Love Places

Privacy Policy

Privacy Policy for the “Love Places” App

Effective date: 11 August 2025

1) Controller

Dominik Boch
Auf der Entenweide 48
69502, Hemsbach, Germany
Email: info@loveplacesapp.de
Website: https://loveplacesapp.de

No data protection officer is appointed. The controller himself is your point of contact for all privacy matters (see contact above).

2) Scope

This Privacy Policy applies to the Love Places mobile application. A separate policy may apply to our website.
Age limit: The app is intended for users aged 16 and over.

3) Privacy at a glance

Who is responsible? Dominik Boch (see Section 1).
What do we process? Account data (e.g. email/display name), content you add (pins, groups), optional push token, analytics data (app usage, events, device info), and technical usage data for stability and security. Your current GPS position is not stored or synced; it is used only for live display in Apple Maps(iOS) or Mapbox(Android).
Why? To provide the app (account, sync, groups), show map content (Apple Maps or Mapbox), optionally send notifications, and show ads (Google AdMob).
Legal bases: Contract/usage (Art. 6(1)(b) GDPR), consent (Art. 6(1)(a) GDPR together with §25 TTDSG for device access like push token/IDFA), legitimate interests (Art. 6(1)(f) GDPR, e.g. stability, non-personalised ads).
Your rights: Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (see Section 12).

4) Purposes and legal bases

We process personal data to run and improve the app and to communicate with you. Depending on the processing, the legal basis is:

  • Art. 6(1)(b) GDPR (contract/usage), e.g. account, content, groups.
  • Art. 6(1)(a) GDPR + §25 TTDSG (consent & device access), e.g. push token, IDFA/personalised ads, location permission.
  • Art. 6(1)(f) GDPR (legitimate interests), e.g. app stability, fraud prevention, non-personalised ads.

5) What data we process in the app

5.1 Account & sign-in

Sign in with Apple(iOS) or Google Sign-In(Android) and Firebase Authentication (Google LLC)
Categories: email/relay email, display name, unique user ID, timestamps of account creation/last sign-in.
Purpose: authentication and account management.
Legal basis: Art. 6(1)(b) GDPR.
Retention: until you delete your account.

5.2 Profile & push notifications

Categories: profile (username/display name), platform/last activity; push token for notifications.
Purpose: operate the account, deliver notifications.
Legal bases: Art. 6(1)(b) GDPR (account); Art. 6(1)(a) GDPR + §25 TTDSG for storing/using the push token.
Opt-out: iOS → Notifications.
Retention: until withdrawal/token expiry/app uninstall or account deletion.

5.3 Location & maps

Use of your position: live display only in the map.
Important: we do not store or sync your current GPS position on our servers.
Map services:

  • iOS: Apple Maps (Apple Inc.) provides map content under its own responsibility.
  • Android: Mapbox (Mapbox Inc., https://www.mapbox.com) provides map content under its own responsibility. Mapbox may collect telemetry data (e.g., device type, OS version, IP address, general location data) to improve their services. See Mapbox Privacy Policy: https://www.mapbox.com/legal/privacy

Mapbox collects telemetry data (device type, OS version, IP address, general location information) to improve map quality and services. This data is processed by Mapbox as an independent data controller under their Product Privacy Policy: https://www.mapbox.com/legal/privacy#product-privacy-policy You can opt out of Mapbox telemetry collection. For details, see: https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely/#telemetry-opt-out

Legal basis: consent (Art. 6(1)(a) GDPR; §25 TTDSG).
Withdraw:

  • iOS → Settings → Privacy & Security → Location Services
  • Android → Settings → Apps → Love Places → Permissions → Location
    If place names are shown (reverse geocoding), we do not store them.

5.4 Content (pins) & groups

Pins (content data): title, notes, rating, category/type, pin coordinates chosen by you, timestamps, and internal linkage to your account.
Groups: group name, invite/join code, creator, member list as pseudonymous user IDs (display names are visible). Emails are not stored or shown in groups.
Visibility: within a group, the group name, members (as display names), pins and comments are visible to all group members.
Purpose/legal basis: store/sync your content and enable group features, Art. 6(1)(b) GDPR.
Retention: until you delete content or your account. When you leave/delete your account, your membership is removed; remaining group content may persist without personal reference (e.g. shown as “Deleted user”).

5.5 Feedback & support

Categories: subject/description, status, user ID/display name/email, app version, iOS version, device model, timestamps.
Purpose/legal bases: handle your request (Art. 6(1)(b) GDPR) and quality/product improvement (Art. 6(1)(f) GDPR).
Retention: until resolved; thereafter deletion/anonymisation within reasonable periods.

5.6 Local storage (settings & offline)

Categories: local pins, username, app settings, push token.
Legal basis: §25(2) No. 2 TTDSG (technically necessary) and Art. 6(1)(f) GDPR; for non-essential items: consent.
Retention: until uninstall/reset or manual deletion.

5.7 Advertising & measurement

Google AdMob (Google LLC)
Categories: advertising ID (IDFA, only with consent), truncated IP, device type/model, OS version, app usage data, approximate location.
Purposes: show ads; personalised ads only with consent; reach/measurement.
Legal bases: §25 TTDSG (IDFA), Art. 6(1)(a) GDPR (personalised), Art. 6(1)(f) GDPR (non-personalised).
EU consent: consent dialog (e.g. Google UMP/TCF).
Apple SKAdNetwork: anonymous install/conversion data; Art. 6(1)(f) GDPR.

