Privacy Policy of Tavel GmbH

As of: November 2025

1. Controller

Tavel GmbH
Oberer Stadtplatz 18
94469 Deggendorf, Germany

Represented by: Regina Gegenfurtner
Email: contact@tavel.app

2. General Information and Scope

The protection of your personal data is a matter of great importance to us. We treat your data confidentially and in accordance with the statutory data protection regulations, particularly the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Telecommunications-Telemedia Data Protection Act (TTDSG).

This Privacy Policy informs you about the type, scope, and purpose of processing personal data in connection with the use of our mobile application (Tavel-App).

3. Purposes of Data Processing and Necessary Categories

The Tavel App is designed to comprehensively facilitate the immigration and integration process into Germany.

We process your data for the following core purposes:

  • Contract Execution (App Services): Provision of functions to support administrative procedures (visa applications, residence status), language courses, and document management.
  • Intermediation Services: Initiation and execution of the arrangement of third-party services (bank accounts, insurance).
  • Operational Security: Ensuring the IT security and functionality of our systems.
  • Optimization: Analysis and improvement of app functionality and user-friendliness.

4. Data Collected

We specifically process the following categories of personal data:

Data Category Examples Purpose of Processing
Identification and Contact Data Name, date of birth, address, email address, telephone number Contract fulfillment, communication
Special Document Data Passport, visa, tax ID, salary slip, birth certificate, other proofs Fulfillment of legal and contractual obligations (e.g., for visa applications, bank intermediation)
Financial and Account Data IBAN, salary information Execution of intermediation services
Usage Data Logins, in-app interactions, device IDs, operating system information IT security, app improvement (see Section 10)
Communication Data Content of support requests (email, WhatsApp) Handling your inquiries

5. Legal Basis for Processing

The processing of your data is based on the following legal grounds:

Art. 6 (1) lit. b GDPR – Contract Execution:

Processing is necessary for the performance of the app usage contract and the provision of services (e.g., document management, support with applications).

Art. 6 (1) lit. a GDPR – Consent:

  • Processing for the disclosure of your data to partners (e.g., banks, insurance companies) for the initiation of specific contracts.
  • Processing for marketing (Section 13) and non-essential tracking (Section 10).

Art. 6 (1) lit. c GDPR – Legal Obligation:

Processing is necessary for compliance with legal requirements (e.g., retention of business records according to HGB and AO).

Art. 6 (1) lit. f GDPR – Legitimate Interest:

  • IT Security: Ensuring the functionality and security of our app and IT systems.
  • Quality Improvement: Non-personalized, statistical analysis to improve our services.

Note on Art. 9 GDPR: The processing of documents that potentially contain special categories of personal data (e.g., information on ethnic origin in the passport, health data) is additionally based on Art. 9 (2) lit. a GDPR (Explicit Consent) or Art. 9 (2) lit. g GDPR (Important public interest, BDSG § 22), insofar as this is strictly necessary for the fulfillment of the integration and immigration services.

6. Disclosure to Third Parties (Recipients)

Your data will only be disclosed if this is necessary for the fulfillment of the contract or if you have given explicit consent.

Recipients may include:

  • External Service Providers (Processors): Providers of hosting, app analytics, and cloud infrastructure. We have concluded data processing agreements (Art. 28 GDPR) with these parties.
  • Partners: Banks, insurance companies, language schools (disclosure only with your separate, active consent).
  • Public Bodies: Authorities (e.g., immigration office, tax office) within the scope of contractual support or due to legal obligations.

7. Storage Duration and Deletion

Your personal data will be stored as long as you maintain an active user account with us.

  • Account-related Data: After deletion of your account or withdrawal of consent, your data will be deleted or anonymized within 30 days, provided there are no further retention obligations.
  • Statutory Retention Periods: Commercial and tax law documents (e.g., invoices, business and payment data) must be retained for up to 10 years (Art. 6 (1) lit. c GDPR in conjunction with HGB and AO). The processing of this data will be restricted after the contract has expired.

8. Data Transfer to Third Countries

We use services that may involve processing data outside the European Union (third country), particularly by US-American providers of cloud and analysis services (e.g., Firebase).

A transfer only takes place if:

  • You have consented (Art. 49 (1) lit. a GDPR).
  • An adequacy decision of the EU Commission (e.g., EU-US Data Privacy Framework) exists.
  • Appropriate safeguards pursuant to Art. 46 GDPR (in particular through the conclusion of Standard Contractual Clauses – SCCs) have been implemented.

We ensure through contractual measures that your data receives an adequate level of protection even in third countries.

9. Your Rights as a Data Subject

You have the following comprehensive rights under the GDPR. You can contact us at any time to exercise these rights: 📧 contact@tavel.app

  • Right of Access (Art. 15 GDPR): You have the right to request information on whether and which data we process about you.
  • Right to Rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
  • Right to Erasure („Right to be forgotten,“ Art. 17 GDPR): You can request the deletion of your data, provided there are no legal retention obligations to the contrary.
  • Right to Restriction of Processing (Art. 18 GDPR): You can request the restriction of processing, e.g., if the accuracy of the data is disputed.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive the data concerning you in a structured, commonly used, and machine-readable format.
  • Right to Object (Art. 21 GDPR): You can object at any time to the processing of your data that is based on a legitimate interest (Art. 6 (1) lit. f GDPR).
  • Right to Withdraw Consent (Art. 7 (3) GDPR): You have the right to withdraw any consent given to us at any time with future effect.

10. Use of Analysis Tools and Tracking (TTDSG)

The Tavel App uses the following tools to improve stability and functionality:

Firebase Analytics / Crashlytics (Google): For anonymized or pseudonymized analysis of user behavior, measurement of app performance, and recording of crash reports.

Legal Basis:

The reading and storing of information in the terminal equipment (e.g., device ID) is based on your explicit consent (Art. 6 (1) lit. a GDPR in conjunction with TTDSG § 25 (1)), unless the functions are absolutely necessary for the operation of the app.

You will be asked for this consent when the app is first launched. The use of these analysis functions can be revoked at any time in the app settings.

11. In-App Purchases and Payments

Insofar as in-app purchases are offered, payment processing is carried out exclusively via the platform operators (Google Play Store / Apple App Store). Tavel GmbH itself does not store any payment data such as credit card information.

12. Communication

If you contact us by email, chat, or WhatsApp, your details will be stored for the purpose of processing the request and in case of follow-up questions (Art. 6 (1) lit. f GDPR). We do not disclose this data without your consent.

13. Advertising and Marketing

We may display information to users in the app about our own suitable services or offers from partners. Promotional content is carried out exclusively on the basis of your consent according to Art. 6 (1) lit. a GDPR and can be deselected or withdrawn at any time in the app settings.

14. Automated Decisions

No automated individual decisions or profiling within the meaning of Art. 22 GDPR take place.

15. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us includes:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
Web: https://www.lda.bayern.de

16. Contact to the Data Protection Officer

For all questions and concerns regarding data protection, please contact our operational data protection officer (if appointed) or directly the Controller:

Email: contact@tavel.app

(Recommendation: Set up a dedicated email address such as „datenschutz@tavel.app“ to facilitate communication.)

17. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy as needed. The current version is always available in the app or under tavel.app/privacy-policy.