Privacy Policy / Datenschutzerklärung

1. Introduction / Einleitung

This Privacy Policy explains how ReviveMoments (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our website at revivemoments.co and our related services (collectively, the “Service”).

We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and all other applicable data protection laws.

Controller / Verantwortlicher:
ReviveMoments
Tom Alexander Knüppel (Einzelunternehmen)
Schäferbrücke 9, 24568 Kaltenkirchen, Deutschland
Email: support@revivemoments.co

2. Data We Collect

2.1 Data You Provide Directly

• Email address — Account creation, service delivery, billing (Art. 6(1)(b) GDPR)
• Payment information — Processing transactions (Art. 6(1)(b) GDPR)
• Photos / Images — Core service – animation generation (Art. 6(1)(b) GDPR)
• Name (if provided) — Account personalization (Art. 6(1)(b) GDPR)
• Communication content — Support and customer service (Art. 6(1)(f) GDPR)

2.2 Data Collected Automatically

• IP address — Security, fraud prevention (Legitimate interests)
• Browser type, OS, device identifiers — Service improvement (Consent)
• Pages visited and time spent — Service improvement (Consent)
• Referring URLs — Marketing optimization (Consent)
• Cookies and similar tracking technologies — See Section 5 (Consent)
• Purchase behavior — Fraud prevention, analytics (Legitimate interests)

2.3 Photos and Media

When you upload photos to our Service:

• Photos are used exclusively to generate animated videos
• Photos are stored securely on EU servers (Supabase)
• We do not use your photos to train models
• We do not sell, license, or share your photos with third parties
• Temporary uploads not resulting in a purchase are deleted within 24 hours
• Photos are retained until you delete them or close your account

3. How We Use Your Data

Service Delivery: Processing orders, generating animated videos, delivering account access, providing support, sending transactional emails.

Billing: Processing payments, preventing fraud, maintaining billing records, sending renewal reminders.

Communications: Service notifications, renewal reminders (min. 7 days before renewal), responding to inquiries.

Analytics: Understanding user interactions, improving features, analyzing traffic, A/B testing.

Marketing: Measuring ad effectiveness, retargeting (with consent), conversion tracking.

Legal Compliance: Applicable laws, tax records, legal requests.

4. Third-Party Services

4.1 Supabase (Database & Auth)

Provider: Supabase Inc. | Data Location: EU | SOC 2 Type 2 certified, AES-256 at rest, TLS 1.2+ | Privacy Policy

4.2 Stripe (Payments)

Provider: Stripe, Inc. (EU: Stripe Payments Europe, Dublin) | PCI DSS Level 1 | We never store card data | Retention: 7 years (financial regulations) | Privacy Policy

4.3 Meta / Facebook Pixel & Conversions API

Provider: Meta Platforms Ireland Ltd. | Pixel: page views, events, hashed email (SHA-256), cookies | CAPI: hashed email, purchase events, IP | Legal Basis: Consent | Opt-Out

4.4 Google Analytics

Provider: Google Ireland Ltd. | IP anonymization enabled | Data retention: 14 months | Legal Basis: Consent | Opt-Out

4.5 Microsoft Clarity

Provider: Microsoft (EU: Microsoft Ireland) | Heatmaps, session recordings (anonymized), sensitive fields auto-masked | Legal Basis: Consent | Privacy Policy

4.6 Resend (Email)

Provider: Resend Inc. | Transactional emails via Amazon SES (EU West) | Privacy Policy

4.7 Higgsfield (Animation)

Photos transmitted solely for animation. Not used to train models. | Privacy Policy

4.8 Replicate (Upscaling & Colorization)

Photos transmitted for enhancement features. | Privacy Policy

4.9 Vercel (Hosting)

Server logs, request metadata, performance data. | Privacy Policy

5. Cookies and Tracking

Strictly Necessary (always active)

• rm_session — Session during purchase flow
• rm_variant — A/B test assignment (30 days)
• stripe_mid / stripe_sid — Fraud prevention (Stripe)

Analytics (require consent)

• _ga, _ga_*, _gid — Google Analytics
• _clck, _clsk, CLID — Microsoft Clarity

Marketing (require consent)

• _fbp, _fbc — Meta / Facebook (90 days)

6. Your Rights

GDPR (EU/UK)

• Access (Art. 15) — Request a copy of your data
• Rectification (Art. 16) — Correct inaccurate data
• Erasure (Art. 17) — Request deletion
• Restriction (Art. 18) — Restrict processing
• Portability (Art. 20) — Receive data in machine-readable format
• Object (Art. 21) — Object to legitimate interest processing
• Withdraw Consent (Art. 7(3)) — Withdraw consent at any time

Complaints: BfDI (DE) | ICO (UK)

CCPA (California)

• Right to Know — Request info about collected data
• Right to Delete — Request deletion
• Right to Opt-Out — We do not sell data. Opt out of ad sharing via cookie consent.
• Non-Discrimination — No discrimination for exercising rights

Exercise rights: support@revivemoments.co — Response within 30 days (GDPR) / 45 days (CCPA).

7. Data Retention

• Account data — Duration of account + 30 days after deletion
• Photos and videos — Until you delete them or close your account
• Purchase history — 7 years (tax/accounting)
• Email communications — 3 years
• Server logs — 90 days
• Analytics data — 14 months

8. Data Security

• TLS 1.2+ encryption in transit (HTTPS)
• AES-256 encryption at rest
• Payment data handled exclusively by Stripe (PCI DSS Level 1)
• Access restricted to authorized personnel with confidentiality agreements
• SOC 2 Type 2 compliant infrastructure
• Row-level security in database
• Breach notification within 72 hours to authorities

9. International Data Transfers

Some providers are outside the EEA. We ensure safeguards via Standard Contractual Clauses (SCCs) for: Stripe, Google, Microsoft, Meta, Resend, Vercel. Primary storage (Supabase) uses EU servers.

10. Subscription Renewals

• Reminder email at least 7 days before renewal
• Cancel anytime through account settings
• Cancellation effective at end of billing period

11. Children's Privacy

Our Service is not directed to children under 16 (13 in the US). Contact support@revivemoments.co if you believe we have collected data from a child.

12. Changes to This Policy

We may update this policy. Material changes will be posted with a new date and emailed to registered users.

13. Contact Us

ReviveMoments — Tom Alexander Knüppel
Schäferbrücke 9, 24568 Kaltenkirchen, Deutschland
Email: support@revivemoments.co

We respond to privacy inquiries within 5 business days.

14. Legal Basis Summary (GDPR)