Contact Information

Owner and Data Controller

Kevin Waltz
Wiltbergstraße 50
13125 Berlin
hello@kaevin.io

Policy Summary

Personal Data processed for the following purposes and using the following services:

Analytics — TelemetryDeck

• Personal Data: anonymized user identifier (per app installation); app events defined by the app publisher; device metadata (system version, app version, device type); rounded timestamp (to the nearest hour)

Beta Testing — TestFlight

• Personal Data: app information; country; device information; device logs; email address; first name; last name; Usage Data

Hosting and Backend Infrastructure

• Firebase Cloud Firestore / Cloud Functions: Usage Data; various types of Data as specified in the service's privacy policy

• Firebase Storage: Usage Data; files and content you upload or that the Application stores on your behalf; metadata relating to stored objects; various types of Data as specified in the service's privacy policy

Platform Services and Hosting — App Store Connect

• Personal Data: diagnostics; Usage Data

Registration and Authentication — Firebase Authentication / Sign in with Apple

• Personal Data: email address

Medical Disclaimer

Preppy is not a medical device, medical product, or healthcare service under EU MDR 2017/745 or the German MPDG. All data and information provided by the Application are for personal, non-medical self-tracking and informational purposes only. Nothing in this Application constitutes medical advice, a diagnosis, or a treatment recommendation. Always consult a qualified healthcare professional regarding any health concerns. Kevin Waltz accepts no liability for health decisions made on the basis of data tracked in the Application.

Full Policy

Types of Data Collected

Among the types of Personal Data that this Application collects, by itself or through third parties, there are:

• Usage Data

• Email address

• Device information

• First name

• Last name

• Country

• App information

• Device logs

• Diagnostics

• Anonymized user identifier

• App events

• Device metadata

• Files and content you upload or that the Application stores on your behalf

• Metadata relating to stored objects

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy. Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using the Application. Unless specified otherwise, all Data requested by this Application is mandatory; failure to provide it may make it impossible for the Application to provide its services. Users are responsible for any third-party Personal Data obtained, published or shared through this Application.

Mode and Place of Processing the Data

Methods of Processing

The Owner applies appropriate technical and organizational security measures to prevent unauthorized access, disclosure, modification, or destruction of the Data. Processing is carried out following procedures strictly related to the stated purposes. Where third parties act as Data Processors, the Owner has entered into Data Processing Agreements (DPAs) per Art. 28 GDPR to ensure Personal Data is processed only on documented instructions and with adequate safeguards in place. The updated list of processors may be requested from the Owner at any time.

Place

The Data is processed at the Owner's operating offices and at the respective service providers. For third-country transfers, the transfer mechanisms listed per service apply.

Retention Time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose it was collected for, and may be retained longer due to applicable legal obligations or User consent. Data collected for contract performance is retained until the contract is fully performed; data processed on the basis of legitimate interests is retained as long as needed to fulfill those purposes. Once the retention period expires, Personal Data is deleted.

The Purposes of Processing

Data is collected to allow the Owner to provide its Service, comply with legal obligations, respond to enforcement requests, and protect its rights and interests. Specific purposes include:

• Hosting and backend infrastructure

• Registration and authentication

• Analytics

• Beta Testing

• Platform services and hosting

• Scientific research

Detailed Information on the Processing of Personal Data

Analytics

TelemetryDeck (TelemetryDeck GmbH)

Privacy-friendly analytics service. All user identifiers are hashed and anonymized before transmission; no IP addresses, cookies, or persistent traceable identifiers are used. Open source SDK: github.com/TelemetryDeck.

• Personal Data processed: anonymized user identifier (per app installation, not traceable to individuals); app events (e.g., "app launched," "settings opened"); device metadata (system version, app version, device type); rounded timestamp (to the nearest hour); additional metadata defined by the app publisher

• Place of processing: Germany – Privacy Policy – Privacy FAQ

• Legal basis: Performance of a contract with the User (Art. 6(1)(b) GDPR)

• CCPA category: internet or other electronic network activity information

Beta Testing

TestFlight (Apple Inc.)

