Privacy Policy

Last updated: 23.04.2026

We are pleased about your interest in our CalTracker application. The protection of your privacy is very important to us. Below, we inform you in detail about the handling of your data in accordance with the General Data Protection Regulation (GDPR).

1. Responsible Body

The controller for data processing within the meaning of the GDPR is:

Dorian Laforet Riedeselstraße 35d, 82319 Starnberg, Germany [email protected] https://laforet-it.com/impressum

2. Data Collection and Processing

a) Provision of the App and Creation of Log Files

Each time our app is used, data and information are automatically collected from the computer system of the calling computer or end device.

The following data may be collected:

• User's IP address
• Date and time of access
• Type and version of the browser/operating system used
• Referrer URL (the previously visited page)
• Information about interactions within the app

This data is temporarily stored in the log files of our system. This data is not stored together with other personal data of the user.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in ensuring the functionality, security, and optimization of the app).

b) Hosting and Backend

For hosting our application and providing the backend infrastructure (database, REST API), we use services from Oracle Cloud Infrastructure (OCI), operated by Oracle.

• Provider: Oracle Deutschland B.V. & Co. KG, Riesstraße 25, 80992 Munich, Germany.
• Server location: Frankfurt am Main, Germany (EU).

We have concluded a Data Processing Agreement (DPA) with Oracle in accordance with Art. 28 GDPR. This contract ensures that Oracle processes the data only according to our instructions and in compliance with the GDPR.

As part of the operation, necessary technical data (see 2a) is processed on Oracle's servers.

Legal basis: Art. 6 (1) lit. b GDPR (processing for contract fulfillment, i.e., provision of app functions) and Art. 6 (1) lit. f GDPR (legitimate interest in secure and efficient hosting).

We use Supabase as a backend platform, which is hosted on the Oracle Cloud Infrastructure in Frankfurt.

• Supabase (as technology): Data processing takes place on the infrastructure controlled by us at Oracle.

All data actively entered by you (e.g., during registration, creation of content) is processed via the REST API and stored in the Supabase database (PostgreSQL) on the Oracle Cloud Infrastructure.

c) Registration and User Account

If you register for our app, we collect the following data:

• Email address (mandatory)
• Password (stored securely hashed, we do not have access to the plain text password)
• Full name (voluntary)

Additionally, Supabase automatically generates and stores user-specific data (e.g., a unique User ID) necessary for the functionality of the user account.

This data is used exclusively for providing and managing your user account and for enabling the use of app functions.

Legal basis: Art. 6 (1) lit. b GDPR (processing for the fulfillment of the user contract).

d) Contact

If you contact us by email, the personal data you transmit (in particular your email address and your request, as well as any other information you provide) will be stored and processed by us to handle your inquiry and for follow-up questions. We do not pass on this data without your consent.

Legal basis: The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6 (1) lit. f GDPR) or on your consent (Art. 6 (1) lit. a GDPR), if this has been requested. The data you send by email will remain with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

e) Analysis and Improvement (PostHog)

To analyze user behavior and improve our application, we use PostHog. We use PostHog Cloud EU for this purpose.

• Provider: PostHog, Inc., 220 9th St, San Francisco, CA 94103, USA (as operator of the cloud platform).
• Data processor: PostHog acts as our data processor.
• Server location: The processing of analysis data takes place exclusively on servers within the European Union (Frankfurt am Main, Germany).

PostHog collects usage data such as visited pages, interactions with elements (clicks, form entries), session duration, and technical information (device type, operating system, browser). We have configured PostHog so that no IP addresses are collected.

We have concluded a Data Processing Addendum (DPA) with PostHog in accordance with Art. 28 GDPR, which ensures that PostHog processes the data only according to our instructions and in accordance with GDPR requirements.

