
Privacy Policy

1. Preamble / Publication Notice

1.1 Purpose and Scope (App & PHP (without CMS) Website)

This privacy policy provides transparent information about the nature, scope, purposes, legal bases, and recipients of the processing of personal data in connection with:

  • the Trabista app (currently Android; iOS planned) and
  • the accompanying PHP website (without CMS) of Trabista.

It describes in particular:

  • which data is processed locally on the device and which data is optionally processed in the cloud (Premium),
  • which legal bases apply in each case (including consents),
  • which third-party providers/recipients are integrated (e.g., Supabase, Google services, Scaleway),
  • retention periods, deletion concepts, and data subject rights,
  • as well as the technical and organizational measures (TOMs) for data protection.

This statement is addressed to users of the app and visitors to the website and applies regardless of whether the app is used offline or optional online features (e.g., cloud synchronization, premium APIs) are activated.

1.2 Note: This Version is Published in the App and on the Website

  • This privacy policy is published identically in the app (Legal/Info section) and on the website (separate page).
  • Changes/versions are made traceable synchronously in both publications (see chapter "Changes & Updates").
  • Insofar as individual services are only activated in the future (e.g., iOS version, later analytics), the corresponding sections will be supplemented and -- where necessary -- new consents will be obtained.

1.3 Validity for Android (iOS Planned), Website without Tracking

  • Android: This privacy policy applies to the published Android app (available via Google Play Store).
  • iOS (planned): Upon publication in the Apple App Store, this statement will be supplemented with Apple-specific notes. Until then, iOS-related passages are considered notices of the planned expansion.
  • Website (PHP website (without CMS)): The website deliberately refrains from tracking/analytics and marketing cookies. Only technically necessary data is processed (e.g., server log files, contact form emails) -- details in the website chapters.

2. Controller, Contact & Imprint

2.1 Controller (Name, Legal Form, Addresses incl. c/o Delivery Address)

Controller within the meaning of Art. 4 No. 7 GDPR
Danilo Endesfelder -- Sole Proprietorship
Delivery/Service Address (c/o): c/o Nico Eberhardt, Pfotenhauerstraße 65, 01307 Dresden, Germany
Note on Address Protection: The address provided is a delivery address (c/o). The operator's private address is not published for privacy protection reasons.
VAT ID No.: TBD (to be added)
Responsible for Content (§ 18 Para. 2 MStV): Danilo Endesfelder, c/o Nico Eberhardt, Pfotenhauerstraße 65, 01307 Dresden, Germany

2.2 Communication Channels (Email General, Phone, Contact Form)

  • General Email: gobbltech@proton.me
    • We use the ProtonMail service provided by Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland for email communication. Data processing is based on Art. 6 Para. 1 lit. f GDPR. Proton AG processes data in a country with recognized adequate data protection level according to Art. 45 GDPR. Further information can be found at: https://proton.me/legal/privacy
  • Contact Form: via the website https://impressum.gobbltech.com/contact.php
  • Legal Notice: A telephone number is not mandatory (ECJ, C-298/07; BGH, PM 41/2025). For the legally required fast and direct contact option, we provide email and a contact form.

2.3 Privacy Contact

For all privacy matters (e.g., information, correction, deletion, withdrawal, objection), you can reach us at:
datenschutz@trabista.app · privacy@trabista.app

2.4 Official Imprint (Binding URL)

Binding exclusively: https://impressum.gobbltech.com/

2.5 Competent Data Protection Supervisory Authority (Address, Tel., Fax, Email, Web)

Saxon Commissioner for Data Protection and Transparency
Maternistraße 17, 01067 Dresden, Germany
Phone: +49 351 85471-101 · Fax: +49 351 85471-109
Email: post@sdtb.sachsen.de · Web: www.datenschutz.sachsen.de

2.6 Data Protection Officer (Status: Not Appointed)

There is currently no data protection officer appointed, as no legal obligation exists.
Should the obligation arise, the information will be added here immediately.

3. Definitions (GDPR Definitions)

Our privacy policy is based on the terminology used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance.

We use, among others, the following terms in this privacy policy:

3.1 Personal Data

Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

3.2 Data Subject

Data subject is any identified or identifiable natural person whose personal data is processed by the controller.

3.3 Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

3.4 Restriction of Processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

3.5 Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

3.6 Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

3.7 Controller

Controller or controller responsible for the processing is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

3.8 Processor

Processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

3.9 Recipient

Recipient is a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

3.10 Third Party

Third party is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

3.11 Consent

Consent is any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

4. Principles of Data Processing

4.1 Lawfulness, Purpose Limitation, Transparency

  • Lawfulness (Art. 5 Para. 1 lit. a, Art. 6 GDPR): We process personal data exclusively on a legal basis (in particular contract/contract performance, consent, legitimate interests, legal obligations). For consents, we inform in advance, document the consent demonstrably (timestamp/scope) and enable withdrawal at any time with effect for the future.
  • Purpose Limitation (Art. 5 Para. 1 lit. b): Data is processed only for clearly defined, legitimate purposes (e.g., local travel management, optional cloud sync, advertising in the free version, support communication). We review purpose changes according to Art. 6 Para. 4 GDPR (compatibility assessment, see 7.2).
  • Transparency (Art. 5 Para. 1 lit. a, Art. 12-14): We inform clearly and comprehensibly about purposes, legal bases, retention periods, recipients, third country transfers, data subject rights, and about the voluntary/mandatory nature of data provision. Changes to this statement are versioned and published synchronously in-app and on the website.

4.2 Data Minimization & Storage Limitation

  • Data Minimization (Art. 5 Para. 1 lit. c): We collect only data that is necessary for the respective function. By default, the app runs offline; optional functions (cloud sync, premium APIs, advertising in the free version) are deactivatable or require consent (where necessary).
  • Storage Limitation (Art. 5 Para. 1 lit. e): We store data only as long as necessary for the purposes or legal obligations exist. Specific periods and deletion concepts are described in Chapter 10 (including account deletion, inactivity rules, backup windows).
  • Accuracy Principle (Art. 5 Para. 1 lit. d): We take appropriate measures to ensure that stored data is factually correct and up-to-date (self-management in-app; corrections upon request).

