Privacy Policy | Revstar

Revstar is a product of Revux Technologies. At Revstar (“we”, “our”, or “us”), we are committed to protecting your privacy in accordance with the Nigeria Data Protection Regulation (NDPR) and applicable international privacy standards. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our commerce platform and related services.

1. Information We Collect

1.1 Merchant Account Information

When you create a Revstar merchant account, we collect:

Full name, email address, and phone number
Business name, address, and business category
Account credentials (passwords are stored securely using one-way hashing)
Subscription tier and billing information
Team member details (name, email, role) when you invite team members to your store

1.2 KYC (Know Your Customer) Verification Data

For identity verification and regulatory compliance, we may collect:

Government-issued identification documents (e.g., NIN, international passport, driver's license)
Business registration documents (CAC certificates)
Selfie photographs for identity matching

KYC documents are stored securely and used solely for verification purposes. They are retained only as long as necessary for regulatory compliance and are not shared with third parties except as required by law.

1.3 Store and Product Data

Information you provide to set up and operate your store:

Store name, slug, description, and branding assets (logo, banners)
Product listings (names, descriptions, images, prices, inventory levels)
Appointment service configurations
Shipping zones and delivery settings
Custom domain configurations

1.4 Customer and Order Data

When customers place orders through your store, we process:

Customer name, email, phone number, and delivery address
Order details (items, quantities, totals, payment status)
WhatsApp order conversations (when using WhatsApp Orders feature)

Important: Merchants are the data controllers for their customer data. Revstar acts as a data processor on behalf of the merchant. Merchants are responsible for obtaining appropriate consent from their customers.

1.5 Payment Information

Revstar does not store credit card numbers, bank account details, or other sensitive payment credentials. All payment processing is handled by our third-party payment partners:

Paystack — for card payments, bank transfers, and USSD payments
Flutterwave — for card payments and alternative payment methods

These providers are PCI DSS compliant and handle payment data under their own privacy policies. Revstar only stores transaction references, amounts, and settlement statuses.

1.6 Automatically Collected Information

When you or your customers use our services, we automatically collect:

Device information (browser type, operating system, device type)
Log data (IP address, access times, pages viewed)
Usage analytics (features used, actions taken)

1.7 Deep Link Click Tracking

When someone clicks a Revstar tracked link (Deep Link), we collect:

A one-way hash of the visitor's IP address (the raw IP is never stored)
A browser fingerprint derived from IP hash and user agent (for unique visitor counting)
Referrer URL and detected source platform (e.g., Instagram, WhatsApp)
Device type, browser, and operating system
Approximate geographic location (country and city, derived from IP)

Deep Link attribution uses a signed JWT token stored in the visitor's browser localStorage. This token contains only opaque identifiers (no personal information) and is used solely to attribute a purchase back to the link that was clicked. It expires after 30 days.

1.8 Storefront Visit Tracking

When customers visit a merchant's storefront, we may track page views and visit patterns to provide merchants with analytics about their store traffic. This data is anonymised and aggregated where possible.

2. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the Revstar platform
Process orders, payments, and settlements to merchant bank accounts
Calculate and apply platform service charges on transactions
Provide analytics and reporting on sales, traffic, and marketing performance
Send transactional communications (order confirmations, shipping updates, payment receipts)
Send promotional communications and product updates (with your consent, and with the ability to unsubscribe at any time)
Verify merchant identity through KYC processes
Detect and prevent fraud, unauthorized access, and abuse
Improve our platform based on usage patterns and feedback
Comply with legal obligations and regulatory requirements

3. Service Charges

Revstar applies a platform service charge on orders processed through the platform. The service charge is calculated as a percentage of the order subtotal plus applicable taxes (VAT). Shipping fees are excluded from the service charge calculation. The rate varies by subscription tier and can be configured by the merchant.

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information with:

Payment Processors: Paystack and Flutterwave, to process transactions and settlements
Cloud Infrastructure Providers: For hosting and data storage (see Section 5)
Analytics Services: Google Analytics, for aggregated website usage insights
Communication Services: For sending SMS campaigns, email notifications, and WhatsApp messages on behalf of merchants
Legal Requirements: When required by Nigerian law, court orders, or to protect our legal rights
Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users

5. Data Storage and Security

Your data is stored on secure cloud infrastructure:

Database: Hosted on Neon (PostgreSQL), with encryption at rest and in transit
Media files: Stored on Amazon Web Services (AWS) S3, with server-side encryption
Application servers: Hosted on Railway, with HTTPS-only access

We implement industry-standard security measures including:

HTTPS/TLS encryption for all data in transit
Encryption at rest for stored data
HTTP-only, secure session cookies (not accessible to JavaScript)
One-way password hashing (bcrypt)
IP address hashing for deep link analytics (raw IPs never stored)
Role-based access controls for team members
Regular security assessments

6. Cookies and Local Storage

Cookies

Session cookies: HTTP-only cookies for authentication. Essential for platform operation.
Analytics cookies: Google Analytics cookies for aggregated website usage statistics. Can be controlled through browser settings.

Local Storage

Cart ID: A unique identifier for the shopping cart, enabling cart persistence across sessions.
Deep Link attribution token: A signed JWT containing only opaque identifiers (no personal data), used to attribute purchases to marketing links. Expires after 30 days.

No sensitive personal information (passwords, payment details, identification documents) is stored in cookies or browser local storage.

7. Data Retention

Account data: Retained while your account is active. Deleted upon request, subject to legal retention requirements.
Order and transaction records: Retained for a minimum of 6 years as required by Nigerian tax and commercial law.
KYC documents: Retained for the duration of the merchant relationship plus any legally required retention period.
Analytics and tracking data: Aggregated data retained indefinitely. Individual click records retained for up to 2 years.
Deleted accounts: Personal data is purged within 90 days of account deletion, except where legal retention obligations apply.

8. Your Rights Under NDPR

Under the Nigeria Data Protection Regulation, you have the right to:

Access: Request a copy of the personal information we hold about you
Rectification: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your personal information (subject to legal retention requirements)
Objection: Object to processing of your personal information for direct marketing
Restriction: Request restriction of processing in certain circumstances
Data Portability: Request your data in a structured, machine-readable format
Withdraw Consent: Withdraw consent for optional data processing at any time

To exercise any of these rights, please contact us at privacy@userevstar.com. We will respond to your request within 30 days.

9. Third-Party Services

Our platform integrates with the following third-party services, each governed by their own privacy policies:

Paystack — Payment processing (Privacy Policy)
Flutterwave — Payment processing (Privacy Policy)
Google Analytics — Website analytics (Privacy Policy)
Amazon Web Services (AWS) — Media storage
Sanity — Blog content management

10. Children's Privacy

Revstar is a business platform intended for use by individuals aged 18 and above. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will delete it.

11. International Data Transfers

Your information may be transferred to and processed in countries outside Nigeria, including the European Union and the United States, where our cloud infrastructure providers operate. We ensure that appropriate safeguards are in place, including standard contractual clauses and data processing agreements with our service providers, in compliance with the NDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

Posting the updated policy on this page with a revised “Last updated” date
Sending an email notification for significant changes
Displaying a notice on your merchant dashboard

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Company: Revux Technologies
Email: privacy@userevstar.com
General enquiries: hello@userevstar.com
Address: Lagos, Nigeria