Privacy policy


1. Scope of the privacy policy


This privacy policy applies to the app for mobile operating systems and devices (hereinafter referred to as “app”) mentioned in the heading. This policy explains the nature, purpose, and scope of data collection in connection with the use of the app.


Please note that when you download our app from an app store, you must register or identify yourself with the respective app store operator (e.g., via a Google or Apple ID). When downloading, various personal data, such as your email address, user name, the customer number of your app store account, your individual device identification number, the time of download, and, if applicable, payment information may be processed by the app store operator. The privacy policies and terms of use of the app store operators apply here, which may differ from the data protection laws of the European Union. We have no influence on these conditions.


We reserve the right to change these privacy provisions at any time in compliance with legal requirements.



2. Responsible body


The responsible body for the data processing described in this privacy policy is:


MovePoints UG (limited liability)

Schopenhauerstr. 71

Munich 80807


Email address: info@movepointsapp.com

Phone number: +49 176 22235356



3. Purpose and legal basis of data processing


Unless otherwise specified in this privacy policy, we process your personal data in connection with your use of the app in order to provide the app's functionalities, to ensure the security of the app, or to contact you if necessary and legally permissible. The legal basis is Art. 6 (1) (b) GDPR (performance of a contract) and our legitimate interest in providing a functional app (Art. 6 (1) (f) GDPR). If consent has been requested, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG; consent can be revoked at any time. Please refer to the following explanations for details. If the user uses a paid version of the app, we also process information about the respective subscription or tariff status for the activation and administration of the corresponding functions. The legal basis is Art. 6 (1) lit. b GDPR.



4. Processed data categories



When you use this app, the following personal data about you will be processed:


Personal information:


• First and last name

• Email address

• Profile picture

• Profile

• City

• Date of birth

• Gender

• Favorite sport


The information regarding profile picture, profile, city, date of birth, gender, and favorite sport is voluntary.


Contract data:


• Order data

• Invoice and contract data

• Payment data


Communication data:


• Support and contact requests


Usage and content data:


• User-generated content (e.g., activities, posts, photos, videos, uploads)

• Activity registrations

• Points balance

• Favorite places

• Usage data (e.g., interactions within the app)

• Location data, if applicable

Technical data:


• IP addresses

• Metadata

• Device identifiers and device IDs

• Device number and device type

• Device type

• Operating system of the end device

• Device-specific app settings

• Date and time of app accesses

• Time of accesses and technical events (e.g., crashes)

• Transferred data volumes

• Time zone


The data collected in connection with the use of the app is processed for the purpose of performing the user agreement (Art. 6 (1) (b) GDPR).

Insofar as processing is necessary to safeguard legitimate interests (e.g. to ensure IT security or to prevent misuse), it is carried out on the basis of Art. 6 (1) (f) GDPR.

If consent has been requested (e.g., for certain tracking or marketing measures), processing is carried out on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.



5. Registration


You can register in the app to use additional app features. We only use the data you enter for this purpose to provide the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise, we will reject your registration. For important changes, such as changes to the scope of the offer or technically necessary changes, we will use the email address provided during registration to inform you. The data entered during registration is processed for the purpose of implementing the user relationship established by the registration and, if necessary, for initiating further contracts (Art. 6 (1) (b) GDPR). The data collected during registration will be stored by us for as long as you are registered on this app and will then be deleted. Statutory retention periods remain unaffected.


For registration with an Apple account, the provider is Apple Inc., Infinite Loop, Cupertino, CA 95014, USA, https://www.apple.com/de/ios/app-store/. The privacy policy can be found at: https://www.apple.com/legal/privacy/de-ww/. If you register with your social media account, you only need to enter your social media account name and the corresponding password. Your account in our app will then be automatically completed with the data stored in your social media profile. The use of the social media registration function is in our legitimate interest to provide our users with the simplest possible registration process (Art. 6 (1) (f) GDPR). Since the use of the registration function is voluntary and users can decide for themselves on the respective access options, there are no apparent conflicting overriding rights of the data subjects.



