Privacy Policy
Last updated: 8 April 2026.
1. Data controller details
| Company name | DMB Soft Kft. |
| Registered office | 2616 Keszeg, Alkotmány út 59., Hungary |
| info@dmbsoft.hu |
DMB Soft Kft. (hereinafter: Data Controller) operates the kuppo digital loyalty card and coupon management service. This policy describes what personal data we collect when you use the service, how and on what legal basis we process it, to whom we transfer it, how long we retain it, and what rights you have as a user.
The processing is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.).
2. Categories of personal data processed
2.1. Account data (identification and authentication)
When the user logs in, we obtain the following data from the OAuth identity provider (Google, GitHub or Facebook / Meta Platforms):
| Data | Source |
|---|---|
| E-mail address | OAuth provider |
| Full name | OAuth provider profile |
| Profile picture URL | OAuth provider profile |
| Authentication provider identifier | System |
When accessing the Service as an anonymous (guest) user, no personal identification data is provided; the guest account has only an internal unique identifier. An anonymous account may be linked to an OAuth account at any time, at which point the data above is recorded.
2.2. Loyalty programme data
| Data | Description |
|---|---|
| Stamp card points and status | How many points the user has collected in which merchant’s campaign |
| Redeemed rewards | When and at which merchant the card was redeemed |
| Issued coupons | Coupon type, issuance and expiry date, redemption time and the redeeming merchant |
| Date of joining | When the user joined the given merchant |
| Time of last activity | The time of the most recent activity recorded on the stamp card (used for inactivity-based coupons) |
2.3. Consent and settings data
| Data | Description |
|---|---|
| Time of accepting the privacy policy | When the user accepted this policy |
| Time of accepting the age declaration | When the user declared that they have reached the age of 16 |
| Marketing consent flag | Whether the user has consented to receive marketing-related notifications |
2.4. Push notification subscription data
If the user enables push notifications, we store the device identifier token (device token) received from the Firebase Cloud Messaging (FCM) service, linked to the relevant merchant. The token does not directly contain personally identifiable data, but it qualifies as a unique device identifier.
2.5. Data relating to merchant users
For users with merchant accounts (owners), in addition to the data listed in section 2.1, the following data is also recorded:
- Which customer they granted points to or redeemed for, and when
- Campaigns and coupon templates belonging to the merchant (these do not contain customer data)
3. Purpose and legal basis of processing
| Purpose | Data processed | Legal basis (GDPR) |
|---|---|---|
| Account creation and identification | E-mail address, name, profile picture | Performance of a contract – Article 6(1)(b) |
| Operation of the loyalty programme | Stamp cards, rewards, coupons, joining date | Performance of a contract – Article 6(1)(b) |
| Automatic issuance of inactivity-based coupons | Time of last activity | Legitimate interest – Article 6(1)(f) |
| Documentation of consent and age declaration | Acceptance timestamps | Legal obligation – Article 6(1)(c) |
| Sending push notifications | FCM token, merchant identifier | Consent – Article 6(1)(a) |
| Marketing communication | E-mail address, marketing consent flag | Consent – Article 6(1)(a) |
| Logging of merchant activity | Data of redemption operations | Legitimate interest – Article 6(1)(f) |
| System security and abuse prevention | All data processed | Legitimate interest – Article 6(1)(f) |
| Compliance with legal or regulatory obligation | Data specified as required | Legal obligation – Article 6(1)(c) |
Legitimate interest balancing: For automatic issuance of inactivity-based coupons and logging of merchant operations, the Data Controller has carried out the legitimate interest balancing test. The interests of the data subject are not disproportionately affected, since the data use remains strictly within the scope of the service used, and the data subject may object to the processing at any time (see section 7).
4. Data transfers and processors
The Data Controller engages the following data processors and third parties:
| Data processor / Third party | Registered seat | Data transferred | Role |
|---|---|---|---|
| Supabase, Inc. | United States (data stored on EU servers) | All user and application data | Database and authentication infrastructure (data processor) |
| Google LLC | United States | Authentication token, e-mail, name, profile picture; FCM push token | OAuth identity provider, push notification channel |
| GitHub, Inc. | United States | Authentication token, e-mail, name, profile picture | OAuth identity provider |
| Meta Platforms, Inc. (Facebook) | United States | Authentication token, e-mail, name, profile picture | OAuth identity provider (Facebook Login) |
| Google Firebase | United States | FCM device identifier token, notification content | Push notification delivery infrastructure |
| Google Firebase Hosting | United States | No personal data (static application code only) | Static web application hosting |
Facebook OAuth (Meta Platforms): The kuppo service uses Facebook Login as one of the supported sign-in methods. When a user authenticates via Facebook, Meta Platforms, Inc. acts as the OAuth identity provider and shares with us the authentication token, e-mail address, name and profile picture URL associated with the user’s Facebook account. We do not access any other Facebook data, do not post on the user’s behalf and do not access the user’s friend list. Users may revoke this connection at any time from their Facebook account settings.
