Data Processing / AVV

This page describes the data processing arrangement used by Avolura for business customers during beta. Business customers in Germany and the EU may need a data processing agreement, often called an AVV or DPA, when Avolura processes customer data on their behalf.

For a signed AVV/DPA or additional processor information, contact privacy@avolura.com.

The business owner is typically the controller for customer data submitted through the public booking page. Avolura may act as processor when hosting the booking page, storing appointment requests, organizing conversations, sending notifications and supporting owner-approved AI draft replies on behalf of the business.

The Avolura operator remains controller for platform account administration, beta applications, security logs, abuse prevention and its own support communication.

Processing covers operation of the Avolura SaaS platform for the duration of the business customer beta access or contractual use, plus any legally or technically required retention period for backups, logs, security review and deletion handling.

• Business owner account data and business profile data.
• Customer names, email addresses, phone numbers and request details.
• Booking status, timestamps, notes, service selections and manage-link metadata.
• Client messages, owner replies and AI draft context where enabled.
• Uploaded images, service catalog data and notification records.
• Technical logs, security events and anti-spam/rate-limit data.

Business owners, staff users, customers or prospective customers who submit booking requests or messages, and visitors interacting with public booking pages.

Hosting and operating business booking pages, authenticating owners, receiving booking requests, managing customer communication, preparing owner-approved AI draft replies, sending notifications, securing the service and supporting backups and maintenance.

• Process business customer data only for operating and supporting Avolura.
• Keep platform access limited to authorized personnel and systems.
• Support reasonable requests for data access, correction, deletion and export.
• Notify affected business customers of relevant security incidents without undue delay.
• Use sub-processors only where needed for hosting, email delivery, storage, AI drafts or maintenance.

• Use Avolura only with a valid legal basis for processing client data.
• Keep public booking page privacy, imprint and service information accurate.
• Avoid collecting unnecessary sensitive data through public forms.
• Review AI draft replies before sending any client communication.
• Inform Avolura about deletion, export or data-subject requests that require platform support.

Sub-processors may include hosting, database, cache, upload storage, email delivery and, if configured, an AI provider for owner-approved draft generation. Production sub-processor details must match the actual infrastructure and SMTP/AI providers configured by the operator.

Avolura is designed with account authentication, password hashing, session security, tenant separation, rate limiting, upload validation, role checks, security logs, backup support and HTTPS deployment requirements. Production operation should also include server hardening, firewall rules, regular updates, database backups, upload backups and restore testing.

When a business stops using Avolura, the operator can review deletion or export requests for account data, business data, customer requests, conversations and uploads. Backup deletion may follow the normal backup lifecycle where immediate deletion is not technically possible.

Data processing questions can be sent to privacy@avolura.com. Last updated: 2026-06-08.