Privacy Policy

Data Controller: Recoon GmbH
German Office: 83395 Freilassing, Germany
Austrian Office: 5020 Salzburg, Austria
Data Protection Officer: dpo@recoon.com
Effective Date: September 4, 2025
Last Updated: September 4, 2025

0. Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set out below:

Personal Data:
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or other factors.
Processing:
Any operation or set of operations performed on personal data or sets of personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure or destruction.
Data Controller:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this case, Recoon GmbH.
Data Processor:
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (e.g., our service providers like Stripe, Google Cloud).
Consent:
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of personal data relating to them.
Data Subject:
The identified or identifiable natural person whose personal data is processed (i.e., you, the user).
Supervisory Authority:
An independent public authority established by Member States to monitor the application of GDPR (e.g., German BfDI, Austrian DSB).
Profiling:
Any form of automated processing of personal data to evaluate personal aspects relating to a natural person, including analyzing or predicting performance, preferences, interests, behavior, location or movements.
Cookies:
Small text files placed on your device that store information about your preferences and activities on our website and services.
Service/Platform:
Recoon's task management and collaboration platform, including web application, mobile applications, and all related services.

1. Introduction and Overview

Recoon GmbH ("we," "us," or "our") is committed to protecting your privacy and ensuring compliance with the EU General Data Protection Regulation (GDPR), German Federal Data Protection Act (BDSG), Austrian Data Protection Act (DSG), and other applicable privacy laws.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our task management and collaboration platform, including our web application, mobile applications, and all related services (collectively, the "Service").

2. Age Requirements and Child Protection

Our Service is exclusively for users aged 16 and above. We do not knowingly collect personal information from children under 16.

2.1 Age Verification and Enforcement

  • Mandatory Age Declaration: All users must provide their date of birth during registration
  • Automated Age Verification: Our systems automatically calculate and verify user ages
  • Immediate Account Termination: Accounts of users under 16 are immediately terminated and data deleted
  • Document Verification: We reserve the right to request age verification documents
  • Ongoing Monitoring: Continuous age compliance checking across all features

2.2 Enhanced Protections for Minors (Ages 16-17)

Special privacy protections for users aged 16-17:

  • Data Minimization: We collect only essential data necessary for service provision
  • No Behavioral Profiling: No advertising-related behavioral analysis or profiling
  • Enhanced Default Settings: Strongest privacy settings applied by default
  • Limited Data Sharing: Restricted sharing with third parties
  • Parental Rights: Parents/guardians may exercise data protection rights on behalf of minors
  • Consent Requirements: Enhanced consent mechanisms for data processing
  • Regular Data Review: Automatic data review and deletion consideration every 12 months

3. Information We Collect

3.1 Personal Identification Information

Account Registration Data:

  • Email Address: Primary identifier and communication channel
  • Username: Public identifier (minimum 3 characters, maximum 3 changes allowed)
  • Password: Securely hashed using industry-standard algorithms
  • Date of Birth: For age verification and compliance (mandatory)
  • First and Last Name: Optional profile information
  • Gender: Optional (male, female, custom)
  • Locale/Language: For interface localization
  • Profile Photo: Optional avatar image with automatic thumbnail generation

Verification and Security Data:

  • Email Verification: Verification status and timestamps
  • Two-Factor Authentication: TOTP secrets, recovery codes (encrypted)
  • WebAuthn/Passkey Data: Credential IDs, public keys (biometric data processed locally only)
  • Username Change History: Previous usernames, change timestamps, IP addresses

3.2 Activity and Behavioral Data

User Activity Tracking:

  • Login Activity: Login timestamps, IP addresses, device information
  • Session Data: Session duration, last activity timestamps
  • Online Status: Real-time presence indicators
  • Feature Usage: Which features are accessed and how frequently
  • Navigation Patterns: Page views, click streams, user journeys

User Preferences and Settings:

  • Task Preferences: Category preferences, difficulty levels, duration preferences
  • Category Selections: Chosen categories from bubble interface with importance ratings
  • Notification Settings: Email, push, and in-app notification preferences
  • Privacy Settings: Profile visibility, data sharing preferences
  • Advertisement Consent: Consent status for advertising-related processing

