Privacy Policy

1. Data Controller

ProDoWeb UG (limited liability)
c/o Tino Wittig
35 Zwickauer Street
04639 Gößnitz
Email: info@prodoweb.de

2. General Information on Data Processing

We generally process our users’ personal data only to the extent necessary to provide a functional website and our content and services. The processing of personal data generally takes place only with the user’s consent or when permitted by law.

The legal basis for the processing of personal data includes, in particular:

  • Art. 6(1)(a) GDPR — User consent
  • Art. 6(1)(b) GDPR — Performance of a contract or pre-contractual measures
  • Art. 6(1)(f) GDPR — Legitimate interest of the controller

3. Hosting

This website is hosted by Scaleway S.A.S. The servers are located in Amsterdam (Netherlands, EU). The personal data collected on this website is stored on the host’s servers. This may include, in particular, IP addresses, access data, and transmitted content.

The use of the hosting provider is in the interest of a secure, fast, and efficient provision of our online services (Art. 6(1)(f) GDPR).

Provider: Scaleway S.A.S., 8 rue de la Ville-l'Évêque, 75008 Paris, France

4. Registration & User Account

When you register for a user account, we collect the following data:

  • Name (optional)
  • Email address
  • Password (stored in encrypted form)

To confirm your email address, we will send you a verification email. This data is processed for the purpose of fulfilling the contract in accordance with Article 6(1)(b) of the GDPR.

5. Sign-up via third-party providers (Google, GitHub)

You have the option to log in to Nevlo using your Google or GitHub account. In doing so, the following data is transmitted to us by the respective provider:

  • Email address
  • Name
  • Provider account ID

If a user account already exists with the same email address, the third-party account will be automatically linked to it. Processing is carried out for the purpose of fulfilling the contract in accordance with Art. 6(1)(b) GDPR.

Google: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
GitHub: GitHub Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA (transfer to a third country based on standard contractual clauses pursuant to Art. 46(2)(c) GDPR)

6. Bank details & financial data (finAPI)

We use the services of finAPI GmbH to connect your bank accounts. The following data is collected and processed in this process:

  • Bank accounts: IBAN, account type, account name, account balance, currency
  • Transactions: Amount, posting date, value date, payment reference, recipient/payer name and IBAN, merchant name
  • Bank details: Bank name, BIC

The connection is established via the PSD2 interface. The consent you give to your bank is valid for 90 days. We will notify you by email in good time before your consent expires so that you can renew it.

Bank access data is stored exclusively in encrypted form. Processing is carried out for the purpose of fulfilling the contract in accordance with Art. 6(1)(b) GDPR and on the basis of your consent in accordance with the requirements of the PSD2 Directive.

Provider: finAPI GmbH, Adams-Lehmann-Straße 44, 80797 Munich

7. AI-powered transaction categorization (Mistral AI)

If you enable automatic categorization of your transactions, the following transaction data will be transmitted to Mistral AI for categorization:

  • Recipient name
  • Merchant name
  • Purpose
  • Amount

This feature is disabled by default and will only be used after you explicitly enable it. You can disable the feature at any time in your account settings.

The legal basis is your consent pursuant to Art. 6(1)(a) of the GDPR.

Provider: Mistral AI, 15 rue des Halles, 75001 Paris, France (EU)

8. Payment processing (Stripe)

We use the payment service provider Stripe to process payments and manage subscriptions. The following data is transmitted to Stripe:

  • Email address
  • Billing address
  • Tax ID (if provided)
  • Selected subscription plan

Payment data (e.g., credit card numbers) is collected and stored exclusively by Stripe and is never transmitted to us. Processing is carried out for the purpose of fulfilling the contract in accordance with Art. 6(1)(b) GDPR.

Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (EU)

9. Email delivery (Resend)

We use the Resend service to send transaction-related emails. Your email address is transmitted to Resend for this purpose. The following emails are sent via this service:

  • Email verification during registration
  • Password reset
  • Reminders regarding the PSD2 consent process for bank accounts

Processing is carried out for the purpose of fulfilling the contract in accordance with Art. 6(1)(b) GDPR. Since Resend is based in the United States, data transfer is carried out on the basis of standard contractual clauses in accordance with Art. 46(2)(c) GDPR.

Provider: Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA

10. Cookies

This website uses the following cookies:

  • Session cookie: For authentication and session management. This cookie is technically necessary and is deleted when you log out or after the session expires.
  • OAuth state cookie: Temporary cookie used during login via Google or GitHub. It is automatically deleted after a few minutes.
  • Google Click ID Cookie: Stores an identifier from Google Ads campaigns for 90 days for marketing attribution.

The technically necessary cookies are set based on Art. 6(1)(f) GDPR. The Google Click ID cookie is set based on your consent in accordance with Art. 6(1)(a) GDPR.

11. Google Ads / Conversion Tracking

We use Google Ads to promote our services. When you click on a Google ad, an identifier (Google Click ID) is recorded and stored for 90 days in a cookie and in our database. This is used to associate registrations with advertising campaigns.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. Since Google is based in the United States, data is transferred on the basis of standard contractual clauses pursuant to Art. 46(2)(c) GDPR.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

12. Webhooks (user-configurable)

You have the option to configure your own webhook endpoints in your account. Transaction data and account information will be transmitted to the endpoints you specify. The transmission is initiated by you and is your responsibility.

Processing is carried out for the purpose of fulfilling the contract in accordance with Art. 6(1)(b) GDPR.

13. Server Log Files & Logging

The following data is automatically collected each time you visit our website:

  • IP address
  • Browser type and version
  • Pages viewed
  • Time of access

In addition, we log API requests to ensure operational stability and for troubleshooting purposes. This data is not combined with other data sources. The legal basis for data processing is Article 6(1)(f) of the GDPR.

14. Data Security

We implement comprehensive technical and organizational measures to protect your data:

  • Encrypted data transmission between your browser and our servers (TLS)
  • Encrypted storage of sensitive data such as bank login credentials and passwords
  • Regular security checks of our systems

15. Retention Period & Deletion

We store your personal data only for as long as is necessary for the respective processing purposes:

  • Account details: Until your user account is deleted
  • Session details: Until the end of the session or until you log out
  • Log data: For a limited period to troubleshoot and ensure operation

When you delete your user account, all associated data will be completely deleted, including bank details, transactions, sessions, and settings. Statutory retention periods remain unaffected.

16. Your Rights

You have the following rights with respect to us:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent with future effect (Art. 7(3) GDPR)

You also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data. The supervisory authority responsible for us is:

Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI)
Häßlerstraße 8, 99096 Erfurt

17. Overview of Data Processors / Third-Party Providers

The following third-party providers process personal data on our behalf or as independent data controllers:

Provider                    | Purpose                    | Headquarters        | Transfer Basis
Scaleway S.A.S.             | Hosting                    | France (EU)         |
finAPI GmbH                 | Bank connection            | Germany (EU)        |
Mistral AI                  | Transaction categorization | France (EU)         |
Stripe Payments Europe Ltd. | Payment processing         | Ireland (EU)        |
Resend Inc.                 | Email delivery             | USA                 | Standard Contractual Clauses
Google Ireland Limited      | OAuth login, Ads           | Ireland (EU) / USA  | Standard Contractual Clauses
GitHub Inc.                 | OAuth login                | USA                 | Standard Contractual Clauses

18. Contact for Data Protection Questions

If you have any questions regarding data protection, please contact us at: info@prodoweb.de

19. Timeliness

This Privacy Policy is currently valid and is effective as of March 2026. Due to the ongoing development of our website or changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy.