Privacy policy

Privacy Statement 

CUP REVOLUTION KFT. – DATA PROTECTION AND DATA MANAGEMENT POLICY

Cup Revolution Kft. (registered office: HU-1037 Budapest, Törökkő utca 1., tax number: 26791805-2-41, email: info@cuprevolution.hu, registration court: Company Registry Court of the Budapest-Capital Regional Court, company registration number: 01 09 345059, hereinafter referred to as the ‘Operator’) has the following primary objective: 

– to ensure the protection of the personal data provided by the visitors of its website at www.cuprevolution.eu (hereinafter referred to as the ‘Website’), the users of the RevoToken application (hereinafter referred to as the ‘Application’ or the ‘Mobile Application’), those who register in the Application, as well as those who visit the Operator's personal customer service in person (hereinafter referred to as the ‘Users’) while filling in the partner forms, electronic information requests, registering in the Application, or while being present in the customer service area. 

– to ensure the protection of personal data provided in connection with partner participation in the ‘Cup Revolution’ and ‘Cupler’ reusable cup systems (hereinafter referred to as the ‘System’) operated by the Operator as a contractor, as set out in the Cup Revolution and Cupler Reusable Cup System for Catering Units and Events – Partner Specific Agreement (hereinafter referred to as the ‘Partnership Agreement’) and by the parties designated as Partners (hereinafter referred to as the ‘Partners’) during the performance of the Partner Agreement, and the assurance of the Users’ right to informational self-determination, as provided for in this Policy. 

Our company strictly complies with applicable data protection laws in the use and management of personal data. We only process personal data in accordance with the applicable data protection legislation. 

Our company reserves the right to amend this Policy at any time and will notify affected parties by posting the new Policy on its website. 

1. Definition and Contact Details of the Data Controller 

The Data Controller is Cup Revolution Kft. (hereinafter referred to as the ‘Data Controller’ or the ‘Company’) 

Contact Details: 

Company Name: Cup Revolution Korlátolt Felelősségű Társaság, Tax Number: 26791805-2-41 

Registered Office and Postal Address: HU-1037 Budapest, Törökkő utca 1. 

Email: info@cuprevolution.hu 

Website: www.cuprevolution.eu 

The Data Controller acknowledges the content of this Policy as binding on itself and undertakes to ensure that all elements of this Policy have been formulated in accordance with and comply with the requirements of the applicable laws in force in Hungary and the EU. 

2. Definition of Personal Data, Data Subjects, and Data Processing Personal data is any data or information that, either alone or in combination with other data or information, directly or indirectly identifies a specific person. Data subjects are primarily interested parties, customers, natural persons using the services of the Data Controller, the Data Controller’s own employees, natural person partners of the Data Controller, representatives and contact persons of its non-natural person partners, 

and potentially other employees. The exact categories of data subjects are defined for each data processing activity. Data processing means any operation carried out on personal data, such as collecting, storing, using, organising, transferring, modifying, combining with other data, deleting, or destroying the data. Apart from the mandatory data processing required to comply with statutory and legal obligations, the data processing activities carried out by the Data Controller are based on the voluntary consent of the data subject in accordance with legal requirements. 

3. Data Processing Related to Services 

3.1. One-time Information Request 

The Data Controller allows data subjects to request information from the Data Controller by providing the data detailed below, for example, regarding the Data Controller's services. Legal basis for data processing: the information request is based on the voluntary consent of the data subject. Scope of data subjects: any natural person who contacts the Data Controller by phone, email, or through the Data Controller's website and requests information by providing their personal data. Scope of Data Processed and Purpose of Use: 

Name: identification; Telephone number: contact; Email address: contact; Content of the questions and any other data provided by the data subject: responding to inquiries. 

Purpose of data processing: to provide relevant information to the data subject and to maintain contact with them. 

Activities and processes concerned by the data processing: 

– The data subject may consult with the Data Controller about the Data Controller's services and/or other related matters through any means or methods made available by the Data Controller. 

– The Data Controller shall respond to the data subject's inquiry and send the response via the same method through which the information request was received, unless the data subject specifies otherwise. 


– In line with the purpose of the data processing, the data subject voluntarily consents to be contacted by the Data Controller via the contact details provided during the information request, in order to clarify or answer the question. Duration of Data Processing: until the purpose is fulfilled. If the request for information and/or the provision of information has legal implications or significantly impacts the data subject or the Data Controller, the Data Controller shall process the data for the duration of the applicable limitation period. 