4.3 Integrity & Confidentiality (Security)

  • Protection Goals (Art. 5 Para. 1 lit. f, Art. 32): We ensure confidentiality, integrity, availability and resilience of systems.
  • TOMs (Overview): Encryption in transit (TLS) and at rest (e.g., SQLCipher locally, server-side encryption for cloud service), key management (Android Keystore/HSM), access controls (least privilege, RLS/JWT), logging/audit, hardening/firewalls, backup/recovery concepts (PITR), incident response procedures including notifications according to Art. 33/34 GDPR. Details in Chapter 11.
  • Confidentiality in the App: No disclosure of local content without active user action (e.g., cloud sync, export). Optional sensitive content (e.g., allergies) remains exclusively local and encrypted.
  • Access by Third Parties: Data processors act under instruction based on Art. 28 GDPR and DPA/SCC; sub-processors are integrated in a controlled manner (see Chapters 8-9).

4.4 Privacy by Design & by Default

  • By Design (Art. 25 Para. 1): Functions are designed to process as little personal data as possible (offline-first, local encryption, proxy concepts for premium APIs, no obligation to use cloud accounts).
  • By Default (Art. 25 Para. 2): Privacy-friendly default settings:
    • App usable without cloud sync by default.
    • Crashlytics/Analytics deactivated; activation only after opt-in.
    • Personalized advertising only after CMP consent (EEA/UK); otherwise non-personalized or completely removed by upgrade.
    • Notifications/Alarms only after OS opt-in.
  • Accountability (Art. 5 Para. 2): We document processing (register according to Art. 30), manage legal bases/consents, conduct DPIA when necessary (Art. 35) and train processes for data subject rights, deletions and incidents.

5. Processing in the App (Operations & Legal Bases)

5.1 Local Data Processing (Standard Operation without Cloud)

Core Statement: The app is fully usable offline. All content is processed and stored exclusively locally in the private app storage of the device. No transmission to our servers or third parties, unless you actively trigger an online function (e.g., cloud sync, premium APIs) or an export.

5.1.1 Data Categories (incl. optional special categories locally only)

  • Travel Data & Content
    • Travels/Trips (name, description, time period)
    • Participants (name/pseudonym, role, optional: contact details such as email/phone for emergencies)
    • Packing lists/Checklists (entries, status, notes)
    • Expenses/Costs (without payment methods; amounts/categories/notes)
    • Attachments (e.g., documents, images) -- in app-internal storage
    • Free text fields (can be filled in by the user as desired)
  • App Settings
    • Language, UI preferences
    • Reminder/notification preferences (local)
    • Optional App Lock (PIN hash with salt; biometrics via operating system)
  • Special Categories (Art. 9 GDPR) -- exclusively local & voluntary
    • e.g., health information (allergies, medication notes) only if voluntarily entered by you in free text fields.
    • Biometrics (fingerprint/face): no storage by the app; verification is performed system-side (OS).
  • Explicitly not collected locally
    • No location tracking via GPS.
    • No calendar or contact book synchronization.
    • No external storage access (the app does not request the READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE permissions).

5.1.2 Purposes (Travel/Packing Planning, Exports, Local Reminders)

  • Travel & Packing Planning: Structured organization of trips, participants, tasks and lists without network connection.
  • Local Reminders/Alarms: Time-accurate notifications for tasks/events without data transmission (OS opt-in required).
  • Exports/Sharing (optional, by user action):
    • ICS export (e.g., appointments) via FileProvider; you decide whether and with what you share/import the file.
    • File/Report export (e.g., PDF/CSV planned) also via FileProvider; without permanent app permission for external storage.
  • Security/Convenience: App lock (PIN/biometrics), session timeout, encrypted local storage.

Important: Without your active action (e.g., activating cloud, sharing file), local content does not leave your device.

5.1.3 Legal Bases (Art. 6 Para. 1 a/b/f; Art. 9 Para. 2 a)

  • Art. 6 Para. 1 lit. b GDPR (Contract/Contract Performance):
    • Core functionality of the app (travel/packing management, local storage, local reminders, exports at your request).
  • Art. 6 Para. 1 lit. a GDPR (Consent):
    • Notifications/Alarms (OS opt-in), insofar as to be qualified as consent under platform law.
    • Voluntary entries of special categories (e.g., allergies) in free text fields.
  • Art. 6 Para. 1 lit. f GDPR (Legitimate Interest):
    • App security (e.g., app lock, integrity checks), abuse prevention within local app usage.
  • Art. 9 Para. 2 lit. a GDPR (Explicit Consent):
    • For special categories (health information), if you voluntarily enter them.
    • Note: This data remains locally encrypted; no transmission to us or third parties.

Voluntary Nature & Consequences: Entry of optional data (especially sensitive information) is voluntary. Without this data, certain convenience functions (e.g., specially tagged reminders) may remain unused, but the core function of the app is retained.

5.1.4 Storage & Security (SQLCipher, Keystore)

  • Storage Location: exclusively internal app storage (sandbox); no external device storage; other apps have no access.
  • Encryption "at rest":
    • SQLite with SQLCipher (AES-256) for content databases.
    • Encrypted SharedPreferences for sensitive settings/flags.
  • Key Management:
    • Android Keystore (hardware-backed, where available) for secure key storage.
    • PIN Protection: Storage as hashed value (SHA-256 with salt); no plaintext PIN.
  • Biometrics:
    • Authentication via operating system API (e.g., fingerprint/face); no raw biometric data in the app.
  • Transport Security:
    • For purely local usage, no network connection required.
    • If the device has network access (e.g., for later online features), cleartext traffic is disabled in the app via the Network Security Config; TLS is enforced throughout and critical domains are certificate-pinned (this affects only online features).
  • Backups (local):
    • Android Auto-Backup is disabled by default to avoid unwanted copies of sensitive content.
  • Retention Period/Deletion (local):
    • Unlimited until manual deletion by you or app uninstallation (then local data is removed).
    • In-app functions allow targeted deletion of individual or all content.
  • Exports:
    • Files are only provided via FileProvider (temporary, controlled access for the target app you choose).
    • No permanent read/write access to external storage areas.

Additional: There is no profiling, no automated decision-making and no silent background transmission of local content. All online processing is described separately in the following sections and requires your active use/consent (where required).

