Last updated: April 16, 2026
Privacy Policy
This Privacy Policy explains how Tarvio ("we", "us", or "our") collects, uses, and protects personal data when you use our service at tarvio.io (the "Service") — whether you are a workspace owner (account holder) or a testimonial submitter (a customer of one of our users). By using the Service you agree to this policy.
1. Who We Are (Data Controller)
Tarvio is a trade name operated by Fabian Rainer Dürkop, Vor dem Berge 40, 38524 Sassenburg, Germany. Email: [email protected].
As a Kleingewerbe (sole trader), Fabian Rainer Dürkop is the Data Controller for all personal data processed through this Service within the meaning of Art. 4(7) GDPR. For our full legal details see our Impressum.
2. Information We Collect
Account holders (workspace owners)
- Email address and password, or your Google account via OAuth (for authentication)
- Billing information — processed directly by Stripe; we store only a Stripe customer ID
- Workspace names and configuration you provide
- Usage data (pages visited, features used, timestamps, account tier)
- Any other information you voluntarily provide or that we reasonably determine is necessary to provide the Service
Testimonial submitters (your customers)
- Name and any other fields requested in the collection form
- Written testimonials and star ratings
- Video recordings (if the video option is enabled)
- IP address and approximate location (for fraud prevention and legal compliance)
- A browser cookie stored for 30 days to prevent duplicate submissions when no email address was provided (contains no personal data)
- Any other information submitted through the testimonial form
Automatically collected data
- Browser type, device information, and referring URLs
- Session cookies required for authentication (see our Cookie Policy)
- Inferred data such as feature usage patterns, for internal product analytics
3. How We Use Your Information
- To provide, operate, maintain, and improve the Service
- To process payments and manage subscriptions
- To send transactional emails (account confirmations, receipts, security alerts)
- To communicate with you about the Service, including updates, maintenance notices, and new features
- To display testimonials on widgets and public walls as configured by workspace owners
- To prevent fraud and abuse, and to enforce our Terms of Service
- To enforce our legal rights and protect against misuse of the Service
- To comply with legal obligations
- For any other purpose described at the time of collection, or with your consent
4. Legal Basis for Processing (GDPR)
Where the GDPR applies, we process personal data on the following legal bases:
| Legal Basis | Data / Purpose |
|---|---|
| Contract performance (Art. 6(1)(b)) | Account data, billing, service delivery |
| Legitimate interests (Art. 6(1)(f)) | Fraud prevention, security, product analytics, service improvement |
| Legal obligation (Art. 6(1)(c)) | Billing records (7-year retention under commercial law) |
| Consent (Art. 6(1)(a)) | Marketing communications (where applicable) |
5. Third-Party Processors
We share data with the following trusted processors only as necessary to operate the Service:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU / US |
| Google (OAuth) | Third-party sign-in — processes your Google account email and profile when you choose "Continue with Google" | US |
| Cloudflare R2 | Video & file storage | US |
| Stripe | Payment processing | US |
| Resend | Transactional email | US |
| PostHog | Product analytics (cookieless session data; no PII in event properties) | EU |
Each processor is bound by data processing agreements. Transfers to non-EEA countries rely on Standard Contractual Clauses or equivalent safeguards under Art. 46 GDPR. We may engage additional or replacement processors from time to time; we will update this list and notify you of any material changes where required by law.
6. Data Retention
- Account data is retained for as long as your account is active. On deletion it is purged within 90 days, unless a longer period is required by law or to resolve outstanding disputes.
- Testimonials are retained until you delete them or close your account.
- Video recordings stored on Cloudflare R2 are deleted when you remove the testimonial or close your account.
- Billing records are retained for 7 years as required by German commercial and tax law (§257 HGB, §147 AO).
7. Your Rights
Depending on your location you may have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection / Restriction — object to or restrict certain processing
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
- Opt-out of sale — we do not sell personal data; this right is satisfied by default (CCPA)
To exercise any right, email [email protected], subject to verification of your identity. We will respond within 30 days (or within the timeframe required by applicable law). We may decline requests that are manifestly unfounded, repetitive, or excessive. EU/EEA residents may also lodge a complaint with their local supervisory authority (in Germany: the relevant Landesbeauftragter für Datenschutz).
8. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted data, contact us at [email protected] and we will delete it promptly.
9. Security
We use industry-standard measures including TLS encryption in transit, access controls, and regular security reviews to protect your data. No system is 100% secure. In the event of a personal data breach we will notify affected users and relevant authorities as required by applicable law (Art. 33–34 GDPR). We are not responsible for data breaches or losses caused by your own actions, compromised credentials, or failures of third-party services outside our control.
10. Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or applicable law. We will post the new version here and update the "Last updated" date. For material changes, we will provide advance notice by email or via a notice on the Service. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact
Questions or data subject requests: [email protected]. See our Impressum for full legal contact details.