Privacy Statement
CUP REVOLUTION KFT. – DATA PROTECTION AND DATA MANAGEMENT POLICY
Cup Revolution Kft. (registered office: HU-1037 Budapest, Törökkő utca 1., tax number: 26791805-2-41, email:
info@cuprevolution.hu, registration court: Company Registry Court of the Budapest-Capital Regional Court, company
registration number: 01 09 345059, hereinafter referred to as the ‘Operator’) has the following
primary objective:
– to ensure the protection of the personal data provided by the visitors of its website at www.cuprevolution.eu
(hereinafter referred to as the ‘Website’), the users of the RevoToken application (hereinafter referred to as the
‘Application’ or the ‘Mobile Application’), those who register in the Application, as well as those who visit the
Operator's personal customer service in person (hereinafter referred to as the ‘Users’) while filling in the partner
forms, electronic information requests, registering in the Application, or while being present in the customer
service area.
– to ensure the protection of personal data provided in connection with partner participation in the ‘Cup
Revolution’ and ‘Cupler’ reusable cup systems (hereinafter referred to as the ‘System’) operated by the Operator as
a contractor, as set out in the Cup Revolution and Cupler Reusable Cup System for Catering Units and Events –
Partner Specific Agreement (hereinafter referred to as the ‘Partnership Agreement’) and by the parties designated as
Partners (hereinafter referred to as the ‘Partners’) during the performance of the Partner Agreement, and the
assurance of the Users’ right to informational self-determination, as provided for in this Policy.
Our company strictly complies with applicable data protection laws in the use and management of personal data. We
only process personal data in accordance with the applicable data protection legislation.
Our company reserves the right to amend this Policy at any time and will notify affected parties by posting the new
Policy on its website.
1. Definition and Contact Details of the Data Controller
The Data Controller is Cup Revolution Kft. (hereinafter referred to as the ‘Data Controller’ or the
‘Company’)
Contact Details:
Company Name: Cup Revolution Korlátolt Felelősségű Társaság, Tax Number: 26791805-2-41
Registered Office and Postal Address: HU-1037 Budapest, Törökkő utca 1.
Email: info@cuprevolution.hu
Website: www.cuprevolution.eu
The Data Controller acknowledges the content of this Policy as binding on itself and undertakes to ensure that all
elements of this Policy have been formulated in accordance with and comply with the requirements of the applicable
laws in force in Hungary and the EU.
2. Definition of Personal Data, Data Subjects, and Data Processing Personal data is any data or information that,
either alone or in combination with other data or information, directly or indirectly identifies a specific person.
Data subjects are primarily interested parties, customers, natural persons using the services of the Data
Controller, the Data Controller’s own employees, natural person partners of the Data Controller, representatives and
contact persons of its non-natural person partners,
and potentially other employees. The exact categories of data subjects are defined for each data processing
activity. Data processing means any operation carried out on personal data, such as collecting, storing, using,
organising, transferring, modifying, combining with other data, deleting, or destroying the data. Apart from the
mandatory data processing required to comply with statutory and legal obligations, the data processing activities
carried out by the Data Controller are based on the voluntary consent of the data subject in accordance with legal
requirements.
3. Data Processing Related to Services
3.1. One-time Information Request
The Data Controller allows data subjects to request information from the Data Controller by providing the data
detailed below, for example, regarding the Data Controller's services. Legal basis for data processing: the
information request is based on the voluntary consent of the data subject. Scope of data subjects: any natural
person who contacts the Data Controller by phone, email, or through the Data Controller's website and requests
information by providing their personal data. Scope of Data Processed and Purpose of Use:
Name: identification; Telephone number: contact; Email address: contact; Content of the questions and any other
data provided by the data subject: responding to inquiries.
Purpose of data processing: to provide relevant information to the data subject and to maintain contact with
them.
Activities and processes concerned by the data processing:
– The data subject may consult with the Data Controller about the Data Controller's services and/or other related
matters through any means or methods made available by the Data Controller.
– The Data Controller shall respond to the data subject's inquiry and send the response via the same method through
which the information request was received, unless the data subject specifies otherwise.
– In line with the purpose of the data processing, the data subject voluntarily consents to be contacted by the
Data Controller via the contact details provided during the information request, in order to clarify or answer the
question. Duration of Data Processing: until the purpose is fulfilled. If the request for information and/or the
provision of information has legal implications or significantly impacts the data subject or the Data Controller,
the Data Controller shall process the data for the duration of the applicable limitation period.
