Privacy Policy

Last updated: 13 August 2025

This Privacy Policy describes how revviews UG (haftungsbeschränkt) ("we", "us", or "our") collects, uses, and protects your personal data when you use our services at revviews.org, including the Marketplace and Review Assistant.

1. Controller

Data Controller: revviews UG (haftungsbeschränkt)

Address: Alleebüchelweg 15, 82538 Geretsried, Germany

Managing Director: Dr. Dominik Lentrodt

Contact: [email protected]

2. Personal Data We Process

2.1 Account and Identity Data

  • Email address, name, and profile information (via Supabase Auth)
  • Account preferences and settings
  • Login credentials and authentication data

2.2 Payment and Financial Data

  • Payment method information (processed by Paddle Billing)
  • Transaction history and billing information
  • Tax identification numbers (for business users)
  • Bank account details (for payouts to reviewers)

Payment processing: Payments are securely processed by Paddle. We do not store full credit card numbers on our servers. We retain only transaction identifiers and billing metadata required for accounting and tax compliance.

2.3 Content and Usage Data

  • Documents uploaded for review (manuscripts, reviews)
  • AI prompts and generated content
  • Usage patterns and feature interactions
  • Communication with other users (marketplace)

2.4 Technical Data

  • IP addresses and device information
  • Browser type and version
  • Operating system and device identifiers
  • Error logs and performance data

3. Purposes and Legal Bases

3.1 Marketplace Services

  • Contract Performance (Art. 6(1)(b) GDPR): Processing payments, facilitating review transactions, managing escrow
  • Legal Obligation (Art. 6(1)(c) GDPR): Tax reporting, invoice generation, financial record keeping
  • Legitimate Interest (Art. 6(1)(f) GDPR): Fraud prevention, security monitoring, service improvement

3.2 Review Assistant Subscription

  • Contract Performance (Art. 6(1)(b) GDPR): Providing AI services, managing subscriptions
  • Legitimate Interest (Art. 6(1)(f) GDPR): Service optimization, usage analytics

3.3 Marketing and Communication

  • Consent (Art. 6(1)(a) GDPR): Marketing emails, newsletters
  • Legitimate Interest (Art. 6(1)(f) GDPR): Service announcements, security updates

3.4 Service Analytics and Improvement

  • Legitimate Interest (Art. 6(1)(f) GDPR): Aggregate and anonymized analysis of feature usage and performance to improve the Service. Personal content is not used to train foundation models.

4. Data Processors and Third-Party Services

4.1 Essential Service Providers

  • Paddle (UK): Payment processing and financial services
  • Supabase Inc. (USA): Cloud hosting and database services
  • Anthropic (USA): AI processing services (only with user input)
  • Resend, Inc. (USA/EU): Transactional email delivery
  • Cloudflare, Inc. (USA): Cloud hosting, CDN, DNS, and security services

4.2 Data Transfer Safeguards

For transfers outside the EU/EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs)
  • Additional technical and organizational safeguards
  • Regular security assessments

4.3 AI Processing and Data Use

When you use AI features, your prompts and content are transmitted to our AI providers (e.g., OpenAI, Anthropic) to generate responses. We do not permit these providers to use your data submitted via API for training their foundation models. Providers may retain logs for a limited period to monitor abuse and ensure service reliability, as described in their privacy policies.

5. Data Retention Periods

5.1 Account Data

  • Active accounts: Retained until account deletion
  • Inactive accounts: Deleted after 12 months of inactivity
  • Financial records: Retained for 10 years (legal requirement)

5.2 Content Data

  • AI processing data: Deleted after 30 days unless saved by user
  • Uploaded documents: Retained until user deletion or account closure
  • Review content: Retained for 12 months after transaction completion

6. Your Rights (GDPR Art. 15-22)

  • Right of Access: Request information about your personal data
  • Right of Rectification: Correct inaccurate or incomplete data
  • Right of Erasure: Request deletion of your personal data
  • Right of Restriction: Limit processing of your data
  • Right of Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing communications

7. Cookies and Tracking

We use cookies for:

  • Essential cookies: Authentication, CSRF protection, session management
  • Analytics cookies: Service improvement (only with consent)
  • Marketing cookies: Personalized content (only with consent)

8. Security Measures

  • Encryption of data in transit and at rest
  • Regular security audits and penetration testing
  • Access controls and authentication mechanisms
  • Incident response procedures

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via email or through our website. Continued use of our services after changes constitutes acceptance of the updated policy.

10. Contact Information

For questions about this Privacy Policy or to exercise your rights, contact us:

  • Email: [email protected]
  • Address: Alleebüchelweg 15, 82538 Geretsried, Germany
  • Supervisory Authority: You have the right to lodge a complaint with your local data protection authority

11. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Children's Privacy

Our services are not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will take appropriate action.

13. Automated Decision-Making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. Fraud and abuse monitoring may involve automated signals, followed by human review where necessary.