Supabase stores data in data centres located within the European Union. Transfers to a third country (United States) take place on the basis of compliance mechanisms approved by the European Commission (EU–US Data Privacy Framework, or EU Standard Contractual Clauses – SCCs).
The Data Controller transfers personal data to authorities only on the basis of a legal obligation and to the extent required.
5. Data security measures
- Data is transmitted over TLS 1.2 or higher encryption protocols.
- Database access is protected by Row Level Security (RLS) rules: every user can access only their own data.
- Cross-user data modifications are carried out exclusively through elevated-privilege database procedures (SECURITY DEFINER RPC) controlled by the Data Controller, which always verify the caller’s permissions in advance.
- Functions tied to administrator and merchant roles are protected by role-based access checks.
- Service account credentials used for Firebase Cloud Messaging are stored as encrypted environment variables and are not included in the application source code.
6. Data retention
| Data category | Retention period |
|---|---|
| Account data (e-mail, name, profile picture) | Until account deletion |
| Stamp card and reward data | Until account deletion |
| Issued coupons | Until account deletion (records of expired and redeemed coupons are retained until account deletion) |
| Consent timestamps | Until account deletion (required for legal documentation) |
| Push notification tokens | Until account deletion; automatically removed when the device registration ends |
| Inactive (uninstalled) push tokens | Automatically removed on the first failed delivery attempt |
| Campaigns and coupon templates | Marked as deleted (soft delete) instead of being removed permanently; kept separately from active user data |
When an account is deleted, all of the personal data listed above is destroyed (see section 7.3).
7. Rights of the data subject
Under Articles 15–22 of the GDPR, you are entitled to the following rights:
7.1. Right of access
You may request information on what personal data we process about you, for what purpose, on what legal basis and for how long.
7.2. Right to rectification
You may request the correction of inaccurate personal data. Please note that the name and profile picture are stored by the OAuth provider; these can be modified within the relevant provider’s interface.
7.3. Right to erasure (“right to be forgotten”)
For customer accounts: Account deletion can be initiated as a self-service action within the kuppo application, from the account settings menu. During deletion, the following data is destroyed:
- Push notification tokens
- User settings and consent records
- User role
- Stamp card records (together with the related rewards)
- Merchant-subscriber relationship records
- Authentication account record
For merchant and administrator accounts: Self-service deletion is not available, as such accounts may be linked to active merchant campaigns and customer data. Deletion requests can be submitted to info@dmbsoft.hu.
Facebook Login users: see the dedicated Facebook Data Deletion Instructions page for a step-by-step guide.
7.4. Right to restriction of processing
You may request that the processing of certain data be restricted (for example, in case of disputed data, while the matter is under investigation).
7.5. Right to data portability
You may request that personal data you have provided about yourself be made available in a structured, machine-readable format.
7.6. Right to object
You may object to processing whose legal basis is the legitimate interest of the Data Controller (Article 6(1)(f) GDPR). In such a case, processing will be terminated, unless compelling legitimate grounds justify its continuation.
7.7. Withdrawal of consent
For processing based on consent (push notifications, marketing communication), you may withdraw your consent at any time in the application settings. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
7.8. Remedies
In case of a violation of your rights, you may file a complaint with the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH) Address: 1055 Budapest, Falk Miksa utca 9–11. Postal address: 1363 Budapest, Pf. 9. E-mail: ugyfelszolgalat@naih.hu Website: naih.hu
The Data Controller receives requests relating to data processing at info@dmbsoft.hu. The Data Controller responds within the deadline set out in Article 12 of the GDPR (as a rule, within 30 days).
8. Children’s privacy
The kuppo service is available exclusively to users aged 16 or older. The Data Controller does not knowingly collect data of persons under 16. If we learn that we are processing data of a person under 16, we will delete it without delay. The user confirms their age by accepting the declaration shown at the first login, the timestamp of which is recorded (see section 2.3).
9. Cookies and local storage
The kuppo web application stores session tokens in the browser’s local storage for authentication purposes. The application does not use third-party marketing or analytics cookies. Storage required for the technical operation of the service and for session management does not require separate cookie consent.
10. Modification of this policy
The Data Controller reserves the right to modify this policy. Users will be notified of changes at least 14 days in advance via a notice displayed in the application. Continued use of the service after such notice constitutes acceptance of the modified policy. In the case of material changes, the Data Controller will request renewed consent at the user’s next login.
11. Contact
For questions and requests relating to data processing, please contact the Data Controller:
DMB Soft Kft. 2616 Keszeg, Alkotmány út 59., Hungary E-mail: info@dmbsoft.hu