Legal basis and right to object: The processing of this analysis data is based exclusively on your active consent pursuant to Art. 6 (1) lit. a GDPR, which you grant by activating a corresponding option (e.g., a switch) during registration or at any time in the app settings. Only after your explicit consent will the analysis of your user behavior by PostHog be started. Without your consent, no analysis of your user behavior by PostHog will be carried out. You can revoke your consent at any time with effect for the future by deactivating the corresponding option in the app settings.

f) AI-Powered Image Processing and Storage

If you use the image analysis function, the images you upload are processed as follows:

• AI Processing Services: The images are transmitted to AI service providers for analysis and processing.
• OpenAI: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA.
• Google Gemini: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
• Purpose: AI-powered analysis and processing of image content according to the app function you are using.
• Data storage at AI providers: According to both OpenAI and Google policies, data transmitted via their APIs is not used for training their models and is handled according to their respective retention policies (typically deleted after 30 days for OpenAI, similar policies for Google Gemini).
• Data transfer to third countries: Processing by these AI services may take place in the USA. We have concluded appropriate contractual agreements (Data Processing Addendum with Standard Contractual Clauses) with both providers to ensure an adequate level of data protection.
• Legal basis: Art. 6 (1) lit. b GDPR (necessary for providing the function you requested).
• Storage in Supabase: The images you upload are stored in our Supabase Storage (hosted on Oracle Cloud Infrastructure in Frankfurt, see 2b).
• Purpose: Enabling access and management of your images within the app.
• Storage duration: The images remain stored until you actively delete them.
• Access: Only you have access to the images you upload, unless otherwise indicated in the app (e.g., for sharing functions).
• Legal basis: Art. 6 (1) lit. b GDPR (necessary for providing app functionality).

g) Email Dispatch (Resend)

For sending transactional emails (e.g., registration confirmation, password reset), we use the Resend service.

• Provider: Resend, Inc., 548 Market St PMB 63388, San Francisco, CA 94104-5401, USA.
• Processed data: Your email address and the content of the respective email.
• Purpose: Reliable delivery of necessary emails as part of app usage.
• Data transfer to third countries: Processing by Resend may take place in the USA. We have concluded a Data Processing Addendum with Standard Contractual Clauses with Resend to ensure an adequate level of data protection.
• Legal basis: Art. 6 (1) lit. b GDPR (necessary for contract fulfillment, e.g., sending the registration email) and Art. 6 (1) lit. f GDPR (our legitimate interest in communication for essential functions such as password reset).

h) Error Monitoring and Performance Tracking (Sentry)

To monitor application errors, track performance issues, and improve the stability of our service, we use Sentry.

• Provider: Functional Software, Inc. (Sentry), 132 Hawthorne Street, San Francisco, CA 94107, USA.
• Processed data: Error logs, performance metrics, device information, and technical data necessary for debugging and performance monitoring. No personal user content is transmitted.
• Purpose: Monitoring application stability, identifying and fixing bugs, and improving overall app performance.
• Data storage: Error and performance data is stored on Sentry's servers and is retained according to our configured retention policies.
• Data transfer to third countries: Processing by Sentry may take place in the USA. We have concluded a Data Processing Addendum with Standard Contractual Clauses with Sentry to ensure an adequate level of data protection.
• Legal basis: Art. 6 (1) lit. f GDPR (our legitimate interest in maintaining a stable and well-functioning application).

i) Advertising Measurement and Marketing (Meta / Facebook)

To measure the effectiveness of our own advertising campaigns on Instagram, Facebook, and across the broader Meta network, and to optimize our user acquisition, we use the Meta Software Development Kit (SDK) as well as Meta's server-side Conversions API.

Important note: CalTracker does not display any advertisements inside the app. The data processing described below serves exclusively to measure and optimize the advertising campaigns we run ourselves on platforms outside the app.

• Provider (EU): Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (controller for data processing within the European Economic Area).
• Parent company: Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.

Processed data:

• Device and advertising identifiers (in particular the Identifier for Advertisers, IDFA – only with your explicit consent granted via Apple's App Tracking Transparency dialog)
• Technical device information (device type, operating system version, language, time zone)
• IP address (truncated or anonymized by Meta after brief processing)
• App events (e.g. installation, app open, start of free trial, subscription purchase, paywall view)

Purpose:

• Attribution of installations and subscription purchases to our advertising campaigns
• Measuring the performance of individual ads (e.g. cost per install, cost per subscription)
• Optimizing the delivery of our campaigns to people for whom CalTracker may be relevant (including the creation of Lookalike Audiences)

Joint controllership (Art. 26 GDPR): For certain processing activities (in particular the creation of Custom Audiences and the delivery of advertising based on them), we are a joint controller together with Meta Platforms Ireland Limited. The joint-controller agreement is available at: https://www.facebook.com/legal/controller_addendum

