Privacy Policy


Last updated: May 2026

These privacy notices inform you in accordance with Articles 13 and 14 GDPR about the processing of personal data in connection with the use of onvela – a web-based CRM service.

Andreas Gehret
Hauptstraße 4
83110 Obing
E-Mail: post@onvela.app

onvela processes the following categories of personal data. Categories marked “entered by the user” are only added to the system directly by the user themselves (see section 4 on data processing on behalf of the user).

2.1 User account and authentication

To provide the service, we process users’ names and email addresses. Single-use links (magic links) and OAuth access tokens are used for sign-in. API tokens are stored only as SHA-256 hashes; the plaintext token cannot be retrieved after creation.

  • Name
  • Email address
  • API token (stored as SHA-256 hash)
  • OAuth access token (Doorkeeper)
  • Invitation token / magic link (temporary, valid 15 minutes)
  • Admin status and control scope (account)

2.2 CRM contact data (entered by the user)

Contact data of natural persons that users create and maintain in onvela. Only the name is required; all other fields are optional.

  • Name (required)
  • Email address
  • Phone number
  • Mobile phone number
  • Job title / position
  • Street, postal code, city
  • Affiliation with organizations and role therein
  • Internal notes (free text)
  • Tags
  • Engagement temperature (internal rating value 0–100)

2.3 CRM organization data (entered by the user)

Master data for companies and organizations that users create and maintain. Only the name is required.

  • Name (required)
  • Email address
  • Phone number
  • Street, postal code, city
  • Website (URL)
  • Instagram profile (URL)
  • Industry
  • Company size
  • Internal notes (free text)
  • Tags

2.4 Activities and interaction history (entered by the user)

Log entries about interactions with contacts and organizations (calls, emails, meetings, notes). Entries are created manually or via the AI assistant integration.

  • Activity type (call, email, meeting, note)
  • Description / conversation note (free text)
  • Date and time of the interaction
  • Linked contact (optional)
  • Linked organization

2.5 Notes (entered by the user)

Private notes created by users. Notes are linked to the user and are not visible to other users in the same account.

  • Note content (free text)
  • Tags
  • Creator (linked user)
  • Created and updated timestamps

2.6 Todos / tasks (entered by the user)

Tasks can be private (visible only to the creator) or linked to a contact or organization.

  • Task title (required)
  • Description (optional)
  • Status (open, in progress, done)
  • Due date (optional)
  • Assigned user (optional)
  • Tags
  • Linked contact or organization (optional)

2.7 Groups / pools (entered by the user)

Groups collect contacts and organizations, for example for email lists. The email export outputs the addresses of all members as a semicolon-separated list.

  • Group name (required)
  • Description (optional)
  • Members (contacts and/or organizations)
  • Email addresses of members (for export)

2.8 Server log data

Technical connection data is logged automatically when accessing the application.

  • IP address of the device
  • Access timestamp
  • Requested resource (URL, HTTP method)
  • HTTP status code
  • Referrer (if provided)

The following table summarizes the processing purposes and the applicable legal basis under Article 6 GDPR.

Processing purpose | Legal basis
Provision and operation of the CRM service | Article 6(1)(b) GDPR (performance of a contract)
User management and authentication | Article 6(1)(b) GDPR
Sending registration and invitation emails | Article 6(1)(b) GDPR
Storage of CRM data on behalf of the user | Article 6(1)(b) GDPR together with Article 28 GDPR (processor)
Server logging (operational security) | Article 6(1)(f) GDPR (legitimate interest: operation and security)

If users enter personal data of third parties in onvela (for example contacts, customers, partners), they act as controllers within the meaning of Article 4(7) GDPR. onvela processes those data exclusively on the user’s instructions as a processor pursuant to Article 28 GDPR. Users are responsible for ensuring that they have an appropriate legal basis for processing these third-party data. A data processing agreement (DPA) is available on request at post@onvela.app.

Personal data is generally not shared with third parties unless required to provide the service. The following processors are used:

Processor | Purpose | Location | Safeguard
Postmark (Wildbit LLC) | Transactional email delivery (registration links, invitations) | USA | Standard contractual clauses pursuant to Article 46(2)(c) GDPR
Own server (self-hosted) | Application operation and data storage | Germany / EU | No third-country transfer

If data are transferred to the USA (Postmark), this is done on the basis of standard contractual clauses pursuant to Article 46(2)(c) GDPR. Further information is available on request.

Personal data are deleted or blocked as soon as the purpose of storage no longer applies and no statutory retention obligations prevent deletion.

Data category | Retention period
User account data | Until the user account is closed
CRM data (contacts, organizations, activities, notes, todos) | Until deleted by the user or the account is closed
API tokens | Until revoked by the user
OAuth access tokens | Until expiry or revocation
Invitation tokens (magic links) | 7 days (then deleted automatically)
Server log data | Maximum 90 days

You have the following rights regarding your personal data processed by the controller:

Right of access (Article 15 GDPR)

You may request information about the personal data we process about you, their source, recipients, and processing purpose.

Right to rectification (Article 16 GDPR)

You have the right to request correction of incorrect or incomplete data.

Right to erasure (Article 17 GDPR)

You may request deletion of your personal data under the conditions of Article 17 GDPR (“right to be forgotten”).

Right to restriction of processing (Article 18 GDPR)

You have the right to request that processing of your personal data be restricted.

Right to data portability (Article 20 GDPR)

You have the right to receive your data in a structured, machine-readable format or to have it transferred to another controller.

Right to object (Article 21 GDPR)

Where data are processed on the basis of Article 6(1)(f) GDPR (legitimate interest), you have the right to object.

Right to withdraw consent (Article 7(3) GDPR)

If processing is based on consent, you may withdraw your consent at any time with effect for the future. Processing carried out before the withdrawal remains lawful.

To exercise your rights, please contact us by email at post@onvela.app.

Without prejudice to any other legal remedies, you have the right under Article 77 GDPR to lodge a complaint with a supervisory authority. The responsible authority is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 27
91522 Ansbach
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de

There is no automated decision-making, including profiling, within the meaning of Article 22 GDPR. The engagement temperature (section 2.2) is an informational rating value only and has no legal or similarly significant effects.

These privacy notices are currently valid. We reserve the right to amend them as needed to reflect current legal requirements or changes to the service. The current version is available at onvela.app/datenschutz.