• Personal Data processed: app information; country; device information; device logs; email address; first name; last name; Usage Data

• Place of processing: United States – Privacy Policy

• Transfer mechanism: EU Standard Contractual Clauses (SCCs), Art. 46(2)(c) GDPR

• Legal basis: Consent (Art. 6(1)(a) GDPR)

• CCPA category: identifiers; internet or other electronic network activity information

• This processing constitutes: a Sale in California

Hosting and Backend Infrastructure

Firebase Cloud Firestore (Google LLC)

• Personal Data processed: Usage Data; various types of Data as specified in the service's privacy policy

• Place of processing: Germany – Privacy Policy

• Legal basis: Performance of a contract with the User (Art. 6(1)(b) GDPR)

• CCPA category: internet or other electronic network activity information

Firebase Cloud Functions (Google LLC)

• Personal Data processed: Usage Data; various types of Data as specified in the service's privacy policy

• Place of processing: Germany – Privacy Policy

• Legal basis: Performance of a contract with the User (Art. 6(1)(b) GDPR)

• CCPA category: internet or other electronic network activity information

Firebase Storage (Google LLC)

• Personal Data processed: Usage Data; files and content you upload or that the Application stores on your behalf; metadata relating to stored objects; various types of Data as specified in the service's privacy policy

• Place of processing: Germany – Privacy Policy

• Legal basis: Performance of a contract with the User (Art. 6(1)(b) GDPR)

• CCPA category: internet or other electronic network activity information

Platform Services and Hosting

App Store Connect (Apple Inc.)

Distributed via Apple's App Store; enables the Owner to manage analytics, user engagement, and marketing campaigns. Users may opt-out via their device settings.

• Personal Data processed: diagnostics; Usage Data

• Place of processing: United States – Privacy Policy

• Transfer mechanism: EU Standard Contractual Clauses (SCCs), Art. 46(2)(c) GDPR

• Legal basis: Legitimate interests of the Owner (Art. 6(1)(f) GDPR) — distribution, management, and improvement of the Application

• CCPA category: internet or other electronic network activity information

Registration and Authentication

Firebase Authentication (Google Ireland Limited)

• Personal Data processed: email address

• Place of processing: Ireland – Privacy Policy

• Legal basis: Performance of a contract with the User (Art. 6(1)(b) GDPR)

• CCPA category: identifiers

• This processing constitutes: a Sale in California

Sign in with Apple (Apple Inc.)

May generate a private relay address to shield the user's actual email.

• Personal Data processed: email address

• Place of processing: United States – Privacy Policy

• Transfer mechanism: EU Standard Contractual Clauses (SCCs), Art. 46(2)(c) GDPR

• Legal basis: Performance of a contract with the User (Art. 6(1)(b) GDPR)

• CCPA category: identifiers

• This processing constitutes: a Sale in California

Scientific Research

The Owner may process aggregated, anonymized or pseudonymized Usage Data for scientific research purposes, including academic research and the development and improvement of the Application.

• Personal Data processed: anonymized or pseudonymized Usage Data; app events; device metadata (no directly identifying data where avoidable)

• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) with Art. 89 GDPR and § 27 BDSG; compatible with original collection purpose (Art. 5(1)(b) GDPR)

• Safeguards: data anonymized/pseudonymized before use; results published in aggregated form only; no commercial profiling or advertising

Users have the right to object at any time at hello@kaevin.io.

Cookie Policy

This Application uses Trackers (including device identifiers and technologies functionally equivalent to cookies). In Germany, consent is required under § 25(1) TTDSG before non-essential Trackers are activated. Consent can be withdrawn at any time.

Further Information for Users

Legal Basis of Processing

The Owner may process Personal Data where: the User has given consent for one or more specific purposes; processing is necessary for contract performance or pre-contractual obligations; processing is required by legal obligation; processing is in the public interest or exercise of official authority; or processing serves the legitimate interests of the Owner or a third party.

Retention Time

Personal Data is stored for as long as required for its collection purpose, and may be retained longer due to legal obligations or User consent. Contract-related data is kept until full performance; data on the basis of legitimate interests is kept as long as needed to fulfill those purposes. Once the retention period expires, Personal Data is deleted.

The Rights of Users Based on the GDPR

Users may exercise certain rights regarding their Data:

• Withdraw their consent at any time (without affecting the lawfulness of prior processing)

• Object to processing of their Data

• Access their Data

• Verify and seek rectification

• Restrict the processing of their Data

• Have their Personal Data deleted or otherwise removed

• Receive their Data in a structured, commonly used and machine readable format

• Lodge a complaint with the competent supervisory authority: BlnBDI, Friedrichstr. 219, 10969 Berlin (www.datenschutz-berlin.de), or the authority in their country of residence

Users may object when data is processed for public interest, official authority, or legitimate interests by providing a justification. For direct marketing, no justification is needed. Requests are free of charge and answered within one month.

Data Protection Officer

Not required under Art. 37 GDPR for the current scope of processing activities.

Automated Decision-Making and Profiling

This Application does not carry out automated decision-making with legal or similarly significant effects (Art. 22 GDPR). Analytics services process Usage Data for statistical and performance purposes only.

Further Information for Users in Brazil

This section applies to all Users in Brazil under the LGPD and supersedes any conflicting information.