3.2. Ongoing, Regular Communication with Data Subjects 

The Data Controller ensures that the data subject can maintain continuous or regular contact with them through various means and channels. Examples include electronic communication methods such as email, chat provided on the website, or postal and telephone communication. This could include, for example, correspondence with the Data Controller about its services or discussions prior to entering into a partnership agreement. The legal basis for data processing is the voluntary consent of the data subject. In the event that the Data Controller and the data subject enter into an agreement, such as for the provision of a service by the Data Controller, the legal basis for data processing shall hereinafter be based on the conclusion of a contract. Contact and communication, including the processing of relevant data, may be based on the legitimate interests of the data subject, of a third party or of the Data Controller, as well as on other legal bases as defined by law. For example, it may also be required by law (see the ‘Legal Basis and Legality’ section of the Policy). The Data Controller shall inform the data subject, upon request, of the legal basis on which their data is processed. Scope of Data Subjects: All natural persons, including those acting on behalf of a legal entity—such as a company or organisation—who maintain contact with the Data 

Controller on a continuous or regular basis beyond a one-time request for information. Scope of Data Processed and Purpose of Use: 

Name: identification; Telephone number: contact; Email address: contact; Content of the questions and any other data provided by the data subject: responding to inquiries. 

The purpose of the data processing is to maintain contact with the data subject and to address and resolve any questions, requests and other issues that may arise. Activities and processes concerned by the data processing: 

– The data subject may consult with the Data Controller about the Data Controller's services and/or other related matters through any means or methods made available by the Data Controller. In order to use the chat application available on the website, the data subject provides their email address. 

– Based on the content of the communication and in accordance with laws and internal regulations, the Data Controller shall take the necessary steps and, by way of example, inform the data subject. 

– In line with the purpose of the data processing, the data subject voluntarily consents to be contacted by the Data Controller via the contact details provided during the information request, in order to clarify or answer the question. 

3.3. Handling of Customer Data in Connection with Service Use 

The Data Controller provides its Partners with the opportunity to place orders, request delivery, and settle payment for goods and services through its website, mobile application, or telephone customer service. The legal basis for the data processing is the voluntary consent of the data subject, as well as the Data Controller's legitimate interest, as the data processing is necessary for the fulfilment of the customer order/contract [pursuant to Article 6(1)(b) of the GDPR and Section 169 (2) of the Accounting Act]. Scope of Data Subjects: All natural persons, including those acting on behalf of a legal entity—be it a company or an organisation—who use the Data Controller's services, including, for example, ordering reusable cups via the Data Controller's website. 

Scope of Data Processed and Purpose of Use: In case of registration on the website – purpose of data use name – Identification Phone Number – Contact Email Address – Contact Question, Content of Question, Other Data Provided by the Data Subject – Response Apple ID (if the user uses their Apple ID for registration/login) – Identification Email Address Used on Facebook (if the user uses Facebook login for registration/login) – Identification – Publicly Available Information from the User’s Completed Facebook Profile – Creating Statistics / Address or Delivery Address Provided for Receiving the Shipment – Purchase / Service Fulfilment / Names and Quantities of Purchased 

Products – Purchase/Service Fulfilment / Purchase Habits Statistical Analysis, Profile Creation Bank Card Details – Payment 

Scope of Data Processed and Purpose of Use 

Scope of data processed in case of registration on the website or in the application: 

Name – Identification / Phone Number – Contact / Email Address – Contact / Question, Content of Question, Other Data Provided by the Data Subject – Response / Apple ID (if the user uses their Apple ID for registration/login) – Identification / Email Address Used on Facebook (if the user uses Facebook login for registration/login) – Identification / Publicly Available Information from the User’s Completed Facebook Profile – Creating Statistics / Email Address Used for Google Account (if the user uses Google login 

for registration/login) – Identification / Business Address or Delivery Address Provided for Receiving the Shipment – Purchase/Service Fulfilment / Names and Quantities of Purchased Products – Purchase/Service Fulfilment / Statistical Analysis of Purchasing Habits, Profile Creation Bank Card Details – Payment 

The purpose of data processing includes: Processing purchases made through the Data Controller's service (website, mobile application); issuing invoices; maintaining records of Partners and Consumers, and distinguishing between them; documenting purchases and payments; fulfilling accounting obligations; maintaining contact; analysing habits; providing more targeted service to Partners and Consumers. 

