Aavaaa

aavaaa pe aava — social plan-sharing app

Privacy Policy

Effective date: June 2026

1. Who we are

Aavaaa (“we”, “us”) is operated by an individual data controller based in Copenhagen, Denmark. You can reach us at admin@aavaaa.com.

2. What we collect

3. Why we collect it

To run the service: authenticate you, deliver invites + notifications, render the feed, render Memories, and let friends find you.

4. Third-party processors

We use the following sub-processors. Each receives only the data needed for its narrow purpose.

What are Standard Contractual Clauses (SCCs)? SCCs are contract terms pre-approved by the European Commission that legally bind a data recipient outside the EU to provide the same level of data protection required under GDPR. When we use a US-based processor, we have signed SCCs with them, giving you the same enforceable rights and giving EU regulators legal recourse if those commitments aren't met.

5. Data Access and Security

Aavaaa encrypts data at rest and in transit. We implement strict technical controls (Row Level Security) to ensure other users cannot access your private data, photos, or conversations without your permission.

As the data controller, Aavaaa's operator retains the technical ability to access stored data — including messages, photos, and account information — for the purposes of:

We do not access user content for any other purpose, and all administrative access is logged. We do not sell, share, or use your personal data for advertising or any purpose beyond operating Aavaaa.

If you require communications with guaranteed end-to-end encryption that even Aavaaa cannot access, we recommend using a dedicated secure messaging app for sensitive conversations.

6. Law Enforcement Requests

We may disclose your information if required to do so by law, a valid court order, or other legal process, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, protect the rights, safety, or property of Aavaaa, our users, or the public, or investigate fraud or security issues.

We will only respond to legally valid requests from law enforcement or government authorities, and we carefully review each request before responding. Where legally permitted, we will make reasonable efforts to notify affected users of such requests.

7. Your rights (GDPR)

You can exercise the following rights directly inside the app at Settings → Privacy or by emailing us:

8. Data retention

Active-account data is kept until you ask us to delete it. Audit / abuse logs are kept for up to 90 days. Backups roll off Supabase's retention window (typically 7 days).

9. Security

All traffic uses HTTPS. Database access is gated by Postgres Row-Level Security policies — each row is filtered by auth.uid() at the database engine, not just the application layer. App-lock + biometric unlock is available locally.

10. Children

We do not knowingly collect data from children under 13 without parental consent. Photos and memories shared in events may include images of children — this content belongs to the uploader and is governed by our Privacy Policy. We do not delete event memories simply because they contain images of minors.

11. Changes to this policy

We will note the new effective date at the top of this page when we make material changes. Continued use after that date constitutes acceptance.

12. Contact

Email admin@aavaaa.com for any data-protection question.


© Aavaaa, Copenhagen — Denmark. Terms of Service