Love Places

Privacy Policy

Privacy Policy for the “Love Places” App

Effective date: 11 August 2025

1) Controller

Dominik Boch
Auf der Entenweide 48
69502, Hemsbach, Germany
Email: info@loveplacesapp.de
Website: https://loveplacesapp.de

No data protection officer is appointed. The controller himself is your point of contact for all privacy matters (see contact above).

2) Scope

This Privacy Policy applies to the Love Places mobile application. A separate policy may apply to our website.
Age limit: The app is intended for users aged 16 and over.

3) Privacy at a glance

Who is responsible? Dominik Boch (see Section 1).
What do we process? Account data (e.g. email/display name), content you add (pins, groups), optional push token, and technical usage data for stability and security. Your current GPS position is not stored or synced; it is used only for live display in Apple Maps(iOS) or Mapbox(Android).
Why? To provide the app (account, sync, groups), show map content (Apple Maps or Mapbox), optionally send notifications, and show ads (Google AdMob).
Legal bases: Contract/usage (Art. 6(1)(b) GDPR), consent (Art. 6(1)(a) GDPR together with §25 TTDSG for device access like push token/IDFA), legitimate interests (Art. 6(1)(f) GDPR, e.g. stability, non-personalised ads).
Your rights: Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (see Section 12).

4) Purposes and legal bases

We process personal data to run and improve the app and to communicate with you. Depending on the processing, the legal basis is:

  • Art. 6(1)(b) GDPR (contract/usage), e.g. account, content, groups.
  • Art. 6(1)(a) GDPR + §25 TTDSG (consent & device access), e.g. push token, IDFA/personalised ads, location permission.
  • Art. 6(1)(f) GDPR (legitimate interests), e.g. app stability, fraud prevention, non-personalised ads.

5) What data we process in the app

5.1 Account & sign-in

Sign in with Apple(iOS) or Google Sign-In(Android) and Firebase Authentication (Google LLC)
Categories: email/relay email, display name, unique user ID, timestamps of account creation/last sign-in.
Purpose: authentication and account management.
Legal basis: Art. 6(1)(b) GDPR.
Retention: until you delete your account.

5.2 Profile & push notifications

Categories: profile (username/display name), platform/last activity; push token for notifications.
Purpose: operate the account, deliver notifications.
Legal bases: Art. 6(1)(b) GDPR (account); Art. 6(1)(a) GDPR + §25 TTDSG for storing/using the push token.
Opt-out: iOS → Notifications.
Retention: until withdrawal/token expiry/app uninstall or account deletion.

5.3 Location & maps (Apple Maps)

Use of your position: live display only in the map.
Important: we do not store or sync your current GPS position on our servers.
Map services:

  • iOS: Apple Maps (Apple Inc.) provides map content under its own responsibility.
  • Android: Mapbox (Mapbox Inc., https://www.mapbox.com) provides map content under its own responsibility. Mapbox may collect telemetry data (e.g., device type, OS version, IP address, general location data) to improve their services. See Mapbox Privacy Policy: https://www.mapbox.com/legal/privacy

Mapbox collects telemetry data (device type, OS version, IP address, general location information) to improve map quality and services. This data is processed by Mapbox as an independent data controller under their Product Privacy Policy: https://www.mapbox.com/legal/privacy#product-privacy-policy You can opt out of Mapbox telemetry collection. For details, see: https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely/#telemetry-opt-out

Legal basis: consent (Art. 6(1)(a) GDPR; §25 TTDSG).
Withdraw:

  • iOS → Settings → Privacy & Security → Location Services
  • Android → Settings → Apps → Love Places → Permissions → Location
    If place names are shown (reverse geocoding), we do not store them.

5.4 Content (pins) & groups

Pins (content data): title, notes, rating, category/type, pin coordinates chosen by you, timestamps, and internal linkage to your account.
Groups: group name, invite/join code, creator, member list as pseudonymous user IDs (display names are visible). Emails are not stored or shown in groups.
Visibility: within a group, the group name, members (as display names), pins and comments are visible to all group members.
Purpose/legal basis: store/sync your content and enable group features, Art. 6(1)(b) GDPR.
Retention: until you delete content or your account. When you leave/delete your account, your membership is removed; remaining group content may persist without personal reference (e.g. shown as “Deleted user”).

