ReviewBooster

Privacy Policy

Effective: April 18, 2026 | Version: 1.2

This notice describes how Hypin Kft. (operator of ReviewBooster) processes personal data, under Regulation (EU) 2016/679 (GDPR), Hungarian Act CXII of 2011 on Informational Self-Determination, and other applicable laws.

1. Controller

Company: Hypin Kft.
Registered office: 1133 Budapest, Gogol utca 26., Hungary
Company registry no.: 01-09-357234
Tax ID (HU): 14782714-2-41
EU VAT ID: HU14782714
Representative: Levente Tanai, Managing Director
Privacy contact: hello@reviewbooster.hu
Website: reviewbooster.hu

2. Data Protection Officer (DPO)

The conditions set out in Art. 37(1) GDPR are not met (we do not conduct large-scale, regular and systematic monitoring, and we do not process large volumes of special-category data). ReviewBooster therefore is not required to appoint a DPO and has not done so. Data-protection enquiries may be sent to hello@reviewbooster.hu or by post to 1133 Budapest, Gogol utca 26., Hungary.

3. Data sources and role

We collect personal data from the following sources:

  • Directly from the Subscriber: registration, profile fill-in, support communications.
  • From End Users (the Subscriber's customers) via the review form: optional name, optional email, star rating, free-text feedback.
  • Automatically, by technical means: server logs, IP address, device/browser metadata, security events.
  • From processors: Stripe (payment events), Resend (email delivery, bounce/complaint events), Számlázz.hu (invoice numbers, timestamps).

Role: for Subscriber data we act as an independent controller. For End-User data we act as processor on behalf of the Subscriber (Art. 28 GDPR); the Subscriber is the controller for that data. The details of the processor relationship are in §17 of the Terms (DPA).

4. Personal data processed

4.1. Subscribers

Data | Purpose | Legal basis | Retention
Name, email, password (hashed) | Registration, sign-in | Contract (Art. 6(1)(b)) | Account lifetime + 30 days
Company name, address, tax ID, EU VAT ID | Invoicing | Legal obligation (Art. 6(1)(c)) | 8 years (Hungarian Accounting Act §169)
Payment card (tokenised, not stored by us) | Payment | Contract (Art. 6(1)(b)) | Managed by Stripe (PCI DSS L1)
Invoice history | Accounting retention | Legal obligation (Art. 6(1)(c)) | 8 years
Email preferences, communication log | Transactional and service email | Contract (Art. 6(1)(b)) + legitimate interest (Art. 6(1)(f)) | 2 years from last interaction
Support messages | Support, complaint handling | Contract + legitimate interest | 5 years (Hungarian Consumer Protection Act)
IP address, device/browser metadata | Security, abuse prevention | Legitimate interest (Art. 6(1)(f)) | 90 days

4.2. End Users (reviewers)

Data | Purpose | Legal basis
Name (optional) | Feedback identification, reply | Consent (Art. 6(1)(a))
Email (optional) | Reply from business, conflict resolution | Consent (Art. 6(1)(a))
Star rating, free-text message | Feedback content | Legitimate interest (Art. 6(1)(f)) — Subscriber's business interest
IP address (during submission, short-term) | Rate limiting, abuse prevention | Legitimate interest (Art. 6(1)(f))

Providing name and email is strictly optional and is only possible after the End User ticks a separate consent checkbox on the review form. Without that consent the submission is fully anonymous.

5. Special categories, children's data

We do not intentionally collect or process special-category data (Art. 9 GDPR: health, political opinions, religion, sexual orientation, etc.). If an End User enters such data in the free-text field, we apply minimisation and deletion together with the Subscriber.

The Service is not intended for persons under 16. We do not knowingly collect data from End Users under 16. Should we learn that we hold such data, we delete it within 30 days.

6. Automated decision-making and profiling

We do not carry out solely automated decisions with legal or similarly significant effects within the meaning of Art. 22 GDPR. The star-threshold split offered by the Service (e.g. 4–5★ → Google, 1–3★ → private) is based only on the End User's own rating and produces no legal or similarly significant effect. We do not profile for marketing purposes and we do not sell data to third parties.

7. Direct and transactional email

  • Transactional email (invoices, account activity, security alerts) is necessary for performance of the contract and cannot be unsubscribed from while the account is active.
  • Onboarding / product-guidance email during the first weeks: based on the Provider's legitimate interest (Art. 6(1)(f)), with an unsubscribe link in every message; opt-out is respected automatically.
  • Product and marketing email (new features, offers): only with separate consent (Art. 6(1)(a)), withdrawable with one click at any time.

8. Security (technical and organisational measures, TOMs)

  • HTTPS (TLS 1.2+) for all connections.
  • Database-level encryption at rest (AES-256, Supabase Postgres).
  • Passwords stored as salted hashes (bcrypt), via the Supabase Auth layer.
  • Role-based access control (RBAC), Supabase Row-Level Security (RLS).
  • Payment-card data handled exclusively within Stripe (PCI DSS Level 1); we only hold a tokenised reference.
  • Security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy) on the application; API rate limiting.
  • Auditable logging of critical actions (sign-in, account change, plan change, deletion).
  • Confidentiality obligations on all personnel; need-to-know access only.
  • Daily automated database backups, 30-day retention.
  • At least annual security and dependency review.
  • Incident response plan with 72-hour internal escalation SLA.