Exception for Premium Users: If you purchase the “Premium” upgrade, the advertising modules (e.g., Google AdMob) are completely disabled. In this case, no personal data is processed for advertising purposes, and no advertising ID is collected or transmitted.

5.8 Analytics & app improvement (Firebase Analytics)

We use Firebase Analytics (Google LLC) to understand how users interact with the app and to improve our service. Categories: anonymized/pseudonymized usage data (app opens, screen views, events), device information (type, model, OS version), approximate location (country/region level), Firebase Installation ID, timestamps. Purposes: analyze app usage, understand user behavior, improve features and performance, identify technical issues.

Legal bases:

  • EU users: Art. 6(1)(a) GDPR (consent via GDPR dialog) – Consent obtained: full analytics with detailed event tracking – Consent denied: limited analytics (aggregated data only, GDPR-compliant) –
  • Non-EU users: Art. 6(1)(f) GDPR (legitimate interest in app improvement)

EU consent: shown in GDPR consent dialog after onboarding. You can withdraw consent at any time (see Section 12). Data sharing: Firebase Analytics data is processed by Google LLC as part of Firebase services. Google may use this data in accordance with their Firebase Data Processing Terms. Retention: Firebase Analytics data is automatically deleted after 14 months (Google’s standard retention period). Opt-out: EU users can deny consent in the GDPR dialog. Analytics will then operate in limited mode with aggregated data only. More information: https://firebase.google.com/support/privacy

5.9 In-App Purchases (Premium)

We offer additional features via an one-time In-App Purchase. Payment Processing: The entire payment process is handled exclusively by the app store provider (Apple App Store for iOS or Google Play Store for Android). We do not collect, store, or process your payment data (such as credit card numbers, bank account details, or billing address). Data we receive: We only receive a cryptographic token or receipt from the respective store (Apple or Google) confirming that the purchase was successful. We link this confirmation to your account to unlock the Premium features. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Retention: We store the status of your premium unlock as long as your account exists, to ensure you maintain access to the features you paid for.

6) Recipients / categories of recipients

  • Google LLC (Firebase/AdMob; processing under Art. 28 GDPR),
  • Apple Inc. (Sign in with Apple, Apple Maps/MapKit, ATT, SKAdNetwork – separate controller),
  • Mapbox Inc. (map services on Android – separate controller),
  • IT/cloud and email providers that help us deliver the service,
  • Other users: group members see content shared within their groups and display names.

7) Hosting/Cloud & logs

We run our app infrastructure on Google Cloud/Firebase (Google LLC) and use cloud services for authentication, database and push. Personal data is processed by our processor only as required and in accordance with our instructions (Art. 28 GDPR).
Operational/security logs (e.g. technical events, error messages) may be processed to ensure stability, security and troubleshooting (Art. 6(1)(f) GDPR). We do not create usage profiles beyond this.
Backups: We currently operate no Firestore scheduled backups and no Point-in-Time Recovery (PITR). Data is redundantly held within Google Cloud for service continuity; we do not control those internal redundancies.

8) Device access under TTDSG

We access device information such as the advertising ID (IDFA) or push token only with your consent (§25 TTDSG). Technically necessary storage/access required for the app to function is permitted under §25(2) No. 2 TTDSG.

9) International data transfers

Using services of Google LLC, Apple Inc. and Mapbox Inc. may involve transfers to the USA. Both participate in the EU–US Data Privacy Framework; we also rely on EU Standard Contractual Clauses (SCCs) and, where necessary, additional safeguards.

10) Mandatory data & consequences

Basic account/profile data is required to use account and sync/group features.
Optional: location, push notifications and personalised advertising. Without consent, these features are unavailable or limited.

11) Retention & deletion

  • Delete account: in the app under Profile → Delete account. Personal profile data is then deleted/anonymised.
  • Content: you can delete pins/comments at any time; remaining group content may persist without personal reference for group history.
  • Backups: we currently run no own backups (no scheduled Firestore backups, no PITR). Internal cloud redundancies are maintained by Google for operational reasons.

12) Your rights

Subject to the legal conditions, you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection to processing under Art. 6(1)(e/f) (Art. 21), and withdrawal of consent (Art. 7(3) GDPR). To exercise your rights, contact us (Section 1).

13) Automated decision-making / profiling

We do not use automated decision-making within the meaning of Art. 22 GDPR. Personalised advertising is shown only if you consent.

14) Security

We implement appropriate technical and organisational measures, including TLS encryption in transit, role-based access, least-privilege principles, and regular security updates.

15) Changes to this notice

We may update this notice from time to time. The current version is available in the app and on our website. Material changes will be announced in the app.

16) Supervisory authority & complaints

You have the right to lodge a complaint with any data protection supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work or the place of the alleged infringement (Art. 77 GDPR). For our place of establishment, the competent authority is:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI Baden-Württemberg)
House address: Lautenschlagerstraße 20, 70173 Stuttgart, Germany
Postal address: P.O. Box 10 29 32, 70025 Stuttgart, Germany
Phone: +49 711 61 55 41-0
Email: poststelle@lfdi.bwl.de
Website: baden-wuerttemberg.datenschutz.de

 

Effective as of: 11 August 2025 • Last updated: 21 January 2026