Task and Content Data:

  • Task Creation: Task content, descriptions, assignments, due dates
  • Completion Data: Task completion history, time spent, performance metrics
  • Collaboration Data: Comments, discussions, file attachments
  • Board Configurations: Board settings, member roles, permissions
  • Public Content: Tasks published to public pool, public profile information

3.3 Technical and Device Information

Device and Browser Data:

  • IP Addresses: Collected for security, fraud prevention, and geographic analytics
  • Device Information: Device type, operating system, browser type and version
  • User Agent Strings: Technical browser and device specifications
  • Screen Resolution: For responsive design optimization
  • Timezone Information: For proper time display and scheduling

Mobile Application Data:

  • Push Notification Tokens: For sending mobile notifications
  • App Version Information: For compatibility and feature support
  • Device Identifiers: Anonymous device IDs for analytics
  • Crash Reports: Technical error information for debugging

3.4 Advertisement and Analytics Data (18+ Only)

Advertisement features are restricted to users 18 years and older. Users under 18 do not see targeted advertisements and have minimal analytics tracking.

Advertisement Analytics (Adults Only):

  • Advertisement Interactions: Views, clicks, completions, time spent
  • Demographic Segments: Age ranges, general geographic regions (anonymized)
  • Interest Categories: Inferred interests based on behavior (tech, business, creative)
  • Session Analytics: Advertisement performance within user sessions
  • Conversion Tracking: Actions taken after advertisement exposure

3.5 Organization and Team Data

  • Organization Membership: Roles, permissions, join dates
  • Invitation History: Sent and received invitations, acceptance status
  • Domain Verification: Email domain ownership verification
  • Team Collaboration: Shared tasks, boards, communication within organizations
  • Administrative Actions: User management, policy changes, role assignments

Under GDPR, we process your personal data based on the following legal bases:

4.1 Contract Performance (Article 6(1)(b) GDPR)

  • Account creation and management
  • Service provision and feature delivery
  • Task management and collaboration features
  • Payment processing for premium subscriptions
  • Customer support and technical assistance

4.2 Legitimate Interest (Article 6(1)(f) GDPR)

  • Service Improvement: Analytics to enhance user experience and features
  • Security: Fraud prevention, abuse detection, account protection
  • Technical Operations: System monitoring, error detection, performance optimization
  • Communication: Service announcements, security alerts, product updates

We have conducted legitimate interest assessments to ensure our interests do not override your fundamental rights and freedoms.

4.3 Consent (Article 6(1)(a) GDPR)

  • Marketing Communications: Newsletter, promotional emails (opt-in required)
  • Targeted Advertising: Behavioral advertising and profiling (18+ only)
  • Analytics Cookies: Non-essential website analytics and tracking
  • AI Features: Enhanced AI-powered recommendations and content generation

4.3.1 How Consent Is Obtained:

Consent Collection Mechanisms:

  • Cookie Banner: EU users see granular consent banner with accept/reject/customize options
  • Registration Opt-ins: Checkbox consent during account creation for marketing communications
  • Settings Modal: Detailed consent management through privacy settings dashboard
  • Feature Activation: Just-in-time consent when accessing consent-requiring features
  • Age-Based Restrictions: Automatic consent limitations based on verified age
  • Clear Language: Plain language explanations before consent collection
  • Withdrawal Options: Easy consent withdrawal through account settings

4.4 Legal Obligation (Article 6(1)(c) GDPR)

  • Age verification and child protection compliance
  • Tax and accounting record keeping
  • Data breach notifications to authorities
  • Response to lawful requests from authorities

5. How We Use Your Information

5.1 Service Provision and Enhancement

  • Account Management: Create, maintain, and secure user accounts
  • Feature Delivery: Provide task management, collaboration, and productivity tools
  • Personalization: Customize interface, recommendations, and user experience
  • AI Assistance: Provide AI-powered task suggestions, content generation, and assistance
  • Real-time Features: Enable live collaboration, notifications, and updates

5.2 Communication and Support

  • Service Communications: Account verification, password resets, security alerts
  • Customer Support: Respond to inquiries, resolve issues, provide assistance
  • Product Updates: Inform about new features, changes, and improvements
  • Marketing Communications: Newsletter, promotional content (with consent)

