Privacy Notice

Effective date: 26 April 2026 · Last updated: 26 April 2026

1. About this service

The Viva Middleware (operated at viva.bitron.hu) is the backend service for the Integration for Viva Payment and WooCommerce WordPress plugin, distributed by BitronDev Kft on wordpress.org. The middleware receives payment requests from WooCommerce shops with the plugin installed, routes them to Viva Payments, and returns the resulting transaction status.

BitronDev Kft is a certified Viva Payments Independent Software Vendor (ISV) partner. Routing payment requests through this middleware under BitronDev's ISV identity is what enables the ISV fee that compensates BitronDev for ongoing plugin development, support, and operation of the middleware.

The ISV fee is currently 0.3% of each transaction amount. It is charged in addition to Viva Payments' standard processing fees, not bundled with them. Merchants installing the plugin should be aware that this fee applies on every transaction routed through the middleware. Full commercial terms are part of the merchant agreement between the shop and BitronDev.

The service is operated by BitronDev Kft, a company registered in Hungary. Contact: info@bitron.hu.

This notice describes what personal data the middleware processes, on what legal basis, who it is shared with, how long it is kept, and how data subjects can exercise their rights under the EU General Data Protection Regulation (GDPR).

2. Roles under the GDPR

BitronDev Kft acts in two distinct roles, depending on the data category:

Processor for end-customer payment data forwarded on behalf of the merchant (the WooCommerce shop owner). The merchant is the controller of this data and remains responsible for fulfilling data subject requests from their customers.
Controller for merchant account data — the credentials and configuration that the merchant supplies to register their shop with the middleware.

3. Data we process

Merchant account data (BitronDev as controller)

WordPress site URL and webhook callback URL
Optional contact email for security incident notifications
The merchant's Viva Payments API credentials, encrypted at rest
A bcrypt hash of the per-site API key (the plaintext is held only by the merchant's plugin)
A randomly generated webhook secret, encrypted at rest
Viva merchant account identifier and connected-account status
Sandbox / production environment flag

Forwarded payment data (BitronDev as processor)

Order amounts, currency, order codes
Customer information supplied by the WooCommerce shop (name, email, billing details — only as much as the merchant chooses to forward)
Viva transaction identifiers and payment status
Card token references (opaque tokens issued by Viva — never raw card numbers, which are not seen or stored by the middleware)

Operational and audit data

API request log: HTTP method, URL, status code, duration, the requesting IP address, and request/response bodies with sensitive values automatically redacted (see Section 7)
Admin access log: IP address, user agent, and route accessed for every administrative action performed on the middleware backend

4. Legal bases (GDPR Art. 6)

Purpose	Legal basis
Forwarding payment data to Viva Payments	Art. 6(1)(b) — performance of a contract between the merchant and Viva
Audit logging (API and admin)	Art. 6(1)(f) — legitimate interest in fraud prevention, security monitoring, and debugging
Database backups	Art. 6(1)(f) — legitimate interest in disaster recovery
Storing the merchant's contact email	Art. 6(1)(b) — performance of the data processing agreement (incident notification)

The middleware does not process personal data for analytics, profiling, marketing, product development, or any purpose beyond those listed above.

5. Recipients and sub-processors

Personal data processed by the middleware may be transmitted to the following entities:

Entity	Role	Location
Viva Payments	Sub-processor (and independent controller for payment / PSD2 / AML purposes)	Greece (EU)
Hetzner Online GmbH	Sub-processor — infrastructure (hosting and storage)	Helsinki, Finland (EU/EEA)
Let's Encrypt (ISRG)	TLS certificate issuance via the ACME protocol — receives only the domain name, no personal data	United States

The middleware does not use any analytics provider, monitoring SaaS (such as Sentry, Datadog, or Rollbar), log shipping service, content delivery network, or web application firewall in front of the public endpoint.

6. Storage location and retention

All persistent data resides on a single Hetzner Cloud server located in Helsinki, Finland (EU/EEA). No personal data is transferred outside the EEA by BitronDev (transfers to Viva Payments stay within the EU; the Let's Encrypt relationship does not involve personal data).

Data category	Retention
Registered site record	Until the merchant deregisters the site (see Section 9)
API request log	90 days, then automatically deleted
Admin access log	90 days, then automatically deleted
Encrypted database backups	30 days, then automatically deleted
Application error log files	14 days (rolling daily files)
Web server access log	Held only in volatile container memory; lost on restart

7. Security measures

Encryption in transit

All inbound traffic to viva.bitron.hu is served over TLS 1.3 with a certificate issued by Let's Encrypt.
All outbound traffic to Viva Payments uses TLS 1.3 with certificate verification enabled.
Internal traffic between the application and its database / cache stays within an isolated container network not exposed to the public internet.

Encryption at rest

Merchant Viva API credentials and webhook secrets are encrypted at the application layer using AES-256 (Laravel Crypt with the application key).
Database backups are encrypted with AES-256-CBC (PBKDF2 key derivation) before being written to disk; the encryption key is held separately from the backup files.
Per-site API keys are bcrypt-hashed (one-way) and cannot be recovered.
Disk-level encryption (LUKS) and database-level transparent encryption (TDE) are not currently enabled. Confidentiality at the host level relies on operating system access controls and the security of the hosting provider.

Logging redaction

The API request log automatically redacts the following field names (case-insensitive) from request and response bodies before they are written:

api_key, password, token, secret, client_secret, merchant_api_key, webhook_secret, card_token, card_number, pan, cvv, cvc, access_token, refresh_token, authorization, key.

HTTP headers (including Authorization) are not logged.

Access controls

The administrative web interface requires password authentication and every administrative action (login attempts, page views, deletions) is recorded in the admin access log.
Database backups and application log files reside on the host filesystem. BitronDev Kft personnel with infrastructure access (currently one person) are technically able to read all stored data; access at the operating system level is not separately audited. Hetzner Online GmbH, as the hosting provider, has infrastructure-level access (storage, snapshots) inherent to their service.

8. Data subject rights

Under the GDPR, data subjects have rights of access, rectification, erasure, restriction, portability, and objection. How to exercise these depends on the data category:

End customers (cardholders, shop visitors)

Please contact the WooCommerce shop you transacted with. They are the controller of your data and will work with us if access to forwarded data is required.

Merchants (registered sites)

Two channels are available:

Self-service via the plugin: GET /api/export-site-data returns all data the middleware holds about the requesting site; POST /api/deregister-site permanently erases all such data, including request logs and order mappings.
Email: info@bitron.hu. Identity verification will be required before any export or erasure is performed via this channel.

9. Security incident notification

If BitronDev becomes aware of a personal data breach affecting the middleware:

A preliminary notification will be sent to each affected merchant's registered contact email within 72 hours of awareness, even if the investigation is still ongoing.
A full report (root cause, scope, remediation) will follow within 7 days.
For sites that have not provided a contact email, notification will be attempted via the registered webhook URL on a best-effort basis.

10. Data Protection Officer

BitronDev Kft is not required to designate a Data Protection Officer under GDPR Art. 37 and has not done so. Data protection inquiries are handled by company management at info@bitron.hu.

11. Changes to this notice

Material changes will be reflected in the "Last updated" date at the top of this page. For substantive changes affecting the rights of data subjects or the scope of processing, registered merchants will additionally be notified by email at the address on file.