Privacy Policy

Effective Date: March 23, 2026

Last Updated: March 23, 2026

1. Introduction

Welcome to Revel's Privacy Policy. This document explains how we collect, use, store, and protect your personal information when you use the Revel platform at letsrevel.io.

Data Controller:

Biagio Distefano

Graumanngasse 10/4, 1150 Vienna, Austria

Email: [email protected]

Revel is committed to protecting your privacy and giving you full control over your personal data. We operate under the principles of transparency, data minimization, and user autonomy. We are based in Austria and comply with the General Data Protection Regulation (GDPR).

Our Privacy Commitments:

  • We collect only the data necessary to provide our services
  • We never sell or share your data for marketing purposes
  • We do not use tracking cookies or analytics
  • You have full control over your data with GDPR rights
  • Your data is stored securely in the European Union

2. Information We Collect

2.1 Information You Provide Directly

Account Information

When you create an account, we collect:

  • Email address (required for authentication and communication)
  • Password (stored in hashed form, never in plaintext)
  • Name (first and last name, optional)
  • Preferred name (optional)
  • Profile picture (optional)

User Profile Information

You may optionally provide:

  • Preferred city (for distance-based event sorting)
  • Dietary restrictions (allergies, intolerances, preferences)
    • Restriction type (allergy, intolerance, preference)
    • Public/private visibility setting
    • Custom notes
  • Dietary preferences (vegetarian, vegan, gluten-free, etc.)
  • Language preference (English, German, Italian)

Two-Factor Authentication (2FA)

If you enable 2FA:

  • TOTP secret key (stored encrypted)

Event and Organization Content

When you create or interact with events and organizations:

  • Event details (name, description, location, dates, capacity, pricing)
  • Organization details (name, description, contact information)
  • Uploaded files (photos, documents, logos)
  • Tags and categories
  • RSVP responses (Yes, No, Maybe)
  • Questionnaire submissions (answers to screening questions)
  • Potluck item assignments

Payment Information

For ticket purchases:

  • Payment information is collected and processed by Stripe (not by Revel)
  • We store only:
    • Stripe transaction ID
    • Ticket purchase details (event, tier, quantity, price)
    • Payment status (pending, completed, refunded)
    • Payment method type (online, offline, at-door, free)

We never store credit card numbers, bank account details, or other sensitive payment data.

Referral Program (Referrers Only)

If you participate in the referral program, we additionally collect:

  • Billing name (legal name for invoicing)
  • Billing address
  • VAT ID (optional, validated against the EU VIES register if provided)
  • Self-billing agreement (consent to Revel issuing invoices on your behalf)

This data is used solely for payout processing and tax-compliant statement generation.

Communications

We may collect:

  • Support inquiries sent to [email protected]
  • Notification preferences (in-app, email, Telegram)
  • Unsubscribe tokens for email management

2.2 Information Collected Automatically

Technical Information

When you use Revel, we automatically collect:

  • IP address (used transiently for geolocation, not stored)
  • Device information (browser type, operating system)
  • Session information (login time, JWT token metadata)
  • Request metadata (request ID for debugging and support)

Cookies and Local Storage

We use only essential cookies required for the Platform to function:

  • Session cookies (JWT authentication tokens)
  • Invitation cookies to automatically let you join organizations and events
  • Referral code cookie (stores a referring user's code for 30 days, for referral attribution at registration)
  • Language preference
  • CSRF protection tokens

We do not use:

  • Analytics cookies (Google Analytics, etc.)
  • Advertising cookies
  • Tracking pixels
  • Third-party tracking technologies

Usage Information

We collect minimal usage data for service operation:

  • Login/logout events (for security)
  • Error logs (for debugging and reliability)
  • Background task execution (Celery tasks)

We do not track:

  • Page views
  • Click behavior
  • User navigation patterns
  • Time spent on pages

2.3 Information from Third Parties

Geolocation Data

  • IP2Location database is used to suggest your city based on IP address
  • This data is used transiently during the request and never stored
  • No IP address data is associated with your account

Stripe

We receive transaction confirmation data from Stripe:

  • Payment success/failure notifications
  • Refund confirmations
  • Transaction IDs

Telegram (Optional)

If you link your Telegram account to Revel:

  • Telegram username (for bot communication)
  • Telegram user ID (for message delivery)
  • Language preference (for i18n)

We do not access your Telegram messages, contacts, or other data beyond what's necessary for notification delivery.