6. Website Processing

6.1 Server Log Files (Contents, Purposes, Separate Storage)

Core statement: Trabista's PHP website (without CMS) operates without tracking. When pages are accessed, technically necessary server logs are generated. These serve exclusively for operation, security, and error analysis.

6.1.1 Processed Log Data (typical)

  • IP address of the requesting device
  • Date and time of access (timestamp)
  • Accessed resource/URL, HTTP method (e.g., GET/POST)
  • Status code (e.g., 200, 404, 500), amount of data transferred
  • Referrer URL (the previously visited page, if transmitted by the browser)
  • User agent (browser/OS type and version, device type)
  • Error/diagnostic entries in error logs (e.g., stack traces for server errors)
  • Server-side protection signals (e.g., rate limit hits, firewall events, bot/spam indicators)

No content analysis: There is no analysis of your input contents for marketing/profiling purposes.
No merging with other data sources (e.g., app usage data).

6.1.2 Purposes of Processing

  • Operation & functionality of the website, delivery of content
  • Security/defense against attacks, abuse and fraud prevention (e.g., DDoS detection, bot defense, firewall rules)
  • Error analysis & stability, performance monitoring, capacity planning
  • Traceability in case of technical disruptions and unlawful access

6.1.3 Legal Bases

  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) -- secure, stable website operation and defense against attacks
  • Art. 6 Para. 1 lit. c GDPR (legal obligation) -- if and to the extent we are legally obligated to provide or retain data upon order (e.g., in the context of investigations)

6.1.4 Storage Duration & Deletion

  • Access logs: short-term retention for technical operation (typically 7-14 days).
  • Error logs/security events: Storage until resolution/clarification of the incident; in case of security incidents, a temporary extension may be necessary.
  • Thereafter deletion or anonymization (e.g., truncation of the IP address).

(Specific periods depend on technical necessity in hosting operations; there is no long-term retention for marketing purposes.)

6.1.5 Recipients & Data Processing

  • Hosting/operating service providers (data center/managed hosting) as data processors pursuant to Art. 28 GDPR -- processing strictly purpose-bound according to instructions.
  • IT security service providers (if engaged) within the scope of disruption/incident analyses -- likewise data processors.
  • Authorities/law enforcement -- only within the legally prescribed framework and in case of corresponding obligation.

6.1.6 Separation from Other Data / No Profiling

  • Server log files are kept separate from other user-related data (e.g., contact form data, see 6.2).
  • No profiling, no cross-site tracking, no marketing/analytics purposes.

6.1.7 Processing Security

  • TLS encryption (HTTPS) for transmission paths
  • Hardening & firewalling at server/application level, rate limiting, bot/spam protection
  • Access/role principle (need-to-know), administrative access logged
  • Regular updates/patches (PHP website (without CMS), server stack)

Note: In connection with Section 6.4 (cookies & tracking), we confirm that no analytics/marketing cookies are set and no third-party trackers are loaded.

6.2 Contact Form & Email (Purposes, Contents, Sending)

Core statement: On the PHP website (without CMS), we provide a contact form. Submissions are not stored in the website database but sent as email to us. Sending occurs via Scaleway Transactional Email (Paris/FR). Alternatively, you can write to us directly by email.

6.2.1 Functional Description (Website)

  • Contact form: Transmission of form fields to the web server; immediate forwarding as email to our destination mailboxes.
  • No ticket system: There is no separate helpdesk; cases are handled as emails.
  • No database storage: Form contents are not persistently stored by the PHP website (without CMS), except for short-term technical buffers/error queues where necessary.

6.2.2 Processed Data (Contents)

  • Required/voluntary fields (form-dependent): Name (optional), email address, subject, message; optionally phone number/attachment, if provided.
  • Metadata: Sending/receipt time, technical headers (message ID, routing), delivery status.
  • Server logs (see 6.1): Time, IP, user agent only within the scope of the website visit (operation/security).
  • Please do not send sensitive content: Do not transmit special categories of personal data (Art. 9 GDPR) via the form/email unless this is necessary and expressly desired (see 6.2.9).

6.2.3 Purposes

  • Processing your inquiry, follow-up questions and communication.
  • Evidence and documentation of case processing, as necessary.
  • Ensuring deliverability/error analysis (Scaleway sending logs).

6.2.4 Legal Bases

  • Art. 6 Para. 1 lit. b GDPR (contract/pre-contractual measures), when the inquiry relates to contract/app usage.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) for general communication, support organization, and IT security/deliverability (minimal logs).
  • Art. 6 Para. 1 lit. c GDPR (legal obligation), insofar as retention/evidence is legally required (only to the extent personal data is involved).
  • Art. 6 Para. 1 lit. a in conjunction with Art. 9 Para. 2 lit. a GDPR in case of voluntary transmission of sensitive data (explicit consent required).

6.2.5 Recipients / Data Processors

  • Scaleway SAS (Paris/FR) -- data processor for email sending of the form (EU location; no planned third-country transfer).
  • Mail providers/mail clients -- delivery/retrieval of emails (transport TLS).
  • No disclosure for advertising/analytics purposes; no other third parties, except when legally obligated (authorities/law enforcement).

6.2.6 Storage Duration & Deletion

  • Email mailbox: No automatic deletion; manual deletion after problem resolution.
  • Scaleway sending logs: 30 days; bounce/complaint lists: 90 days.
  • Legal/evidence obligations: To the extent applicable (e.g., correspondence with contract reference), retention according to legal periods; otherwise deletion after purpose fulfillment.

6.2.7 Security

  • Transport encryption: Form → server → Scaleway → destination mailbox via TLS.
  • Spam/abuse protection: Validations/CSRF protection (without tracking); no marketing pixels.
  • Access protection: Access only for authorized persons (need-to-know), administrative access logged; strong passwords/MFA.

6.2.8 Voluntariness & Consequences of Non-Provision

  • Providing your email address and a message is required for processing. Without sufficient information, a meaningful response may not be possible.
  • Alternatives: Direct sending by email or post (see contacts in Section 2.2).

6.2.9 Special Categories (Art. 9 GDPR)

  • Please do not send sensitive data (e.g., health data) via form/email.
  • If this is exceptionally necessary, processing occurs only with your explicit consent solely for the purpose of handling your concern; thereafter deletion, unless mandatory reasons prevent it.

