19.01.2026

Privacy

Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Vault Fleet Solutions GmbH (Revault)
Wiesenstr. 46
20255 Hamburg
Website: https://revaultapp.co
Email: privacy@revaultapp.co
Represented by Managing Director Belal Suma.

If we appoint a Data Protection Officer, their contact details will be published on this page as well.

2. Purposes and legal bases of processing

We process personal data when you visit our website and use our services for the following purposes:

  • Providing and technically delivering the website revaultapp.co.
  • Ensuring stability, performance and IT security (e.g. defending against attacks).
  • Handling contact requests and general communication.
  • Preparing and performing contractual relationships (in particular B2B SaaS contracts for the Revault platform).
  • Optionally: sending information about our products and services, where you have consented.

Legal bases:

  • Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract).
  • Art. 6(1)(f) GDPR (legitimate interests such as operating a secure and functional website, improving our services).
  • Art. 6(1)(a) GDPR (consent, e.g. for optional cookies or newsletters).
  • Art. 6(1)(c) GDPR (compliance with legal obligations, e.g. retention duties).

We do not intentionally process special categories of personal data (Art. 9 GDPR) via the website unless you voluntarily provide such data in exceptional cases.

3. Visiting our website (server log files)

When you access https://revaultapp.co, our web server automatically records the following information:

  • IP address of the requesting device.
  • Date and time of access.
  • Requested URL and HTTP status code.
  • Amount of data transferred.
  • Referrer URL (previously visited page, if transmitted).
  • Browser type, browser version and operating system.

This data is technically necessary to display the website, ensure stability and security, and detect and investigate potential attacks or malfunctions.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating a secure and stable website).

Storage period: Log data is generally stored for 30 to a maximum of 90 days and then deleted, unless a longer retention period is necessary in an individual case (e.g. for investigating a security incident).

4. Contacting us (form, email, phone)

If you contact us (e.g. via a contact form on the website, by email or by phone), we process the data you provide:

  • First and last name.
  • Contact details (e.g. email address, phone number).
  • Company name (if applicable).
  • Content of your message or request.

Purposes:

  • Handling and responding to your enquiry.
  • Communication in the context of existing or potential contractual relationships.

Legal bases:

  • Art. 6(1)(b) GDPR (pre‑contractual or contractual communication).
  • Art. 6(1)(f) GDPR (legitimate interest in efficiently handling enquiries).

Storage period: We store this data for as long as necessary to handle your request and for any follow‑up questions, provided there are no conflicting statutory retention obligations. For business‑related correspondence, we generally retain data in line with commercial and tax law retention periods (usually 6 or 10 years).

5. Cookies and similar technologies

Our website may use cookies and similar technologies (e.g. local storage). Cookies are small text files stored on your device.

Types of cookies:

  • Strictly necessary cookies: Required to provide core functionalities of the website (e.g. session cookies, security cookies, language settings). Without these cookies the website may not function properly.
  • Optional cookies (e.g. analytics, marketing): Help us understand how the website is used or optimise marketing efforts. These cookies are used only with your prior consent.

Legal basis:

  • Strictly necessary cookies: Art. 6(1)(f) GDPR (legitimate interest in providing a functional website).
  • Optional cookies: Art. 6(1)(a) GDPR (consent).

You can manage your preferences via the consent banner and withdraw consent at any time with effect for the future. You can also disable or delete cookies in your browser settings, but in that case some parts of the site may not function correctly.

If you use a specific analytics tool (e.g. Plausible, Matomo), you should add a dedicated subsection describing that tool’s purpose, data collected, storage period and opt‑out options.

6. Use of the Revault platform (B2B SaaS)

Where access to the Revault platform (e.g. demo or live accounts) is initiated via the website, we process the following data in particular in the context of the contractual relationship:

  • Contact and account data of business users (name, business contact details).
  • Login data (login email, hashed passwords, roles/permissions).
  • Usage and metadata (e.g. last login, features used, technical logs).

Purposes:

  • Setting up and managing customer accounts.
  • Providing the agreed SaaS services.
  • Ensuring availability, performance and security of the platform.

The legal basis is Art. 6(1)(b) GDPR (performance of a contract with our business customers) and, with respect to administrative and security‑related processing, Art. 6(1)(f) GDPR.

Details of data processing within the Revault platform (including tenant data uploaded by our customers) are further governed by separate Data Processing Agreements (DPA/AVV) with our business customers.

7. Recipients of data / processors

To provide our website and services, we use carefully selected service providers acting as processors on our behalf. They are contractually bound under Art. 28 GDPR to process data only in accordance with our instructions and to implement appropriate technical and organisational measures.

