Privacy policy

1. Data Controller

The party responsible for processing data on this website and within the PAVL app is:

Ken Berns
Tiergartenstraße 31
47533 Kleve, Germany
support@pavl.app

2. What data do we process?

PAVL is designed to collect as little personal data as possible.

When using the app without an account:

• An anonymous user ID (UUID) to associate your profile
• Your quiz answers
• Your swipes, ratings, and watchlist entries
• Your selected streaming providers and region

When you secure your account (Passkey):

• Your public key for authentication (no password)
• Optional: a username of your choice

When using Pair Mode:

• A link between your account and your partner's account
• Your shared swipes and the joint watchlist

Google Play (open beta):

PAVL is available in open beta on the Google Play Store. Installation happens directly with Google — Google’s privacy terms apply. We do not provide a contact form on our website for this download.

What we do NOT collect for ordinary in-app use:

• No email address inside the app itself
• No real names (unless you voluntarily provide one as username)
• No phone numbers
• No tracking cookies or advertising IDs
• No data sharing with advertising networks

3. Why do we process your data?

• Film recommendations: Your profile and swipes are used to suggest matching films.
• Profile development: From your interactions, we calculate your psychological archetype.
• Authentication: Passkeys allow secure access from multiple devices.
• Pair Mode: With your explicit consent, we share specific data with your pair partner.

Legal basis for the app: Art. 6 (1) lit. b GDPR (contract performance) and Art. 6 (1) lit. f GDPR (legitimate interest in operating a functional app).

4. Where is your data stored?

Your data is processed on servers operated by Cloudflare, Inc. Cloudflare runs a global network; your data is preferentially processed in EU data centers but may technically be routed to other regions.

Cloudflare is certified under the EU-US Data Privacy Framework. A Data Processing Agreement is in place with Cloudflare.

5. Third-party services

TMDB (The Movie Database): We obtain film data and streaming availability from TMDB. When film posters are displayed, a connection to TMDB servers is established.

Google Password Manager / Apple Keychain: Passkeys are stored on your device and, if applicable, in your device account. This processing is outside our control.

6. How long do we store your data?

For as long as you actively use your account. When you delete your account in the app, all your data is fully removed within 30 days — including profile, swipes, watchlist, and passkeys.

Emails you send to us (e.g. at support@pavl.app) are kept only as long as needed to handle your request and are deleted afterward unless a legal retention obligation requires longer storage.

7. Your rights

You have the right to:

• Access your stored data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR) — available directly in the app
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)
• Lodge a complaint with a supervisory authority (Art. 77 GDPR)

For inquiries and requests: support@pavl.app

Competent supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.

8. Security

All data transfers between app and server are encrypted via HTTPS. Passkeys use the WebAuthn standard and are therefore phishing-resistant.

9. Changes

This privacy policy may change as our processing practices evolve. The current version is always available at pavl.app.