Privacy Policy

Effective 28 May 2026

This Privacy Policy explains what elvix collects, why, where it is stored, and what rights you have, under the EU General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG). elvix is a sign-in and identity service: you sign in once, and you can keep a profile (contact details, addresses, billing and tax entities, languages) that you choose to share with the apps you sign in to, instead of re-typing it everywhere. Because of that, elvix sits in two relationships, set out in section 2.

1. Who is responsible

The controller for your elvix account data is the Einzelunternehmen trading as "edvone" (Inhaber Edvard Grei), Jülicher Straße 72a, 52070 Aachen (DigitalHub Aachen), Germany. Privacy contact: [email protected]. We are not legally required to appoint a Data Protection Officer and have not done so.

2. Two relationships

  • Your account. For the identity and profile data you hold with elvix, we are the controller. This policy covers that.
  • The Console.When a business (an "Operator") integrates elvix, the records about that business's own end users are controlled by the business; elvix acts as its processor under a Data Processing Agreement (Art. 28 GDPR). See section 9.

3. What we collect, when we're your controller

Collected automatically when you sign in:

  • One or more email addresses (each tagged with how it was added and whether it is verified).
  • Sign-in factors: a short-lived hash of email one-time codes (never the code), passkey public keys and credential ids (the private key never leaves your device), and, if you use a social login, the provider account id plus the profile payload the provider returns. We keep a history of those provider payloads for security and audit.
  • Sign-in activity: the time, the app, the coarse country derived from your IP at that moment (we then discard the raw IP), and the browser user-agent.
  • Region defaults (country, timezone, locale, formats) that we may pre-fill from your IP country and provider locale on first sign-in. These are flagged as auto-derived until you confirm or change them, after which they are yours.

Profile data you choose to add (so apps you sign in to can reuse it with your consent, instead of asking you again):

  • Identity: name, username, avatar and banner images, and optionally phone, date of birth, gender, pronouns, age range, job title, organization, education, and the languages you speak with self-reported proficiency.
  • Postal addresses (billing and shipping): recipient and optional company name, the address itself, and, if you pick it from address autocomplete, its coordinates and timezone.
  • Legal and tax entities (only if you add one for invoicing): legal and trading name, tax country, tax number and VAT id (which we may validate against the competent authority), company registration number, the registered address and contact, and, for individuals or sole proprietors, date and place of birth and nationality.

You can view, edit, or delete every item of profile data from /account. Nothing in the profile is required to sign in; you add only what you want to reuse across apps.

4. Sensitive data

Some profile fields (date of birth, nationality, tax identifiers) are sensitive even though they are not "special categories" under Art. 9 GDPR. We collect them only when you enter them yourself for a purpose you choose (for example a tax entity for invoicing). elvix does not ask for and does not want Art. 9 data (health, religion, political opinions, racial or ethnic origin, sexual orientation). Please do not put such data into free-text fields.

5. What we do not collect

  • Raw IP addresses at rest. We resolve to country and discard the original.
  • The content or activity inside the apps you sign in to. That lives in each app's own systems. (An Operator may store its own custom attributes against your membership of its app; for those, elvix is the Operator's processor.)
  • Passwords. elvix has no password sign-in.
  • Advertising or cross-site tracking. elvix sets no third-party tracking cookies and no ad pixels.

6. Cookies

elvix sets only first-party, strictly necessary cookies: a session cookie once you are signed in, and a CSRF protection token. They are required to keep you signed in securely and are exempt from consent under § 25 (2) TTDSG. We set no analytics or marketing cookies.

7. Lawful basis

  • Contract (Art. 6(1)(b)) for sign-in and for delivering the service you asked for.
  • Consent (Art. 6(1)(a)) for the optional profile data you add and each time you share profile data with a specific app. You can withdraw it any time by deleting the data or revoking the app.
  • Legitimate interest (Art. 6(1)(f)) for security telemetry, fraud and abuse prevention, and reliability, balanced against minimal data.
  • Legal obligation (Art. 6(1)(c)) for tax, accounting, and breach-notification duties.

8. Where your data lives, and international transfers

Your elvix account record is stored in Germany 🇩🇪, on managed PostgreSQL infrastructure operated by delvix on servers in Germany. Avatar and banner images are stored in Cloudflare R2 (EU). Some sub-processors that support specific functions are based in the United States. Where personal data reaches them, the transfer relies on the European Commission's Standard Contractual Clauses and, where applicable, the processor's EU-US Data Privacy Framework certification. We keep these flows as narrow as possible.

9. Sub-processors

We use the following processors, each under a data processing agreement:

  • delvix (Germany): managed database hosting. Primary data store.
  • Cloudflare (USA): DNS, TLS, DDoS protection, CDN, and R2 object storage for images. Privacy.
  • Resend (USA): delivery of transactional email such as sign-in codes. Privacy.
  • Google(USA): only if you choose "Continue with Google" (sign-in) or use address autocomplete (Google Maps / Places). Privacy.

We do not sell your data, and we do not share it with advertisers.

10. Operator data (Console)

When you integrate elvix into your own product, you remain the controller of your end users' data, including any custom attributes you store against them, and elvix acts as your processor under a Data Processing Agreement reflecting Articles 28 and 32 GDPR. We process that data only on your documented instructions, keep it confidential, support your data-subject obligations, and return or delete it when our agreement ends.

11. Retention

  • Active accounts and the profile data on them: kept until you delete the item or the account.
  • Sign-in audit log: 90 days, then aggregated and anonymised.
  • Provider payload history: kept for security and audit, and removed with the account.
  • One-time code challenges: minutes, then deleted.
  • Deleted accounts: removed within 30 days, except where law requires longer (for example German tax records, up to 10 years).

12. How we protect your data

We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR): encryption in transit (TLS), encryption at rest for sensitive secrets, hashing of one-time codes, least-privilege access, and audit logging. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security, but we work to protect your data and respond to incidents quickly.

13. No automated decision-making

We do not subject you to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (Art. 22 GDPR). Security signals may flag activity for human review, but no consequential decision is made without a person.

14. Your rights

  • Access (Art. 15): see what we hold about you.
  • Rectification (Art. 16): correct it.
  • Erasure (Art. 17): delete it.
  • Portability (Art. 20): export it as machine-readable JSON.
  • Objection and restriction (Art. 21, Art. 18).
  • Withdraw consent at any time, without affecting processing already carried out before withdrawal.

Access, export, editing, and deletion are self-service from /account. For anything else, email [email protected]. You may also lodge a complaint with a supervisory authority. For our base in Aachen that is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).

15. Breach response

Under Articles 33 and 34 GDPR, we notify the competent supervisory authority within 72 hours of becoming aware of a personal-data breach, and notify affected users directly where the risk to them is high.

16. Children

elvix is not directed at children. We do not knowingly create accounts for anyone under 16. If you believe a child has an account with us, contact [email protected] and we will remove it.

17. Changes

Material changes are published on this page at least 14 days before they take effect, and registered users are notified by email.