Privacy Policy
revievv.io
Effective date: 10 March 2026
Version: 2.1
§1. Data Controller
The data controller is Tomstack Tomasz Turek, with its registered address at ul. Szkolna 2K, 42-512 Preczów, Poland, Tax ID (NIP): 6010041104.
Contact: [email protected]
§2. What Data We Collect
2.1 User Account Data
- Email address (required upon registration)
- Password (stored exclusively as a bcrypt hash)
- Username / display name
- Organisation data (name, role within the organisation)
2.2 Data Generated During Use of the Service
- Files uploaded by the user (STEP models, PDF documents, images)
- Comments, pins, and discussion threads within a Review
- Review metadata (title, description, access settings, expiration date)
- Activity logs (login dates, IP addresses, browser type and operating system)
2.3 Data of Persons Invited to a Review (Reviewers)
Persons accessing a Review via link without holding an account do not provide us with any personal data, unless they enter their name or nickname in a comment or have been invited by email. In the case of an email invitation, we collect only the Reviewer's email address.
2.4 Technical Data and Cookies
- Session cookies (essential) — only on app.revievv.io (authentication, session)
- DataFast analytics cookies (require consent) — only on revievv.io (marketing website)
- Cookie consent logs: managed by Cookiebot (Cybot A/S, Denmark) — only on revievv.io
2.5 No Content Monitoring
The Service Provider does not monitor, scan, analyse, or evaluate the content of files uploaded by users to the Service. Files are stored, converted, and shared solely at the user's instruction for the purpose of providing the service.
§3. Legal Bases and Purposes of Processing
- Performance of a contract (Art. 6(1)(b) GDPR) — account management, service provision, payments
- Legitimate interest (Art. 6(1)(f) GDPR) — security, logs, abuse detection, marketing to existing customers
- Consent (Art. 6(1)(a) GDPR) — marketing to non-customers; analytics cookies
- Legal obligation (Art. 6(1)(c) GDPR) — tax and accounting regulations
§4. Data Processors (Sub-processors)
In order to provide the service, we entrust data to the following entities:
- Hetzner Online GmbH – VPS (Helsinki, Finland, EU)
- Cloudflare, Inc. – Cloudflare R2 (Europe), CDN/WAF. DPF certified + SCC
- Resend, Inc. – transactional email; USA. DPF certified + SCC
- Stripe, LLC (formerly Stripe, Inc.) – payments; USA. DPF certified + SCC. EMEA: Stripe Payments Europe, Limited (SPEL), Ireland
- DataFast (JustShipIt Pte. Ltd.) – analytics; Singapore. SCC. Requires cookie consent
- Cybot A/S (Cookiebot) – cookie consent management; Denmark (EEA)
Each entity processes data solely on our instruction and in accordance with a data processing agreement.
§5. Data Transfers Outside the EEA
Application server (VPS) — Finland (EU), no transfer.
Cloudflare, Stripe, Resend (USA) — EU-U.S. Data Privacy Framework (DPF) certification + SCC as an additional safeguard.
DataFast / JustShipIt Pte. Ltd. (Singapore) — no full adequacy decision. Transfer safeguarded by SCC.
Cookiebot / Cybot A/S — EEA, no transfer.
Note: The DPF Adequacy Decision (2023/1795) is in effect as of the date of publication. It was confirmed by the EU General Court judgment (T-553/23, Latombe). The appeal to the CJEU (C-703/25 P) does not suspend its validity.
§6. Data Retention Periods
- Account data: for the duration of the account + up to 5 years for accounting records
- Files uploaded to a Review: deleted promptly upon deletion of the Review or the account
- System logs: 90 days
- Backups: automatically rotated and deleted after 30 days. Used solely for full system recovery in the event of a failure; not used for restoring individual records. After account/Review deletion, data may remain in backups for up to 30 days.
- Analytics data (DataFast): 3–5 years; marketing data: until consent is withdrawn
§7. Data Subject Rights
You have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent at any time
Requests: [email protected]
Right to lodge a complaint: President of the Personal Data Protection Office, ul. Stanisława Moniuszki 1A, 00-014 Warszawa.
§8. Cookies
8.1 Essential Cookies
Session cookies for authentication and session management. No consent required (Art. 399(3) of the Electronic Communications Law — necessary for the provision of the service requested by the user).
8.2 Analytics Cookies — DataFast (revievv.io only)
The DataFast tool operates exclusively on the marketing website revievv.io. Analytics cookies:
- Activated only after consent (Cookiebot banner);
- Collect anonymised traffic and conversion data;
- Linked to Stripe revenue data (attribution);
- Not used for profiling or behavioural advertising;
- Do not track activity on app.revievv.io.
Legal basis: Art. 399(1)-(2) of the Electronic Communications Law in conjunction with Art. 400 ECL (reference to GDPR standards — Art. 6(1)(a) GDPR).
Change preferences: 'Cookie settings' in the website footer.
8.3 Consent Management — Cookiebot
Cookie banner: Cookiebot (Cybot A/S, Copenhagen, Denmark). Consent logs stored in the EEA.
§9. Data Security
- All communication via HTTPS/TLS
- Files on Cloudflare R2 with server-side encryption
- Passwords hashed with bcrypt
- Data isolation between organisations
- Session and permission verification on every API request
- VPS server in Finland (EU), managed by Hetzner
- No automatic scanning of file contents — processing is strictly technical
§10. Changes to the Privacy Policy
We will notify you of material changes by email or by an in-app notification at least 14 days in advance.
§11. Contact
- Email: [email protected]
- Address: Tomstack Tomasz Turek, ul. Szkolna 2K, 42-512 Preczów, Poland