Privacy Policy
This privacy policy explains which personal data we collect on https://www.revoke-button.com and how we process it. It complements our Terms of Service and our Data Processing Agreement for merchants.
1. Controller
The controller for the processing of personal data on this website within the meaning of the General Data Protection Regulation (GDPR) is:
P² Ventures UG (haftungsbeschränkt)
Krokusstr. 33
73663 Berglen
Germany
Email: kontakt@revoke-button.com
Please direct data protection requests to datenschutz@revoke-button.com.
2. Role assignment
On this platform, two different data-processing roles meet:
- For the withdrawal data that consumers submit via the form of a specific shop, the respective merchant is the controller (Art. 4(7) GDPR). We process this data exclusively on the merchant's behalf (Art. 28 GDPR). The conditions are set out in our Data Processing Agreement.
- For the merchant account data (login email, IP logs, shop master data, cookies), we are the controller. This processing is described below.
3. Website access (server logs)
Each time the site is accessed, our hosting provider automatically records technical data required to provide the website:
- IP address
- Date and time of the request
- URL requested and HTTP status code
- Browser type and operating system (user agent)
- Referrer URL
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a secure and stable service). Retention period: up to 30 days, then automatic deletion by the hosting provider.
4. Withdrawal form (on the merchant's behalf)
When you, as a consumer, submit a withdrawal through a shop's withdrawal form, we process the following data:
- Name
- Email address
- Order number and, if provided, order date
- Optional comment
- Audit data (IP address, user agent, time of receipt) for proof of withdrawal receipt
Purpose: Fulfilment of the merchant's statutory obligation under § 356a (1) German Civil Code (implementing Article 11 of EU Directive 2011/83/EU) to confirm receipt of your withdrawal declaration, as well as documentation for evidence purposes.
Legal basis: Art. 6(1)(c) GDPR (legal obligation of the merchant) in conjunction with Art. 28 GDPR (processing on our part). Retention period: Determined by the respective merchant (legally recommended: until the end of the warranty period or statutory tax retention period, typically 2–10 years). Personal data fields are then anonymised.
5. Receipt confirmation by email
After you submit your withdrawal, we send an automatic receipt confirmation containing the case details to the email address provided. This email is not an acknowledgement of your right of withdrawal — it serves documentation purposes only.
These emails contain no tracking pixels and no click-tracking links. It is not detectable whether or when you opened them.
6. Merchant account and login
When you, as a shop owner, create an account, we process your email address for authentication. We use a passwordless method ("magic link"): for each login, we send you a single-use sign-in link by email.
Legal basis: Art. 6(1)(b) GDPR (performance of the usage contract). Retention period: until you delete your account.
7. Cookies
We use only strictly necessary cookies required for the operation of the service:
- Session cookies (Supabase Auth): keep you logged in after authentication. Deleted as soon as you sign out or close your browser.
We do not set tracking, marketing or analytics cookies. Therefore, consent under § 25 (1) TDDDG (German Telecommunications-Telemedia Data Protection Act) is not required (exception under § 25 (2) no. 2 TDDDG).
8. Anti-spam (rate limiting)
To protect against abuse, we limit the number of requests per IP address per time period. To do so, we briefly store (max. 1 hour) a hash of your IP in an in-memory store (Upstash Redis, EU region).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against spam and denial-of-service attacks).
9. Recipients / processors
We engage the following processors (Art. 28 GDPR). We have concluded corresponding contracts with all of them:
- Vercel Inc.
  - Hosting of the web application (Next.js)
  - Location: Ireland (EU) / USA · Privacy Policy · DPA
- Supabase Inc.
  - Database hosting (PostgreSQL) and authentication
  - Location: Frankfurt am Main (EU) · Privacy Policy · DPA
- Emailit
  - Sending of transactional emails (receipt confirmations)
  - Location: EU · Privacy Policy · DPA
- Upstash Inc.
  - Rate limiting (Redis), for spam protection
  - Location: EU (Ireland) · Privacy Policy · DPA
10. Transfers to third countries
Where data is transferred to providers based outside the EU/EEA (e.g. Vercel, Upstash), this is done on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and additional technical measures such as encryption in transit. Data processing itself takes place primarily in EU data centres.
11. Your rights
At any time, you have the following rights:
- Access to your stored data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure ("right to be forgotten", Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent given, with effect for the future
For withdrawal data stored on behalf of a merchant, please contact the respective merchant first. We will forward requests as necessary.
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is generally the supervisory authority at your place of residence or at our registered office.
12. Data security
We employ state-of-the-art technical and organisational measures: TLS encryption of all communications, encrypted storage of credentials, database-level access control (row-level security), regular backups and automatic anonymisation after retention periods expire.
13. Changes to this policy
We update this privacy policy when legal requirements or our processing activities change. The current version is always available on this page.