6.2.10 Transparency Notes (References)

  • Scaleway (data processing in the EU; DPA/TOMs): Sending logs/lists according to 6.2.6.
  • Email security: Despite transport TLS, emails are not necessarily end-to-end encrypted. Use end-to-end encryption (PGP/S/MIME) if you are sending particularly sensitive content.

6.3 Registration on the Website (currently not active)

6.3.1 Status

  • On the PHP website (without CMS), no registration for visitors is provided.
  • No user accounts for website functions (e.g., comments, shop, customer area) are offered.
  • Cloud synchronization of the app is not accessible via website login but -- if desired by the user -- exclusively in the app (see 5.2).

6.3.2 Current Data Processing

  • Since no registration on the website is possible, no corresponding processing (collection, storage, or use of registration data) takes place.
  • No passwords, no user profiles, and no social logins are processed on the website.

6.3.3 Future Outlook (if activated in the future)

Should an optional website registration be introduced in the future (e.g., for support portal, customer area, training materials), the following principles apply -- only after activation. Before starting, we will update this privacy policy synchronously in-app and on the website and -- if necessary -- obtain consent.

6.3.4 Potential Data Categories (only if activated)

  • Master data: Name (optional), display name, email address (required), possibly username.
  • Authentication: Password (server-side stored exclusively as strong hash), email verification/double opt-in (timestamp, token), possibly 2FA seed/2FA backup codes.
  • Logs/metadata: Account creation time, last login, failed logins (for abuse prevention), roles/permissions.
  • Communication: System emails (verification, password reset, security-related notices).

6.3.5 Potential Purposes (only if activated)

  • Provision of the website function for which login is required (e.g., protected download area, ticket overview).
  • Security/abuse prevention (e.g., account locking logic, rate limiting, audit).
  • Support/administration (e.g., role management, traceability of security-relevant changes).

6.3.6 Potential Legal Bases (only if activated)

  • Art. 6 Para. 1 lit. b GDPR (contract/pre-contractual measures) for provision of a registration-required service.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interests) for security, abuse prevention, logging of minimal login metadata.
  • Art. 6 Para. 1 lit. a GDPR (consent) for individual convenience features (e.g., "stay logged in", optional newsletter -- if offered).

6.3.7 Potential Storage Durations & Deletion (only if activated)

  • Account data: for the duration of account use; deletion upon request or in case of inactivity after a defined period (will be specified before activation).
  • Security/login logs: short-cycle, only as necessary for defense/analysis; subsequently deletion/anonymization.
  • Legal/evidence obligations: only to the extent legally required (and personal).

6.3.8 Potential Security Measures (only if activated)

  • TLS (HTTPS) throughout; hardening of PHP website (without CMS);
  • Passwords: exclusively strongly hashed (e.g., Argon2id/bcrypt), no plain text;
  • 2FA/MFA (recommended), rate limiting, account locks for brute force;
  • Role concept/least privilege, logging of critical admin actions.

6.3.9 Potential Recipients & Data Processing (only if activated)

  • Hosting/managed services as data processors (Art. 28 GDPR);
  • Mail sending for system emails (verification/reset) via EU-based mail infrastructure (e.g., Scaleway -- see 6.2);
  • No disclosure to third parties for advertising/tracking purposes.

6.3.10 Voluntariness & Consequences of Non-Provision (only if activated)

  • Providing an email address and a password would be required for account creation. Without this data, there would be no access to registration-required website functions.
  • App usage is independent of this (app remains fully usable without website account).

6.3.11 Minors (only if activated)

  • Target audience 18+. No child-oriented registration functions are offered.

6.3.12 Update of the Privacy Policy

  • Before introducing website registration, the specific parameters (exact data fields, storage periods, recipients, TOMs) will be precisely added to this privacy policy and published.

6.4 Cookies & Similar Technologies (PHP website (without CMS), with CCM19)

Core statement: Our website does not use statistics or marketing cookies. Exclusively technically necessary cookies/similar technologies are used -- in particular the consent cookie of the deployed consent tool CCM19 as well as possibly session-necessary PHP website (without CMS)/server cookies.

6.4.1 Deployment Overview

  • No tracking/analytics cookies, no marketing/retargeting cookies, no third-party pixels.
  • Technically necessary cookies (e.g., session, CSRF/security tokens, load balancing, consent status).
  • Consent management: CCM19 blocks all non-necessary scripts/categories before consent is granted (currently no optional categories are active).

6.4.2 Technically Necessary Cookies (Examples)

  • Consent cookie (CCM19): stores your consent preferences (e.g., "only necessary"), timestamp, possibly anonymous/random ID for evidence, hash/signature of the selection.
  • Session/security cookies (PHP website (without CMS)/server): for delivery of the page, session management, CSRF protection, firewall/rate limit.
  • Properties: purely functional, no tracking across websites, no profiling.

6.4.3 Consent Management with CCM19

  • Purpose: Management of consents/revocations, script blocking for non-necessary categories, evidence (Art. 7 GDPR).
  • Functionality:
    • Upon first visit, the banner is displayed.
    • Only necessary cookies are pre-selected.
    • Your selection (e.g., "Accept only necessary") is stored as consent status.
    • As long as no optional categories are activated, no additional scripts/cookies appear.
  • Processed data (CCM19): Consent status (categories), timestamp, consent ID/hash, possibly anonymized technical metadata for operational security.
  • Storage duration (consent cookie): 12 months (configured), then renewed query.
  • Recipients/role: CCM19 is deployed as a consent management tool; processing of consent status occurs purpose-bound. Transmission to third parties for marketing/analytics purposes does not occur.

6.4.4 No Statistics/Marketing Cookies

  • No services like Google Analytics, Facebook Pixel, Hotjar, etc., are loaded.
  • External content/fonts/CDNs are -- if used at all -- integrated so that no additional tracking cookies are set (e.g., self-hosted fonts).
  • If optional services are introduced in the future, the following occurs beforehand:
    1. Update of this privacy policy,
    2. Obtaining consent via CCM19,
    3. Script blocking until an opt-in decision is made.

6.4.5 Legal Bases

  • Technically necessary cookies: Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure, functional operation) or Art. 6 Para. 1 lit. c GDPR (legal obligations/evidence of consent pursuant to Art. 7 GDPR).
  • Optional categories (currently none active): would be set exclusively on the basis of Art. 6 Para. 1 lit. a GDPR (consent).

