Your GDPR Rights — Trevio

Trevio — GDPR Rights Notice (Art. 15–22)

Controller: Andor Plotár | andor@trevio.world | https://trevio.world

Under the EU General Data Protection Regulation (GDPR), you have a number of rights regarding your personal data. This page explains each right in plain language, when it applies, and how to exercise it.

To make a request, email us at request@trevio.world with the subject line "GDPR Rights Request". We will respond within 30 days (Art. 12 GDPR). If your request is complex, we may extend this by a further 2 months — we will notify you if this is the case.

We will not charge a fee for any rights request unless requests are manifestly unfounded or excessive.

What it means: You can ask us for a copy of all personal data we hold about you, along with information about how and why we process it.

What you'll receive:

A copy of your personal data in a structured, readable format
The purposes of processing
The categories of data held
Who we have shared it with (processors)
How long we retain it
Information about your other rights

How to request: Email request@trevio.world with subject "GDPR Access Request". We will verify your identity before providing data.

What it means: You can ask us to correct personal data that is inaccurate or to complete data that is incomplete.

Examples:

Your name is misspelled in your profile
Your email address has changed and not been updated

Note: You can update most profile information directly in your Trevio account settings without needing to contact us.

What it means: You can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it.

When we can erase:

Your data is no longer necessary for the purpose it was collected
You withdraw consent (for consent-based processing, e.g. analytics)
You object and there are no overriding legitimate grounds
The data has been unlawfully processed

When we cannot immediately erase:

We are required to retain billing records for 10 years under German commercial law (§§ 238, 257 HGB)
We need to retain data to establish, exercise or defend a legal claim

Account deletion: You can delete your Trevio account from your account settings. This will trigger erasure of your personal data within 30 days.

What it means: You can ask us to pause the processing of your data (without deleting it) in certain circumstances:

You contest the accuracy of the data (we pause while we verify)
The processing is unlawful but you prefer restriction over erasure
We no longer need the data, but you need it for a legal claim
You have objected and we are assessing whether our grounds override yours

Effect: While restricted, we will only store your data — not actively use it — until the restriction is lifted.

What it means: You can receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV), and transmit it to another service.

Applies to:

Data you provided to us (profile, trips, preferences)
Data processed on the basis of your consent or a contract

Does not apply to:

Data processed under legitimate interests
Data derived from analytics

How to request: Email request@trevio.world with subject "GDPR Portability Request". We will provide your data within 30 days.

What it means: You can object to processing based on our legitimate interests (Art. 6(1)(f) GDPR). We must stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Applies to:

Server log retention for security purposes

Does not apply to:

Processing necessary to perform your contract with us (e.g. your account, trip data)

Direct marketing: If we ever use your data for direct marketing (we currently do not), you have an absolute right to object at any time with no justification required.

What it means: Where we process your data based on consent (currently: Google Analytics 4 cookies), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to withdraw:

Use the Cookie Settings link in the Trevio footer
Email request@trevio.world

What it means: You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce significant legal or similarly significant effects on you.

Trevio's position: We do not make any automated decisions that produce legal or similarly significant effects on users. AI-generated travel suggestions (Tria) are informational only — no automated decisions are made regarding your account, access, or any other significant matter without human review.

If you are not satisfied with how we handle your personal data or a rights request, you have the right to complain to a data protection supervisory authority.

German supervisory authority:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) Graurheindorfer Str. 153 53117 Bonn Deutschland Tel.: +49 (0)228 997799-0 E-Mail: poststelle@bfdi.bund.de https://www.bfdi.bund.de

You may also contact the supervisory authority of the EU member state where you reside or work.

How We Verify Your Identity

To protect your data, we will verify your identity before processing a rights request. We typically do this by:

Confirming you have access to the email address registered to your Trevio account
For sensitive requests, we may ask for additional confirmation

We will never ask for your password.

Contact

For all data rights requests:

Andor Plotár E-Mail: request@trevio.world Subject line: "GDPR Rights Request — type of request"

Response time: 30 days (extendable by 2 months for complex requests, with notice)

This notice is provided in accordance with Art. 13 and Art. 14 GDPR.Last updated: 2026-05-01