In the case of bank card payments, the card details and the payment transaction data are processed by OTP Mobil Szolgáltató Korlátolt Felelősségű Társaság (short name: OTP Mobil Kft., registered office: HU-1143 Budapest, Hungária körút 17-19., tax number: 24386106-2-42, company registration number: 01 09 174466). 


Activities and processes concerned by the data processing: 

– The data subject uses the services provided by the Data Controller through the available channels, for example, by ordering a reusable cup from the Data Controller. 

– The Data Controller provides the service in accordance with its General Terms and Conditions based on the order. 

– During the purchasing process, an analysis of customer habits is also conducted, thus the purchasing habits are analysed. On the website or within the mobile application, advertisements or personalised/partner offers are displayed based on automated decision-making. The logic used in automated decision making includes the personal data provided by the data subject, geographical location, external factors (e.g. weather, time of day) and data from the user's activities, which are used to target advertising and display personalised marketing messages. Duration of data processing: in accordance 

with Section 169 (2) of the Accounting Act, eight years. Automated decision-making, profiling: This occurs in connection with data processing. 

Impact of profiling on the data subject: Different, personalised messages, including marketing content if consented to, will be displayed to individual users. The data subject, under Article 22(3) of the GDPR, may request human intervention from the Data Controller, express their opinion, or lodge an objection to the decision. Data transfers: 

– In the case of payment by bank card, the payer's identifier, the transaction amount, the date, and time will be transferred to OTP Mobil Szolgáltató Korlátolt Felelősségű Társaság (Short name: OTP Mobil Kft., registered office: 1143 Budapest, Hungária körút 17-19., tax number: 24386106-2-42, company registration number: 01 09 174466). 

– For home delivery of purchased products: Data is transferred to the delivery partners contracted with the Data Controller. Legal basis for data transfer: the processing is necessary for the performance of a contract [Article 6(1)(b) of the GDPR]. 

3.4. Data processing during payment by bank card 

The Data Controller does not process any payment-related data; for payments, the OTP Mobil Kft. SimplePay payment portal service is used, during which the bank card and payment transaction data are not stored in the Data Controller's IT system. Legal basis for data processing: voluntary consent, and the processing is necessary for the performance of a contract [Article 6(1)(b) of the GDPR]. 

Scope of data subjects: All natural persons who have placed an order with the Data Controller and have made payment by bank card. Scope of data processed: In connection with the sale of products and the provision of services as a data processing purpose, data related to purchases are transferred through the OTP Mobil Kft. SimplePay payment portal’s card acceptance network for the purposes of financial transaction processing, transaction security, and transaction tracking. Scope of transferred data includes: last name, first name, delivery address, billing address, telephone number, email address, and data related to the payment transaction. Personal data processed for the purpose of online payment: bank card details*. Payment-related data is not stored by the Data Controller; it is provided directly for payment and only OTP Mobil Kft. has access to it. If the data marked with an asterisk (*) is not provided, no contractual relationship will be established between the Data Controller and the data subject, as the payment cannot be processed by the data controllers. Purpose of data processing: Payment of the order. Duration of data processing: 8 years following the fulfilment of the service. Data processing procedure: The customer submits their order through the Data Controller’s website or mobile application and provides the data necessary for the 

payment of the order. Method of data processing: Electronically. Source of data: Directly from the data subject. 

Use of a data processor: For online payments, the Data Controller uses the following data processor: OTP Mobil Szolgáltató Korlátolt Felelősségű Társaság (Short name: OTP Mobil Kft., registered office: 1143 Budapest, Hungária körút 17-19., tax number: 24386106-2-42, company registration number: 01 09 174466). 


4. IT-related Data Processing 

4.1. Logging of the www.cuprevolution.eu website server and the Application servers 

In order to ensure the safe and continuous operation of the Data Controller's website and mobile application, user data is recorded which, if analysed, may lead to the identification of the specific user. Browsing the website without user registration or completing a purchase does not record data directly suitable for identifying the data subject. Legal basis for data processing: The legitimate interest of the Data Controller. [Article 6(1)(f) of the GDPR], as well as Act CVIII of 2001, Section 13/A (3). Scope of Data Subjects: Individuals who browse the Data Controller’s website available at www.cuprevolution.eu or use the mobile application. Scope and purposes of the processed data: IP address, operating system, and internet browser data, time of website visit, duration of time spent on the website, time of mobile application usage, duration of mobile application usage, geolocation data of the data subject (if the data subject authorises their use on the given device), ensuring IT operations and service provision. 

