Privacy Policy

The controller within the meaning of the GDPR is:

We process the following personal data:

• Account data: email address, first/last name, password (hashed with bcrypt — never stored in plain text)
• Project data: all content you upload — documents, invoices, photos, notes, defect reports
• Usage data: IP address at login, error logs (pseudonymised)
• AI-processed content: Uploaded invoices and photos may be analysed by an AI component for automatic data extraction (e.g. amount, date, vendor, image quality). Processing takes place exclusively on our own EU infrastructure — no content is sent to external AI providers.
• Contact data: first/last name and email address submitted via the contact form or by email, and the content of your message
• Review data: star rating and optional feedback text submitted via the review feature. If you explicitly consent, your first name and the initial of your last name may be displayed on the Travio website.
• Payment data: none currently — Travio is in a free beta phase

Processing is based on the following legal grounds:

• Contract performance (Art. 6(1)(b) GDPR): providing and operating the service, account management, authentication, handling contact requests
• Legitimate interests (Art. 6(1)(f) GDPR): security monitoring, bug fixes, service improvement, anonymous usage analysis (Umami)
• Consent (Art. 6(1)(a) GDPR): display of your review (first name + last initial) on the Travio website — only when you have activated the corresponding checkbox

All data is stored within the EU on Hetzner Online GmbH servers:

• Database and file storage (documents, photos): Hetzner Online GmbH, data centre Helsinki, Finland (PostgreSQL + MinIO/S3-compatible)
• Analytics (Umami): Hetzner Online GmbH, data centre Falkenstein, Germany

Hetzner is ISO 27001 certified and GDPR-compliant. A data processing agreement (DPA) is in place.

We use Resend, Inc. (USA) for transactional emails. Transfer to the USA is based on Standard Contractual Clauses (SCC) under Art. 46 GDPR. Resend only processes the recipient email address and email content; no profiling takes place. Resend privacy policy: resend.com/legal/privacy-policy

We only use a single technically necessary session cookie (HttpOnly, Secure) required for authentication. No marketing or tracking cookies are set.

For anonymous analysis of website visits, we use Umami Analytics — a privacy-friendly, cookieless analytics tool. Umami collects no personal data, stores no IP addresses, and uses no fingerprinting. The data collected (page views, country of origin, device type, referrer) is fully anonymous and requires no consent under GDPR Art. 6(1)(f). The tool is self-hosted on our own server at Hetzner Online GmbH, data centre Falkenstein, Germany — no data is shared with third parties. No services such as Google Analytics or Meta Pixel are used.

Your data is stored as long as your account is active. After a deletion request, your account and all associated project data are permanently deleted within 30 days. Backup copies are overwritten within 90 days.

To delete your account, please send an email to privacy[at]travio.at.

You have the right to:

• Access the data stored about you (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure of your data ("right to be forgotten", Art. 17)
• Restriction of processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)

To exercise your rights, please contact us at privacy[at]travio.at.

You also have the right to lodge a complaint with the competent supervisory authority. For Austria: Datenschutzbehörde (DSB), Barichgasse 40-42, 1030 Wien – www.dsb.gv.at

We do not share your data with third parties for advertising or other commercial purposes. Data is shared only with the processors named in sections 4 and 5 (Hetzner, Resend), who are contractually bound to comply with data protection requirements.

Travio is currently in a private beta phase. During this period, features, data structures, and privacy practices may change. Material changes to this Privacy Policy will be communicated to registered users by email.

We reserve the right to update this Privacy Policy as needed. The current version is always available on this page. Material changes will be communicated to registered users by email.