Privacy Policy

Data Controller:
Janik Dietz
Wolframstraße 25
86161 Augsburg
Germany
Email: team@eloora.io


1. General Information

This web application ("Eloora") processes personal data exclusively in accordance with applicable data protection laws, in particular the GDPR. This privacy policy explains what data is processed for what purpose and what rights you have.


2. Data We Collect

Registration & Login

To use the app, registration with an email address and password is required. This data is used exclusively for managing your user account.

Passwords are stored encrypted (via Supabase Auth with bcrypt).

Rental Administration Data

As a landlord using Eloora, you enter information about your compounds, garages, tenants (including names, contact details, and IBANs), leases, and payment history. This data is processed on your behalf to provide the administration features of the app.

Bank Transaction Data

When you upload CSV bank statements for payment matching, the individual transactions (booking date, payer name, IBAN, amount, purpose) are parsed and stored. The original CSV file itself is not retained after processing.

Tenant Documents

You can upload or create documents for your tenants and leases, for example ID copies, signed lease agreements, dunning letters, terminations, and handover protocols. These files are processed on your behalf (Art. 6 para. 1 lit. b GDPR) and stored encrypted at rest with our storage provider Supabase (AES-256 encryption). Access is only possible through short-lived signed links.

AI Assistance

When you use the built-in AI assistant for payment matching or administrative tasks, the relevant content of your request is transmitted to our AI provider for processing. Responses are returned to you and are not used to train the provider's models.

Server Logs

The hosting provider Vercel may collect technical data (for example, IP address, browser type, access time) to ensure the operation of the app.


3. Purpose of Data Processing

  • Providing the garage administration features (compounds, garages, tenants, leases, payments)
  • User account management and authentication
  • Matching incoming bank transactions against expected payments, partly assisted by AI
  • Sending transactional notifications related to your account (for example, signup confirmations)
  • System security, bot protection, and error analysis

4. Legal Basis

Processing is based on Art. 6 para. 1 lit. b GDPR (contract fulfillment) and Art. 6 para. 1 lit. f GDPR (legitimate interest in operating and securing the app).


5. Data Recipients

  • Supabase Inc. (authentication and database services)
  • Vercel Inc. (hosting and aggregate web analytics)
  • Anthropic, PBC (AI processing via Claude, used for the built-in assistant and payment matching)
  • Resend (transactional email delivery, for example signup notifications)
  • Cloudflare, Inc. (bot protection on the signup form via the Turnstile service). When you open the signup form, Cloudflare receives technical signals from your browser (such as IP address, user agent, and interaction metadata) to distinguish humans from automated abuse. See the Cloudflare Turnstile Privacy Addendum for details.

These service providers act as data processors within the meaning of the GDPR, some with headquarters in the USA. GDPR-compliant contracts (standard contractual clauses) exist.


6. Data Retention

  • User account data: stored as long as your account exists
  • Rental administration data (compounds, garages, tenants, leases, payments): stored as long as your account exists, or until you archive or delete individual records
  • Server logs by Vercel: according to the provider, maximum 30 days

Retention Periods for Tenant Documents

Fixed retention periods apply to tenant documents. The period starts when the lease ends or when the tenant is archived. The legal basis for keeping documents after the lease ends is our legitimate interest in keeping evidence until the statutory limitation periods expire (Art. 6 para. 1 lit. f GDPR).

  • ID copies: 3 months
  • Signed lease agreements, dunning letters, terminations, termination confirmations, and handover protocols: 3 years, based on the standard limitation period under Section 195 of the German Civil Code (BGB)
  • Contract drafts, cover letters, and other documents: 6 months

Once the period expires, the files and their database records are permanently deleted by a daily automated job. The scheduled deletion date is shown next to each document in the app. When a tenant is archived, the period is at least 30 days so that an accidental archive has no consequences.

Deleted data may remain in our database provider's backups until those backups rotate out on their regular schedule. Backups are not used to restore deleted personal data.


7. Your Rights

You have the right at any time to:

  • Information about your stored data
  • Correction of incorrect data
  • Deletion of your data ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Object to processing

You can permanently delete tenant documents yourself at any time (Art. 17 GDPR): open the tenant or unit detail page and use the delete icon next to the document. The file and its database record are removed immediately.

Please contact us at: team@eloora.io


8. SSL Encryption

The connection to this web app is made via a secure HTTPS connection.


9. Cookies & Tracking Technologies

Eloora uses two categories of cookies and tracking technologies. A full inventory, including vendor, purpose, and retention, is available on the cookies page.

Strictly necessary

We use a Supabase authentication cookie to keep you signed in, the Cloudflare Turnstile bot-protection signal on the signup form, and a localStorage entry that remembers your cookie preferences on this device. These cannot be turned off because the app would not function without them. Legal basis: Art. 6 para. 1 lit. b and lit. f GDPR.

Measurement (legitimate interest, opt-out available)

We use Vercel Analytics to count page views and measure performance in aggregate. No advertising profile is built, no cross-site identifier is set, and no personal data is shared with third parties. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in understanding how the product is used). We have balanced this interest against your privacy rights and concluded that aggregate measurement without personal identifiers is proportionate. You can opt out at any time on the cookies page; opting out stops the beacons being sent.

If we add further measurement tools in the future, they will be added under the same category and gated by your consent.


10. Changes

This privacy policy may be updated as needed. The current version is always available on the website.


Legal Notice (Impressum)

Information according to § 5 TMG:

Janik Dietz
Wolframstraße 25
86161 Augsburg
Germany
Email: team@eloora.io

Responsible for content according to § 55 para. 2 RStV:
Janik Dietz