Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

ROMAN DRUZYK PR BEOGRAD (a sole proprietor registered in the Republic of Serbia)
trading as Revenome

• Registered address: Resavska 33, 11100 Belgrade, Serbia
• Tax identification number (PIB): 114858775
• Company registration number: 67908651
• Contact email: roman@revenome.com

2. Scope of This Policy

This Policy applies to:

• Visitors to our website
• Account holders (“Customers”, “Merchants”) who sign up for the Service
• Third-party connections you authorize (such as Shopify stores, Google Ads accounts, and Meta advertising accounts)
• End-customer data of Merchants that flows through our Service (where we act as a data processor on behalf of the Merchant)

When you, as a Merchant, connect your e-commerce store to Revenome, you remain the data controller for your end-customers' data, and Revenome acts as your data processor. The processing terms are governed by our Data Processing Agreement, which forms part of our Terms of Service.

3. Personal Data We Collect

3.1 Data You Provide Directly

• Account information: name, email address, password (stored hashed), company name, billing address
• Communication data: messages, support requests, feedback
• Payment information: processed by our payment provider; we do not store full card numbers

3.2 Data Collected From Connected Platforms

When you connect a third-party platform via OAuth, we receive the data you authorize:

Shopify:

• Store details (shop name, domain, currency, timezone, plan)
• Order data (order ID, value, line items, fulfillment status, timestamps)
• Customer data of your end-shoppers (name, email, shipping/billing address, order history) — processed on your behalf
• Product, inventory, and discount data
• Marketing event and analytics data

Google Ads (via Google Ads API):

• Account structure (manager and client account IDs)
• Campaign, ad group, ad, and keyword performance metrics
• Conversion action configuration

Meta (Facebook & Instagram, via Meta Marketing API):

• Public profile information (name, profile picture) — only for authentication
• Email address used for Meta login
• Ad account structure and campaign performance metrics
• Page-level performance metrics for pages you authorize

3.3 Data Collected Automatically

• Technical data: IP address, browser type, operating system, device identifiers, time zone
• Usage data: pages visited, features used, session duration, referring URL
• Cookies: see Section 11

4. How We Use Your Data and Legal Bases (GDPR Article 6)

We do not use your personal data for automated decision-making or profiling that produces legal effects on you.

5. Platform-Specific Disclosures

5.1 Google API Services — Limited Use

Revenome's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Ads data only to provide the user-facing analytics features you explicitly requested. We do not transfer Google Ads data to third parties for advertising purposes, retargeting, or personalized advertising.

5.2 Meta Platform Terms

Revenome accesses Meta data only with your explicit OAuth authorization. We comply with Meta Platform Terms.

You can revoke access at any time by disconnecting in Revenome (Settings → Integrations → Meta → Disconnect) or at facebook.com/settings. To request deletion of Meta-derived data, email roman@revenome.com.

5.3 Shopify Privacy Webhooks

Revenome implements Shopify's mandatory privacy webhooks:

• customers/data_request — we provide all stored personal data within 30 days
• customers/redact — we delete personal data within 30 days
• shop/redact — we delete all shop data within 30 days of app uninstall

6. Sub-processors and Data Sharing

We do not sell, rent, or trade your personal data.

6.1 Sub-processors

All customer data is hosted exclusively on infrastructure located in Germany. We do not transfer customer data outside the EEA for storage.

6.2 Third-Party Platforms

We exchange data with platforms you explicitly connect. Their privacy policies:

• Shopify Privacy Policy
• Google Privacy Policy
• Meta Privacy Policy

6.3 Legal Disclosures

We may disclose personal data when legally required or to protect the rights, property, or safety of Revenome, our users, or others.

7. International Data Transfers

All personal data is stored and processed within the European Union (Germany). Where personal data is transferred outside the EEA (for example, when you connect a US-based platform), the transfer is governed by the receiving platform's own safeguards, including EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

8. Data Retention

After the applicable retention period, data is securely deleted or irreversibly anonymized.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Hashed passwords using industry-standard algorithms
• Role-based access control with the principle of least privilege
• Network isolation, firewalls, and intrusion detection
• Encrypted backups with restricted access

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours and, where required, notify affected data subjects without undue delay.

10. Your Rights

Under GDPR and the Serbian Law on Personal Data Protection, you have the following rights:

• Right of access — obtain a copy of the personal data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your data
• Right to restriction of processing — limit how we use your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing for direct marketing or based on legitimate interest
• Right to withdraw consent — at any time, without affecting prior lawful processing

To exercise any of these rights, email roman@revenome.com. We will respond within 30 days.

Right to Lodge a Complaint

• Serbia: Commissioner for Information of Public Importance and Personal Data Protection — poverenik.rs
• EU residents: the supervisory authority of your country of residence — EDPB member list

11. Cookies and Tracking Technologies

• Strictly necessary cookies (authentication, session, CSRF) — required for the Service; no consent needed
• Functional cookies (language and UI preferences) — set with your consent
• Analytics cookies (privacy-respecting product analytics) — set only with explicit consent

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking. You can manage preferences through the cookie banner or your browser settings.

12. Children's Privacy

The Service is intended for business use by individuals aged 18 or older. We do not knowingly collect personal data from children under 16. If you believe we have, please contact roman@revenome.com.

13. Changes to This Privacy Policy

We may update this Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect, and by posting the updated Policy at revenome.com/privacy with a revised date. Continued use of the Service after changes take effect constitutes acceptance.

14. Contact Us

For any questions about this Privacy Policy or to exercise your rights:

ROMAN DRUZYK PR BEOGRAD (Revenome)
Resavska 33, 11100 Belgrade, Serbia

Privacy inquiries: roman@revenome.com
General inquiries: roman@revenome.com

We aim to respond to all privacy-related requests within 30 days.