Mandavo Tools
Last updated: 27 March 2026
This notice explains how we process personal data under the EU General Data Protection Regulation (“GDPR”) when you use our website and the online tools offered as Mandavo Tools.
1. Controller
The controller under the GDPR is:
Silas Nutz
trading under Mandavo Softwareentwicklung
Daimlerstraße 50
74211 Leingarten
Germany
Email: kontakt@mandavo.app
We are not required to appoint a data protection officer. For privacy matters, please contact the controller at the address above.
2. Overview
Mandavo Tools are web-based utilities for processing files. We process personal data in particular when you visit our website, use individual tools (including uploading files for processing), optionally use an account, or contact us.
Processing personal data on behalf of your customers or other third parties (processor scenario) is not what this service is designed for; use is intended for your own file processing via the website.
3. Categories of data
3.1 Master and account data
Where registration or sign-in is required for certain features, we may process e.g. email address, name if collected, and technical account identifiers (e.g. user ID). Passwords are stored as a secure hash, not in plain text.
3.2 Usage and technical data
When you access pages or APIs, we may process IP address, timestamps, requested resources, transfer sizes, error codes, and browser or system information. Limited rate limiting may be applied to prevent abuse.
3.3 File content
When you upload a file for a tool, we process its content and metadata (e.g. file name, type) as needed to provide the function you requested. Uploaded files, temporary working data and result data tied to that run are automatically deleted from our application systems no later than one hour after processing completes. We do not store uploads for advertising purposes.
If an optional short-term copy on a separate system is configured (e.g. a separate transfer path), different short retention may apply there; content is not used for marketing.
3.4 Audit logs (technical records of tool use)
When the tool API is called, we generate audit logs for information security, abuse prevention and operational traceability. They do not contain uploaded file contents or file names. They may include timestamps, the tool identifier requested, HTTP status, processing duration and a shortened hash derived from connection data (not the full IP address in plain text in these entries).
3.5 Communication data
If you email us, we process the data you send (e.g. sender address, message content).
4. Purposes and legal bases
4.1 Visiting the website
We process technically necessary data to deliver the site and maintain stability and security.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, functioning web service).
4.2 Using the tools
Processing uploads and producing output files serves the function you request.
Legal bases: Art. 6(1)(b) GDPR where a contract exists or you request pre-contractual steps; additionally Art. 6(1)(f) GDPR (operation, security, abuse prevention).
4.3 Optional sign-in / authentication
Where tools require sign-in, we process the data needed for authentication and access control.
Legal bases: Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(f) GDPR (platform security).
4.4 Contact by email
Legal bases: Art. 6(1)(b) and/or (f) GDPR (handling your request).
4.5 Audit logs
The logs described in section 3.4 support our legitimate interests in operating the tools securely, traceably and resiliently to misuse.
Legal basis: Art. 6(1)(f) GDPR.
5. Cookies and similar technologies
We use strictly necessary cookies or similar technologies where required to provide the website, maintain sessions, or enable sign-in. We do not use cookies for marketing-only or cross-site tracking in the manner described here.
Legal basis: Art. 6(1)(b) and/or (f) GDPR.
6. Recipients and processors
We use IT service providers to deliver the service, in particular for hosting and, where configured, authentication and data storage in a region we choose. We enter into data processing agreements under Art. 28 GDPR with those providers where required by law.
Specific locations and sub-processors may vary by deployment (e.g. own servers in the EU or cloud providers). The applicable processing agreements and the purposes described in this notice apply.
7. Transfers outside the EEA
Where providers in third countries are used or access from third countries occurs, we ensure the requirements of Chapter V GDPR are met (e.g. adequacy decision, standard contractual clauses, supplementary measures as appropriate).
8. Retention
We keep personal data only as long as necessary for the respective purposes or where law requires longer retention.
- Tool files: Content and related temporary data on application systems are deleted no later than one hour after processing completes (see section 3.3). Retention of optional short-term copies may be shorter or slightly longer in edge cases, without marketing use.
- Audit logs: Entries described in section 3.4 are typically kept in the technical infrastructure for up to 90 days, unless hosting or log operations apply a shorter rotation (automatic deletion or overwrite).
- Accounts and general logs: Account data is generally kept for the duration of the relationship; other server or access logs are kept under the usual time-limited practices of the infrastructure.
9. Obligation to provide data
Certain features require you to provide the necessary data (e.g. a file upload). Without that data we cannot provide the chosen function.
10. Your rights
Where the legal requirements are met, you have rights of access, rectification, erasure, restriction of processing, data portability, and objection. Where processing is based on consent, you may withdraw consent with effect for the future.
11. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The authority responsible for us is typically:
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (Germany)
(Contact details are published on the authority’s official website.)
12. Automated decisions
We do not use solely automated decision-making within the meaning of Art. 22 GDPR.
13. Data protection by design
We apply appropriate technical and organisational measures, including encrypted transmission (HTTPS/TLS), access restrictions, and data-minimising processing.
14. Changes
We may update this privacy policy when legal requirements or our service change. The current version is always available on this website.