5.3 Security and Fraud Prevention

  • Account Security: Monitor for suspicious activity, unauthorized access
  • Fraud Detection: Identify and prevent fraudulent use of services
  • Age Verification: Ensure compliance with age restrictions
  • Content Moderation: Automated and manual review of user-generated content

5.4 Analytics and Improvement

  • Usage Analytics: Understand how features are used to improve service
  • Performance Monitoring: Track system performance and identify issues
  • A/B Testing: Test new features and improvements with user subsets
  • Research and Development: Develop new features and capabilities

5.5 Advertisement Services (18+ Only)

Advertisement targeting and analytics are only available for users 18 years and older who have provided explicit consent.

  • Targeted Advertising: Show relevant advertisements based on interests and behavior
  • Advertisement Analytics: Measure advertisement performance and effectiveness
  • Advertiser Services: Provide campaign management and analytics tools
  • Market Research: Aggregate, anonymized market insights

6. Information Sharing and Disclosure

We do not sell your personal information to third parties. We may share your information only in the following circumstances:

6.1 Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf under strict data processing agreements:

Essential Service Providers:

  • Stripe: Payment processing and subscription management
    Data shared: Billing information, payment methods, transaction history
    Legal basis: Contract performance, legitimate interest
  • Email Service Providers (Mailgun, AWS SES, Postmark): Email delivery
    Data shared: Email addresses, email content, delivery metrics
    Legal basis: Contract performance, consent (for marketing)
  • Google Cloud Storage: File storage and content delivery
    Data shared: User-uploaded files, media content
    Legal basis: Contract performance
  • Pusher: Real-time communication and notifications
    Data shared: User IDs, notification content, presence data
    Legal basis: Contract performance
  • Sentry: Error monitoring and performance tracking
    Data shared: Error logs, user context (anonymized), performance metrics
    Legal basis: Legitimate interest
  • OpenAI: AI-powered features and content generation
    Data shared: User queries, content for processing (anonymized when possible)
    Processing location: United States (primary), EU (when available)
    Legal safeguards: Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914, Data Privacy Framework (DPF) certification where applicable
    Legal basis: Consent, contract performance

6.2 Within Organizations and Teams

  • Team Members: Profile information, task assignments, collaboration data shared within organizations
  • Organization Administrators: User management data, activity reports, compliance information
  • Public Content: Publicly shared tasks and profiles visible to all users

6.3 Legal Requirements and Safety

  • Legal Compliance: When required by law, regulation, or court order
  • Law Enforcement: Response to lawful requests from government authorities
  • Safety Protection: To protect users, prevent fraud, or address security threats
  • Rights Protection: To protect our legal rights, property, or safety

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity, subject to the same privacy protections.

6.5 Special Protections for Minors

Enhanced restrictions for users aged 16-17:

  • No data sharing for marketing or advertising purposes
  • Limited sharing with service providers (essential services only)
  • Enhanced consent requirements for any data sharing
  • Parental notification rights where applicable

7. International Data Transfers

As a global service, your personal information may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

7.1 Transfer Safeguards

  • Adequacy Decisions: Transfers to countries with EU adequacy decisions (UK, Canada, Japan, etc.)
  • Standard Contractual Clauses: Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 for all third-country transfers
  • Data Processing Agreements: Comprehensive GDPR-compliant agreements with all processors
  • Certification Programs: Processors certified under Data Privacy Framework (DPF), Privacy Shield successor programs
  • Additional Safeguards: Technical measures including encryption, access controls, and transfer impact assessments

7.2 Data Localization

  • Primary Storage: EU-based data centers for European users
  • Backup Systems: Geographically distributed with appropriate safeguards
  • Processing Locations: Preference for EU-based processing where possible

8. Data Security Measures

We implement comprehensive technical and organizational security measures to protect your personal information:

8.1 Technical Security Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access controls and principle of least privilege
  • Authentication: Multi-factor authentication, WebAuthn/passkey support
  • Network Security: Firewalls, intrusion detection, and prevention systems
  • Vulnerability Management: Regular security assessments and penetration testing

