Privacy Policy (app)

The protection of the user's personal data is important to us. This privacy policy outlines which data we collect, how we process it, and the rights the user has concerning their data. This privacy policy is provided in accordance with the General Data Protection Regulation (GDPR).

Data controller

The data controller and data protection officer responsible under data protection law is:

Bastian Raschke
(contact information is available in the imprint)

Server synchronization

The user can freely choose whether to use the app solely locally or to synchronize their data with the provided server. This part of the privacy policy applies only to the latter case.

Hosting

We utilize hosting services to provide the infrastructure for this feature. To this end, we have entered into a data processing agreement with the following data processor:

netcup GmbH
Daimlerstr. 25
76185 Karlsruhe

This legally required contract under data protection law ensures that the processor handles users' personal data exclusively in accordance with our instructions and in compliance with the GDPR.

Data collected and purpose of use

In the context of using this feature, we transfer, process and store the following data:

  • Email address is stored in plain text for identification purposes.
  • Displayed public name is stored in plain text for the "Share password" feature.
  • Synchronization data: To enable synchronization of user data across different devices, the data is end-to-end encrypted on the user's device before being transferred and stored.
  • IP address (pseudonymized) for brute force protection: To protect against unauthorized access and attacks, we process the IP address in a pseudonymized form, which does not allow conclusions to be drawn about the user's identity.
  • Server logs for protection against attacks and misuse, diagnosing and resolving technical issues, and analyzing the performance and stability of our infrastructure. These logs contain timestamps, request URLs, user-agent identification, status indicating whether the request was successful, and the size of the transferred data. IP addresses are not explicitly stored.

Legal basis

The processing of the user's data is based on Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of the contract regarding the use of the desired server synchronization feature, and on Article 6(1)(f) of the GDPR due to our legitimate interest in the security and stability of our infrastructure.

Data recipients and storage within the EU

The data is exclusively transmitted to our server, which is operated in Vienna, Austria.

No transfer of personal data to third-party countries outside the EU takes place.

Data transfer security

All data is encrypted during transmission between the user's device and our servers.

Storage duration

The collected data is stored only for as long as necessary to fulfill the contractual purpose or as long as there are legal retention obligations. Data processed as part of the server synchronization feature is stored until the user requests the deletion of the user account. After the termination of the contractual relationship and the expiration of any legal retention periods, the data will be deleted.

Server logs are typically stored for 7 days unless further retention is required to analyze attacks or misuse or to preserve evidence. In such cases, the data may be partially or fully exempt from deletion until the incident is fully resolved.

User rights

The user has the right to:

  • Request information about the data stored with us (Art. 15 GDPR).
  • Request the correction of incorrect or incomplete data (Art. 16 GDPR).
  • Request the deletion of stored data, provided there are no legal retention obligations (Art. 17 GDPR).
  • Request the restriction of the processing of their data (Art. 18 GDPR).
  • Object to the processing of their data (Art. 21 GDPR).
  • Request data portability (Art. 20 GDPR).

Mixpanel

We use the analytics service Mixpanel in our app, a service of Mixpanel Inc., 405 Howard Street, Floor 2, San Francisco, CA 94105, USA (hereinafter referred to as "Mixpanel"). Mixpanel helps us analyze user behavior in the app. This is done solely to better tailor the app to the needs of our users (e.g., to prioritize popular and unpopular features in the app's development) or to quickly resolve problems.

Data collected and purpose of use

The following data is transferred, processed and stored by Mixpanel:

  • Event data (so-called "Events"): e.g., interactions within the app, click behavior
  • User profile data (so-called "User data"): e.g., user ID
  • IP address to determine approximate location of the user
  • Version information: e.g., app version, SDK version
  • Device information: e.g., operating system, device model, unique device identifiers
  • Error reports and performance data: e.g., details of crashes

The complete privacy policy for Mixpanel can be found here.

Legal basis

The processing of the data is based on the user's consent, pursuant to Article 6(1)(a) of the GDPR. We obtain consent at the start of the app. The user can revoke their consent at any time through the app settings.

Data recipients and storage within the EU

The collected data is transmitted to Mixpanel. As part of Mixpanel's EU Data Residency Program, user data is processed and stored exclusively within the European Union. Mixpanel is committed to complying with the requirements of the GDPR and taking appropriate security measures to ensure the confidentiality and security of user data.

No transfer of personal data to third-party countries outside the EU takes place.