3.2. Ongoing, Regular Communication with Data Subjects
The Data Controller ensures that the data subject can maintain continuous or regular contact with them through
various means and channels. Examples include electronic communication methods such as email, chat provided on the
website, or postal and telephone communication. This could include, for example, correspondence with the Data
Controller about its services or discussions prior to entering into a partnership agreement. The legal basis for
data processing is the voluntary consent of the data subject. In the event that the Data Controller and the data
subject enter into an agreement, such as for the provision of a service by the Data Controller, the legal basis for
data processing shall hereinafter be based on the conclusion of a contract. Contact and communication, including the
processing of relevant data, may be based on the legitimate interests of the data subject, of a third party or of
the Data Controller, as well as on other legal bases as defined by law. For example, it may also be required by law
(see the ‘Legal Basis and Legality’ section of the Policy). The Data Controller shall inform the data subject, upon
request, of the legal basis on which their data is processed. Scope of Data Subjects: All natural persons, including
those acting on behalf of a legal entity—such as a company or organisation—who maintain contact with the
Data
Controller on a continuous or regular basis beyond a one-time request for information. Scope of Data Processed and
Purpose of Use:
Name: identification; Telephone number: contact; Email address: contact; Content of the questions and any other
data provided by the data subject: responding to inquiries.
The purpose of the data processing is to maintain contact with the data subject and to address and resolve any
questions, requests and other issues that may arise. Activities and processes concerned by the data
processing:
– The data subject may consult with the Data Controller about the Data Controller's services and/or other related
matters through any means or methods made available by the Data Controller. In order to use the chat application
available on the website, the data subject provides their email address.
– Based on the content of the communication and in accordance with laws and internal regulations, the Data
Controller shall take the necessary steps and, by way of example, inform the data subject.
– In line with the purpose of the data processing, the data subject voluntarily consents to be contacted by the
Data Controller via the contact details provided during the information request, in order to clarify or answer the
question.
3.3. Handling of Customer Data in Connection with Service Use
The Data Controller provides its Partners with the opportunity to place orders, request delivery, and settle
payment for goods and services through its website, mobile application, or telephone customer service. The legal
basis for the data processing is the voluntary consent of the data subject, as well as the Data Controller's
legitimate interest, as the data processing is necessary for the fulfilment of the customer order/contract [pursuant
to Article 6(1)(b) of the GDPR and Section 169 (2) of the Accounting Act]. Scope of Data Subjects: All natural
persons, including those acting on behalf of a legal entity—be it a company or an organisation—who use the Data
Controller's services, including, for example, ordering reusable cups via the Data Controller's
website.
Scope of Data Processed and Purpose of Use: In case of registration on the website – purpose of data use name –
Identification Phone Number – Contact Email Address – Contact Question, Content of Question, Other Data Provided by
the Data Subject – Response Apple ID (if the user uses their Apple ID for registration/login) – Identification Email
Address Used on Facebook (if the user uses Facebook login for registration/login) – Identification – Publicly
Available Information from the User’s Completed Facebook Profile – Creating Statistics / Address or Delivery Address
Provided for Receiving the Shipment – Purchase / Service Fulfilment / Names and Quantities of
Purchased
Products – Purchase/Service Fulfilment / Purchase Habits Statistical Analysis, Profile Creation Bank Card Details –
Payment
Scope of Data Processed and Purpose of Use
Scope of data processed in case of registration on the website or in the application:
Name – Identification / Phone Number – Contact / Email Address – Contact / Question, Content of Question, Other
Data Provided by the Data Subject – Response / Apple ID (if the user uses their Apple ID for registration/login) –
Identification / Email Address Used on Facebook (if the user uses Facebook login for registration/login) –
Identification / Publicly Available Information from the User’s Completed Facebook Profile – Creating Statistics /
Email Address Used for Google Account (if the user uses Google login
for registration/login) – Identification / Business Address or Delivery Address Provided for Receiving the Shipment
– Purchase/Service Fulfilment / Names and Quantities of Purchased Products – Purchase/Service Fulfilment /
Statistical Analysis of Purchasing Habits, Profile Creation Bank Card Details – Payment
The purpose of data processing includes: Processing purchases made through the Data Controller's service (website,
mobile application); issuing invoices; maintaining records of Partners and Consumers, and distinguishing between
them; documenting purchases and payments; fulfilling accounting obligations; maintaining contact; analysing habits;
providing more targeted service to Partners and Consumers.
