Privacy Policy

End-customers (customers of our customers) usually only interact with the review forest pages and the widgets. Those are especially light on data use and have their own privacy policy. You can find more general information in this article.

If you are using our widgets and/or review forest pages, these privacy policies are relevant for you:

• Privacy Policy for widgets
• Privacy Policy for review forest pages

1. Introduction and General Information

We appreciate your interest in our company. Data protection is particularly important for ReviewForest GmbH. The use of our website is generally possible without providing personal data.

1.1 Controller

ReviewForest GmbH
Großbeerenstr. 11
10963 Berlin
Email: mail@reviewforest.org

1.2 Data Protection Officer

Leon Heuser
Email: privacy@reviewforest.org

2. General Information on Data Processing

2.1 Scope of Processing

We process personal data of our users only to the extent necessary to provide a functional website and our content and services. The processing of our users’ personal data takes place regularly only with the user’s consent or in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

2.2 Legal Basis

When we obtain consent from the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis. For the processing of personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required for pre-contractual measures. Where processing of personal data is required to comply with a legal obligation, Article 6(1)(c) GDPR serves as the legal basis. In cases where vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis. If processing is necessary to protect the legitimate interests of our company or a third party and the interests, fundamental rights, and freedoms of the data subject do not override the former interests, Article 6(1)(f) GDPR serves as the legal basis for processing.

3. Website Provision and Log Files

3.1 Hosting and Content Delivery Network (CDN)

Our website is hosted by various service providers:

Cloudflare Pages: Our website is hosted by Cloudflare Inc. (101 Townsend St, San Francisco, CA 94107, USA) on the Cloudflare Pages platform with edge servers worldwide. Processing is based on our legitimate interests (Art. 6(1)(f) GDPR) in providing our online services efficiently and securely. Cloudflare is certified under the EU-U.S. Data Privacy Framework. For more information: https://www.cloudflare.com/privacy/

4. Use of Services and Tools

4.1 Analytics

PostHog: We use PostHog to analyze the use of our website (e.g. page views, referring sources, device type, and aggregated usage patterns) in order to understand and improve our offering. For this purpose, PostHog stores a first-party cookie and comparable information in your browser. The legal basis is Art. 6(1)(f) GDPR (our legitimate interest in analyzing and improving our services). You can object to this collection at any time — for example via the “Do Not Track” setting in your browser or by emailing privacy@reviewforest.org.

The service provider is PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA; the data is processed on servers in the USA. To reduce the number of external requests, traffic is routed via a subdomain of our own (a “reverse proxy”); the data is nevertheless processed by PostHog in the USA. PostHog participates in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data of EU citizens to the USA, and additionally relies on the EU Commission’s Standard Contractual Clauses (Art. 46(2) and (3) GDPR) to ensure European data protection standards. For more information: https://posthog.com/privacy

4.2 User Authentication

Firebase: We use Firebase for managing user accounts and storing email addresses when users register on our website. The service provider for the European region is Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). Google processes data in the USA. Google participates in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. For more information, visit https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

Google also uses Standard Contractual Clauses (= Art. 46(2) and (3) GDPR). These are template agreements provided by the EU Commission to ensure that your data complies with European data protection standards even when transferred and stored in third countries (such as the USA). Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Google commits to maintaining European data protection standards when processing your relevant data, even when the data is stored, processed, and managed in the USA. You can find these clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

The Google Ads Data Processing Terms, which reference the Standard Contractual Clauses, can be found at https://business.safety.google/intl/en/adsprocessorterms/. For more information about the data processed through Firebase, please see the Privacy Policy at https://policies.google.com/privacy

4.3 Marketing

Firstpromoter: We use Firstpromoter for our affiliate marketing program. Processing is carried out for the execution of the affiliate program (Art. 6(1)(b) GDPR) and based on our legitimate interests (Art. 6(1)(f) GDPR). For more information: https://firstpromoter.com/privacy-policy

4.4 Communication

Chatwoot (self-hosted): We use Chatwoot, a self-hosted open-source application, for our chat support. Communication is stored exclusively on our own servers in the EU (Hetzner Online GmbH, Germany); no data is transmitted to any third-party chat provider. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in providing effective customer service). For more information about the software we use: https://www.chatwoot.com/

5. Your Rights as a Data Subject

You have the following rights:

• Right of Access (Art. 15 GDPR): You can request information about your processed personal data.
• Right to Rectification (Art. 16 GDPR): You can request the correction of inaccurate or completion of your stored personal data.
• Right to Erasure (Art. 17 GDPR): You can request the deletion of your stored personal data.
• Right to Restriction of Processing (Art. 18 GDPR): You can request the restriction of processing of your personal data.
• Right to Data Portability (Art. 20 GDPR): You can request the transfer of your personal data to a third party.
• Right to Object (Art. 21 GDPR): You can object to the processing of your personal data.
• Right to Lodge a Complaint (Art. 77 GDPR): You can lodge a complaint with a data protection supervisory authority.

6. Data Security

We use SSL encryption (Secure Socket Layer) with the highest encryption level supported by your browser within the website visit. This is typically 256-bit encryption. If your browser doesn’t support 256-bit encryption, we use 128-bit v3 technology instead. You can recognize whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

7. Currency and Amendment of this Privacy Policy

This privacy policy is currently valid and was last updated in May 2026. Due to the further development of our website and offers or due to changed legal or regulatory requirements, it may become necessary to amend this privacy policy. You can access the current privacy policy at any time on our website.

8. Contact

If you have any questions about data protection, please send us an email or contact the person responsible in our company mentioned above.