Privacy Policy for Stundora
This privacy policy applies to the Stundora landing page, the iOS and Android apps and the related contact and service processes. Provider and app details are taken directly from the legal texts stored in the app. The original binding version is the German one.
1. Data controller
The controller responsible for the website and the app is Andreas Kelz. These details match the legal texts stored in the app.
As the provider is based in Austria, the information obligations of the GDPR apply, together with the supplementary Austrian rules for online services. The provider identification requirement itself is additionally met in the legal notice.
2. Data processed in the app and in operation
Depending on how you use Stundora, the following data in particular is processed:
- Registration data such as first name, last name, e-mail address, date of birth where applicable, and authentication information
- Work-time entries, settings, local storage content, notification preferences and premium status
- Advertising data and technical device information once AdMob or other advertising services are active
- Local preferences and choices such as language, theme and notification times
3. Supabase, Apple and Google services, advertising and notifications
Based on the current technical configuration, Stundora uses, among others, Supabase (authentication, database, storage and server functions), Google Sign-In, Sign in with Apple, Google Mobile Ads / AdMob, App Tracking Transparency (iOS), Google Play Billing, Apple in-app purchases (StoreKit), and iOS and Android notification features.
- Supabase Authentication for sign-in, account management and authentication data such as e-mail address, internal user identifier and login events. The provider is Supabase Inc.; the servers used for Stundora are located in the European Union (Frankfurt region, Germany).
- Supabase database (PostgreSQL) and Supabase storage for synchronising work-time entries, profile values, settings, theme selection and premium status, and for generated PDF/file exports. Storage location is also the EU (Frankfurt).
- Supabase Edge Functions (server functions) for account deletion and for verifying premium purchases (Google Play and Apple App Store).
- Google Sign-In for optional login with a Google account; the e-mail address, display name and Google account identifiers may be processed.
- Sign in with Apple (iOS and macOS only) for optional login with an Apple ID; the e-mail address (or an Apple-provided relay address), first and last name (only at first login) and an anonymised Apple user identifier may be processed. Apple can hide the user's real e-mail address using its private-relay service.
- App Tracking Transparency (ATT) on iOS 14.5 and later: before the first ad request, iOS asks for permission to use the device tracking identifier. If declined, ads are served non-personalised only.
- Google AdMob for banner advertising in the free version; device information, advertising IDs, approximate usage data and ad interactions may be processed.
- Google Play Billing for purchasing and managing premium subscriptions on Android; Google acts as the billing entity and processes the payment data.
- Apple in-app purchases (StoreKit) for premium subscriptions on iOS and macOS; Apple acts as the billing entity. Server-side receipt verification via the Apple App Store Server API links the premium status to the Stundora account. Transaction IDs and purchase timestamps are processed.
The central data storage via Supabase takes place on servers in the European Union (Frankfurt). With the Google and Apple services used (Google Sign-In, AdMob, Google Play Billing, Sign in with Apple, Apple App Store / StoreKit, ATT), processing may take place in third countries, in particular the USA; the relevant terms are the providers' current data-protection and data-processing terms and the safeguards for data transfers described therein.
4. Landing page, hosting and server log files
When you open the landing page, the hosting provider processes technically necessary data, in particular IP address, time stamp, file requested, browser information and the volume of data transferred. This processing serves the secure delivery of the website and the prevention of misuse.
Externally hosted web fonts have been removed. If analytics, tracking, consent or chat services are integrated later, this privacy policy must be updated before they are activated. The specific hosting provider and the log-file retention period will be added in the final published version of the website once the deployment has been finalised.
5. Legal bases and retention periods
Processing is based in particular on Art. 6(1)(b) GDPR to perform the usage relationship, on Art. 6(1)(f) GDPR for security, hosting and the prevention of misuse, and on Art. 6(1)(a) GDPR where consent is required, for example for certain advertising or notification scenarios.
Account data is generally stored until the user account is deleted and afterwards only for as long as technical residual data or legal evidence purposes require. Work-time entries, profile settings and synchronised usage data are stored until they are deleted by the user or until the account is deleted. Data stored locally on the device remains until it is deleted in the app, until the app is reset or until it is uninstalled. Support requests sent to supp-stundora@outlook.com are stored until they have been fully processed and for a maximum of twelve months afterwards, unless a longer statutory retention period applies.
6. Account deletion inside and outside the app
If a Stundora account has been created, deletion can be triggered directly in the app. In addition, a public web page is available where users can sign in with the same credentials and confirm the deletion of their account.
The public account deletion is available here: Delete account
Via the web page, the auth account and the data synchronised in the Supabase database are removed. Data already stored locally on devices can additionally be removed directly in the app or by resetting the app data.
7. Data subject rights and supervisory authorities
Data subjects have, in particular, the right to information (access), rectification, erasure, restriction of processing, data portability and the right to object to processing based on legitimate interests.
There is also a right to lodge a complaint with a data protection supervisory authority in the member state of habitual residence, place of work or place of the alleged infringement. As the provider is based in Austria, the Austrian Data Protection Authority (Datenschutzbehörde) is generally the relevant authority.