Rechtliches
Datenschutz.
Stand · 14. Juli 2026
This notice describes how REVERCE GmbH processes personal data when you use CRESTAG (workspace accounts, image uploads, C2PA provenance verification, the derivative editor, signed exports and transactional email).
Controller
REVERCE GmbH
Hofaue 35, 42103 Wuppertal, Germany
Email: hello@crestag.io
What we process and why
We process personal data only where we have a legal basis under the GDPR and in line with our legitimate interests in operating CRESTAG and supporting our customers.
- Account and profile — sign-in and account data handled by our authentication subsystem (email address, password secret as stored by the auth provider, session and token records) plus profile fields you enter, such as a display name. Purpose: performing the contract with you as a registered user and securing access (Art. 6(1)(b); preventing abuse, Art. 6(1)(f) GDPR).
- Workspaces, memberships and invitations — which workspaces you belong to, your role, and invitations you send or redeem (invitee email address, invitation state, expiry). Purpose: operating multi-tenant access control (Art. 6(1)(b) GDPR).
- Image uploads and provenance verification — the image files you upload, their metadata (filename, type, size) and the provenance information extracted from embedded C2PA manifests during verification, which can include signer and certificate details and declared source types of the material. Purpose: providing the verification and library features you request (Art. 6(1)(b) GDPR).
- Derivatives and signing — the derivative specifications you create (crop, format, labelling choices), the rendered output files and the C2PA signing metadata attached to them (signing identity of the workspace, timestamps, certificate serials). Purpose: producing the signed exports you request (Art. 6(1)(b) GDPR).
- Audit trail — we record signing, verification and download events (who triggered what, when, with which policy state) to provide a verifiable provenance and compliance trail, which is a core promise of the product. Purpose: performance of contract and our legitimate interest in a tamper-evident audit history (Art. 6(1)(b) and (f) GDPR).
- Transactional email — messages such as workspace invitations are delivered through our mail provider and processed with your contact identifier (Art. 6(1)(b) GDPR).
- Technical operation — our hosting providers process connection metadata (IP addresses, timestamps, HTTPS artefacts) necessary to route requests, curb abuse and secure the service (legitimate interests, Art. 6(1)(f) GDPR).
CRESTAG does not use analytics or marketing trackers. We do not sell personal data.
Processors and recipients
We use carefully selected service providers. Depending on your use of the product, data may be processed by:
- Supabase — authentication and the application database (accounts, workspaces, provenance records).
- Hetzner — server hosting and S3-compatible object storage for uploaded images and rendered derivatives (EU data centres).
- Resend — delivery of transactional emails.
- GitHub — source code hosting, version control and deployment integration used to operate and maintain the service.
Where a provider processes data outside the EU in countries without an adequacy decision, we rely on appropriate safeguards such as the EU Commission's standard contractual clauses, as offered by our providers.
Storage and cookies
We use strictly necessary technical storage (browser storage and cookies) to keep you signed in and to remember interface state such as sidebar layout. No third-party or marketing cookies are used. If that ever changes, we will update this notice and, where required, ask for consent.
Retention
We retain personal data only as long as needed for the purposes above, the duration of your account and workspace membership, and statutory retention periods. Uploaded image files and rendered derivatives are subject to the workspace's configurable retention policy: after the retention period the binary files are permanently deleted while the provenance and audit records are kept as evidence.
Your rights
Subject to applicable law, you have the right to access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. You may also lodge a complaint with a supervisory authority. You can contact us at hello@crestag.io or our data protection officer at the address above.