6. App access rights


In order to provide our services, the app requests the access rights listed below, which enable us to access certain functions of your device.


• Location data. Access is granted for the following purpose: to display activities in your area and to show event locations.

• Photos. Access is granted for the following purpose: to upload and create images within the app.


The access permissions granted are used exclusively to provide the associated app functionalities. The data may be processed by the app store providers under certain circumstances.


The legal basis for access is, on the one hand, Art. 6 (1) (b) GDPR (contract) and, on the other hand, your consent, which you gave during installation (Art. 6 (1) (a) GDPR). You can change the app's access permissions at any time and revoke your consent in this way. In this case, however, the app or certain app functions may no longer work properly.



7. In-app purchases


Within the app, you have the option of purchasing additional services, such as paid subscriptions (in-app purchases). The purchase is made via the App Store from which you obtained the app. For details, please refer to the respective privacy policies of the App Store. In the case of in-app purchases, you will be redirected to your App Store provider. This may be one of the following app stores:


Apple App Store: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA, https://www.apple.com/de/ios/app-store/. The privacy policy can be found at: https://www.apple.com/legal/privacy/de-ww/.


Google Play: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://play.google.com/store/apps?hl=de. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, so the transfer of your data to the USA cannot be ruled out. The privacy policy can be found at: https://policies.google.com/privacy.



8. Contact


When you contact us (e.g., via contact form, email, telephone, fax, or other channel), your request, including all resulting personal data (e.g., name, request), will be stored and processed by us for the purpose of processing your request. This data is processed on the basis of Art. 6 (1) (b) GDPR, provided that your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interests (Art. 6 (1) (f) GDPR), as we have a legitimate interest in the effective processing of inquiries addressed to us. The data you send us via the contact form will remain with us until you request its deletion, revoke your consent to its storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions—in particular statutory retention periods—remain unaffected.



9. Technical operation and analysis


We use technical services from external providers to provide, secure, and optimize our app. If personal data is processed in this context, this is done exclusively within the framework of legal requirements and on the basis of corresponding contracts for order processing in accordance with Art. 28 GDPR.


Firebase (Google Ireland Limited)

We use services from the “Firebase” platform provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.


Firebase Firestore (database)

We use Firestore to store and process user data and content (e.g., user profiles, uploads, configuration data). The legal basis is Art. 6 (1) lit. b GDPR (performance of the user relationship).


Firebase Authentication

We use Firebase Authentication for user registration and authentication. In particular, email addresses, user IDs, and authentication information are processed. The legal basis is Art. 6 (1) lit. b GDPR.


Firebase Hosting

For the technical provision of the app, connection data (e.g., IP address, time of access) is processed via Firebase Hosting.

The legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the secure and efficient provision of our app.


Firebase Analytics

We use Firebase Analytics, an analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to statistically evaluate the use of our app and to optimize our features and content.

Firebase Analytics processes usage data (e.g., interactions within the app, session duration, technical events), device information, pseudonymous identifiers (e.g., advertising ID – IDFA for Apple or GAID for Android), and the IP address of the device used on our behalf. The processing serves to analyze app usage, technical optimization, and error detection. We receive aggregated evaluations from Google; we do not directly identify individual users.

Processing is carried out exclusively on the basis of your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG. Consent is voluntary and can be revoked at any time with effect for the future.

A contract for order processing has been concluded with Google in accordance with Art. 28 GDPR. Insofar as personal data is transferred to the USA, this is done on the basis of the standard contractual clauses of the EU Commission. Google is also certified under the EU-US Data Privacy Framework.

Further information on data protection at Firebase can be found at:

https://firebase.google.com/support/privacy



10. Recipients of personal data


Your personal data will be transferred to the following recipients:


1) Supabase Inc.: The app itself is hosted by the provider of the app store from which you downloaded the app. We use Supabase as a technical service provider for hosting, database operation, and storage of user content (e.g., profile data, uploads, images). Processing is carried out on our behalf. A contract for order processing in accordance with Art. 28 GDPR has been concluded with Supabase.