Key processors include in particular:

  • Amazon Web Services EMEA SARL (AWS)
    Purpose: Cloud infrastructure (Infrastructure‑as‑a‑Service / Platform‑as‑a‑Service) for hosting, databases, storage and other fundamental services required to run the Revault platform and this website.
    Location/region: Data is processed in data centre regions within the EU, currently eu‑central‑1 (Frankfurt).
    Responsibilities: AWS is responsible for the security of the underlying cloud infrastructure (“security of the cloud”), while we are responsible for the configuration and data processing within that infrastructure (“security in the cloud”).
    Safeguards: International data transfers within the AWS group are governed by Standard Contractual Clauses and/or Binding Corporate Rules, as set out in AWS’s data processing terms.
  • Render Services, Inc.
    Purpose: Additional cloud infrastructure (hosting specific services/components of the Revault platform).
    Processing: Primarily within the EU; any international transfers are protected by suitable safeguards (in particular Standard Contractual Clauses and, where applicable, Binding Corporate Rules).
  • Twilio Ireland Limited (SendGrid)
    Purpose: Delivery of transactional emails (e.g. system notifications, confirmation emails) triggered by the Revault platform on behalf of our customers.
    Data processed: Email addresses, subject lines, email content and delivery/usage metadata.
    Safeguards: Twilio relies inter alia on the EU‑U.S. Data Privacy Framework as well as Standard Contractual Clauses and, where applicable, Binding Corporate Rules for data transfers outside the EEA.
  • Functional Software, Inc. (Sentry)
    Purpose: Real‑time error tracking, crash reporting and performance monitoring of our web applications to improve stability and quality.
    Data processed: Primarily technical usage data (e.g. anonymised or pseudonymised user identifiers, IP address, URL, timestamps, stack traces). We configure Sentry to minimise the amount of personal data processed (data minimisation, scrubbing).
    Safeguards: Sentry is certified under the EU‑U.S. Data Privacy Framework and additionally relies on Standard Contractual Clauses as a legal mechanism for international transfers.

We may provide an up‑to‑date list of processors upon request. In our contracts with business customers, we set out notification and objection rights in relation to changes to our sub‑processor list.

8. Data transfers to third countries

Some of the service providers mentioned above are located outside the European Union (EU) or the European Economic Area (EEA), particularly in the United States. In such cases, we ensure an adequate level of data protection before any personal data is transferred:

  • Existence of an adequacy decision by the European Commission (e.g. EU‑U.S. Data Privacy Framework).
  • Use of the current EU Standard Contractual Clauses, supplemented by additional contractual, technical and organisational safeguards.
  • Where appropriate, pseudonymisation and encryption of data before transfer.

You may contact us at any time for more information about the safeguards applied to specific transfers.

9. Storage periods and deletion

We process and store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations.

Criteria for storage periods include:

  • Purpose limitation: when the original purpose no longer applies (e.g. once your enquiry has been fully processed).
  • Statutory obligations: commercial and tax law retention periods (usually 6 or 10 years).
  • Limitation periods: in order to assert or defend legal claims, data may be retained temporarily for the duration of relevant limitation periods.

Once the respective legal bases or retention periods no longer apply, the data will be deleted or, where deletion is not technically feasible, anonymised.

10. Your rights as a data subject

Under the GDPR, you have in particular the following rights:

  • Right of access (Art. 15 GDPR): to obtain confirmation whether we process personal data relating to you and, if so, access to that data.
  • Right to rectification (Art. 16 GDPR): to have inaccurate data corrected and incomplete data completed.
  • Right to erasure (Art. 17 GDPR): to request the deletion of your personal data under certain conditions (“right to be forgotten”).
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR): to receive certain data in a structured, commonly used and machine‑readable format or to have it transmitted to another controller.
  • Right to object (Art. 21 GDPR): to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): to withdraw your consent at any time with effect for the future.
  • Right to lodge a complaint (Art. 77 GDPR): to lodge a complaint with a data protection supervisory authority if you believe that processing your data infringes data protection law.

You can exercise your rights at any time by contacting us via the contact details provided above.

11. Obligation to provide data

Some data (e.g. IP address, browser data) is technically necessary to access and use our website. Without this data, the website cannot be provided.

When using contact forms or email, certain information is required to process your request (mandatory fields).

In the context of contractual relationships, provision of certain personal data may be necessary because we would otherwise be unable to enter into or perform the contract.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example if legal requirements or our data processing activities change. The current version will always be available on https://revaultapp.co.