Every withdrawal gets a fingerprint.
One nobody can forge.
We do something none of our competitors can: every single withdrawal is cryptographically fingerprinted, and every day all fingerprints are combined into a tree whose root is publicly verifiable. In a dispute, you can prove that a withdrawal reached you on exactly that day — without giving anyone access to the other withdrawals.
The problem
Imagine a customer complains, six months after the purchase, that they already filed their withdrawal back in May and that you never reacted. How do you prove they never filed it? Or the other way round — how do you prove it did come in and that you reacted within the deadline?
An ordinary database row is not enough in court. The judge asks: who guarantees the row was not altered afterwards? Who guarantees the row really existed on the date stated?
The solution — step by step
A fingerprint per withdrawal
As soon as a customer submits a withdrawal, we compute a SHA-256 hash over name, contact details, shop ID, timestamp, order reference and legal basis. That is a 64-character fingerprint that changes if even a single character in the withdrawal is altered.
A proof URL for every withdrawal
Every withdrawal gets a 32-character token as a public URL: widerrufbutton.net/proof/abc123.... Anyone holding the token can verify the hash — without having to log in, without seeing the data of other withdrawals.
Daily Merkle-tree aggregation
Every night at 02:00 UTC a cron job runs. It takes all fingerprints from the previous day, orders them deterministically, and builds a Merkle tree — a data structure in which every leaf is a fingerprint, every node is the hash of its two children, and the root is a single 64-character hash that uniquely represents all withdrawals of the day.
The root seals the day
For each individual withdrawal it can be proven mathematically that it was part of the sealed daily set (Merkle proof). If a withdrawal from the previous day is altered afterwards — in content, timestamp or order — the root no longer matches and the change is exposed immediately. The daily root can additionally be published externally as an independent timestamp.
Analogy: the digital notary
Picture a notary who, every evening, signs a logbook of all the day's withdrawals and prints the signature in the newspaper. If someone later claims a withdrawal came in on a particular day, the notary can say: “Yes, it is in my logbook, and the next day's newspaper edition proves the logbook looked exactly like that that evening.”
Our Merkle tree is that notary: the daily root is the signature under the day's logbook. It can be published as an external timestamp — the “newspaper” — and makes any later change instantly detectable. Incorruptible, verifiable, with no court date.
Why this matters
If a shop does not have a legally compliant withdrawal button when the obligation takes effect EU-wide on 19 June 2026, the withdrawal period extends automatically — in Germany under § 356 (3) German Civil Code to twelve months and fourteen days. For a whole year any customer can withdraw any purchase and demand a refund.
If a shop has a button but cannot prove that a particular withdrawal came in — or, conversely, that none came in — a customer can trigger damage with a simple assertion. Our audit proof makes such assertions verifiable.
No other withdrawal-button provider on the market offers cryptographic proof. That is our specialty.
Audit proof is included in every plan
Even in the free tier. We believe court-usable proof should not be a premium feature.
Start free