2.4 Information We Do NOT Collect

We explicitly do not collect:

  • Precise geolocation or GPS coordinates
  • Browsing history outside Revel
  • Device identifiers (IDFA, Android ID, etc.)
  • Biometric data
  • Social media activity
  • Health information (beyond dietary preferences)
  • Financial account details

3. How We Use Your Information

3.1 Service Provision

We use your personal data to:

  • Create and manage your account
  • Authenticate your identity (login, 2FA)
  • Process event registrations, RSVPs, and ticket purchases
  • Facilitate communication between organizers and attendees
  • Send transactional notifications (event updates, ticket confirmations, RSVP confirmations)
  • Display events and organizations according to your preferences
  • Calculate distances between events and your preferred city
  • Manage dietary preferences for event planning
  • Enable questionnaire submissions and evaluations
  • Coordinate potluck assignments

3.2 Platform Operation

We process data to:

  • Maintain platform security (detect fraud, prevent abuse)
  • Troubleshoot technical issues (debug errors, investigate bugs)
  • Improve platform reliability (monitor performance)
  • Scan uploaded files for malware (ClamAV)

3.3 Legal Compliance

We may process data to:

  • Comply with legal obligations (tax reporting, law enforcement requests)
  • Retain financial records as required by Austrian law (typically 7 years)
  • Respond to legal processes (court orders, subpoenas)
  • Protect our rights (enforce Terms of Service, defend legal claims)

3.4 Communication

We send only transactional emails necessary for service operation:

  • Account verification emails
  • Password reset emails
  • Event invitation emails
  • Ticket confirmation emails
  • RSVP confirmation emails
  • Questionnaire result emails
  • Notification emails (if enabled in preferences)

We do not send:

  • Marketing emails
  • Newsletters
  • Promotional materials
  • Advertisements

You can control which transactional emails you receive in your notification preferences.

3.5 What We DO NOT Do

We never:

  • Sell your personal data to third parties
  • Share your data for advertising or marketing purposes
  • Use your data to build advertising profiles
  • Track you across other websites or apps
  • Send unsolicited marketing communications

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on:

4.1 Contractual Necessity (Art. 6(1)(b) GDPR)

Processing necessary to provide services you've requested:

  • Account creation and management
  • Event registration and ticketing
  • RSVP and attendance management
  • Payment processing (via Stripe)

4.2 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate interests:

  • Platform security and fraud prevention
  • Technical troubleshooting and error resolution
  • Service improvement and reliability

4.3 Consent (Art. 6(1)(a) GDPR)

Processing based on your explicit consent:

  • Telegram notifications (you choose to link your account)
  • Optional profile information (dietary preferences, preferred city)

You may withdraw consent at any time by adjusting your settings or contacting us.

4.4 Legal Obligation (Art. 6(1)(c) GDPR)

Processing required by law:

  • Financial record retention (Austrian tax law)
  • Responding to law enforcement requests
  • Reporting illegal content (e.g., CSAM)

4.5 Special Categories of Personal Data (Art. 9 GDPR)

Revel is an event platform that may be used for events related to lifestyle, identity, or sexuality. By registering for such events or providing related information in questionnaires, you may reveal special category data (e.g., data concerning sexual orientation or health) as defined by Art. 9 GDPR.

We process such data only with your explicit consent (Art. 9(2)(a) GDPR), given when you:

  • Voluntarily register for events whose nature may reveal special category data
  • Submit questionnaire responses containing such information

Additional safeguards for special category data:

  • We apply the same security measures described in Section 6.2 to all data, including special category data
  • Event organizers are bound by our Terms of Service to handle attendee data responsibly
  • You can withdraw consent at any time by cancelling your registration or deleting your account

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal data to third parties for marketing or any other purpose.