Legal Grounds for Processing

We process personal information only where we have a legal basis: consent; legal or regulatory obligation; public policies or contracts; research studies on anonymized data; contract execution and preliminary procedures; judicial, administrative, or arbitration procedures; protection of life or safety; health protection; legitimate interests; or credit protection.

Your Brazilian Privacy Rights

You have the right to: obtain confirmation of processing activities; access your personal information; rectify incomplete, inaccurate, or outdated information; anonymize, block, or eliminate unnecessary or excessive data; obtain information on consent options; learn about third-party data sharing; port your personal information; delete data processed based on consent; revoke consent at any time; lodge a complaint with ANPD; oppose non-compliant processing; and request criteria and review of automated decisions.

Requests may be submitted via the contact details provided or through a legal representative. For full disclosure requests we respond within 15 days; for rectification or deletion requests we notify relevant third parties as required.

Transfer of Personal Information Outside of Brazil

Transfers outside Brazil are permitted when necessary for international legal cooperation, to protect life or safety, when authorized by the ANPD, when resulting from international cooperation agreements, or when necessary for public policy or legal obligations.

Further Information for Users in the United States

This section applies to residents of specified states and supersedes any conflicting provisions. We collect Personal Information directly from you, automatically when you use the Application, and from third parties working with us.

Categories Collected or Disclosed in the Past 12 Months

Internet or Other Electronic Network Activity Information

• Personal Information collected or disclosed: Usage Data; device information; email address; first name; last name; country; app information; device logs; diagnostics; anonymized user identifier; app events; device metadata; files and content you upload; metadata relating to stored objects

• Purposes: Hosting and backend infrastructure; Analytics; Beta Testing; Platform services and hosting

• Retention period: for the time necessary to fulfill the purpose

• Sold or Shared: Yes — Targeted Advertising: Yes

• Third-parties: Google LLC; Google Ireland Limited; Apple Inc.; TelemetryDeck GmbH

Identifiers

• Personal Information collected or disclosed: email address; device information; Usage Data; first name; last name; country; app information; device logs

• Purposes: Registration and authentication; Beta Testing

• Retention period: for the time necessary to fulfill the purpose

• Sold or Shared: Yes — Targeted Advertising: Yes

• Third-parties: Google Ireland Limited; Apple Inc.

Your Privacy Rights Under US State Laws

You have the right to: access your Personal Information; correct inaccurate Personal Information; request deletion; obtain a portable copy; opt out of the Sale of your Personal Information; and be free from discrimination for exercising your rights.

California residents may additionally opt out of Sharing for cross-context behavioral advertising and request limitation of Sensitive Personal Information.

Residents of VA, CO, CT, TX, OR, NV, DE, IA, NH, NJ, NE, MT may additionally opt out of Targeted Advertising or profiling for legal/significant decisions, and give, deny, or withdraw consent for Sensitive Personal Information.

Residents of UT and IA may additionally opt out of Targeted Advertising and the processing of Sensitive Personal Information.

To exercise your rights, submit a request via the contact details provided; we will verify your identity and respond within the legally required timeframe. You may also use a global privacy control (e.g., GPC) to opt out of sale or sharing. We will respond without undue delay; if we need more time or must deny your request, we will explain why.

Additional Information About Data Collection and Processing

Legal action: Personal Data may be used for legal purposes or disclosed to public authorities upon request.

System logs: The Application and third-party services may collect logs and other data (e.g., IP address) for operation and maintenance.

Further details: Additional information about specific services or processing may be requested from the Owner at any time.

Changes: The Owner may update this policy at any time. The latest update date is shown below.

Definitions and Legal References

Personal Data (or Data / Personal Information): Any information that directly, indirectly, or in connection with other information allows for the identification of a natural person.

Sensitive Personal Information: Personal Information that is not publicly available and reveals information considered sensitive under applicable law.

Usage Data: Information collected automatically, including IP addresses, URI addresses, request times, methods, file sizes, status codes, country of origin, browser features, operating system, time details per visit, navigation path, and device parameters.

User / Data Subject: The individual using this Application and to whom the Personal Data refers.

Data Processor (or Processor): A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Data Controller (or Owner): A natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of Personal Data.

This Application: The means by which the User's Personal Data is collected and processed.

Service: The service provided by this Application.

Sale: Any exchange of Personal Information to a third party for monetary or other valuable consideration, as defined by applicable US privacy law.

Sharing: Any sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's Personal Information to a third party for cross-context behavioral advertising.

Targeted Advertising: Displaying advertisements selected based on a consumer's activities over time and across non-affiliated websites or applications.

European Union (or EU): Includes all current EU and EEA member states unless otherwise specified.

Latest update: April 5, 2026