Privacy Policy
This privacy policy explains which personal data we process when you use TROVARO (trovaro.app, trovaro.io and my.trovaro.app), for which purposes, and which rights you have.
1. Controller
MasteryBits AB
Skarpskyttevägen 16
271 60 Ystad, Sweden
Email: info@trovaro.app
2. Our principles
- TROVARO is ad-free and uses no third-party tracking or analytics services.
- Your content is stored on servers in the European Union.
- We only process the data required to operate the service, and we do not analyse your content.
- We do not sell data and only share it with the service providers listed below, to the extent necessary for operating the service.
3. Hosting and server log files
TROVARO is hosted by Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany (data centres in the European Union). A data processing agreement pursuant to Art. 28 GDPR is in place with Hetzner.
When you visit our pages, the server automatically processes technical access data (IP address, date and time, requested page, browser type and operating system). These log files serve to keep the service running, analyse errors and defend against attacks, and are deleted automatically after a short period. The legal basis is our legitimate interest in a secure and stable operation (Art. 6(1)(f) GDPR).
4. Cookies
We only use strictly necessary cookies: a session cookie for signing in to the app and a cookie protecting against attacks (CSRF). No marketing, analytics or third-party cookies are set; a cookie banner is therefore not required. Legal basis: Art. 6(1)(b) and (f) GDPR; the storage is strictly necessary for the service you request.
5. Registration and user account
Using TROVARO requires an account. For this we process your email address, your name (if provided), your password (only as a cryptographic hash) and your account settings. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR). The data is stored for as long as your account exists.
6. Your content (notes, bookmarks, videos, photos)
We process the content you store in TROVARO exclusively to provide the service to you (Art. 6(1)(b) GDPR). We do not analyse your content, do not use it for advertising and do not pass it on to third parties. If you share an album via a link, it is only accessible to people who know the link (and the password, if set). When you delete your account, your content is deleted; it may remain in backups for a transition period of up to 30 days.
7. Transactional emails (Postmark)
We send system emails (e.g. registration confirmation, password reset) via the Postmark service of ActiveCampaign, LLC, 1 North Dearborn Street, Chicago, IL 60602, USA. This involves processing your email address and the content of the respective system email. ActiveCampaign is certified under the EU-US Data Privacy Framework; EU standard contractual clauses are in place in addition. Legal basis: Art. 6(1)(b) GDPR. We do not send newsletters or marketing emails.
8. Backups (Backblaze)
We create daily backups to protect your data. Backups are encrypted on our servers before transfer (client-side, restic) and then stored with Backblaze, Inc., 201 Baldwin Ave, San Mateo, CA 94401, USA. Backblaze only receives encrypted data and has no access to the content; the keys remain with us. Backblaze is certified under the EU-US Data Privacy Framework; EU standard contractual clauses are in place in addition. Legal basis: Art. 6(1)(f) GDPR (data security).
9. Payment processing (Paddle)
Paid subscriptions are handled by our reseller (merchant of record) Paddle: Paddle.com Market Limited, Judd House, 18–29 Mora Street, London EC1V 8BT, United Kingdom. When you purchase, payment and billing data (e.g. name, email address, country, payment method) are collected and processed directly by Paddle as an independent controller; we ourselves do not receive or store full payment data. An EU Commission adequacy decision is in place for the United Kingdom. See the Paddle privacy policy for details.
10. Recipients and international transfers
We only share personal data with the service providers named in this policy. Where data is transferred to countries outside the EU/EEA (USA: ActiveCampaign/Postmark, Backblaze; UK: Paddle), this is based on adequacy decisions of the EU Commission (EU-US Data Privacy Framework, UK adequacy decision) and/or EU standard contractual clauses.
11. Storage periods
We store personal data only for as long as necessary for the purposes described: account data and content until you delete your account (plus a backup transition period of up to 30 days), server logs for a few days, and billing data for the statutory retention periods.
12. Your rights
Under the GDPR you have the following rights:
- access to the data we process about you (Art. 15),
- rectification of inaccurate data (Art. 16),
- erasure (Art. 17) and restriction of processing (Art. 18),
- data portability (Art. 20),
- objection to processing based on legitimate interests (Art. 21).
An email to info@trovaro.app is sufficient to exercise these rights. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR) – in Sweden this is the Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, imy.se; you may also contact the supervisory authority of your country of residence.
13. Data security
All connections are TLS-encrypted. We use technical and organisational measures in line with the state of the art, including encrypted backups, access restrictions and regular security updates.
14. Changes to this privacy policy
We update this privacy policy when the service or the legal situation changes. The version published here applies.
Last updated: July 2026