Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:

Tim Konrath
Straßburger Str. 43
10405 Berlin
Germany
Email: support@re-ember.de

2. Overview and data-minimisation principle

Re:Ember is deliberately designed to process as little personal data as possible. There are no user accounts, no email registration, no advertising SDKs and no cross-app or cross-site tracking. On the website, we use Google Analytics with your consent to understand how the site is used (see Section 9).

All content you enter into the app primarily stays local on your device. Only if you actively create or join a so-called “Gift Space” are the associated messages transmitted to our servers so that other participants can receive them.

3. What data we process

a) Locally on your device (not transmitted to us): messages (“Embers”), author names, your favourite markers, app settings, and a randomly generated device ID (UUID). This data is stored exclusively in the local database of the app (SwiftData on iOS, Room on Android) and only leaves your device in the cases described under b).

b) In Gift Spaces (stored on our server): when you create or join a Gift Space, the messages placed in that space, the author name you entered, timestamps, the randomly generated space codes (e.g. “C-ABC123” for contributors, “R-XYZ789” for the recipient) and your device ID (UUID) are stored in our database at Supabase (EU region). We do not collect your real name or your email address in this process.

c) Technically necessary data for web contributions: if someone contributes an Ember to a Gift Space via the website (not the app), the sender’s IP address is processed briefly, hashed with a server-side salt using SHA-256, and stored only in that hashed form for a maximum of 24 hours. This serves exclusively to prevent abuse and bulk spam (rate limiting of 10 contributions per space and IP per 24 hours). The original IP address is not stored.

d) Server logs: at the hosting provider Vercel, technical access data (e.g. request time, user agent, HTTP status code) as is customary for the secure operation and troubleshooting of a web application may be recorded briefly. This data is not combined into profiles.

4. Legal bases

Processing takes place on the following legal bases:

Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual measures) — when you actively use the app’s features, in particular when you create or join Gift Spaces.

Art. 6 (1) (f) GDPR (legitimate interest) — for the technically secure operation of the API, in particular the hashing of IP addresses to protect against abuse.

5. Recipients and processors

We use the following processors, with whom corresponding agreements under Art. 28 GDPR are or will be in place:

• Supabase (database for Gift Spaces): Supabase offers EU regions. The Re:Ember database is operated in an EU region (Frankfurt or Ireland), so that Gift Space data does not leave the EU.
• Vercel (hosting of the website and API): Vercel is a hosting provider that delivers content via a global content delivery network. Static content may be served from edge locations; write operations on Gift Spaces land in the EU database.
• Apple and Google (app store delivery): if you obtain the app from the Apple App Store or Google Play, Apple and Google independently process data under their own responsibility. Please refer to Apple’s and Google’s privacy notices for details.

6. Transfer to third countries

Gift Space data is stored exclusively in the EU. No transfer to third countries takes place on the server side.

To the extent that website hosting via Vercel may involve individual technical connections to locations outside the EU, this takes place on the basis of the Standard Contractual Clauses (Art. 46 GDPR) and concerns only technically necessary connection data, not the content of Gift Spaces.

7. Storage period

Data stored locally on your device remains until you delete it or uninstall the app.

Data in Gift Spaces is stored for as long as the respective space is active. You may request deletion of your space or your contributions at any time; we will then delete the data within 30 days.

Hashed IP addresses used for rate limiting are automatically deleted after a maximum of 24 hours.

8. Push notifications

Re:Ember uses only local notifications triggered directly on your device. No push tokens are transmitted to Apple, Google or us, and no push services such as APNs or Firebase Cloud Messaging are used.

9. Cookies and website analytics

The Re:Ember app does not use cookies, analytics tools, or advertising SDKs. There is no tracking within the app.

On the website (re-ember.de), we use Google Analytics 4 (operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to understand how visitors use the site. Google Analytics uses cookies that are stored on your device. The legal basis is your consent (Art. 6(1)(a) GDPR).

Before any analytics cookies are set, you will be asked for your explicit consent via a cookie banner. You can reject cookies, in which case no analytics data is collected. You can revoke your consent at any time by clearing your browser cookies or using your browser's cookie settings.

The information generated by the cookie is usually transmitted to a Google server in the USA and stored there. We use IP anonymisation, so your IP address is truncated within EU member states before transmission. Google processes this data on our behalf to evaluate website usage and compile reports. Google will not merge your IP address with other Google data.

For more information, see Google's privacy policy: https://policies.google.com/privacy. You can also prevent data collection by Google Analytics by installing the Google Analytics opt-out browser add-on: https://tools.google.com/dlpage/gaoptout.

We do not use any advertising cookies, Facebook Pixel, or similar marketing tools.

10. Minors

Re:Ember is aimed at people aged 16 and older. People under the age of 16 should only use the app with the consent of their legal guardians.

11. Your rights

Under the GDPR you have, in particular, the following rights:

• Access to the personal data we hold about you (Art. 15 GDPR)
• Rectification of incorrect data (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing based on legitimate interest (Art. 21 GDPR)

An informal message to support@re-ember.de is sufficient to exercise these rights. Please note that without the device ID used in the app or the affected space code, we will usually be unable to assign your data to you.

12. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. Our competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin, Germany
Email: mailbox@datenschutz-berlin.de

13. Changes to this privacy policy

We will adjust this privacy policy if the legal situation or the way the app works changes. The current version is always available on this page.

14. Contact

For any privacy-related questions, please contact: support@re-ember.de.