Privacy Policy

Last updated: June 19, 2026

Prova ("we", "us", or "our") operates the Prova mobile applications (Customer and Merchant) and the website at www.prova.fyi. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

1. Information We Collect

Account Information

• Customers: Phone number (for OTP verification), name, email address (optional), and profile preferences such as search radius.
• Merchants: Name, email address, password, business name, business address, phone number, and verification documents.
• Employees: Name and email address (provided by the merchant who invites them).

Payment Information

We use Stripe to process payments for surprise bag purchases. We do not store your credit card number, CVV, or full card details on our servers. Stripe handles all payment data in accordance with PCI DSS standards. We store only the transaction reference, amount, and status.

Location Information

We collect your zip code and preferred search radius to show you nearby restaurants. Merchant addresses are geocoded using Google Places API to enable location-based discovery. We do not continuously track your real-time location.

Device Information

We collect your device token (Firebase Cloud Messaging) to send push notifications about offers, reservation updates, and other service-related alerts. We also collect basic device identifiers for crash diagnostics.

Usage Information

We collect information about how you interact with the app, including offers claimed, merchants followed, reservations made, ratings given, and punch card activity.

Media

Merchants may upload images (store photos, offer images, surprise bag photos) and verification documents. These are stored on our servers and served via our CDN.

2. How We Use Your Information

• To create and manage your account
• To verify merchant identity and business legitimacy
• To process surprise bag payments and issue refunds
• To send push notifications about new offers from merchants you follow
• To display nearby restaurants and offers based on your location preferences
• To facilitate QR code-based offer redemptions, punch card tracking, and surprise bag pickups
• To calculate and distribute merchant payouts via Stripe Connect
• To provide customer support and respond to inquiries
• To improve our services and develop new features
• To detect and prevent fraud or abuse

3. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

• With merchants: When you claim an offer, make a reservation, or earn punches, the relevant merchant can see your name and activity related to their business.
• With Stripe: Payment and payout processing. Stripe's privacy policy governs their use of your data.
• With Twilio: Your phone number is shared with Twilio to deliver SMS verification codes.
• With Google: We use Google Places API for address autocomplete and geocoding. Google's privacy policy applies to their processing.
• With Firebase (Google): Device tokens and notification delivery are handled by Firebase Cloud Messaging.
• Legal requirements: We may disclose information if required by law, regulation, or legal process.

4. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will remove your personal information within 30 days, except where we are required to retain it for legal, financial, or fraud prevention purposes. Transaction records may be retained for up to 7 years for tax and accounting compliance.

5. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• Encrypted data transmission (TLS/HTTPS)
• Hashed and salted passwords
• JWT-based authentication with token rotation
• Access controls limiting employee and admin access to data

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Your Rights

Depending on your location, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account and personal data
• Opt out of push notifications (via device settings or in-app preferences)
• Request a copy of your data in a portable format

To exercise any of these rights, contact us at hello@prova.fyi.

7. Push Notifications

We send push notifications to customers when merchants they follow post new offers. You can disable notifications at any time through your device settings or the in-app notification preferences screen.

8. Children's Privacy

Our services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

9. Third-Party Links

Our app and website may contain links to third-party services. We are not responsible for the privacy practices of those services. We encourage you to review their privacy policies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. Your continued use of Prova after changes are posted constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Prova
Email: hello@prova.fyi
Website: www.prova.fyi