Fines up to €20,000,000 or 4% of global turnover

Legal

Privacy Policy

Information pursuant to Articles 13 and 14 GDPR · Effective 24 May 2026 · Version v1.0

This Privacy Policy explains how Usantis processes personal data when you visit our website, create an account, contact us, or interact with the Service. It is intended to satisfy the information duties under Articles 13 and 14 GDPR.

1. Who is responsible (Controller)

The controller within the meaning of Article 4(7) GDPR is:

Revis-1 LLC, trading as Usantis
2645 Executive Park Drive, 33331 Weston, Florida, United States of America
Represented by: Manuel Horn, Managing Director
Email: [email protected]

2. EU representative (Article 27 GDPR)

As a service operator established outside the European Union, we have designated the following representative in the EU pursuant to Article 27 GDPR:

Manuele Fink
Bohlstrasse 2, 78579 Mahlstetten, Germany
Email: [email protected]

You may contact our EU representative for any data-protection matter, including the exercise of your rights as a data subject, in any official language of the European Union.

3. Data protection contact

For all data-protection matters and to exercise your rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making), please contact [email protected].

4. What data we process, why and on what legal basis

We process personal data for the following purposes; the table summarises the scope, legal basis, retention and source for each.

PurposeCategories of personal dataLegal basis (Art. 6 GDPR)Retention
Website operation and securityIP address, user-agent, request URL, referrer, timestamps.(f) legitimate interest — securing the serviceServer logs 14 days; error events 90 days
Cookieless analyticsAggregated page-view data (no individual profile, no IP storage).(f) legitimate interest — reach measurement; § 25(2) Nr. 2 TDDDG (no consent required)Aggregated indefinitely
Account creation and managementAuthorised user name, email, role, phone; company data (legal name, registered address, VAT-ID); hashed credentials.(b) performance of a contractFor the duration of the account, plus 90 days
Identity verification and sanctions screening at onboardingID document image, selfie, name, date of birth, address, sanctions-screening result.(f) legitimate interest in fraud prevention, onboarding integrity and sanctions compliance12 months after end of mandate
Billing and invoicingBilling contact name and email; billing address; tax ID; payment instrument data (tokenised).(b) performance of a contract, (c) tax law10 years (§ 147 AO)
Electronic signature of Power of AttorneySignatory name, email, IP address, signature audit trail, signed document.(b) performance of a contractDuration of the mandate plus 10 years (evidence retention)
Data-subject request intake (Article 27 duty)Identification of the data subject, request content, correspondence.(c) legal obligation under Art. 27 GDPRUntil closed plus 3 years; audit trail kept longer per Art. 30
Authority correspondence handlingContent of letters, decisions and enquiries; metadata.(c) legal obligation under Art. 27 GDPR10 years (alignment with authority case retention)
Customer supportConversation transcripts, contact name, email.(b) contract, (f) legitimate interest in service quality24 months after last interaction
Marketing (opt-in only)Email address, name, behavioural metadata (open/click).(a) consent (Art. 6(1)(a) GDPR; § 7(2) UWG)Until opt-out; suppression list kept indefinitely
Application security monitoringAuthentication events, admin actions, failed logins, IP address.(f) legitimate interest in IT securityAudit log 7 years (tamper-evident); raw events 12 months

We do not knowingly process special categories of personal data (Article 9 GDPR) unless we agree this in writing with you in advance.

5. Where the data comes from

  • Directly from you (account information, onboarding data, support correspondence).
  • From third parties acting on your behalf (e.g. your authorised signatory uploading documents during onboarding).
  • From technical sources (your browser when you visit the website, our application logs).
  • From our identity-verification provider (Stripe Identity) when you verify your identity.

6. Service providers (sub-processors)

We use carefully selected processors that are bound by written data-processing agreements with technical and organisational measures equivalent to ours. The critical processing path is hosted in the European Union.

Sub-processorPurposeLocation
Hetzner Online GmbHHosting infrastructure, backupsGermany / Finland
Cloudflare, Inc.Edge proxy, CDN, DNS (TLS termination, DDoS protection)USA
Stripe, Inc.Payment processing, Stripe Tax, identity verification (Stripe Identity)USA
Resend Inc.Transactional email (EU region)EU / USA
Skribble AG (Skribble Deutschland GmbH)Electronic signature (SES) for Power of AttorneyGermany hosting (IONOS) / Switzerland seat
DeepL SETranslation of data subject requestsGermany
Functional Software EU GmbH (Sentry)Application error monitoring (EU region)Germany
Plausible Insights OÜCookieless analyticsEstonia
Crisp IM SASCustomer helpdeskFrance

The current sub-processor list is also set out in Annex 2 of our DPA. Customers are notified of changes in line with our DPA.