International data transfer: Meta transfers data to the USA. Such transfers are based on the EU Commission's Standard Contractual Clauses and on the EU-US Data Privacy Framework, in which Meta Platforms, Inc. is a certified participant. Further information: https://www.facebook.com/about/privacy

Legal basis: Art. 6 (1) lit. a GDPR (your active consent). Consent is obtained within the app before any Meta SDK events are transmitted. Additionally, on iOS the use of the advertising identifier (IDFA) requires your consent via Apple's App Tracking Transparency dialog. Without your consent, no data is transmitted to Meta.

Withdrawal of consent: You can withdraw your consent at any time with effect for the future:

• Within the app by disabling the corresponding option in the settings
• In the iOS system settings under Settings → Privacy & Security → Tracking → CalTracker
• Via your Meta account settings: https://www.facebook.com/settings/?tab=ads

j) Subscription Management (RevenueCat)

To manage in-app subscriptions, validate purchase receipts with Apple and Google, and analyze subscription metrics, we use the RevenueCat service.

• Provider: RevenueCat, Inc., 972 Mission Street, San Francisco, CA 94103, USA.
• Processed data: Anonymized user ID (App User ID), purchase history (subscription status, trial starts, renewals, cancellations), device and platform information (App Store / Google Play), transaction identifiers.
• Purpose: Management and validation of in-app subscriptions, verification of purchase receipts, and analysis of subscription metrics (e.g. conversion and cancellation rates).
• Forwarding to advertising partners: If you have consented to advertising measurement under section 2i, RevenueCat forwards certain subscription events (in particular trial starts and subscription purchases) server-to-server to Meta so that we can measure the effectiveness of our advertising campaigns. Without your consent, no such forwarding takes place.
• International data transfer: Processing by RevenueCat takes place in the USA. We have concluded a Data Processing Addendum with Standard Contractual Clauses with RevenueCat to ensure an adequate level of data protection.
• Legal basis: Art. 6 (1) lit. b GDPR (necessary for the fulfillment of the user contract, i.e., provision and management of subscription functionality).

3. Use of Cookies

No cookies are processed.

4. Data Transfer to Third Parties

Your data will generally only be passed on to third parties if this is necessary for the fulfillment of the contract (Art. 6 (1) lit. b GDPR), we have a legitimate interest in doing so (Art. 6 (1) lit. f GDPR), you have consented (Art. 6 (1) lit. a GDPR), or there is a legal obligation to do so (Art. 6 (1) lit. c GDPR).

Recipients may include:

• Hosting provider (Oracle Cloud, see 2b)
• Analysis service provider (PostHog, see 2e)
• AI-powered image processing service providers (OpenAI and Google Gemini, see 2f)
• Email dispatch service provider (Resend, see 2g)
• Error monitoring and performance tracking service provider (Sentry, see 2h)
• Advertising measurement service provider (Meta Platforms Ireland Limited, see 2i)
• Subscription management service provider (RevenueCat, Inc., see 2j)

Appropriate contracts (DPA) have been concluded with all processors, or other suitable guarantees for third-country transfers exist (e.g., Standard Contractual Clauses).

5. Data Security

We take technical and organizational security measures (TOMs) to protect your data against unintentional or unlawful deletion, alteration, or loss, and against unauthorized disclosure or access.

6. Storage Duration

We store your personal data only as long as necessary to achieve the respective purposes or as required by statutory retention periods. After the purpose no longer applies or the periods expire, the data is routinely blocked or deleted.

7. Your Rights as a Data Subject

You have the right to:

• Request information about your personal data processed by us (Art. 15 GDPR).
• Request the correction of incorrect data (Art. 16 GDPR).
• Request the deletion of your data stored by us (Art. 17 GDPR).
• Request the restriction of the processing of your data (Art. 18 GDPR).
• Data portability (Art. 20 GDPR).
• Object to processing (Art. 21 GDPR).
• Revoke your consent at any time (Art. 7 (3) GDPR).
• Lodge a complaint with a supervisory authority (Art. 77 GDPR).

To exercise your rights, please contact the responsible body mentioned in point 1.

8. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to your next visit.