Purpose of data processing: To ensure the secure and continuous operation of the Data Controller’s website and mobile application. Duration of data processing: One year. Method of data processing: Conducted electronically and automatically through an IT system. Automated decision-making, profiling: This does not occurs in connection with data processing. Source of data: Directly from the data subject. Use of data processors: 


– Web Hosting: Wix.com Inc. (Headquarters: 500 Terry A. Francois Boulevard, 6th Floor, San Francisco, CA, 94158, United States) 

– App Hosting: DigitalOcean, LLC. 101 Avenue of the Americas, 10th Floor, New York, NY 10013. UNITED STATES. Phone: +1 888 890 6714 fax: email: noc (at) digitalocean (dot) com. 

– Email sending: Twilio Inc. 1801 California Street Suite 500 Boulder, CO 80202 United States ; WEBSITE. www.sendgrid.com 

– Application Analytics: Google Firebase, Crashlytics 

– Login: Meta Platforms Ireland Limited / Google LLC 

4.2. Cookie Management 

The management of cookies is governed by the cookie policy of the Data Controller. 

5. Data Security Measures, Data Protection Officer 

Data Security Measures 

The Operator exercises the utmost care in handling and storing the personal data provided by the data subjects. In the field of IT security, the Operator uses the most efficient and advanced tools and procedures reasonably available. 

The Data Controller designs and carries out data processing operations in such a way as to ensure the protection of the privacy of the Users concerned. The Operator ensures the security of the data and takes the necessary technical and organisational measures, and has established the procedural rules necessary for the enforcement of the Information Act and other data and secrecy protection regulations. 

– The Operator takes appropriate measures to protect the data, in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, and against becoming inaccessible due to changes in the technology used. 

– To protect electronically managed data files in various registers, the Operator ensures, through appropriate technical solutions, that the data stored in the registers cannot be directly linked or assigned to the affected User—except where permitted by law. 

– The Operator selects and operates the IT tools used for the provision of the service in such a way that the personal data managed are accessible to authorised persons (availability); 

o its authenticity and verifiability is ensured (data processing authenticity); 

o its immutability can be verified (data integrity); 

o it is protected against unauthorised access (data confidentiality). 

– The Operator ensures the security of data processing by means of technical, organisational, and structural measures that provide a level of protection appropriate to the risks associated with data processing. 

– The Operator's IT system and network are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, hacking, and denial-of-service attacks. The Operator ensures security by means of protective procedures at server and application level. 

– Electronic messages transmitted over the Internet, regardless of the protocol (such as email, web, FTP, etc.), are vulnerable to network threats that could lead to unfair activities or the disclosure and modification of information. To protect against such threats, the Operator takes all reasonable precautions. Systems are monitored to record any security discrepancies and to provide evidence in the event of a security incident. However, it is well known—and understood by the Users 

—that the Internet is not one hundred percent secure. The Operator shall not be held liable for any potential damages caused by unavoidable attacks that occur despite exercising the highest level of care. 


Data Protection Officer 

The Operator declares that it is not required by the GDPR to appoint a Data Protection Officer and therefore does not employ one. 

6. Consumer Complaints 

– The Operator's customer service handles complaints related to the Operator's service and user inquiries via the email address info@cuprevolution.hu, as well as in person at the customer service office (HU-1037 Budapest, Törökkő u. 1). 

– A User submitting a complaint may seek legal remedy or lodge a complaint with the competent local court or the National Authority for Data Protection and Freedom of Information (NAIH): HU-1024 Budapest, Szilágyi Erzsébet fasor 22/C. (www.naih.hu). 

7. Compliance with Official Requests 

– The court, the public prosecutor, the investigating authority, the administrative authority, the data protection commissioner or other bodies authorised by law may contact the Operator to provide information, disclose data, transfer data or make documents available. 

– The Operator shall disclose personal data to the authorities only if the authority specifies the exact purpose and scope of the data requested and only to the extent strictly necessary to achieve the purpose of the request. 

If you do not agree to the above, please do not use the Website or the Application. 

If you have any further questions about data protection, please contact our staff. 

This Policy is publicly available on the Website from the date of its publication and is effective from that date. 

Last modification: 13.09.2022