Resources
Our compliance commitments for data protection.
ReviveShots processes personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”) and applicable national legislation. This notice sets out the purposes, lawful bases, and safeguards surrounding the data you entrust to us.
ReviveShots SAS, 10 Rue de Charonne, 75011 Paris, France, acts as the data controller (Article 4(7) GDPR). You may reach our privacy desk at hello@reviveshots.store or by post to the address above for any request concerning your personal data.
We rely on Article 6(1)(b) GDPR (performance of a contract) to process imagery and payment metadata necessary to deliver the services you purchased. Certain processing (fraud prevention, infrastructure security) is based on Article 6(1)(f) GDPR (legitimate interest). We do not use your content for advertising or unrelated profiling.
Image data is processed on Google Cloud Platform (Vertex AI, region us-central1) and stored on Supabase Storage with server-side encryption in the configured region. Payment details are collected and processed exclusively by Stripe Payments Europe, Ltd., which acts as an independent controller. All processors are bound by data processing agreements compliant with Article 28 GDPR.
Operational copies of uploads are automatically deleted five minutes after delivery. Order metadata (e.g., transaction IDs, email correspondence) is retained for up to six years to satisfy accounting and statutory obligations. You may request early erasure where retention is not legally mandated.
You enjoy the rights granted by Chapter III GDPR: access, rectification, erasure, restriction, objection, and portability. Submit your request to hello@reviveshots.store; we acknowledge within 72 hours and fulfil valid requests no later than 30 days, extendable once under Article 12(3). Proof of identity may be required.
Data is encrypted in transit via TLS 1.2+ and at rest with AES-256. Access to processing environments is restricted to vetted personnel with MFA. Automated logging detects anomalous usage, and quarterly penetration testing is conducted with certified vendors (Article 32 GDPR).
When data leaves the EEA (e.g., processing on Google Cloud in the United States), transfers are safeguarded through Standard Contractual Clauses adopted by the European Commission, supplemented by encryption and access controls.
Our services target adult family members acting as lawful guardians. If we learn that a child under 16 submitted personal data without consent, we will delete it promptly and advise the guardian.
You have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL) or with your local supervisory authority. We encourage you to contact us first so we can resolve any issues directly.