Data protection - Web app
General information
venovani UG (haftungsbeschränkt) (“venovani”) respects the protection of your personal data. In this data protection notice, we inform you which personal data is collected from you when you use our venovani web app at https://app.venovani.com (“web app”), how we use and pass on your personal data and how your personal data is protected.
If we require your consent for the collection and processing of your data, we will explicitly ask you for it separately from this data protection notice.
The controller within the meaning of data protection law is
venovani UG (haftungsbeschränkt)
Am Leimengraben 34
D-69168 Wiesloch
E-mail: kontakt@venovani.com
If you have any questions about this data protection notice, you can contact us by e-mail at any time.
What is the venovani web app?
The venovani web app is a digital place for sharing and preserving beautiful memories. You can upload photos and videos, locate them on an interactive world map, create private or public memories and invite friends and family to join you.
The app can only be accessed via the browser at app.venovani.com. There is no native iOS or Android app based on the same data model.
When does venovani collect personal data?
We collect personal data about you if you:
- visit and use the web app at app.venovani.com;
- register (via e-mail/password or Google login);
- upload photos, videos or other content;
- invite other users or interact with them in memories;
- send us other questions or inquiries.
What personal data does venovani collect?
Automatically collected data when visiting the web app
Each time the web app is accessed, the following data is automatically collected and stored in server log files:
- IP address and Internet service provider
- Browser type and browser version used
- Operating system
- Date and time of retrieval
- Pages accessed and actions
This data is not assigned to specific user profiles. It is processed exclusively at infrastructure level by the hosting service provider Render and automatically deleted in accordance with its guidelines (currently up to 7 days). We do not store our own server logs.
Registration and user account
When you register, we collect and process the following data:
- Name and nickname
- E-mail address
- Password (stored exclusively in encrypted form)
- Language and notification settings
- Profile picture (optional, uploaded by you)
- Registration date
When logging in via Google (OAuth), we also receive the profile information provided by Google (name, e-mail address, Google user ID). Passwords are not stored by us in this case.
Content uploaded by you
You actively provide the following content when using the app:
- Photos and videos (including any EXIF data such as GPS coordinates and date taken)
- Titles, descriptions and hashtags for photos and memories
- Location information (set manually or taken from EXIF data)
- Chat messages within memories
- Audio files (optional background music in memories)
Web push notifications
If you activate web push notifications, a browser-based push subscription (push subscription object incl. endpoint) is stored on our servers. This is used to inform you about new photos or comments in your memories. The subscription can be revoked at any time in the profile settings or browser settings. It will also be deleted automatically if the delivery fails permanently (e.g. if the browser is uninstalled) or the user account is deleted.
For what purposes do we process your data?
We use the data collected exclusively for the following purposes:
- Provision, operation and protection of the web app;
- Registration and administration of your user account;
- Provision of the app functions (memories, map, chat, sharing);
- Storage and delivery of photos, videos and other content;
- Sending of notifications (e-mail and web push) about activities in your memories, if activated by you;
- Answering your queries and support;
- Improvement of the app based on aggregated usage statistics.
Legal basis of the processing
Your personal data is processed on the following legal bases:
- Art. 6 para. 1 lit. b GDPR (contract fulfillment): for all data required to provide the app functions and to fulfill our performance obligations;
- Art. 6 para. 1 lit. a GDPR (consent): for web push notifications and optional functions for which we obtain your consent;
- Art. 6 para. 1 lit. f GDPR (legitimate interest): for the storage of server logs for security and error diagnosis as well as for the improvement of our offer.
Service providers used and data transfer
We use the following service providers who process personal data on our behalf to provide the web app. We have concluded data processing agreements (DPAs) with all service providers in accordance with Art. 28 GDPR:
Supabase (database hosting)
We use Supabase (Supabase Inc., San Francisco, USA) as a database service (PostgreSQL) to store user accounts, memories, chat messages and other structured data. Supabase processes personal data in the EU (Frankfurt region). Data is transferred on the basis of EU standard contractual clauses (SCCs).
Data protection information Supabase:
Cloudflare R2 (file storage)
Photos, videos, audio files and profile pictures are stored in Cloudflare R2 (Cloudflare, Inc., San Francisco, USA). Cloudflare R2 stores the data in the EU. Data is transferred on the basis of EU standard contractual clauses.
Data protection information Cloudflare (R2):
Render (hosting / server infrastructure)
The application server (Node.js/Express backend) is operated on the Render platform (Render Services, Inc., San Francisco, USA). Server logs and temporary processing data (incl. IP addresses) are processed on these servers. The data is hosted in the EU region (Frankfurt).
Data protection information Render:
Brevo (e-mail dispatch)
We use Brevo (formerly Sendinblue, Sendinblue SAS, Paris, France) to send notification emails (e.g. anniversary reminders, invitations, messages). Email addresses and message content are transmitted to Brevo. Processing takes place within the EU.
Data protection information Brevo:
brevo.com/en/legal/privacypolicy
Google OAuth (optional login)
When you log in with your Google account, your name, email address and Google user ID are transmitted to us as part of the OAuth 2.0 protocol. The use of Google OAuth is voluntary; alternatively, registration by e-mail/password is always available.