5.2 Sharing Within the Platform

Your data is shared within Revel according to your privacy settings:

Public Information

Visible to all users (including non-registered visitors):

  • Public events and their details
  • Public organizations and their details
  • Your name (when you attend public events or belong to public organizations)

Organization Members

Visible to members of organizations you belong to:

  • Your profile information (as configured)
  • Your event attendance (for organization events)
  • Your dietary preferences (if made public, for event planning)

Event Organizers

Visible to organizers of events you attend:

  • Your name and email
  • Your RSVP status
  • Your ticket information
  • Your questionnaire submissions
  • Your dietary restrictions/preferences (for meal planning)
  • Your potluck item assignments

Other Attendees

Depending on event settings, other attendees may see:

  • Attendee lists (if enabled by organizer)
  • Your dietary summary (aggregated, for potlucks)

5.3 Third-Party Service Providers

Stripe (Payment Processing and Referral Payouts)

When you purchase tickets:

  • Your payment information is sent directly to Stripe
  • Stripe processes payments on behalf of event organizers
  • Stripe's Privacy Policy applies: https://stripe.com/privacy
  • We receive only transaction confirmations, not payment details

When you participate in the referral program:

  • Referrers connect a Stripe Express account to receive payouts
  • Stripe handles identity verification and bank account setup directly
  • We store only the Stripe account ID and connection status — not bank details or identity documents

Financial data retention: Transaction records are stored on Stripe as required by Austrian tax law (typically 7 years). This data remains on Stripe even after you delete your Revel account.

Telegram (Optional Notifications)

If you enable Telegram notifications:

  • Telegram username and user ID are stored
  • Notifications are sent via Telegram's Bot API
  • Telegram's Privacy Policy applies: https://telegram.org/privacy
  • We do not access your Telegram messages or contacts

Cloudflare (CDN and Security)

All traffic to Revel is routed through Cloudflare's network:

  • Purpose: DDoS protection, TLS termination, and content delivery
  • Data exposed: All data transmitted between your browser and our servers transits through Cloudflare's infrastructure
  • Cloudflare is a US company with a global network of data centers
  • Safeguards: Cloudflare provides a Data Processing Agreement (DPA) as part of their service terms and is certified under the EU-US Data Privacy Framework
  • Privacy Policy: https://www.cloudflare.com/privacy/

Important: While your data is stored in the European Union (see Section 6.1), it transits through Cloudflare's network for delivery. Cloudflare may process request data (including IP addresses, headers, and request bodies) on servers outside the EU.

Brevo (Email Delivery)

Transactional emails (e.g., ticket confirmations, event updates) are delivered via Brevo (formerly Sendinblue):

  • Data sent: Recipient email address, email content
  • Brevo is an EU company (headquartered in Paris, France)
  • Safeguards: Brevo complies with GDPR and provides a Data Processing Agreement (DPA)
  • Privacy Policy: https://www.brevo.com/legal/privacypolicy/

We use Brevo solely for transactional email delivery. We do not use Brevo's marketing, analytics, or contact management features.

Note: Brevo applies anonymous link tracking to transactional emails (e.g., click-through redirects). This tracking is anonymized and does not identify individual users. We do not use this data. We are currently unable to disable this feature.

Hetzner (Infrastructure Hosting)

All Revel services (application, database, background tasks, monitoring, and logging) are hosted by Hetzner Online GmbH:

  • Hetzner is an EU company (headquartered in Gunzenhausen, Germany)
  • Data location: Germany
  • Safeguards: Hetzner complies with GDPR and provides a Data Processing Agreement (DPA)
  • Privacy Policy: https://www.hetzner.com/legal/privacy-policy/

5.4 Legal Disclosures

We may disclose your information if required by law:

  • Law enforcement requests (with valid legal process)
  • Court orders or subpoenas
  • Reporting illegal content (e.g., CSAM to authorities)
  • National security requests (if legally required)

We will notify you of legal requests unless prohibited by law.

5.5 Business Transfers

If Revel is acquired, merged, or undergoes a business transition:

  • Your data may be transferred to the successor entity
  • We will notify you before your data is transferred
  • The successor must honor this Privacy Policy

5.6 With Your Consent

We may share data for other purposes with your explicit consent.

6. Data Storage and Security

6.1 Data Location

Your data is stored in the European Union, specifically in Germany, hosted by Hetzner Online GmbH (an EU company based in Germany), ensuring GDPR compliance and strong privacy protections.

Data in transit: Traffic between your browser and our servers is routed through Cloudflare's global network for security and performance (see Section 5.3). While data at rest remains in the EU, data in transit may pass through Cloudflare infrastructure outside the EU.