In the case of bank card payments, the card details and the payment transaction data are processed by OTP Mobil
Szolgáltató Korlátolt Felelősségű Társaság (short name: OTP Mobil Kft., registered office: HU-1143 Budapest,
Hungária körút 17-19., tax number: 24386106-2-42, company registration number: 01 09 174466).
Activities and processes concerned by the data processing:
– The data subject uses the services provided by the Data Controller through the available channels, for example,
by ordering a reusable cup from the Data Controller.
– The Data Controller provides the service in accordance with its General Terms and Conditions based on the
order.
– During the purchasing process, an analysis of customer habits is also conducted, thus the purchasing habits are
analysed. On the website or within the mobile application, advertisements or personalised/partner offers are
displayed based on automated decision-making. The logic used in automated decision making includes the personal data
provided by the data subject, geographical location, external factors (e.g. weather, time of day) and data from the
user's activities, which are used to target advertising and display personalised marketing messages. Duration of
data processing: in accordance
with Section 169 (2) of the Accounting Act, eight years. Automated decision-making, profiling: This occurs in
connection with data processing.
Impact of profiling on the data subject: Different, personalised messages, including marketing content if consented
to, will be displayed to individual users. The data subject, under Article 22(3) of the GDPR, may request human
intervention from the Data Controller, express their opinion, or lodge an objection to the decision. Data
transfers:
– In the case of payment by bank card, the payer's identifier, the transaction amount, the date, and time will be
transferred to OTP Mobil Szolgáltató Korlátolt Felelősségű Társaság (Short name: OTP Mobil Kft., registered office:
1143 Budapest, Hungária körút 17-19., tax number: 24386106-2-42, company registration number: 01 09
174466).
– For home delivery of purchased products: Data is transferred to the delivery partners contracted with the Data
Controller. Legal basis for data transfer: the processing is necessary for the performance of a contract [Article
6(1)(b) of the GDPR].
3.4. Data processing during payment by bank card
The Data Controller does not process any payment-related data; for payments, the OTP Mobil Kft. SimplePay payment
portal service is used, during which the bank card and payment transaction data are not stored in the Data
Controller's IT system. Legal basis for data processing: voluntary consent, and the processing is necessary for the
performance of a contract [Article 6(1)(b) of the GDPR].
Scope of data subjects: All natural persons who have placed an order with the Data Controller and have made payment
by bank card. Scope of data processed: In connection with the sale of products and the provision of services as a
data processing purpose, data related to purchases are transferred through the OTP Mobil Kft. SimplePay payment
portal’s card acceptance network for the purposes of financial transaction processing, transaction security, and
transaction tracking. Scope of transferred data includes: last name, first name, delivery address, billing address,
telephone number, email address, and data related to the payment transaction. Personal data processed for the
purpose of online payment: bank card details*. Payment-related data is not stored by the Data Controller; it is
provided directly for payment and only OTP Mobil Kft. has access to it. If the data marked with an asterisk (*) is
not provided, no contractual relationship will be established between the Data Controller and the data subject, as
the payment cannot be processed by the data controllers. Purpose of data processing: Payment of the order. Duration
of data processing: 8 years following the fulfilment of the service. Data processing procedure: The customer submits
their order through the Data Controller’s website or mobile application and provides the data necessary for
the
payment of the order. Method of data processing: Electronically. Source of data: Directly from the data
subject.
Use of a data processor: For online payments, the Data Controller uses the following data processor: OTP Mobil
Szolgáltató Korlátolt Felelősségű Társaság (Short name: OTP Mobil Kft., registered office: 1143 Budapest, Hungária
körút 17-19., tax number: 24386106-2-42, company registration number: 01 09 174466).
4. IT-related Data Processing
4.1. Logging of the www.cuprevolution.eu website server and the Application servers
In order to ensure the safe and continuous operation of the Data Controller's website and mobile application, user
data is recorded which, if analysed, may lead to the identification of the specific user. Browsing the website
without user registration or completing a purchase does not record data directly suitable for identifying the data
subject. Legal basis for data processing: The legitimate interest of the Data Controller. [Article 6(1)(f) of the
GDPR], as well as Act CVIII of 2001, Section 13/A (3). Scope of Data Subjects: Individuals who browse the Data
Controller’s website available at www.cuprevolution.eu or use the mobile application. Scope and purposes of the
processed data: IP address, operating system, and internet browser data, time of website visit, duration of time
spent on the website, time of mobile application usage, duration of mobile application usage, geolocation data of
the data subject (if the data subject authorises their use on the given device), ensuring IT operations and service
provision.
