Privacy Policy

Last updated: May 26, 2026

Introduction

This page explains what personal data we process when you use Avara, the legal bases on which we process it, who else may receive it, and what rights you have. We aim to keep this readable; if anything is unclear, write to [email protected].

Controller

The controller responsible for processing within the meaning of Art. 4 (7) GDPR is:

Lennart Diedrichsen

Grundstr. 26, 20257 Hamburg, Germany

[email protected]

Categories of data we process

We process the following categories of personal data:

  • Account data: name, email address, username, profile photo
  • Profile data: bio, website, social links, city and country, teaching credentials
  • Schedule data: class titles, times, locations, descriptions
  • Usage data: pages visited, features used, in-app actions
  • Technical data: IP address, browser, device, log data created when our servers respond to your requests
Purposes and legal bases

We process data for the following purposes, on the following legal bases:

  • Providing the platform (account, schedule, public profile) — performance of contract, Art. 6 (1) (b) GDPR.
  • Showing your public schedule to students and connecting you with studios — performance of contract, Art. 6 (1) (b) GDPR.
  • Operating, securing and improving the platform (logs, abuse prevention) — legitimate interests, Art. 6 (1) (f) GDPR.
  • Service emails (account, security, transactional) — performance of contract, Art. 6 (1) (b) GDPR.
  • Marketing emails — only with your consent, Art. 6 (1) (a) GDPR; you can withdraw at any time.
  • City suggestions while you edit your profile — your browser sends the typed query and your IP address to Photon (see below) on the basis of our legitimate interest in offering autocomplete, Art. 6 (1) (f) GDPR.
Service providers and recipients

We use the following processors and third parties. They only act on our instructions, except for Photon, which is triggered directly by your browser:

  • Supabase Inc., 970 Toa Payoh North #07-04, Singapore — database, authentication and file storage. Production data is hosted on AWS in eu-central-1 (Frankfurt). Data Processing Addendum and EU Standard Contractual Clauses are in place.
  • Render Services, Inc., 525 Brannan St, San Francisco, CA 94107, USA — application hosting. Data Processing Addendum and EU Standard Contractual Clauses are in place.
  • Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — transactional email delivery. Data Processing Addendum and EU Standard Contractual Clauses are in place.
  • Komoot GmbH, Karl-Liebknecht-Str. 1, 14482 Potsdam, Germany — Photon city autocomplete. When you type in the city field, your browser sends the query and your IP address to photon.komoot.io. The underlying data is © OpenStreetMap contributors, licensed under ODbL.

If you connect with a studio through Avara, the studio receives the profile data needed to confirm the connection (name, profile photo, the classes that link to them). Your public profile and public schedule are visible to anyone who opens them.

International data transfers

Some of our service providers (Supabase, Render, Resend) are headquartered outside the EU/EEA. Where personal data is transferred to a third country we rely on the European Commission's Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR, together with the supplementary safeguards described in the relevant Data Processing Addenda. You can request copies of the SCCs by emailing [email protected].

Your rights under the GDPR

Subject to the conditions of the GDPR, you have the right to:

  • Information about the data we process about you (Art. 15)
  • Correction of inaccurate data (Art. 16)
  • Erasure of your data (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection to processing based on our legitimate interests (Art. 21)
  • Withdrawal of any consent at any time, with effect for the future (Art. 7 (3))
Right to lodge a complaint

You may lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement. The competent authority for our establishment is: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg — datenschutz-hamburg.de.

Cookies and similar technologies

We use only strictly necessary cookies (e.g. authentication, language preference, CSRF protection). They are exempt from the consent requirement under §25 (2) TTDSG. If we ever introduce optional analytics or marketing technologies we will ask for your consent first via a cookie banner.

Data security

Traffic is encrypted in transit (TLS) and at rest where supported by our infrastructure providers. Access to production data is restricted to the operator and reviewed regularly. No system is fully secure; please report suspected vulnerabilities to [email protected].

Retention

We retain account and profile data for as long as your account exists. When you delete your account we delete or anonymise personal data within 30 days, except where statutory retention periods apply (e.g. invoicing data under §147 AO for up to 10 years). Server logs are kept for up to 14 days for abuse prevention and then deleted.

Contact

For privacy questions or to exercise your rights, write to:

[email protected]