6.2 Security Measures

We implement industry-standard security measures:

Technical Safeguards

  • Encryption in transit: All data transmitted over HTTPS/TLS
  • Encryption at rest: Database and file storage encryption
  • Secure authentication: JWT tokens with expiration, 2FA support
  • Password hashing: Passwords stored using Django's secure hashing (PBKDF2)
  • Malware scanning: All uploaded files scanned with ClamAV
  • Input validation: Protection against XSS, SQL injection, CSRF

Organizational Safeguards

  • Access controls: Limited access to production data
  • Regular updates: Security patches applied promptly
  • Monitoring: Error tracking and security logging
  • Backup systems: Regular backups for disaster recovery

File Security

  • Malware scanning: ClamAV scans all uploaded files
  • Quarantine system: Suspicious files are isolated and flagged
  • Notifications: Uploader, organizers, and platform staff are notified of malware detections

6.3 Data Retention

We retain your personal data only as long as necessary:

Active Accounts

  • Data retained while your account is active
  • You can delete data manually at any time

Deleted Accounts

  • Personal data deleted immediately upon account deletion
  • Financial records retained on Stripe as required by Austrian law (typically 7 years for tax purposes)
  • Anonymized data may be retained for aggregated statistics (no personal identifiers)

Specific Retention Periods

  • Session tokens: Expire after inactivity
  • Email verification tokens: Expire after 24 hours
  • Password reset tokens: Expire after 1 hour
  • 2FA backup codes: Retained until used or 2FA is disabled
  • Transactional emails: Retained in logs for 90 days for support purposes
  • Error logs: Retained for 30 days for debugging

6.4 Data Breach Notification

In the event of a data breach:

  • We will notify affected users within 72 hours (as required by GDPR)
  • We will report the breach to the Austrian Data Protection Authority if required
  • We will provide details on the nature of the breach and steps taken to mitigate harm

7. Your Rights Under GDPR

As a user in the European Union, you have the following rights:

7.1 Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you.

How to exercise:

You will receive a machine-readable file (JSON format) containing all your data.

7.2 Right to Rectification (Art. 16 GDPR)

You can correct inaccurate or incomplete personal data.

How to exercise:

7.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data.

How to exercise:

Exceptions: We may retain data when required by law (e.g., financial records for tax compliance).

7.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request that we limit how we process your data.

How to exercise: Contact [email protected] with your request.

7.5 Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, commonly used, machine-readable format.

How to exercise:

  • Use the Data Export feature in Account Settings
  • You'll receive a JSON file containing all your data

7.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests.

How to exercise: Contact [email protected] explaining your objection.

7.7 Right to Withdraw Consent (Art. 7(3) GDPR)

For processing based on consent (e.g., Telegram notifications), you can withdraw consent at any time.

How to exercise:

  • Disable features in Account Settings > Notification Preferences
  • Contact [email protected]

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority.

Austrian Data Protection Authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien, Austria
Email: [email protected]
Website: https://www.dsb.gv.at

7.9 Exercising Your Rights

To exercise any of these rights:

  • Email us: [email protected]
  • Postal mail: Biagio Distefano, Graumanngasse 10/4, 1150 Vienna, Austria

We will respond to your request within 30 days (as required by GDPR).

8. Children's Privacy

Revel is not intended for children under 16 years old. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected]. We will delete such data promptly.

Age verification: We do not provide age verification services. Event organizers are responsible for enforcing age restrictions for their events.

9. International Data Transfers

9.1 EU Data Storage

All user data is stored in the European Union (Germany), ensuring GDPR compliance. Data in transit may pass through Cloudflare's global network (see Sections 5.3 and 6.1).

9.2 Third-Party Services Outside EU

Some third-party services may process data outside the EU:

Stripe (Global)

  • Data sent: Payment information (sent directly from your browser to Stripe)
  • Safeguards: Stripe is certified under various international frameworks for data protection
  • Privacy Policy: https://stripe.com/privacy

Cloudflare (United States)

  • Data exposed: All request and response data transits through Cloudflare's network
  • Purpose: DDoS protection, TLS termination, content delivery
  • Safeguards: Cloudflare is certified under the EU-US Data Privacy Framework and provides a standard DPA
  • Privacy Policy: https://www.cloudflare.com/privacy/

9.3 Your Consent

By using payment processing or the platform generally (which routes traffic through Cloudflare), you acknowledge that your data may be transferred outside the EU.

