Privacy Policy
Effective: 2025-10-07
This Privacy Policy describes how Leveloper Kft. ("we", "us", "our") processes personal data in the Revisit dashboard/API and in the Revisit Recorder used on customer websites.
Controller and contact
- Controller: Leveloper Kft.
- Registered address: 2310 Szigetszentmiklós, Gerle utca 1., Hungary
- Email: info@leveloper.io
Scope and roles
- For your dashboard account and use of Revisit, Leveloper Kft. is the data controller.
- For visitor/session data recorded on your own website(s) using the Revisit Recorder, you are the controller and we act as your processor.
What we collect
Account and security (controller)
- Name, email, password (bcrypt-hashed), email verification status.
- Optional MFA (2FA); trusted devices (hashed tokens).
- Login sessions (time, IP, user-agent), audit logs.
- Integrations (GitHub/Jira) tokens encrypted at rest (AES‑256‑GCM).
Recorder/visitor data on your website (processor)
- Session identifiers, timestamps, user-agent, IP, language/timezone, device/screen/viewport sizes, referrer, UTM.
- Client-side events for session replay; optional metadata you send.
- Optional MP4 replay generated from session data.
- DNT/GPC honored: when either signal is present, the recorder does not set identifiers or start recording.
Optional AI analysis (processor)
- If enabled, a session MP4 is uploaded to Google Gemini; outputs (summary/timeline/optional issue suggestions) are stored.
- If enabled, optional GitHub/Jira issue creation uses your encrypted tokens.
Legal bases (EEA/EU)
Dashboard/account data (controller)
- Contract (provide the service you signed up for).
- Legitimate interests (security, service operation/improvement, record‑keeping).
- Legal obligation (honor data subject requests and compliance records).
Recorder on your sites (you as controller, we as processor)
- You determine the lawful basis: legitimate interests (with masking and DNT/GPC) or consent via your banner/CMP.
Cookies and CSRF
- Dashboard uses strictly‑necessary cookies for auth and CSRF (double‑submit pattern: `rv_csrf` cookie + `X-CSRF-Token` header).
- The recorder uses a first‑party visitor cookie on your site. See Cookies Policy for details.
Do Not Track and Global Privacy Control
We honor DNT and GPC signals: when detected, the recorder does not persist identifiers or start recording; server ingestion and WebSocket handling respect these signals.
Data retention
- Project session/events and MP4s: retained until you delete (no auto purge currently).
- Account/profile, sessions/devices, integrations: retained while you use the service.
- Application logs: deleted roughly every month; DSAR records retained for compliance.
- Data export ZIP links: valid 1 week and then removed.
Sharing and processors
- Self‑hosted at our HQ in Szigetszentmiklós, Hungary.
- Email from our infrastructure.
- Optional (if enabled): Google (Gemini), GitHub, Jira.
- No advertising technology; we do not sell/share personal data for cross‑context behavioral advertising.
International transfers
We operate in the EU (Hungary). If you enable AI (Gemini), Google may process data outside the EEA. Use appropriate safeguards (e.g., SCCs) or keep AI disabled for EEA data until in place.
Security
- TLS/HSTS; HttpOnly cookies; CSRF double‑submit.
- Passwords hashed with bcrypt; integration tokens encrypted at rest (AES‑256‑GCM).
- Session and trusted device revocation in Settings.
Your rights
- Access/portability, rectification, erasure, restriction, objection (where applicable).
- Download account data and request erasure from Settings; exports valid 1 week.
- For visitor data on your sites, you provide the mechanisms; we support you as processor.
Children
Intended for users aged 18+; we do not knowingly collect children’s data.
Changes
We may update this policy and will notify where changes materially affect your rights.
Plain‑English explainer
- “Legal basis” is the reason the law allows processing: account = run your account securely; recorder = your choice of legitimate interests (with minimization) or consent (banner).
- “International transfers/SCCs” = if data leaves the EEA (e.g., US service), use Standard Contractual Clauses or keep that feature off until in place.