Privacy Policy

Effective: 2025-10-07

This Privacy Policy describes how Leveloper Kft. ("we", "us", "our") processes personal data in the Revisit dashboard/API and in the Revisit Recorder used on customer websites.

Controller and contact

  • Controller: Leveloper Kft.
  • Registered address: 2310 Szigetszentmiklós, Gerle utca 1., Hungary
  • Email: [email protected]

Scope and roles

  • For your dashboard account and use of Revisit, Leveloper Kft. is the data controller.
  • For visitor/session data recorded on your own website(s) using the Revisit Recorder, you are the controller and we act as your processor.

What we collect

Account and security (controller)

  • Name, email, password (bcrypt-hashed), email verification status.
  • Optional MFA (2FA); trusted devices (hashed tokens).
  • Login sessions (time, IP, user-agent), audit logs.
  • Integrations (GitHub/Jira) tokens encrypted at rest (AES‑256‑GCM).

Recorder/visitor data on your website (processor)

  • Session identifiers, timestamps, user-agent, IP, language/timezone, device/screen/viewport sizes, referrer, UTM.
  • Client-side events for session replay; optional metadata you send.
  • Optional MP4 replay generated from session data.
  • DNT/GPC honored: when present, recorder does not set identifiers or start recording.

Optional AI analysis (processor)

  • If enabled, session recordings may be analyzed via OpenRouter using sampled video frames; outputs (summary/timeline/optional issue suggestions) are stored.
  • If enabled, optional GitHub/Jira issue creation uses your encrypted tokens.

Legal bases (EEA/EU)

Dashboard/account data (controller)

  • Contract (provide the service you signed up for).
  • Legitimate interests (security, service operation/improvement, record‑keeping).
  • Legal obligation (honor data subject requests and compliance records).

Recorder on your sites (you as controller, we as processor)

  • You determine the lawful basis: legitimate interests (with masking and DNT/GPC) or consent via your banner/CMP.

Cookies and CSRF

  • Dashboard uses strictly‑necessary cookies for auth and CSRF (double‑submit `rv_csrf` + `X‑CSRF‑Token`).
  • The recorder uses a first‑party visitor cookie on your site. See Cookies Policy for details.

Do Not Track and Global Privacy Control

We honor DNT and GPC signals: when detected, the recorder does not persist identifiers or start recording; server ingestion and WebSocket handling respect these signals.

Data retention

  • Project session/events and MP4s: retained until you delete (no auto purge currently).
  • Account/profile, sessions/devices, integrations: retained while you use the service.
  • Application logs: deleted roughly every month; DSAR records retained for compliance.
  • Data export ZIP links: valid 1 week and then removed.

Sharing and processors

  • Self‑hosted at our HQ in Szigetszentmiklós, Hungary.
  • Email from our infrastructure.
  • Optional (if enabled): OpenRouter, GitHub, Jira.
  • No advertising technology; we do not sell/share personal data for cross‑context behavioral advertising.

International transfers

We operate in the EU (Hungary). If you enable AI (OpenRouter), OpenRouter and/or its upstream model providers may process data outside the EEA. Use appropriate safeguards (e.g., SCCs) or keep AI disabled for EEA data until they are in place.

Security

  • TLS/HSTS; HttpOnly cookies; CSRF double‑submit.
  • Passwords hashed with bcrypt; integration tokens encrypted at rest (AES‑256‑GCM).
  • Session and trusted device revocation in Settings.

Your rights

  • Access/portability, rectification, erasure, restriction, objection (where applicable).
  • Download account data and request erasure from Settings; exports valid 1 week.
  • For visitor data on your sites, you provide the mechanisms; we support you as processor.

Children

Intended for users aged 18+; we do not knowingly collect children’s data.

Changes

We may update this policy and will notify you where changes materially affect your rights.


Plain‑English explainer

  • “Legal basis” is the reason the law allows processing: account = run your account securely; recorder = your choice of legitimate interests (with minimization) or consent (banner).
  • “International transfers/SCCs” = if data leaves the EEA (e.g., US service), use Standard Contractual Clauses or keep that feature off until they are in place.