6.4.6 Control & Revocation

  • Banner/preferences: You can change or revoke your decision at any time via the "Cookie Settings" dialog linked in the page footer.
  • Browser settings: Additionally, you can delete/block cookies at the browser level.
  • Consequences: With "only necessary," the website remains fully usable; possibly future convenience/third-party functions will not be available if they are offered optionally later.

6.4.7 Storage Durations & Deletion

  • Consent cookie (CCM19): 12 months; early deletion via browser settings or via cookie settings possible.
  • Session/security cookies: session-based (until browser close) or short fixed durations (security/load balancing purposes).
  • Server-side logs of consent events (if necessary): minimal and purpose-bound (evidence, security), deletion after short technical period.

7. Applicable Legal Bases (Overview)

7.1 Art. 6 Para. 1 lit. a-f GDPR (specifically for Trabista)

a) Consent (Art. 6 Para. 1 lit. a GDPR)
Deployed when a function is legally permissible only with prior opt-in or we voluntarily implement it as such:

  • Personalized advertising (AdMob, EEA/UK): Opt-in via CMP/UMP in the app (see 5.4).
  • Crash reporting & analytics (Firebase): deactivated, only after explicit opt-in in the app (see 5.6).
  • Notifications/alarms (POST_NOTIFICATIONS / SCHEDULE_EXACT_ALARM): OS-level opt-in; classified as consent under data protection law (see 5.3).
  • Special categories in free text (e.g., allergies): only voluntarily by the user and exclusively locally (Art. 9 Para. 2 lit. a, see 7.4 and 5.1).
  • Possibly future optional services (e.g., additional third-party integrations): consent before activation.

b) Contract/contract performance (Art. 6 Para. 1 lit. b GDPR)
Required to provide the agreed app functions:

  • Offline core functions: Travel/luggage management, local reminders, exports (5.1, 5.3).
  • Optional cloud synchronization (Premium): Account, auth, sync, device access (5.2).
  • Geocoding/weather (Free/Premium): to the extent necessary for the requested function (5.5).
  • In-app purchases/subscriptions (planned) via Google Play Billing: License check/activation (5.7).
  • Support communication with contract reference: Response/processing (5.8, 6.2).

c) Legal obligation (Art. 6 Para. 1 lit. c GDPR)
Where applicable:

  • Evidence obligations (e.g., consent evidence Art. 7 Para. 1 GDPR; consent logging via CCM19 on the website, 6.4).
  • Information/cooperation with authorities/courts, when legally required.
  • Commercial/tax-related retention, only to the extent personal data is involved and actually occurs with us (e.g., correspondence with billing reference).

d) Vital interests (Art. 6 Para. 1 lit. d GDPR)
Generally not applicable. If processing should exceptionally be necessary to protect vital interests, we rely on this (currently no corresponding standard process in the app; emergency contacts are purely local fields).

e) Public task (Art. 6 Para. 1 lit. e GDPR)
Not applicable (no sovereign tasks).

f) Legitimate interest (Art. 6 Para. 1 lit. f GDPR)
Balancing of interests with right to object (see 12.7). Typical cases:

  • Website operation & security: Server log files, firewall/rate limiting, error analysis (6.1).
  • App operation & stability: Minimal logs/error codes for online features, abuse/fraud prevention (5.2, 5.4, 5.5, 5.7).
  • Non-personalized advertising (AdMob) in EEA/UK without opt-in; purely contextual/aggregation-based (5.4).
  • License/integrity protection with Play Billing (5.7).
  • Consent management (website): Operation of CCM19 including evidence (6.4).

7.2 Purpose Changes (Art. 6 Para. 4 GDPR)

Should processing occur for a different purpose than originally collected, we examine the compatibility according to Art. 6 Para. 4 GDPR based on:

  • Connection between original and intended purpose,
  • Collection circumstances (relationship to us, user expectations),
  • Type of data (including special categories),
  • Possible consequences for data subjects,
  • Existing safeguards (e.g., pseudonymization, encryption, access restrictions).
Only when the requirements are met (or a new legal basis, especially consent, exists) does the purpose change occur. Transparent information and possibly renewed consent are ensured.

7.3 Consent & Revocation (Art. 7 GDPR) -- plus national ePrivacy rule

  • Transparency & evidence: Consents are clearly explained, obtained per purpose, and logged (time, scope). On the website, this is done via CCM19 (consent cookie, 6.4).
  • Revocation: possible at any time with effect for the future -- in-app (e.g., switches for advertising/crash/analytics), in the cookie dialog (website), and via OS settings (notifications, AD_ID).
  • Consequences of revocation: Functionality generally remains intact; the respective optional function (e.g., personalized ads, telemetry) will no longer be used.
  • Additionally (Germany/ePrivacy): § 25 TTDSG.
    • For storing/accessing information on end devices (e.g., cookies, advertising IDs) -- outside technically necessary cases -- prior consent is generally required.
    • Our deployment: only technically necessary cookies (including CCM19 consent), no statistics/marketing cookies (6.4). For app advertising ID/AdTech in EEA/UK, CMP/UMP opt-in is used (5.4).

7.4 Special Categories of Personal Data (Art. 9 Para. 2 GDPR)

  • Principle: We do not process special categories (Art. 9 Para. 1 GDPR) except when you voluntarily enter them in local free text fields (e.g., allergies).
  • Legal basis: Art. 9 Para. 2 lit. a GDPR (explicit consent), granted by your voluntary input; the data remains exclusively local and encrypted (5.1.4).
  • No transmission of such content to our servers or third parties.
  • No processing for medical purposes, no profiling based on sensitive data.
  • Application procedures (only if used, see 15): To the extent applicants voluntarily provide sensitive information, processing likewise only according to Art. 9 Para. 2 lit. a GDPR; additionally § 26 BDSG (Germany) for employee data.

8. Data Processors & Recipients

8.1 Supabase (Data Processor) -- DB/Auth/Edge, Region, TOMs, Sub-Processors

8.1.1 Role, Contract & Scope

  • Role: Supabase processes our customer data ("Covered Data") as a data processor. For own operational/billing/security data ("Usage Data"), Supabase acts as an independent controller -- each as regulated in the DPA with Supabase.
  • Contractual Basis: Data Processing Agreement (DPA) with Supabase including annexes (TOMs, SCC, sub-processor regulations).