9. Storage location and international transfers

Personal data is primarily stored in the EU, on Supabase (Frankfurt, eu-central-1). Some subprocessors may also process data in the United States (Stripe, Resend, Vercel edge). For these transfers we rely on the safeguards in Art. 46 GDPR:

  • The EU Commission's Standard Contractual Clauses (SCC, Implementing Decision 2021/914) with every relevant subprocessor;
  • Where the subprocessor is certified, the EU-US Data Privacy Framework (DPF) (Stripe, Vercel, Resend are DPF-certified).

A copy of the applicable safeguards can be requested at hello@reviewbooster.hu.

10. Subprocessors

Provider | Purpose | Location / safeguard
Supabase Inc. | Database, authentication, file storage | EU (Frankfurt)
Vercel Inc. | Application hosting, CDN, edge | EU + global / SCC + DPF
Stripe Payments Europe Ltd. | Card payment processing | EU (Ireland) + USA / SCC + DPF
Resend, Inc. | Transactional and system email | EU + USA / SCC + DPF
KBOSS.hu Kft. (Számlázz.hu) | Electronic invoicing, NAV reporting | Hungary

11. Your rights (GDPR Art. 15–22)

  • Access (Art. 15) — a copy of the personal data we hold.
  • Rectification (Art. 16) — correction of inaccurate or incomplete data.
  • Erasure (Art. 17, "right to be forgotten") — within 30 days.
  • Restriction of processing (Art. 18).
  • Data portability (Art. 20) — in a structured, machine-readable format.
  • Objection (Art. 21) — to processing based on legitimate interest.
  • Withdraw consent (Art. 7(3)) — at any time, without affecting prior processing.
  • Rights regarding automated decisions (Art. 22) — see §6.

How to exercise your rights: write to hello@reviewbooster.hu. We reply within 30 days; complex or voluminous requests may be extended by up to 60 days (Art. 12(3) GDPR).

We verify the requester's identity before disclosing sensitive data.

12. Complaints and redress

If you believe your data is being processed unlawfully you may:

  • Lodge a complaint with the Hungarian DPA (NAIH): 1055 Budapest, Falk Miksa u. 9-11 | naih.hu | ugyfelszolgalat@naih.hu | +36 (1) 391-1400.
  • Lodge a complaint with your own supervisory authority (EU): data subjects in other EU Member States may also contact their national DPA (e.g. Germany: BfDI and the relevant Landesbeauftragter; Austria: Datenschutzbehörde).
  • Seek judicial remedy: before the court of your habitual residence or the court where the controller has its seat (Art. 79 GDPR).

13. Personal data breaches

On becoming aware of a breach, we notify the NAIH within 72 hours (Art. 33 GDPR) and, where the breach poses a high risk, inform affected individuals without undue delay (Art. 34). Affected Subscribers are contacted at the email on file. The breach log is retained for 5 years.

14. Cookies and local storage

ReviewBooster uses only strictly necessary technical storage. No marketing, analytics, advertising or tracking cookies or pixels are set.

Strictly necessary storage is permitted without consent under the ePrivacy Directive (2002/58/EC, Art. 5(3)) and the GDPR, so no cookie banner is shown.

Technology | Purpose | Expiry
sb-<project>-auth-token (browser localStorage) | Stores sign-in token (Supabase Auth) | Access token: 1 hour; refresh token: until sign-out or manual deletion
Stripe-set cookies (checkout page only) | Fraud prevention, payment session | Per Stripe's own policy

You can clear browser local storage at any time via browser settings; this has the same effect as signing out.

15. Applicable laws

  • Regulation (EU) 2016/679 (GDPR)
  • Hungarian Act CXII of 2011 on Informational Self-Determination (Info tv.)
  • Act V of 2013 (Hungarian Civil Code)
  • Act C of 2000 (Accounting Act) — 8-year invoice retention
  • Act CVIII of 2001 (E-Commerce Act)
  • Act C of 2003 (Electronic Communications Act)
  • Directive 2002/58/EC (ePrivacy), Art. 5(3)

16. Changes

We may update this notice from time to time. Material changes (new purpose, new subprocessor, new data source) are announced at least 15 days before the effective date by email and by banner on the site. The current version is always available at reviewbooster.hu/en/privacy.

17. Version history

  • v1.2 (2026-04-18): DPO status clarified; data sources and role added; special categories / children; automated decision-making; international transfer with SCC + DPF detail; Számlázz.hu added; direct / transactional marketing section; TOMs expanded; cookies / localStorage corrected to reflect real technology; rights to lodge complaints with local EU DPAs; version history; aligned effective date with Terms.
  • v1.0 (2026-03-25): initial version.
