Personal Data Protection and Privacy Policy
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (GDPR Art. 4(1); KVKK Art. 3(1)(d)) |
| Controller | The natural or legal person that determines the purposes and means of processing personal data (GDPR Art. 4(7); KVKK Art. 3(1)(ı)) |
| Processor | A natural or legal person that processes personal data on behalf of the controller (GDPR Art. 4(8); KVKK Art. 3(1)(ğ)) |
| Processing | Any operation performed on personal data, including collection, recording, storage, transfer, etc. (GDPR Art. 4(2)) |
| Data Subject | The natural person to whom the personal data relates (GDPR Art. 4(1); KVKK Art. 3(1)(e)) |
| GDPR | EU General Data Protection Regulation (EU) 2016/679 |
| KVKK | Law No. 6698 on the Protection of Personal Data (Turkey) |
| SCC | Standard Contractual Clauses under GDPR Art. 46(2)(c) |
2. Scope
This Policy applies to the website and SaaS platform ("Platform") operated by RevBP under the domain revbp.com and its subdomains. The Platform is directed exclusively at commercial customers (B2B); no services are offered directly to individual consumers.
This Policy does not cover third-party websites or services to which the Company may provide links. RevBP is not responsible for the privacy practices of such third parties.
3. Identity and Contact Details of the Data Controller
Company name: Revolution Brand Protection
Short name: RevBP
Data protection contact: privacy@revbp.com
All requests, questions, and complaints regarding the processing of your personal data should be directed to the e-mail address above.
4. Personal Data Processed, Purposes, and Legal Bases
The Company processes the categories of personal data listed below for the stated purposes and on the stated legal bases. No personal data is processed for longer or to a greater extent than the purpose requires.
| Category | Data Elements | Purpose | Legal Basis |
|---|---|---|---|
| Identity & account data | Name, corporate e-mail address, hashed password | Authentication, account management, and Platform access control | Performance of contract — GDPR Art. 6(1)(b); KVKK Art. 5(2)(c) |
| Usage & technical data | IP address, browser type, session duration, pages accessed | Platform security, abuse detection, service quality improvement | Legitimate interests — GDPR Art. 6(1)(f); KVKK Art. 5(2)(f) |
| Brand & monitoring data | Customer-defined brand names, logo URLs, scan results, detected infringement records | Brand infringement detection, takedown management, and reporting | Performance of contract — GDPR Art. 6(1)(b); KVKK Art. 5(2)(c) |
| Communication data | E-mail correspondence, support requests, notification content | Customer support, service notifications, and operational communications | Performance of contract — GDPR Art. 6(1)(b); KVKK Art. 5(2)(c) |
| Billing & payment data | Billing address, tax identification number; payment card data is not processed by RevBP | Invoicing, accounting, and statutory reporting obligations | Legal obligation — GDPR Art. 6(1)(c); KVKK Art. 5(2)(ç) |
5. Disclosure and International Transfer of Personal Data
The Company does not sell or transfer personal data to third parties for commercial purposes. Personal data is shared solely with the processors listed below and exclusively for the purpose of delivering the service. Each processor is bound by a data processing agreement under GDPR Art. 28 or the equivalent KVKK instrument.
| Processor | Service | Location | Transfer Safeguard |
|---|---|---|---|
| Resend Inc. | E-mail delivery (takedown notifications, system alerts) | USA | Standard Contractual Clauses (SCC) — GDPR Art. 46(2)(c) |
| OVHcloud SAS | Infrastructure hosting and server services | EU / France (Roubaix, Gravelines) | Intra-EU processing; GDPR applies directly |
| Cloudflare Inc. | DDoS protection, content delivery network (CDN), DNS management | USA | Standard Contractual Clauses (SCC); Cloudflare GDPR Compliance Certificate |
Personal data may be disclosed to competent public authorities upon written request or where required by law or judicial order. Where feasible, the data subject will be notified when such disclosure occurs.