10. Cookies and Tracking Technologies

10.1 Essential Cookies Only

We use only essential cookies required for the Platform to function:

  • Authentication tokens (JWT): To keep you logged in
  • CSRF tokens: To protect against cross-site request forgery
  • Language preference: To display the correct language
  • Referral code: To attribute your registration to the referring user (expires after 30 days)

10.2 No Tracking or Analytics

We do not use:

  • Google Analytics or similar analytics tools
  • Advertising cookies
  • Social media tracking pixels
  • Third-party tracking scripts
  • Fingerprinting technologies

10.3 Cookie Management

Essential cookies cannot be disabled without breaking core functionality. If you block cookies:

  • You will not be able to log in
  • Your language preference will not be saved
  • Some features may not work correctly

10.4 Local Storage

We may use browser local storage for:

  • Temporary session data
  • UI preferences (e.g., dark mode, if implemented)

This data is stored locally on your device and is not transmitted to our servers.

11. Automated Decision-Making and Profiling

11.1 No Profiling

We do not create user profiles for:

  • Targeted advertising
  • Behavioral analysis
  • Predictive modeling
  • Personalized marketing

12. Notification Preferences

12.1 Transactional Notifications

We send transactional notifications via:

  • In-app notifications (notification center)
  • Email (transactional emails only)
  • Telegram (optional, if you link your account)

12.2 Notification Types

You can control notifications for:

  • Event updates (created, updated, cancelled, reminders)
  • RSVP confirmations and changes
  • Ticket purchases and confirmations
  • Invitation notifications
  • Questionnaire results
  • Potluck assignments
  • Organization announcements
  • System notifications (e.g., malware detected)

12.3 Managing Preferences

You can manage notification preferences in:

  • Account Settings > Notification Preferences
  • Email unsubscribe links (one-click unsubscribe)

Note: Some critical transactional emails (e.g., password reset, email verification) cannot be disabled as they are essential for account security.

12.4 Unsubscribe

To unsubscribe from email notifications:

  • Click the unsubscribe link at the bottom of any email
  • Your preferences will be updated via a secure token
  • You will still receive critical security-related emails

13. Open Source and Self-Hosting

13.1 Open Source Software

Revel's source code is available under the MIT License at:
https://github.com/letsrevel/

13.2 Self-Hosted Instances

This Privacy Policy applies only to the hosted service at letsrevel.io.

If you self-host Revel:

  • You are the data controller for your instance
  • You are responsible for GDPR compliance
  • You must create your own privacy policy for your users
  • This policy does not apply to self-hosted instances

13.3 Data Portability for Self-Hosting

You can export your data from letsrevel.io and import it into your self-hosted instance using the Data Export feature.

14. Changes to This Privacy Policy

14.1 Policy Updates

We may update this Privacy Policy from time to time. When we make material changes:

  • We will update the "Last Updated" date at the top
  • We will notify you via email or in-app notification
  • We will request your consent if required by law

14.2 Review of Changes

We encourage you to review this Privacy Policy periodically. Continued use of Revel after changes constitutes acceptance of the updated policy.

14.3 Objection to Changes

If you do not agree to changes:

  • You may delete your account via Account Settings
  • You may contact us at [email protected] to discuss concerns

15. Contact Us

15.1 Privacy Questions

For questions about this Privacy Policy or our data practices:

Email: [email protected]
Postal Address:
Biagio Distefano
Graumanngasse 10/4
1150 Vienna, Austria

15.2 Data Protection Requests

To exercise your GDPR rights or request data access/deletion:

We will respond within 30 days as required by GDPR.

15.3 Data Protection Authority

If you have concerns about our data practices, you can contact the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien, Austria
Email: [email protected]
Website: https://www.dsb.gv.at

16. Acknowledgments

16.1 Third-Party Data Sources

We use the following third-party data sources:

These databases are used for non-personal geolocation features and do not track individual users.


Last Updated: March 4, 2026

By using Revel, you acknowledge that you have read, understood, and agree to this Privacy Policy.