2) Google Ireland Limited (“Firebase”): We use services from the “Firebase” platform provided by Google Ireland Limited. We use the following services:


Firebase Firestore (database) for storing and processing user data and content within the app. Processing is carried out for the purpose of implementing the user relationship (Art. 6 (1) (b) GDPR).


Firebase Authentication for user registration and authentication. In particular, login data (e.g., email address, user ID, and authentication information) is processed. The legal basis is Art. 6 (1) (b) GDPR.


Firebase Hosting for the technical provision of the app. Technical connection data (e.g., IP address, time of access) is processed in this process. The legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the secure and efficient provision of our services.


Firebase Analytics for statistical analysis of the use of our app and to optimize our offering. Usage data, device information, and pseudonymous identifiers may be processed in this process. Processing is carried out exclusively on the basis of your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG. Consent can be revoked at any time with effect for the future.


A contract for order processing has been concluded with Google in accordance with Art. 28 GDPR.



11. Data transfer to third countries


Among other things, we use tools from companies based in the USA or other third countries that are not secure in terms of data protection. When these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that these countries cannot guarantee a level of data protection comparable to that of the EU. For example, US companies are required to disclose personal data to security authorities without you, as the data subject, being able to take legal action against this. It cannot therefore be ruled out that US authorities (e.g., secret services) may process, evaluate, and permanently store your data located on US servers for surveillance purposes. We have no influence on these processing activities.



12. Reporting inappropriate content


App users can report inappropriate content to us if they believe it violates our guidelines, general laws, or public decency. Such reports are sent exclusively to us and reviewed by us. We will review every report and remove the reported content if necessary. Data processing is based on Art. 6 (1) lit. f GDPR, as it is in our legitimate interest to respond to inappropriate content or behavior. We will delete unfounded reports immediately after review. Justified reports will be deleted once the purpose has been fulfilled.



13. Encryption


This app uses encryption for security reasons and to protect the transmission of confidential content. This encryption prevents the data you transmit from being read by unauthorized third parties.



14. Storage period


Unless a more specific storage period is specified in this privacy policy, we only store personal data for as long as is necessary for the respective processing purposes.


If the respective purpose no longer applies, the relevant data will be deleted. Termination of the user relationship (e.g., by canceling or deleting the user account) regularly results in the deletion of data that was used exclusively for the purpose of the user relationship.


Any further storage will only take place if and as long as we are legally obliged or entitled to do so, in particular to fulfill commercial or tax law retention obligations or to safeguard legal claims within the statutory limitation periods.



15. Automated decision-making


No automated decision-making takes place.



16. Your rights


You have the following data protection rights under the provisions of the GDPR:


Right to information (Art. 15 GDPR): You have the right to request information about your personal data stored by us.


Right to rectification (Art. 16 GDPR): You have the right to request the rectification of inaccurate personal data concerning you. Taking into account the purpose of the processing, you also have the right to request the completion of incomplete personal data.


Right to erasure (Art. 17 GDPR): You have the right to request the erasure of your personal data.


Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of the processing of personal data concerning you.


Right to data portability (Art. 20 GDPR): You have the right to have personal data that we process automatically, on the basis of your consent or in fulfillment of a contract, handed over to you or to another controller in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.


Right to withdraw your consent (Art. 7 (3) GDPR): If you have given your consent to the processing of your data, you have the right to withdraw this consent at any time with effect for the future.


Right to lodge a complaint (Art. 77 GDPR): If you believe that we are not complying with data protection regulations when processing your personal data, you have the right to lodge a complaint with a data protection authority.



In cases where data processing is based on Art. 6 (1) (e) or (f) GDPR, you have the right to object to data processing on grounds relating to your particular situation (right to object under Art. 21 GDPR).