8.2 Organizational Security Measures

  • Employee Training: Regular privacy and security awareness training
  • Access Logging: Comprehensive audit trails for all data access
  • Incident Response: 24/7 security monitoring and response procedures
  • Data Minimization: Collection and processing limited to necessary purposes
  • Privacy by Design: Privacy considerations integrated into all system designs

8.3 Account Security Features

  • Two-Factor Authentication: TOTP-based 2FA with recovery codes
  • WebAuthn/Passkeys: Modern passwordless authentication
  • Session Management: Automatic session timeout and secure session handling
  • Login Monitoring: Suspicious activity detection and alerting
  • Password Security: Strong password requirements and secure storage

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

Essential Cookies (No Consent Required):

  • Session Cookies: User authentication and session management
  • Security Cookies: CSRF protection, secure authentication
  • Preference Cookies: Language settings, interface preferences
  • Load Balancing: Distribute traffic across servers

Analytics Cookies (Consent Required):

  • Usage Analytics: Page views, feature usage, user journeys
  • Performance Monitoring: Load times, error rates, system performance
  • A/B Testing: Feature testing and optimization

Advertising Cookies (Consent Required, 18+ Only):

  • Targeted Advertising: Interest-based advertisement delivery
  • Conversion Tracking: Measure advertisement effectiveness
  • Cross-Site Tracking: Limited to advertisement purposes only

9.2 Cookie Consent Management

  • Granular Consent: Separate consent for different cookie categories
  • Consent Withdrawal: Easy opt-out through cookie settings
  • Age-Based Restrictions: Limited cookies for users under 18
  • Browser Controls: Respect browser Do Not Track (DNT) and Global Privacy Control (GPC) signals
  • Cookie Duration Transparency: Clear information about cookie expiration periods (see our separate Cookie Policy for detailed duration table)

9.3 Third-Party Tracking

We use minimal third-party tracking and only with appropriate consent mechanisms:

  • Analytics Providers: Anonymous usage statistics (with consent)
  • Advertisement Partners: Limited tracking for adult users with consent
  • Social Media: No social media tracking pixels or buttons

10. Data Retention and Deletion

10.1 General Retention Principles

We retain personal information only as long as necessary for the purposes outlined in this policy:

  • Data Minimization: Regular review and deletion of unnecessary data
  • Purpose Limitation: Data retained only for original collection purposes
  • Automated Deletion: Systematic deletion based on retention schedules
  • User Control: Users can request early deletion

10.2 Specific Retention Periods

Account and Profile Data:

  • Active Accounts: Retained while account is active
  • Deleted Accounts: Most data deleted within 30 days of account deletion
  • Inactive Accounts: Automatic deletion after 2 years of inactivity
  • Profile Information: Deleted immediately upon account deletion

Activity and Usage Data:

  • Session Logs: 90 days for active users, 30 days for deleted accounts
  • Activity Logs: 1 year for service improvement purposes
  • Usage Analytics: Aggregated, anonymized data may be retained indefinitely
  • Error Logs: 6 months for debugging and system improvement

Security and Compliance Data:

  • Security Logs: 2 years for fraud prevention and security monitoring
  • Audit Logs: 7 years for regulatory compliance
  • Age Verification: Verification records retained for compliance purposes
  • Consent Records: Proof of consent retained for legal compliance

Financial and Payment Data:

  • Payment Records: 10 years for tax and accounting compliance
  • Invoice Data: 10 years as required by law
  • Subscription History: 7 years for business records

Backup Systems:

  • System Backups: Data in backups retained for up to 90 days
  • Disaster Recovery: Emergency backups retained for 1 year
  • Backup Deletion: Systematic deletion from backup systems
  • Legal Hold Exception: Data deletion may be deferred if subject to legal hold, litigation preservation orders, or regulatory investigation requirements

10.3 Special Retention Rules for Minors

Enhanced deletion protections for users aged 16-17:

  • Automatic data review every 12 months
  • No retention for marketing or advertising purposes
  • Shorter retention periods for non-essential data
  • Priority processing for deletion requests
  • Enhanced right to erasure protections

11. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal information:

11.1 Individual Rights

Right of Access (Article 15):

  • Data Export: Request a complete copy of your personal data
  • Processing Information: Understand how your data is processed
  • Third-Party Sharing: Know who has access to your data
  • Response Time: Within 1 month of request

