Privacy policy

1. Data Controller

The party responsible for processing data on this website and within the PAVL app is:

Ken Berns
Tiergartenstraße 31
47533 Kleve, Germany
support@pavl.app

2. What data do we process?

PAVL is designed to collect as little personal data as possible.

When using the app without an account:

• An anonymous user ID (UUID) to associate your profile
• Your quiz answers
• Your swipes, ratings, and watchlist entries
• Your selected streaming providers and region

When you secure your account (Passkey):

• Your public key for authentication (no password)
• Optional: a username of your choice

When using Pair Mode:

• A link between your account and your partner's account
• Your shared swipes and the joint watchlist

Beta signup on the website:

You may voluntarily apply for Google Play beta access via the form at pavl.app/en/beta/. We collect and process:

• Name or nickname
• Email address (to process your application and contact you)
• The free-text message you enter (“Why do you want in?”)

Submissions are delivered through FormSubmit (formsubmit.co), which forwards the data to us by email (support@pavl.app). That provider’s privacy terms apply in addition for the transmission step.

What we do NOT collect for ordinary in-app use:

• No email address inside the app itself (different rules apply only if you use the voluntary beta signup form)
• No real names (unless you voluntarily provide one as username)
• No phone numbers
• No tracking cookies or advertising IDs
• No data sharing with advertising networks

3. Why do we process your data?

• Film recommendations: Your profile and swipes are used to suggest matching films.
• Profile development: From your interactions, we calculate your psychological archetype.
• Authentication: Passkeys allow secure access from multiple devices.
• Pair Mode: With your explicit consent, we share specific data with your pair partner.
• Beta signup: Handling your application for Google Play beta access, contacting you by email, and assigning you to the tester pool if applicable.

Legal basis for the app: Art. 6 (1) lit. b GDPR (contract performance) and Art. 6 (1) lit. f GDPR (legitimate interest in operating a functional app). For the beta form, Art. 6 (1) lit. b GDPR (pre-contractual measures at your request) applies as well as — where you ticked the box acknowledging this privacy policy — Art. 6 (1) lit. a GDPR (consent).

4. Where is your data stored?

Your data is processed on servers operated by Cloudflare, Inc. Cloudflare runs a global network; your data is preferentially processed in EU data centers but may technically be routed to other regions.

Cloudflare is certified under the EU-US Data Privacy Framework. A Data Processing Agreement is in place with Cloudflare.

5. Third-party services

FormSubmit (formsubmit.co): Used only for the beta signup form on the website to submit your entries securely over HTTPS to us by email.

TMDB (The Movie Database): We obtain film data and streaming availability from TMDB. When film posters are displayed, a connection to TMDB servers is established.

Google Password Manager / Apple Keychain: Passkeys are stored on your device and, if applicable, in your device account. This processing is outside our control.

6. How long do we store your data?

For as long as you actively use your account. When you delete your account in the app, all your data is fully removed within 30 days — including profile, swipes, watchlist, and passkeys.

Data from beta applications (emails and their contents) are kept only as long as needed to process your request (invitation, rejection, follow-up questions) and are deleted thereafter unless we have a legitimate interest or legal retention obligation that requires longer storage.

7. Your rights

You have the right to:

• Access your stored data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR) — available directly in the app
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)
• Lodge a complaint with a supervisory authority (Art. 77 GDPR)

For inquiries and requests: support@pavl.app

Competent supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.

8. Security

All data transfers between app and server are encrypted via HTTPS. Passkeys use the WebAuthn standard and are therefore phishing-resistant.

9. Changes

This privacy policy may change as our processing practices evolve. The current version is always available at pavl.app.