5.5 Feedback & support

Categories: subject/description, status, user ID/display name/email, app version, iOS version, device model, timestamps.
Purpose/legal bases: handle your request (Art. 6(1)(b) GDPR) and quality/product improvement (Art. 6(1)(f) GDPR).
Retention: until resolved; thereafter deletion/anonymisation within reasonable periods.

5.6 Local storage (settings & offline)

Categories: local pins, username, app settings, push token.
Legal basis: §25(2) No. 2 TTDSG (technically necessary) and Art. 6(1)(f) GDPR; for non-essential items: consent.
Retention: until uninstall/reset or manual deletion.

5.7 Advertising & measurement

Google AdMob (Google LLC)
Categories: advertising ID (IDFA, only with consent), truncated IP, device type/model, OS version, app usage data, approximate location.
Purposes: show ads; personalised ads only with consent; reach/measurement.
Legal bases: §25 TTDSG (IDFA), Art. 6(1)(a) GDPR (personalised), Art. 6(1)(f) GDPR (non-personalised).
EU consent: consent dialog (e.g. Google UMP/TCF).
Apple SKAdNetwork: anonymous install/conversion data; Art. 6(1)(f) GDPR.

6) Recipients / categories of recipients

  • Google LLC (Firebase/AdMob; processing under Art. 28 GDPR),
  • Apple Inc. (Sign in with Apple, Apple Maps/MapKit, ATT, SKAdNetwork – separate controller),
  • Mapbox Inc. (map services on Android – separate controller),
  • IT/cloud and email providers that help us deliver the service,
  • Other users: group members see content shared within their groups and display names.

7) Hosting/Cloud & logs

We run our app infrastructure on Google Cloud/Firebase (Google LLC) and use cloud services for authentication, database and push. Personal data is processed by our processor only as required and in accordance with our instructions (Art. 28 GDPR).
Operational/security logs (e.g. technical events, error messages) may be processed to ensure stability, security and troubleshooting (Art. 6(1)(f) GDPR). We do not create usage profiles beyond this.
Backups: We currently operate no Firestore scheduled backups and no Point-in-Time Recovery (PITR). Data is redundantly held within Google Cloud for service continuity; we do not control those internal redundancies.

8) Device access under TTDSG

We access device information such as the advertising ID (IDFA) or push token only with your consent (§25 TTDSG). Technically necessary storage/access required for the app to function is permitted under §25(2) No. 2 TTDSG.

9) International data transfers

Using services of Google LLC, Apple Inc. and Mapbox Inc. may involve transfers to the USA. Both participate in the EU–US Data Privacy Framework; we also rely on EU Standard Contractual Clauses (SCCs) and, where necessary, additional safeguards.

10) Mandatory data & consequences

Basic account/profile data is required to use account and sync/group features.
Optional: location, push notifications and personalised advertising. Without consent, these features are unavailable or limited.

11) Retention & deletion

  • Delete account: in the app under Profile → Delete account. Personal profile data is then deleted/anonymised.
  • Content: you can delete pins/comments at any time; remaining group content may persist without personal reference for group history.
  • Backups: we currently run no own backups (no scheduled Firestore backups, no PITR). Internal cloud redundancies are maintained by Google for operational reasons.

12) Your rights

Subject to the legal conditions, you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection to processing under Art. 6(1)(e/f) (Art. 21), and withdrawal of consent (Art. 7(3) GDPR). To exercise your rights, contact us (Section 1).

13) Automated decision-making / profiling

We do not use automated decision-making within the meaning of Art. 22 GDPR. Personalised advertising is shown only if you consent.

14) Security

We implement appropriate technical and organisational measures, including TLS encryption in transit, role-based access, least-privilege principles, and regular security updates.

15) Changes to this notice

We may update this notice from time to time. The current version is available in the app and on our website. Material changes will be announced in the app.

16) Supervisory authority & complaints

You have the right to lodge a complaint with any data protection supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work or the place of the alleged infringement (Art. 77 GDPR). For our place of establishment, the competent authority is:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI Baden-Württemberg)
House address: Lautenschlagerstraße 20, 70173 Stuttgart, Germany
Postal address: P.O. Box 10 29 32, 70025 Stuttgart, Germany
Phone: +49 711 61 55 41-0
Email: poststelle@lfdi.bwl.de
Website: baden-wuerttemberg.datenschutz.de

 

Effective as of: 11 August 2025 • Last updated: 4 December 2025