Data transfer security

All data is encrypted during transmission between the user's device and Mixpanel's servers.

Storage duration

Collected event data is stored for a maximum period of 60 months. After this period, the event data is automatically deleted, making it impossible to link the data to the affected user.

Collected user profile data is stored until the user requests the deletion of the user account. After the termination of the contractual relationship and the expiration of any legal retention periods, the data will be deleted.

User rights

The user has the right to:

  • Receive information about the processed personal data (Art. 15 GDPR).
  • Request the correction of incorrect or incomplete data (Art. 16 GDPR).
  • Request the deletion of stored data, provided there are no legal retention obligations (Art. 17 GDPR).
  • Request the restriction of the processing of their data (Art. 18 GDPR).
  • Revoke their consent to the processing of their data at any time (Art. 7 (3) GDPR).
  • Submit a complaint to a supervisory authority if they believe that the processing of their data violates the GDPR (Art. 77 GDPR).

Qonversion

We use the in-app purchases platform Qonversion in our app, a service of Qonversion Inc., 1160 Battery Street East, Suites 100, San Francisco, CA 94111, USA (hereinafter referred to as "Qonversion"). Qonversion helps us manage subscriptions in the app.

Data collected and purpose of use

The following data is transferred, processed and stored by Qonversion:

  • Transaction information to provide in-app purchase functionality: e.g., Google purchase token, device push token
  • IP address to provide secure in-app purchase functionality
  • Version information: e.g., app version, SDK version
  • Device information: e.g., operating system, device model, unique device identifiers, current carrier
  • Locale information: e.g., locale, country, time zone
  • Time the user last used the app

The complete privacy policy for Qonversion can be found here.

Legal basis

The processing of the user's data is based on Article 6(1)(f) of the GDPR, due to our legitimate interest in the ability to provide in-app purchases to the user to maintain our business.

Data recipients and storage outside the EU

The collected data is transmitted to Qonversion. The user data is processed and stored in Microsoft Azure data centers in London, UK. This is permissible, as there is an adequacy decision in place for the United Kingdom under Article 45 of the GDPR.

Data transfer security

All data is encrypted during transmission between the user's device and Qonversion's servers.

Storage duration

The collected data is stored only for as long as necessary to fulfill the contractual purpose or as long as there are legal retention obligations. The data is stored until the user requests the deletion of the user account. After the termination of the contractual relationship and the expiration of any legal retention periods, the data will be deleted.

User rights

The user has the right to:

  • Request information about the data stored with us (Art. 15 GDPR).
  • Request the correction of incorrect or incomplete data (Art. 16 GDPR).
  • Request the deletion of stored data, provided there are no legal retention obligations (Art. 17 GDPR).
  • Request the restriction of the processing of their data (Art. 18 GDPR).
  • Object to the processing of their data (Art. 21 GDPR).
  • Request data portability (Art. 20 GDPR).

Android permissions

The following permissions are required by the Android app:

Internet access (android.permission.INTERNET)

This permission is needed if the user wishes to use the server synchronization feature. Additionally, this permission is used by Mixpanel to transmit analytics data if consent has been granted, and by Qonversion to provide in-app purchases.

Access network status (android.permission.ACCESS_NETWORK_STATE)

This permission allows for the determination of the network connection status on the device, such as whether an internet connection is available or the type of connection (e.g., Wi-Fi or mobile network). Additionally, it enables the detection of changes in network status. Mixpanel uses this permission so that we can better understand specific issues or errors encountered by users with the app in relation to connectivity problems, provided that consent for the use of Mixpanel has been granted.

Biometric sensors (android.permission.USE_BIOMETRIC)

This permission allows access to the device's biometric sensors, making it possible to unlock the app using a fingerprint, facial recognition, or another biometric feature for enhanced security and convenience.

Changes to the privacy policy

We reserve the right to update this privacy policy to reflect changes in our services or legal requirements. The user will be informed of significant changes in the way we process personal data through a notification in the app.

Continuing to use the app after 30 days from the notification will be considered acceptance of the amended privacy policy.

If the user does not agree to the amended privacy policy, they are required to terminate their account within this period. After this period, and in the case of non-acceptance, all data will be deleted, and access to the service will be permanently terminated.

Contact

If you have any questions or concerns about data protection, you can contact us at any time:

(contact information is available in the imprint)

Effective Date: 2024-10-10