Right to Rectification (Article 16):

  • Data Correction: Correct inaccurate or incomplete personal data
  • Profile Updates: Update profile information through account settings
  • Third-Party Notification: We notify relevant third parties of corrections

Right to Erasure/Right to be Forgotten (Article 17):

  • Account Deletion: Delete your account and associated data
  • Specific Data Deletion: Request deletion of specific data categories
  • Third-Party Notification: We notify processors of deletion requests
  • Legal Limitations: Some data may be retained for legal compliance

Right to Restrict Processing (Article 18):

  • Processing Limitation: Limit how we process your data
  • Consent Withdrawal: Withdraw consent for specific processing
  • Dispute Resolution: Restrict processing during dispute resolution

Right to Data Portability (Article 20):

  • Data Export: Receive your data in machine-readable format (JSON)
  • Data Transfer: Transfer data to another service provider
  • Complete Export: Includes all personal data and usage history

Right to Object (Article 21):

  • Legitimate Interest Processing: Object to processing based on legitimate interests
  • Direct Marketing: Absolute right to opt out of marketing
  • Profiling: Object to automated decision-making and profiling

11.2 Enhanced Rights for Minors (16-17 years)

Additional rights for users aged 16-17:

  • Parental Rights: Parents/guardians may exercise rights on your behalf
  • Enhanced Erasure: Stronger right to deletion for data created as a minor
  • Processing Objection: Enhanced right to object to any non-essential processing
  • Data Minimization: Automatic review and minimization of data collection
  • Accessible Formats: Information provided in easy-to-understand formats

11.3 How to Exercise Your Rights

  • Account Settings: Many rights can be exercised through your account settings
  • Email Requests: Send detailed requests to gdpr@recoon.com
  • Identity Verification: We may require identity verification for security
  • Response Timeline: We respond within 1 month (extendable to 3 months for complex requests)
  • Free Exercise: No charge for exercising your rights (except for excessive requests)
  • California Residents: California residents may also exercise rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), where applicable

12. Automated Decision-Making and Profiling

12.1 Automated Systems We Use

  • Content Moderation: Automated detection of inappropriate content
  • Fraud Detection: Automated analysis for suspicious account activity
  • Task Recommendations: AI-powered task and content suggestions
  • Advertisement Targeting: Automated interest-based advertisement delivery (18+ only)
  • Spam Detection: Automated identification of spam content

Important Note on AI Task Personalization:

AI-based task personalization and recommendations are not solely automated decisions under GDPR Article 22. These features include meaningful human oversight, user control mechanisms, and allow for manual adjustment. Users can disable personalization features and modify recommendations at any time through their account settings.

12.2 Profiling Activities (18+ Only)

Profiling for advertising purposes is only conducted for users 18 years and older with explicit consent.

  • Interest Profiling: Analysis of behavior to infer interests (tech, business, creative)
  • Demographic Analysis: Age ranges and general geographic preferences
  • Usage Patterns: Analysis of feature usage for personalization
  • Advertisement Analytics: Performance analysis for advertisement optimization

12.3 Your Rights Regarding Automated Processing

  • Right to Object: Object to automated decision-making and profiling
  • Human Review: Request human review of automated decisions
  • Explanation: Receive explanations of automated decision logic
  • Opt-Out: Disable personalization and profiling features

13. Data Breach Notification

13.1 Our Breach Response Procedures

  • Detection: 24/7 monitoring and automated breach detection systems
  • Assessment: Immediate assessment of breach scope and risk
  • Containment: Rapid containment and mitigation measures
  • Notification: Timely notification to authorities and affected individuals
  • Investigation: Thorough investigation and remediation

13.2 Notification Timelines

  • Authority Notification: Within 72 hours to relevant data protection authorities
  • Individual Notification: Without undue delay if high risk to rights and freedoms
  • Public Disclosure: Transparent communication about significant breaches

13.3 Information We Provide

  • Nature of Breach: Description of what happened
  • Data Involved: Categories of personal data affected
  • Consequences: Likely consequences of the breach
  • Measures Taken: Steps taken to address the breach
  • Recommendations: Actions individuals can take to protect themselves

