Privacy Policy

As of: March 2026

1. Data Controller

intercolo GmbH

Carl-Goerdeler-Str. 114

60320 Frankfurt am Main

Germany

Managing Director: Maxim Gade

Email: datenschutz@pavavo.com

Phone: 069 / 56 40 60

2. Subject Matter of this Privacy Policy

This privacy policy informs you about the type, scope and purpose of processing personal data when using the website pavavo.com and the cloud accounting software Pavavo (hereinafter "Service").

3. Hosting and Server Location

The Service is operated on intercolo GmbH's own servers in Germany (location: Düsseldorf). No third-party infrastructure services (AWS, Google Cloud, Microsoft Azure or similar) are used.

No data transfers to third countries by the provider: All data is processed and stored exclusively on servers in Germany. No transfers to countries outside the EU/EEA are made by the provider. To the extent the user activates payment service providers (Stripe, PayPal), data transfer to the USA may occur (see section 8).

4. Types of Data Collected

During registration:

  • Name
  • Email address
  • Password (hashed)

Company data:

  • Company name, address, tax number, VAT ID
  • Bank details (IBAN, BIC)
  • Logo (optional)

Accounting data:

  • Invoices, offers, credit notes
  • Contacts (customers and suppliers)
  • Receipts and vouchers
  • Bookings and journal entries
  • Bank transactions (when imported)

Technical data:

  • IP address
  • Browser type and version
  • Operating system
  • Date and time of access
  • Referrer URL

Usage data:

  • Login times
  • Features used (anonymized)
  • Device type

5. Purpose of Data Processing

  • Provision and operation of the accounting software
  • User management and authentication
  • Creation and management of invoices and documents
  • DATEV export in EXTF format and ELSTER submission
  • Payment processing (when using Stripe/PayPal)
  • Email communication (invoice delivery)
  • Technical security and abuse prevention
  • Compliance with legal retention requirements (GoBD, AO)

6. Legal Bases

  • Contract performance: Art. 6(1)(b) GDPR for registration, service use, support and billing.
  • Legal obligations: Art. 6(1)(c) GDPR for tax retention obligations and legally required records.
  • Legitimate interest: Art. 6(1)(f) GDPR for security, abuse prevention, error analysis and product improvement.

7. Data Processing (DPA)

We process personal data only to provide, secure and improve Pavavo.

For accounting data, intercolo GmbH generally acts as a processor. A data processing agreement is provided for business customers.

8. Recipients and Subprocessors

Data is shared with service providers only where necessary for operation, support, payment or statutory interfaces.

Service Provider Purpose
Email delivery intercolo GmbH / commissioned mail service Transactional emails, invoice delivery and support communication
Payment processing Stripe, PayPal or bank transfer depending on selection Billing paid plans and confirming payments
ELSTER / tax submission German tax administration Optional submission of tax reports in the Pro plan

If Stripe or PayPal is activated, the privacy information of the selected payment provider also applies.

Pavavo is accounting software and not a payment or banking service provider. Bank data is processed only where required for accounting, reconciliation or billing.

9. Storage Duration

  • Accounting data: is generally stored for up to 10 years in line with statutory retention obligations.
  • Receipts and invoices: are stored for the duration of commercial and tax retention obligations.
  • Account data: is stored until the account is deleted and afterwards only where required for settlement and records.
  • Technical logs: are stored for a limited time where required for security, error analysis and abuse prevention.
  • Audit logs: are retained where required for traceability, GoBD requirements or statutory evidence.

10. Your Rights

Subject to the GDPR, you have the following rights in particular:

  • Access: You may request information about the personal data we process.
  • Rectification: You may request correction of inaccurate or incomplete data.
  • Erasure: You may request deletion where no statutory retention obligations apply.
  • Restriction: You may request restriction of processing.
  • Structured disclosure of personal data: Where the statutory requirements are met, personal data can be provided in a structured format.
  • Objection: You may object to processing based on legitimate interests.
  • Complaint: You may lodge a complaint with a data protection supervisory authority.

To exercise your rights, write to datenschutz@pavavo.com

Accounting exports: Accounting data is available inside the application through export functions.

11. Cookies

Pavavo uses technically required cookies for login, security and preferences.

  • Session cookie: keeps you signed in during the session.
  • CSRF cookie: protects forms from abusive requests.
  • Preference cookie: stores language, theme or similar settings.
  • Analytics cookies (Matomo): collect anonymised usage statistics (e.g. pages visited, time spent) solely with your consent in order to improve our service. We run Matomo on our own servers in Germany, anonymise IP addresses and do not share any data with third parties.

The legal basis for analytics cookies is your consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG). You can withdraw your consent at any time with effect for the future via the "Cookie settings" link in the footer.

Without your consent we do not set any analytics or marketing cookies; technically required cookies remain unaffected.

12. Necessity of Providing Personal Data

Without the required registration, company and accounting data, Pavavo cannot be provided or can only be provided in a limited way.

13. Technical and Organizational Measures

We use technical and organizational measures to protect personal data from unauthorized access, loss and misuse.

  • TLS encryption for all data transfers
  • Encrypted storage of sensitive data (AES-256)
  • Regular security updates and penetration testing
  • Access control and role-based permissions
  • Automatic encrypted backups
  • Firewall and intrusion detection systems

14. Notification of Data Breaches

Data breaches are reviewed and, where legally required, reported to supervisory authorities and affected persons within the statutory deadlines.

15. Supervisory Authority

Competent data protection supervisory authority:

The Hessian Commissioner for Data Protection and Freedom of Information

Gustav-Stresemann-Ring 1

65189 Wiesbaden, Germany

Phone: +49 611 1408-0

Email: poststelle@datenschutz.hessen.de

Web: https://datenschutz.hessen.de

16. Changes to This Privacy Policy

We may update this privacy policy if legal, technical or organizational circumstances change.