8.1.2 Region, Scope of Services, Architecture

  • Region: Storage/processing of Covered Data in our selected EU region (Frankfurt/eu-central-1), according to DPA.
  • Services: Database hosting (Postgres), Auth, Edge Functions/Proxy, Storage, Realtime, etc. according to DPA.
  • Isolation: Multi-tenant schemas with Row-Level-Security (RLS) and JWT-based access, according to DPA.

8.1.3 Data Categories (processed by Supabase)

  • Covered Data: App content stored by us in Supabase (e.g., synchronized travel data/attachments) as well as auth/account data (email, token metadata) -- according to DPA.
  • Usage Data (Supabase's own purposes): Technical operational/billing/security data, as necessary for provision and securing of services -- according to DPA.

8.1.4 Purposes (by Supabase)

  • Provision and operation of subscribed services (hosting, auth, edge), support, security/scaling -- according to DPA.
  • Use of Usage Data by Supabase for operation, billing, security and product improvement -- according to DPA.

8.1.5 Technical & Organizational Measures (TOMs)

  • Transport/Storage Protection: TLS "in transit", encryption "at rest" (AES-256) including backups -- according to DPA.
  • Access/Identity Controls: Roles/least privilege, 2FA/MFA, change management, logging -- according to DPA.
  • Backups/Availability: Encrypted backups, PITR and high availability according to service description -- according to DPA.
  • Tests/Monitoring: Regular security reviews, pen tests by third parties -- according to DPA.

8.1.6 Security Incidents & Notification

  • Incident Handling/Breach Notice: Timely notification, ongoing information and support with authority/data subject notifications according to DPA.

8.1.7 Sub-Processors

  • Categories/Examples: Hosting/network (e.g., AWS, network/CDN), logging/analytics for operational purposes, support/communication tools -- according to DPA.
  • Integration/Transparency: Advance information on changes, objection/coordination mechanisms and liability of Supabase for sub-processors -- according to DPA.

8.1.8 International Data Transfers & Safeguards

  • Transfer Mechanisms: EU Standard Contractual Clauses (SCC) (including possibly UK/Swiss addenda) and -- where applicable -- EU-US Data Privacy Framework (DPF) for participating US providers -- according to DPA.
  • Additional Protective Measures (TIA/Safeguards): Risk-appropriate technical and organizational additional measures according to transfer impact assessment -- according to DPA.

8.1.9 Support for Data Subject Rights & Audits

  • DSR Support: Support for information, deletion, correction, etc., only upon our instruction, according to DPA.
  • Evidence/Audits: Documentation/certificate provision and audit rights within agreed limits -- according to DPA.

8.1.10 Return & Deletion After Contract End

  • Return/Deletion of all Covered Data (including backups/sub-processors) after contract end within agreed periods -- according to DPA.

8.1.11 Implementation in "Trabista"

  • EU region (Frankfurt), RLS/JWT, PITR (7 days), TLS/pinning and key management are active in our implementation (see sections 5.2, 10.2, 11).
  • No transmission of sensitive local app content to Supabase outside of voluntarily activated cloud synchronization.

8.2 Scaleway (Transactional Email, FR)

8.2.1 Role, Contract & Scope

  • Role: Data processor for transactional email sending (website contact form, system emails like verification/reset in cloud context).
  • Contractual Basis: Data Processing Agreement (DPA) with Scaleway including annexes (TOMs, SCC/addenda, sub-processor regulations).
  • Instruction Binding: Processing exclusively for provision of commissioned sending/delivery service according to DPA.

8.2.2 Processing Subject & Data Categories

  • Content Data: User-entered contact form fields (name -- optional, email, subject, message) as well as attachments (if attached).
  • Address Data: Our recipient email addresses (e.g., gobbltech@proton.me, datenschutz@trabista.app, privacy@trabista.app).
  • Transport/Header Data: Sender/recipient, Message-ID, routing information, timestamps.
  • Delivery Logs: Sending logs (success/failure), bounce/complaint lists (undeliverability/complaints).
  • No Tracking: No marketing open/click tracking pixels; no profiling.

8.2.3 Processing Purposes

  • Delivery of website contact requests and system-related notifications.
  • Operational Security/Deliverability: Traceability for failed delivery/bounce, abuse prevention (spam, spoofing).
  • Support & Evidence: Technical proof of sending/acceptance without content evaluation for marketing purposes.

8.2.4 Legal Bases

  • Art. 6 Para. 1 lit. b GDPR (contract/initiation), if request/usage-related.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) in secure communication, deliverability, abuse prevention (minimal logs).
  • Art. 6 Para. 1 lit. c GDPR (legal obligations), where evidence/retention is applicable.
  • Art. 6 Para. 1 lit. a in conjunction with Art. 9 Para. 2 lit. a GDPR for voluntary transmission of sensitive data -- only purpose-bound for request processing.

8.2.5 Location, Data Flows & International Transfers

  • Primary Processing Location: France (Paris/EU).
  • Planned Third Country Transfers: Not planned.
  • Exception Cases/Sub-Processors: If required in individual cases outside the EEA, transfers occur exclusively with appropriate safeguards (SCC, possibly UK/Swiss addenda) according to DPA.

8.2.6 Technical & Organizational Measures (TOMs)

  • Transport: Mail transport via TLS between the participating mail servers, to the extent they support it (not necessarily end-to-end, see 8.2.10); no forced marketing tracking.
  • Storage: Purpose-bound temporary storage/processing within sending chain; access controls, role principle, logging according to DPA.
  • Protection Mechanisms: Anti-spam/anti-abuse, rate limiting, IP/domain reputation; no content-based data mining.
  • Organization: Security policies, patch/vulnerability management, business continuity/disaster recovery according to DPA.

8.2.7 Retention Periods & Deletion

  • Sending Logs: 30 days (technical delivery logs).
  • Bounce/Complaint Lists: 90 days (delivery protection/error analysis).
  • Content Data: No independent, permanent storage beyond delivery purpose; deletion/rotation according to DPA and technical necessity.
  • At our end: Emails in inbox without automatic deletion; manual deletion after problem resolution (see 5.8/6.2). Legal retention obligations remain unaffected.