14. Changes to This Privacy Policy

14.1 Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service features:

  • Material Changes: 30 days' advance notice for significant changes
  • Minor Updates: Immediate implementation for clarifications and corrections
  • Version Control: All versions archived with effective dates

14.2 Notification Methods

  • Email Notification: Sent to registered email address
  • In-App Notification: Prominent notice within the service
  • Website Banner: Visible notification on our website
  • Push Notifications: Mobile app notifications for material changes

14.3 Your Options

  • Continued Use: Continued use constitutes acceptance of changes
  • Account Termination: Right to terminate account if you disagree with changes
  • Data Export: Export your data before changes take effect
  • Consent Withdrawal: Withdraw consent for new processing activities

15. Contact Information and Complaints

15.1 Data Controller Information

Recoon GmbH

Primary Office (Germany):

83395 Freilassing, Germany
Phone: [To be added]
Fax: [To be added]

Austrian Office:

5020 Salzburg, Austria
Phone: [To be added]
Fax: [To be added]

15.2 Specialized Contact Addresses

  • Data Protection Officer: dpo@recoon.com
  • Privacy Inquiries: privacy@recoon.com
  • GDPR Rights Requests: gdpr@recoon.com
  • Data Breach Reports: security@recoon.com
  • Age Verification/Compliance: compliance@recoon.com
  • Parents/Guardians (minor users): parents@recoon.com
  • Legal Inquiries: legal@recoon.com
  • General Support: support@recoon.com

15.3 Supervisory Authorities

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the relevant data protection supervisory authority:

German Supervisory Authority:

Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Phone: +49 (0)228 997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de

Austrian Supervisory Authority:

Österreichische Datenschutzbehörde (DSB)
Barichgasse 40-42
1030 Wien, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

EU Residents:

EU residents may also contact their local data protection authority. A complete list is available at: https://edpb.europa.eu/about-edpb/board/members_en

15.4 EU Online Dispute Resolution

EU Online Dispute Resolution Platform: EU consumers can access the European Commission's Online Dispute Resolution platform for alternative dispute resolution at: https://ec.europa.eu/consumers/odr/

16.1 Legal Framework

This Privacy Policy is governed by and complies with:

  • EU General Data Protection Regulation (GDPR): Primary data protection framework
  • German Federal Data Protection Act (BDSG): National implementation of GDPR
  • Austrian Data Protection Act (DSG): Austrian data protection law
  • ePrivacy Directive: Electronic communications privacy
  • Telecommunications Act (TKG): Communications data protection

16.2 Representative for EU Users

As we are established within the EU, we do not require an EU representative under Article 27 GDPR. Our German office serves as our primary EU establishment.

16.3 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by GDPR Article 35, including:

  • DPIA Criteria: DPIAs are conducted for any new feature involving profiling of minors, sensitive personal data processing, or systematic large-scale monitoring
  • Risk Assessment: Evaluation of privacy risks and mitigation measures for all new processing activities
  • Specific Assessments: Advertisement targeting and profiling systems, automated content moderation, large-scale processing of behavioral data
  • Technology Integration: New AI technologies, third-party integrations, and processing methods
  • Consultation Process: Data Protection Officer review and, where required, supervisory authority consultation

17. Version History

This section provides a transparent record of all material changes to this Privacy Policy for audit and compliance purposes:

Version: 1.0
Effective Date: September 4, 2025
Key Changes:

  • Initial comprehensive privacy policy
  • GDPR Article 28 compliance framework
  • Age-based processing restrictions (16+ only)
  • Enhanced consent mechanisms
  • International transfer safeguards
  • Detailed data retention schedules

Legal Basis: Legal requirement, service launch

Future versions will be documented here as the policy evolves. All material changes will include 30 days' advance notice to users.

Regulatory Note: This version history is maintained for compliance with GDPR Article 30 (records of processing activities) and to demonstrate accountability under Article 5(2). Previous versions are archived and available upon request from our Data Protection Officer.

Privacy Policy Version: 1.0
Effective Date: September 4, 2025
Last Updated: September 4, 2025
Next Scheduled Review: September 4, 2026

This Privacy Policy is legally binding and effective immediately. By using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.