Purpose of data processing: To ensure the secure and continuous operation of the Data Controller’s website and
mobile application. Duration of data processing: One year. Method of data processing: Conducted electronically and
automatically through an IT system. Automated decision-making, profiling: This does not occurs in connection with
data processing. Source of data: Directly from the data subject. Use of data processors:
– Web Hosting: Wix.com Inc. (Headquarters: 500 Terry A. Francois Boulevard, 6th Floor, San Francisco, CA, 94158,
United States)
– App Hosting: DigitalOcean, LLC. 101 Avenue of the Americas, 10th Floor, New York, NY 10013. UNITED STATES. Phone:
+1 888 890 6714 fax: email: noc (at) digitalocean (dot) com.
– Email sending: Twilio Inc. 1801 California Street Suite 500 Boulder, CO 80202 United States ; WEBSITE.
www.sendgrid.com
– Application Analytics: Google Firebase, Crashlytics
– Login: Meta Platforms Ireland Limited / Google LLC
4.2. Cookie Management
The management of cookies is governed by the cookie policy of the Data Controller.
5. Data Security Measures, Data Protection Officer
Data Security Measures
The Operator exercises the utmost care in handling and storing the personal data provided by the data subjects. In
the field of IT security, the Operator uses the most efficient and advanced tools and procedures reasonably
available.
The Data Controller designs and carries out data processing operations in such a way as to ensure the protection of
the privacy of the Users concerned. The Operator ensures the security of the data and takes the necessary technical
and organisational measures, and has established the procedural rules necessary for the enforcement of the
Information Act and other data and secrecy protection regulations.
– The Operator takes appropriate measures to protect the data, in particular against unauthorised access,
alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage,
and against becoming inaccessible due to changes in the technology used.
– To protect electronically managed data files in various registers, the Operator ensures, through appropriate
technical solutions, that the data stored in the registers cannot be directly linked or assigned to the affected
User—except where permitted by law.
– The Operator selects and operates the IT tools used for the provision of the service in such a way that the
personal data managed are accessible to authorised persons (availability);
o its authenticity and verifiability is ensured (data processing authenticity);
o its immutability can be verified (data integrity);
o it is protected against unauthorised access (data confidentiality).
– The Operator ensures the security of data processing by means of technical, organisational, and structural
measures that provide a level of protection appropriate to the risks associated with data processing.
– The Operator's IT system and network are protected against computer-assisted fraud, espionage, sabotage,
vandalism, fire and flood, as well as computer viruses, hacking, and denial-of-service attacks. The Operator ensures
security by means of protective procedures at server and application level.
– Electronic messages transmitted over the Internet, regardless of the protocol (such as email, web, FTP, etc.),
are vulnerable to network threats that could lead to unfair activities or the disclosure and modification of
information. To protect against such threats, the Operator takes all reasonable precautions. Systems are monitored
to record any security discrepancies and to provide evidence in the event of a security incident. However, it is
well known—and understood by the Users
—that the Internet is not one hundred percent secure. The Operator shall not be held liable for any potential
damages caused by unavoidable attacks that occur despite exercising the highest level of care.
Data Protection Officer
The Operator declares that it is not required by the GDPR to appoint a Data Protection Officer and therefore does
not employ one.
6. Consumer Complaints
– The Operator's customer service handles complaints related to the Operator's service and user inquiries via the
email address info@cuprevolution.hu, as well as in person at the customer service office (HU-1037 Budapest, Törökkő
u. 1).
– A User submitting a complaint may seek legal remedy or lodge a complaint with the competent local court or the
National Authority for Data Protection and Freedom of Information (NAIH): HU-1024 Budapest, Szilágyi Erzsébet fasor
22/C. (www.naih.hu).
7. Compliance with Official Requests
– The court, the public prosecutor, the investigating authority, the administrative authority, the data protection
commissioner or other bodies authorised by law may contact the Operator to provide information, disclose data,
transfer data or make documents available.
– The Operator shall disclose personal data to the authorities only if the authority specifies the exact purpose
and scope of the data requested and only to the extent strictly necessary to achieve the purpose of the
request.
If you do not agree to the above, please do not use the Website or the Application.
If you have any further questions about data protection, please contact our staff.
This Policy is publicly available on the Website from the date of its publication and is effective from that
date.
Last modification: 13.09.2022