Tavora

Privacy · DSGVO / GDPR

Privacy notice

This notice describes how we process personal data on tavora.ai in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Federal Data Protection Act (BDSG).

1. Controller

The controller responsible for data processing on this site, within the meaning of Article 4(7) GDPR, is:

Valiro Solutions UG (haftungsbeschränkt)
Eduard-Kandl-Str. 23
82211 Herrsching am Ammersee, Germany
Represented by Olga Ryannel (Geschäftsführerin)
Email: privacy@tavora.ai

2. Hosting and server logs

This website is hosted on dedicated infrastructure operated by us at Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All servers are located within the European Union. Hetzner acts as a processor under Article 28 GDPR; a data processing agreement (Auftragsverarbeitungsvertrag) is in place.

We operate the application and reverse-proxy ourselves on these servers. Each request is recorded in our own server log files. The data logged is limited to:

  • browser type and version (User-Agent),
  • referring URL,
  • requested path and HTTP status,
  • time of the request,
  • IP address.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the secure and stable operation of the website and the detection and defence of attacks. Logs are deleted no later than 14 days after collection unless retention is required to investigate a specific security incident.

We create encrypted daily backups of the application database. Backups are retained for 30 days and stored on infrastructure within the European Union. They are used solely for disaster recovery.

3. Fonts

We use the typefaces Inter, Geist, and Geist Mono. All font files are self-hosted on our own servers and delivered from the same origin as this website. No connection is established to Google Fonts, Adobe Fonts, or any other third-party font provider, and no IP address or browser information is transmitted to such third parties.

4. Cookies

This website does not set tracking cookies. We use only such storage that is strictly necessary for the requested service to function (Art. 6(1)(b) GDPR / §25 Abs. 2 Nr. 2 TTDSG). No consent is required for these strictly necessary entries.

5. Waitlist form

The waitlist form on /waitlist is hosted entirely on this domain. When you submit it, the form fields (name, work email, company, optional team size, and your free-text answer about what you would build) are sent to a Google Apps Script endpoint we operate inside our own Google Workspace, which appends the row to a spreadsheet we control. No third-party form provider is involved. The data does not leave Google Workspace, the same processor that already handles our email and calendar under our existing data processing agreement with Google Ireland Ltd.

The legal basis is Article 6(1)(b) GDPR for processing in the context of pre-contractual measures, and Article 6(1)(f) GDPR (legitimate interest in operating a waitlist that lets us admit teams in batches). We delete waitlist entries 24 months after submission, or earlier on request. Optional fields stay optional — leaving them blank does not affect your spot in the queue.

6. Email contact

If you contact us by email, the data you provide (email address, content of the message) will be stored for the purpose of processing the inquiry and for possible follow-up questions. The legal basis is Article 6(1)(b) GDPR for inquiries related to a contract or pre-contractual measures, and Article 6(1)(f) GDPR for other inquiries. We delete this data when retention is no longer necessary, unless statutory retention obligations apply.

7. Web analytics — Umami (self-hosted)

We use Umami for privacy-friendly web analytics. Umami is open-source software that we run ourselves on a Hetzner server in the EU, served from analytics.tavora.ai. No data is sent to Umami's commercial cloud or to any third party.

Umami does not set tracking cookies and does not use cross-site identifiers. It records aggregated information about visits — page URL, referrer, browser, operating system, screen size, and country — and derives a session-level hash from a daily-rotating salt, your IP address, and your User-Agent. This hash cannot be linked back to you across days and does not allow tracking across sessions or sites.

Legal basis is Article 6(1)(f) GDPR. Our legitimate interest is to measure aggregated usage of the website in order to improve it. Because Umami does not access information stored on your device beyond what is strictly necessary, no consent under §25 TTDSG is required.

8. Other third-party services

Beyond the form provider listed in section 5 and the self-hosted analytics in section 7, no third-party tracking, advertising, or social-media services are loaded on this website. No data is transmitted to Google Analytics, Google Tag Manager, Meta, LinkedIn, or similar providers. We host our fonts ourselves (see section 3) and do not use a third-party CDN for static assets.

9. Your rights as a data subject

You have the following rights with regard to your personal data:

  • right of access (Art. 15 GDPR),
  • right to rectification (Art. 16 GDPR),
  • right to erasure (Art. 17 GDPR),
  • right to restriction of processing (Art. 18 GDPR),
  • right to data portability (Art. 20 GDPR),
  • right to object to processing based on legitimate interests (Art. 21 GDPR).

To exercise any of these rights, write to privacy@tavora.ai.

10. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). The competent authority for our establishment in Bavaria is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, www.lda.bayern.de.

11. Changes to this notice

We may update this notice to reflect changes in our processing or the legal framework. The current version is always available at this URL.

Last updated: 2026-05-01