Privacy Policy

Last update: Jan 1st, 2025

1. Controller

mivo bookings

Franke & Winter GmbH

Schulgasse 10

88339 Bad Waldsee

Germany

Controllers according to GDPR: Jan Franke & Antonia Winter.

2. Data We Collect

When you use mivo, we may process:

  • Account data (name, email, password, company details)
  • Booking data (courses, training sessions, time slots, participants)
  • Payment data (via payment providers such as Stripe/PayPal)
  • Calendar data (if Google Calendar is connected)
  • Communication data (support requests, emails)
  • Technical data (IP address, browser, device info, logfiles)

3. Purposes & Legal Basis

We process your data for:

  • Providing and operating our SaaS platform (Art. 6(1)(b) GDPR)
  • Processing payments via third-party providers (Art. 6(1)(b) GDPR)
  • Customer communication and support (Art. 6(1)(b) and (f) GDPR)
  • Security, fraud prevention (Art. 6(1)(f) GDPR)
  • Marketing and analytics (only with consent, Art. 6(1)(a) GDPR)

4. Third-Party Services

We work with the following providers (some located in the USA):

  • Stripe Payments Europe Ltd. (payment processing)
  • Supabase Inc. (hosting, database)
  • Vercel Inc. (hosting, deployment)
  • Upstash Inc. (Redis database)
  • Google LLC (see detailed description under 4a. Google Services)
  • Sanity.io (content management for blog)

Data transfers to the USA are based on EU Standard Contractual Clauses (SCCs).

4a. Google Services

We use various Google services that require your consent. Your Google data is used exclusively in accordance with the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy).

Google Login & Registration

When logging in or registering via Google, we access:

  • Your email address (for account creation and identification)
  • Your name (for display in your mivo profile)
  • Your profile picture (optional, for display in your mivo profile)

We use this data exclusively for authentication and management of your mivo account. No data is shared with third parties.

Google Calendar Integration (Pro Feature)

When activating the Google Calendar integration, we access:

  • Reading Calendar Events (for conflict detection and preventing double bookings)
  • Creating Calendar Events (for automatic booking entries in your calendar)
  • Your email address (to link with your mivo account)

Purpose of data processing:

  • Automatic appointment blocking for new bookings
  • Prevention of double bookings through real-time conflict detection
  • Synchronization of your training sessions and courses with your Google Calendar
  • Push notifications for calendar changes (webhook-based)

Data storage and security:

  • Refresh tokens: Encrypted storage in our database (Supabase, EU servers, TLS 1.3, AES-256 at-rest encryption)
  • Event data: Only processed temporarily for synchronization, no permanent storage of calendar contents
  • Blocked time slots: Temporarily in Redis cache for performance optimization (automatic deletion after 7 days)
  • No sharing of your Google Calendar data with third parties

Your control over the data:

  • Disconnect anytime in Settings → Integrations → Google Calendar → "Disconnect"
  • Access also revocable directly at Google: https://myaccount.google.com/permissions
  • Upon disconnection, all stored tokens and webhook subscriptions are immediately deleted
  • Your existing booking data in mivo remains; only Calendar synchronization is ended

Compliance and legal basis:

  • Legal basis: Art. 6(1)(a) GDPR (consent) and (b) GDPR (contract performance)
  • Compliance with Google API Services User Data Policy
  • Data minimization principle: We only access the minimally necessary scopes (calendar.events, not calendar)
  • Data transfer to the USA based on EU Standard Contractual Clauses
  • Retention period: Tokens are deleted immediately upon disconnection, temporary data automatically removed after 24h

5. Data Retention

We retain personal data only as long as necessary for the stated purposes:

  • Contract and booking data: as long as the account is active + statutory retention periods (6–10 years for invoices).
  • Support data: max. 2 years after last contact.
  • Calendar and booking data: until the purpose has been fulfilled, then deleted.

6. Your Rights

Under GDPR you have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object (Art. 21 GDPR)
  • Withdraw consent (Art. 7(3) GDPR)

To exercise your rights, please contact: info@franke-winter.de

You also have the right to lodge a complaint with a data protection authority.

7. Cookies & Tracking

mivo uses cookies and similar technologies for:

  • Login and session management
  • Security
  • Optional analytics & marketing (only with consent)

8. Security

We apply modern security measures (TLS encryption, database RLS policies, access controls) to protect your data against loss, misuse and unauthorized access.

9. Changes

We may update this Privacy Policy from time to time. The current version is always available on our website.