Data protection information Google:
Nominatim / OpenStreetMap Foundation (Geocoding)
For the location search (address to coordinates) and the reverse search (coordinates to address), your browser calls up the Nominatim API of the OpenStreetMap Foundation (OSMF, United Kingdom) directly. Your IP address and the entered search term or GPS coordinates are transmitted to the OSMF. This function is only triggered if you actively search for a location or manually locate a photo. According to the OSMF privacy policy, personal data is not stored permanently.
Data protection information OpenStreetMap Foundation:
osmfoundation.org/wiki/Privacy_Policy
CDN services (unpkg.com, cdnjs.cloudflare.com)
The web app loads two JavaScript libraries (Leaflet for the map, QRCode.js for QR codes) and associated CSS files from the content delivery networks unpkg.com and cdnjs.cloudflare.com (both: Cloudflare, Inc.). Your IP address is transmitted to Cloudflare servers once when the app is loaded. The content security policy restricts external script sources to just these two services. According to Cloudflare, no further processing of personal data takes place.
Data protection information Cloudflare (CDN):
We only pass on your personal data beyond this if:
- you have expressly consented;
- this is required by law (e.g. vis-à-vis authorities, courts);
- it is necessary to protect our legitimate interests or for legal defense.
International data transfer
Some of the above-mentioned service providers (Supabase, Cloudflare, Render, Google) are based in the USA. The transfer of personal data to the USA takes place on the basis of EU Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. All service providers mentioned are also certified in accordance with the EU-U.S. Data Privacy Framework or have implemented comparable guarantees.
Cookies and local storage
The venovani web app does not use cookies. Instead, the following data is stored locally in the browser memory (localStorage):
- Authentication token (JWT): to maintain the login (valid for 30 days).
- User profile and settings (name, language, notification settings): for faster display without having to call up the server again.
- App cache (memories, member names, chat preview): temporary local cache to improve loading times.
This data remains exclusively local in your browser and is not transmitted to third parties. It is removed when you log out or clear the browser storage.
We do not use tracking cookies or cookies from advertising networks. Analysis services such as Google Analytics are not used.
You can empty the localStorage memory at any time in the developer tools of your browser. This will automatically log you out.
Data retention and deletion
We only store your personal data for as long as is necessary for the respective purpose:
- User account data: as long as your account is active;
- Uploaded content (photos, videos, etc.): until you delete it or delete the respective memory;
- Server logs: automatically deleted by the hosting service provider Render in accordance with its guidelines (currently up to 7 days); we do not keep our own log files.
- In-app notifications (database): unread notifications after 30 days, read notifications after 7 days – automatically deleted by a daily cleanup job.
- Notification e-mails: no permanent storage of content;
- Push subscriptions: until manual deactivation in the settings, account deletion or permanently failed delivery.
You can delete your account completely at any time via the profile settings. All your memories, photos and uploaded content will be irrevocably deleted. Legal retention obligations remain unaffected.
If you have any questions about data deletion, please contact kontakt@venovani.com.
Your rights
As a data subject, you have the following rights vis-à-vis us:
- Right to information (Art. 15 GDPR): You can request information about the personal data stored by us.
- Right to rectification (Art. 16 GDPR): You can request the rectification of incorrect or incomplete data.
- Right to erasure (Art. 17 GDPR): You can request the erasure of your personal data, provided that there are no statutory retention obligations to the contrary.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR).
- Right to object (Art. 21 GDPR): You can object to processing on the basis of legitimate interest.
- Right of revocation: Consent given (e.g. for push notifications) can be revoked at any time with effect for the future.
To exercise your rights, please contact: kontakt@venovani.com
You also have the right to lodge a complaint with the competent data protection supervisory authority. The supervisory authority responsible for us is
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
https://www.baden-wuerttemberg.datenschutz.de
Data security
We use technical and organizational security measures to protect your personal data against accidental or intentional manipulation, loss, destruction or access by unauthorized persons:
- Encrypted transmission of all data via HTTPS/TLS;
- Secure storage of passwords through cryptographic hashing (bcrypt);
- No cookies – authentication exclusively via JWT tokens stored securely in the browser local storage;
- Content Security Policy (CSP): The browser may only load resources from its own server and the explicitly approved sources (unpkg.com, cdnjs.cloudflare.com, OpenStreetMap services) – all other sources are automatically blocked;
- Access control: Photos and content are only accessible to members of the respective memory;
- Regular security checks of the service providers used;
- Authentication tokens (JWT) with a validity of 30 days, after which you must log in again.
Contact us
If you have any questions or concerns about the use of your personal data, please contact us at any time:
venovani UG (haftungsbeschränkt)
Am Leimengraben 34, D-69168 Wiesloch
E-mail: kontakt@venovani.com
Changes to this privacy policy
We reserve the right to amend this privacy policy if necessary, in particular in the event of changes to the services used or legal requirements. The current version is available in the web app under the profile settings and at app.venovani.com. Registered users will be informed of any significant changes by email.