Aavaaa
aavaaa pe aava — social plan-sharing app
Effective date: June 2026
Aavaaa (“we”, “us”) is operated by an individual data controller based in Copenhagen, Denmark. You can reach us at admin@aavaaa.com.
To run the service: authenticate you, deliver invites + notifications, render the feed, render Memories, and let friends find you.
We use the following sub-processors. Each receives only the data needed for its narrow purpose.
What are Standard Contractual Clauses (SCCs)? SCCs are contract terms pre-approved by the European Commission that legally bind a data recipient outside the EU to provide the same level of data protection required under GDPR. When we use a US-based processor, we have signed SCCs with them, giving you the same enforceable rights and giving EU regulators legal recourse if those commitments aren't met.
Aavaaa encrypts data at rest and in transit. We implement strict technical controls (Row Level Security) to ensure other users cannot access your private data, photos, or conversations without your permission.
As the data controller, Aavaaa's operator retains the technical ability to access stored data — including messages, photos, and account information — for the purposes of:
We do not access user content for any other purpose, and all administrative access is logged. We do not sell, share, or use your personal data for advertising or any purpose beyond operating Aavaaa.
If you require communications with guaranteed end-to-end encryption that even Aavaaa cannot access, we recommend using a dedicated secure messaging app for sensitive conversations.
We may disclose your information if required to do so by law, a valid court order, or other legal process, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect the rights, safety, or property of Aavaaa, our users, or the public, or investigate fraud or security issues.
We will only respond to legally valid requests from law enforcement or government authorities, and we carefully review each request before responding. Where legally permitted, we will make reasonable efforts to notify affected users of such requests.
You can exercise the following rights directly inside the app at Settings → Privacy or by emailing us:
Active-account data is kept until you ask us to delete it. Audit / abuse logs are kept for up to 90 days. Backups roll off Supabase's retention window (typically 7 days).
All traffic uses HTTPS. Database access is gated by Postgres Row-Level Security policies — each row is filtered by auth.uid() at the database engine, not just the application layer. App-lock + biometric unlock is available locally.
We do not knowingly collect data from children under 13 without parental consent. Photos and memories shared in events may include images of children — this content belongs to the uploader and is governed by our Privacy Policy. We do not delete event memories simply because they contain images of minors.
We will note the new effective date at the top of this page when we make material changes. Continued use after that date constitutes acceptance.
Email admin@aavaaa.com for any data-protection question.