8.2.8 Recipients, Sub-Processors & Responsibilities

  • Scaleway acts as data processor; any sub-processors are only integrated according to DPA and with appropriate safeguards.
  • No disclosure for advertising/analysis purposes. Authority access only in legally regulated exceptional cases.
  • We remain controller for communication content and configure sending paths.

8.2.9 Data Subject Rights, Support & Audits

  • Data Subject Rights: Information/deletion/correction are processed by us; Scaleway supports us according to DPA.
  • Audits/Evidence: Provision of security/compliance evidence and audit options within agreed framework according to DPA.

8.2.10 Special Notes & User Controls

  • Confidentiality: Despite TLS, emails are not necessarily end-to-end encrypted. For sensitive content, we recommend PGP/S/MIME.
  • Voluntary: Use of form is voluntary; alternatively email or mail is possible (Section 2.2).
  • No Marketing Emails: No sending of newsletters/marketing without separate consent.

8.2.11 Implementation in "Trabista"

  • Website form sends directly via Scaleway to our inboxes; no DB storage in CMS.
  • We implement no tracking pixels/click evaluations.
  • Log/list periods (30/90 days) are configured at Scaleway; our internal deletion occurs after purpose achievement or legal obligations.

8.3.2 AdMob (Advertising in Free Version)

Purpose & Integration

  • Delivery of display advertising exclusively in the free app version.
  • No linkage with local app content (travel data, attachments, etc.).
  • Premium/Pro: No advertising.

Data Categories (by Google)

  • Advertising ID (AD_ID), device/app metadata (OS/app version, device model, language), IP address (derivation of approximate location at country/region level), events (impression/click/error).
  • EEA/UK: Personalization only after consent via CMP/UMP in app; without consent non-personalized ads (context/aggregation-based).

Legal Bases

  • Art. 6 Para. 1 lit. a GDPR (consent) for personalized advertising in EEA/UK.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) for non-personalized ads, reach limitation/fraud prevention and technical operation.

Control & Withdrawal

  • In-App Preferences: Grant/revoke consent; switch to non-personalized.
  • OS Settings: Reset/deactivate advertising ID.
  • Upgrade removes ads completely.

International Transfers & Retention Periods

  • Possible USA transfers by Google; safeguarded via SCC/DPF.
  • Retention according to Google policies (e.g., ad signals typically up to ~14 months).
  • We do not store personalized ad profiles.

8.3.3 Google Play Billing (Purchases & Subscriptions -- planned)

Purpose & Responsibility

  • Processing exclusively via Google Play (account, payment method, billing).
  • Google processes payment/account data independently. We receive only validation signals (e.g., purchase token, subscription status).

Data Categories (minimal at our end, function-related)

  • Purchase Token (temporary, ≤ 24 h) for license verification, subscription status/expiration, last validation timestamp (grace window), feature flags (Free/Premium/Pro) encrypted locally.
  • No payment methods or address data at our end.

Legal Bases

  • Art. 6 Para. 1 lit. b GDPR (contract/service: activation of paid features).
  • Art. 6 Para. 1 lit. f GDPR (license protection/fraud prevention).
  • Art. 6 Para. 1 lit. c GDPR (evidence obligations), only if personal data arises.

International Transfers & Retention Periods

  • Google may process data outside EEA (SCC/DPF).
  • At our end: Token cache ≤ 24 h; license status term + 90 days; validation timestamp 45 days; then deletion/anonymization (details 5.7.6).

8.3.4 Firebase (Crashlytics & Analytics -- **currently deactivated**, only after opt-in)

Purpose & Status

  • Crashlytics: Technical crash reports/stack traces for stability improvement.
  • Analytics: Aggregated usage signals (e.g., screen views).
  • Both are implemented but deactivated by default in our app; activation only after explicit consent (opt-in) within app (EEA/UK via CMP/UMP).

Data Categories (when function activated)

  • Device/app metadata (app/OS version, model), crash details (stack trace, timestamp), events (screen/event IDs), pseudonymous instance/session IDs; no local content data, no special categories.
  • No linkage with your cloud account/email by us.

Legal Bases

  • Art. 6 Para. 1 lit. a GDPR (consent) -- mandatory prerequisite for any transmission to Firebase.
  • Withdrawal at any time in-app; takes effect ex nunc.

International Transfers & Retention Periods

  • Possible USA transfers; safeguarded via SCC/DPF.
  • Retention according to Google policies; we only keep configuration/consent status.

8.3.5 Google Maps Geocoding (Premium, **via EU Proxy**)

Integration & Architecture

  • Only in premium plan; geocoding requests from app are not sent directly to Google, but forwarded via EU-based Supabase Edge Function (proxy).
  • This does not expose your device IP to Google; Google sees the proxy IP (EU).
  • Only parameters necessary for geocoding are transmitted (search string/coordinates), no user identifiers (no email, no account ID).

Responsibility & Data Processing

  • Google processes geocoding parameters independently (own purposes/terms).
  • We use the response exclusively for display/further processing in app (e.g., destination coordinates).

Legal Bases

  • Art. 6 Para. 1 lit. b GDPR (fulfillment of premium function requested by user).
  • Art. 6 Para. 1 lit. f GDPR (operation/stability/error analysis of proxy layer at meta level).

International Transfers & Retention Periods

  • Google may process data EU-internally and -- depending on service -- also transfer to USA (SCC/DPF).
  • Proxy logs (EU): Minimal and short-cycle for operational/security purposes (details 5.5).

Website Note: On the PHP website (without CMS), no Google Maps widget and no Google Geocoding API is used. Section 8.3.5 concerns only the app (premium function).

8.4 Photon (komoot) & OpenStreetMap (Geocoding/Reverse)

8.4.1 Role & Integration

  • Photon (komoot GmbH, DE) and OpenStreetMap Foundation (OSMF, EU/UK servers) are used for location search/geocoding and reverse geocoding -- primarily for free users (standard), OSM as fallback.
  • Both act for their respective processing as independent controllers (Art. 4 No. 7 GDPR). No DPA with us.
  • No continuous location tracking; requests arise only from manually entered locations/addresses or from coordinates initiated by you.

