboard.