Privacy Policy

Last updated: January 21, 2026

This Privacy Policy explains how RevCut ("the Service", "we") collects, processes, and protects personal data in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Federal Data Protection Act (BDSG). It applies to account holders, their team members, and external reviewers using the Service.

1. Responsible Entity (Controller)

The controller responsible for the processing of personal data on this Service is:
Frankie Doguet
Buschhüttener Weg 2, 13583 Berlin, Germany
Email: fd@aegir.studio
Full contact details are available in the Legal Notice (Impressum).

RevCut is operated as a sole proprietorship (Einzelunternehmen) and is not required to appoint a Data Protection Officer under § 38 BDSG. For any privacy-related question or request, please contact the email above.

2. Data We Collect & Purposes of Processing

We collect only the data strictly necessary to operate the Service.

2.1 Account Data

  • Data: email address, hashed password (bcrypt), display name, account creation date, subscription plan, Stripe customer ID.
  • Purpose: account creation, authentication, billing, customer support.
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Retention: for the duration of the account. Upon deletion or subscription cancellation, account data is permanently erased within 30 days, except where statutory retention obligations apply (e.g. invoicing records under § 147 AO — 10 years).

2.2 Uploaded Content (Videos, Comments, Metadata)

  • Data: video files, audio, thumbnails, comments, timecode annotations, project titles, status labels.
  • Purpose: operating the review and collaboration workflow.
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • AI training: uploaded content is never used to train machine learning or generative AI models, by us or by our sub-processors.
  • Retention: for the duration of the subscription, subject to the deletion events described in our Terms of Service (trial expiration, cancellation, payment failure, RevTransfer 7-day lifetime).

2.3 Reviewer Email Addresses

  • Data: email addresses of external reviewers invited by the account holder to view and comment on videos.
  • Purpose: sending share links, notifications, and digests; autocomplete of recurring recipients on share forms.
  • Legal basis: legitimate interest of the account holder (Art. 6(1)(f) GDPR) in operating their professional review workflow. The account holder is responsible for obtaining any necessary consent from their own reviewers under applicable law.
  • Retention: for the lifetime of the related project, or until the account holder removes the address or deletes their account.

2.4 Usage & Technical Data

  • Data: aggregate and anonymous analytics (page views, device type, referrer) via Umami; session metadata (connected device, last login); server logs at the infrastructure level (IP, request path, timestamp) via Cloudflare, retained short-term for security.
  • Purpose: service operation, security, abuse prevention, product improvement.
  • Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Retention: Umami data is aggregated and cookieless; Cloudflare infrastructure logs are retained according to Cloudflare's policy (typically up to 30 days).

2.5 Blacklist (Trial Abuse Prevention)

  • Data: email addresses of accounts whose free trial expired without subscription, and accounts deleted via killswitch.
  • Purpose: preventing repeated trial abuse by the same user.
  • Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in protecting the Service from fraudulent use.
  • Retention: the blacklist entry is retained indefinitely unless the user requests erasure with legitimate grounds. The user may request removal at any time by contacting the controller.

2.6 Payment Data

  • Data: Stripe customer ID, subscription ID, invoice history, billing email.
  • Purpose: processing payments, issuing invoices, tax compliance.
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR); compliance with legal obligations (Art. 6(1)(c) GDPR) for tax and accounting retention.
  • Credit card data is never seen or stored by RevCut. It is processed directly by Stripe.
  • Retention: invoice records are retained for 10 years in accordance with German tax law (§ 147 AO).

3. Data Hosting & Server Location

Your video files and account data are stored on Cloudflare infrastructure with the region setting restricted to "EU / Western Europe". Physical storage takes place within the European Union, primarily in Frankfurt, with possible secondary locations in Amsterdam or Paris depending on Cloudflare routing. No active user data is stored on US-based servers.

4. Sub-processors

We rely on the following sub-processors to operate the Service. All sub-processors are bound by data processing agreements under Art. 28 GDPR:

  • Cloudflare, Inc. (USA, with EU jurisdictional setting): infrastructure, hosting, object storage (R2), database (D1), CDN, DDoS protection. Transfers to the US, where applicable, are secured by the EU Standard Contractual Clauses (SCCs) and Cloudflare's participation in the EU-U.S. Data Privacy Framework.
  • Stripe Payments Europe Ltd. (Ireland, with US parent): subscription and payment processing. Cross-border transfers are secured by SCCs.
  • Resend (Delaware, USA): transactional email delivery (authentication links, notifications, digests). Transfers to the US are secured by SCCs.
  • Umami Software, Inc. (EU-hosted instance): cookieless, privacy-focused analytics. No cross-border transfer.
  • Instatus (Portugal, EU): public status page monitoring; does not receive personal user data.

An up-to-date list of sub-processors is maintained and available on request. A Data Processing Agreement (DPA / AVV) under Art. 28 GDPR between the account holder and RevCut is available on request for business customers.

5. International Data Transfers

Certain sub-processors are headquartered in the United States (Cloudflare, Stripe, Resend). Where such transfers occur, they are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework, in accordance with Art. 44 and following of the GDPR. RevCut has configured its infrastructure to keep active user data physically stored within the EU wherever technically possible.

6. Your Rights Under the GDPR

As a data subject, you have the following rights under Art. 15 to 22 GDPR:

  • Right of access (Art. 15): obtain confirmation and a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): delete your account and all associated data directly from your account settings. This action is immediate and irreversible.
  • Right to restriction of processing (Art. 18): request that we limit processing in specific circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format, or request transmission to another controller.
  • Right to object (Art. 21): object to processing based on legitimate interests, including for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, please email fd@aegir.studio. We respond within 30 days in accordance with Art. 12(3) GDPR.

7. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

The competent authority for RevCut is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin, Germany
www.datenschutz-berlin.de

8. Cookies, Local Storage & Tracking

RevCut does not use advertising cookies, tracking pixels, or cross-site tracking technologies.

  • Essential local storage: We use browser Local Storage to maintain your authenticated session (JWT) and user preferences. This is strictly necessary for the Service to function and does not require consent under § 25(2) TTDSG.
  • Analytics: We use Umami, a cookieless, privacy-first analytics tool hosted in the EU. No personal data and no persistent identifiers are collected. No consent banner is required.

9. Security Measures

We implement appropriate technical and organizational measures (TOM) in accordance with Art. 32 GDPR:

  • Data in transit: TLS 1.3 (fallback TLS 1.2), HSTS, modern cipher suites.
  • Data at rest: AES-256 encryption for object storage and database (Cloudflare-managed).
  • Passwords: bcrypt with salt; never stored in plain text.
  • Session management: cryptographically signed JWTs; device/session limits per plan.
  • Infrastructure security: Cloudflare DDoS protection, WAF, and rate limiting.
  • Operational security: serverless architecture (no server maintenance surface); minimal sub-processor footprint.

10. Children's Privacy

RevCut is a professional tool intended for users aged 18 or older. We do not knowingly collect personal data from children under the age of 16. If you believe a minor has created an account, please contact us so we may remove the account.

11. Data Breach Notifications

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, RevCut will notify the competent supervisory authority within 72 hours in accordance with Art. 33 GDPR, and will notify affected users directly where the breach is likely to result in a high risk, in accordance with Art. 34 GDPR.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. Material changes will be communicated by email to active account holders at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent version.

13. Contact

For any privacy-related question, request to exercise your rights, or to request a Data Processing Agreement (DPA), please contact: fd@aegir.studio

© 2026 RevCut. | byFD.cc / ununiform.cc