6. Retention and Erasure of Personal Data
Personal data is retained only for as long as required by the processing purpose. Once the retention period expires or the legal basis ceases to exist, data is irreversibly erased or anonymised.
| Category | Retention Period |
|---|---|
| Account and identity data | For the duration of the active account; erased within 30 days of account deletion |
| Scan and detection records | Maximum 2 (two) years from the termination of the service agreement |
| Access and security logs | Maximum 90 (ninety) calendar days |
| Invoicing and accounting records | 10 (ten) years pursuant to applicable tax and accounting legislation |
| Cookie consent records | Until consent is withdrawn or account is deleted; in any event not exceeding 3 (three) years |
| Support correspondence | 2 (two) years from the last communication |
7. Technical and Organisational Security Measures
The Company is obliged to implement appropriate technical and organisational measures to protect personal data under GDPR Art. 32 and KVKK Art. 12. The principal measures applied include:
- End-to-end encryption of all data transmissions using TLS 1.2 or higher
- Password hashing using the bcrypt algorithm; no plaintext passwords are stored
- Authentication via short-lived JWT bearer tokens; no cookie-based session management
- Database access restricted to authorised services only, in accordance with the principle of least privilege
- Regular penetration tests and vulnerability scans
- Mandatory data privacy training and confidentiality agreements for all staff
- Maintenance and periodic audit of access logs
For procedures applicable in the event of a security incident, see Section 13.
8. Rights of Data Subjects
Data subjects have the following rights under GDPR Arts. 15–22 and KVKK Art. 11:
To exercise your rights, please write to privacy@revbp.com with information sufficient to verify your identity. Requests will be responded to within thirty (30) calendar days in accordance with GDPR Art. 12 and KVKK Art. 13; this period may be extended to sixty (60) days where the request is complex, with reasons given.
9. Cookies and Similar Tracking Technologies
As at the effective date of this Policy, the RevBP Platform does not use HTTP cookies. Session identifiers are stored in the user's browser localStorage as an encrypted JWT; this storage method is not technically a cookie and is not subject to Art. 5(3) of Directive 2002/58/EC (the ePrivacy Directive).
| Cookie Type | Current Status | Legal Basis | Maximum Duration | Termination |
|---|---|---|---|---|
| Strictly necessary | Not in use | — | — | — |
| Analytics cookies | Not yet active | If introduced: Explicit consent — GDPR Art. 6(1)(a); KVKK Art. 5(1) | Maximum 13 (thirteen) months | Immediately upon withdrawal of consent |
| Marketing cookies | Not in use | — | — | — |
| Third-party cookies | Not in use | — | — | — |
Should the cookie practices change, this Policy will be updated and, where required, fresh consent will be obtained from data subjects.
10. Third-Party Resources and External Content Loading
The Platform loads third-party resources such as Google Fonts only after the data subject has given explicit cookie consent. Before consent is obtained, no personal data — including IP addresses — is transmitted to external servers. This practice is consistent with the ruling of the Munich Regional Court (Landgericht München, 20 January 2022, ref. 3 O 17493/20) and GDPR Arts. 44 et seq.
11. Automated Decision-Making and Profiling
RevBP does not carry out automated decision-making or profiling that produces legal effects or similarly significantly affects individuals within the meaning of GDPR Art. 22. Brand infringement scans and risk scoring performed by the Platform constitute auxiliary analytical outputs reviewed under human supervision; they do not directly produce legal or equivalent effects.
12. Data Relating to Minors
The Platform is directed exclusively at commercial customers and their authorised representatives. It is not intended for individuals under the age of 18. The Company does not knowingly collect personal data from minors. Where personal data of a minor is discovered on the Platform, such data will be deleted immediately.
13. Personal Data Breach Notification
In the event of a personal data breach, the Company will notify the competent supervisory authority within 72 (seventy-two) hours of becoming aware of the breach, in accordance with GDPR Art. 33. Where the breach is likely to result in a high risk to data subjects, affected individuals will also be notified without undue delay pursuant to GDPR Art. 34 and KVKK Art. 12(5).
If you become aware of a potential security vulnerability, please report it to privacy@revbp.com in accordance with responsible disclosure principles.
14. Policy Changes
The Company reserves the right to revise this Policy in line with changes to applicable legislation or updates to the scope of services. Material changes will be communicated to data subjects at least thirty (30) days in advance via their registered e-mail addresses. Where changes relate to cookie consent, a new consent mechanism will be activated. The current version of the Policy is always available at revbp.com/privacy, and the "Last updated" date at the top of the page is authoritative.
15. Governing Law and Competent Authorities
Disputes arising from this Policy are governed by Turkish law and subject to the jurisdiction of Turkish courts. Data subjects in EU member states retain the right to lodge a complaint with the supervisory authority of their country of residence.