7. International transfers

We keep the critical processing path (application, database, backups) within the European Union (Hetzner, Germany and Finland). Some service providers are located in, or transfer data to, third countries. For transfers to the United States we rely on the EU-US Data Privacy Framework where the recipient is certified (for example Cloudflare and Stripe, including Stripe Identity), supplemented by the European Commission’s Standard Contractual Clauses (2021/914) as a fallback. A Transfer Impact Assessment is performed and is available on request.

Application data at rest is stored in the European Union. Website traffic is routed through Cloudflare’s edge network, which terminates TLS and may process connection metadata and transient request content in the United States; no application data is stored there. The eSignature provider is Skribble (data hosted in Germany via IONOS; Skribble AG seat in Switzerland under the EU adequacy decision); hosting is Hetzner in Germany and Finland; analytics run on Plausible in Estonia.

8. How long we keep data

We keep personal data only as long as necessary for the purpose for which it was collected, and then delete or anonymise it. Where statutory retention obligations apply (in particular German tax law), we retain data for the statutory minimum period. Specific retention periods are listed in the table in Section 4.

Account data is removed in line with the schedule in our Information Security Policy (default: anonymisation 30 days after termination of the mandate; full deletion 90 days after termination, subject to retention obligations).

9. Your rights as a data subject

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — obtain confirmation of and a copy of your personal data and the information required by Art. 15(1).
  • Right to rectification (Art. 16) — have inaccurate personal data corrected without undue delay.
  • Right to erasure (Art. 17) — have your personal data erased in defined circumstances.
  • Right to restriction of processing (Art. 18) — limit how we process your data.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used and machine-readable format.
  • Right to object (Art. 21) — including against processing based on legitimate interests and against direct marketing at any time.
  • Right not to be subject to a decision based solely on automated processing (Art. 22) — we do not currently apply automated decision-making with legal effects.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email [email protected]. We respond within one (1) month; this period may be extended by up to two further months for complex requests, in which case we will inform you.

Right to lodge a complaint with a supervisory authority (Art. 77): You have the right to lodge a complaint with the data protection authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of national authorities is maintained by the European Data Protection Board (edpb.europa.eu).

10. Cookies and analytics

We keep cookies to the minimum needed to run the Service and use cookieless analytics (Plausible). We do not use advertising, retargeting, social-plugin or third-party tracking cookies. Details are in our Cookie Policy.

11. Security

We apply technical and organisational measures appropriate to the risk, including:

  • Encryption in transit (TLS 1.3) and at rest.
  • Field-level encryption (AES-256-GCM) for sensitive personal data (addresses, emails, VAT-IDs).
  • Role-based access control with mandatory multi-factor authentication for administrative access.
  • Append-only audit log with a cryptographic hash chain for tamper-evidence.
  • Daily encrypted backups with quarterly restore tests.
  • Annual external penetration tests and quarterly vulnerability scans.

A more detailed description is available in our Technical and Organisational Measures document on request via [email protected].

12. Automated decisions, profiling, AI

We do not currently apply automated decision-making with legal or similarly significant effects on you (Article 22 GDPR). Identity-verification scoring by our KYC provider produces a recommendation that is reviewed by a human before any onboarding decision is made. We do not train AI models on Customer personal data and do not pass Customer personal data to third-party generative AI providers.

13. Sources for data we did not receive from you

Where we receive personal data about you that did not come from you directly (in particular: identification data of beneficial owners of our Customer; sanctions-list matches; details forwarded by your authorised representative), the categories and sources are described in Section 5 and the legal bases are in the table in Section 4. We comply with Article 14 GDPR for indirect collection.

14. Changes to this policy

We may update this policy as the Service evolves. The current version is always available at usantis.com/privacy. Material changes that affect account holders are notified by email. For other changes, the updated version takes effect with publication.

15. Contact

Controller: Revis-1 LLC (trading as Usantis), 2645 Executive Park Drive, 33331 Weston, Florida, USA. General: [email protected].

EU representative: Manuele Fink, Bohlstrasse 2, 78579 Mahlstetten, Germany.

Data protection: [email protected].

Changelog

  • v1.0 (24 May 2026) — Initial publication as standalone document. Reflects Skribble as eSignature sub-processor and the EU-only hosting architecture.

Language / Sprachregel: This document exists in English and German. In line with § 20 of the Terms of Service, the German version prevails for Customers domiciled in the German-speaking area; the English version prevails for all other Customers. Translations into other languages are for convenience only.

← Back to homepage