8.4.2 Processed Data (typical)

  • Search/Query Parameters: Location/address/POI or coordinates (lat/lon) for geocoding/reverse geocoding.
  • Technical Metadata: Timestamp, User-Agent, IP address (server-side), status/error signals, possibly rate limit indicators.
  • Not Transmitted: No email addresses, no app accounts/IDs, no local content data (trips, attachments).
  • App-side Local: Your entered destinations/travel objects are only stored locally encrypted (cf. 5.1.4).

8.4.3 Purposes

  • Geocoding/Reverse: Conversion of search terms to coordinates and vice versa for convenient travel/list planning.
  • Quality & Stability: Resolution of technical errors, compliance with terms of use/rate limits (meta/error information).

8.4.4 Legal Bases

  • Art. 6 Para. 1 lit. b GDPR: Required for provision of location search/resolution you requested in the app.
  • Art. 6 Para. 1 lit. f GDPR: Operation/security/abuse prevention based on minimal log data.
  • Consent (Art. 6 Para. 1 lit. a GDPR): Not required, as no optional marketing/tracking services are integrated.

8.4.5 Recipients, Responsibility & Data Flows

  • Photon (komoot GmbH, DE): Recipient of your pseudonymous search requests (without user identifier); processing on German/European servers.
  • OpenStreetMap Foundation (EU/UK servers): Recipient of pseudonymous search/reverse requests; UK is secured by adequacy decision under data protection law.
  • No disclosure by us to other third parties; no use of tracking/marketing pixels in connection with these API calls.

8.4.6 International Transfers

  • Photon/OSM: Regularly no third country transfer; processing occurs on DE/EU/UK servers.
  • Should a provider exceptionally mirror/deliver to other regions, their own safeguards/policies apply; we transmit no user identifiers.

8.4.7 Retention Periods

  • At our end (app): Search terms/coordinates only purpose-bound in respective trip/object; no independent history/profiling.
  • At services: Retention according to providers' own policies (e.g., short-term server/error logs). We transmit only the necessary query parameters.

8.4.8 Security

  • Transport: Consistently TLS between app ↔ service.
  • Data Minimization: No email/account IDs, only search string/coordinates and unavoidable technical metadata.
  • Separation: Results are processed in app; no linkage with ad IDs, crash/analytics data, etc.

8.4.9 Control & Consequences of Non-Provision

  • Without location search you can maintain travel destinations manually as free text; convenience functions (auto-completion, reverse geocoding) are unavailable.
  • Core functions (local planning, checklists, reminders) remain fully usable.

8.4.10 Transparency & Links

  • Photon (komoot) -- Privacy:
  • OpenStreetMap Foundation -- Privacy Policy:

Website Note: On the PHP website (without CMS), no geocoding/maps services are loaded. Section 8.4 concerns only the app (free/fallback).

8.5 OpenWeather (Weather, UK -- via EU Proxy)

8.5.1 Role & Integration

  • OpenWeather Ltd. (UK) provides weather forecasts for travel destinations -- only in premium plan.
  • The app does not call OpenWeather endpoints directly. All requests run via EU-based Supabase Edge Function (proxy).
  • Responsibility: OpenWeather processes parameters forwarded by proxy as independent controller. No DPA with us.

8.5.2 Processed Data (by proxy/service)

  • Query Parameters: Coordinates (lat/lon) or possibly a destination location you selected in app.
  • Technical Metadata (Proxy Level): Timestamp, status/error codes, proxy IP (EU), minimized logs for operational security/abuse prevention.
  • Not Transmitted: No email addresses, no app accounts/IDs, no local content data (trips, attachments).
  • OpenWeather Response: Forecast/weather data (temperature, precipitation, etc.) -- only displayed/processed in app.

8.5.3 Processing Purposes

  • Weather Display for travel destinations you selected, to facilitate planning and preparation.
  • Proxy Purposes: Stability, load control, IP shielding (OpenWeather does not see your device IP, only the EU proxy IP), error handling.

8.5.4 Legal Bases

  • Art. 6 Para. 1 lit. b GDPR (contract/service): Provision of premium weather function you requested.
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest): Operation/stability/security of proxy layer at meta level (minimal logging).
  • Consent is not required for this function (no marketing/tracking services).

8.5.5 International Data Transfers & Safeguards

  • UK has an EU adequacy decision. Requests to OpenWeather (UK) occur via EU proxy.
  • Insofar as OpenWeather makes further transfers within its own service provision, their own safeguards/policies apply (e.g., SCC). We transmit only the necessary coordinate parameters.

8.5.6 Retention Periods

  • App-side: Weather data is used only temporarily for display/session; no permanent, personal storage.
  • Proxy Logs (EU): Short-cycle and purpose-bound (operation/security); no profiling.
  • OpenWeather: Retention according to provider's own policies; no user identifiers are transmitted.

8.5.7 Security

  • Transport: Consistently TLS (app ↔ EU proxy ↔ OpenWeather).
  • Data Minimization: Disclosure exclusively of coordinate-based parameters; no email/account IDs, no AD_ID/tracking IDs.
  • Architecture: EU proxy decouples your end device from OpenWeather; reduces data exposure and enables rate limiting/error sanitizing.

8.5.8 Control & Consequences of Non-Provision

  • Weather function is optional (premium). If you do not use/cancel it, app remains fully functional; only weather display is unavailable.
  • You can still plan travel destinations without weather data.

8.5.9 Transparency & References

  • OpenWeather -- Privacy Policy: (see OpenWeather website)
  • Note: On the PHP website (without CMS), no weather API is loaded. Section 8.5 concerns only the app (premium feature).

9. International Data Transfers

Core statement: Processing occurs primarily in the EU (especially Frankfurt/eu-central-1). International transfers occur only exceptionally and purpose-bound -- for example, with Google services (AdMob, Play Billing, optional Firebase; Premium geocoding) as well as with OpenWeather (UK) or OSMF (UK). All third-country transfers are secured by approved safeguards (especially SCC, possibly EU-US DPF) and additional protective measures.

9.1 Standard Contractual Clauses (SCC -- Modules 2/3)

  • Scope of application: For data exports to third countries without adequacy decision, we use the EU SCC.
  • Modules:
    • Module 2 (Controller → Processor): e.g., when we transfer EU data to a non-EU data processor.
    • Module 3 (Processor → Processor): e.g., when an EU data processor (our data processor) in turn engages a non-EU sub-processor.
  • Onward transfers: Sub-processors may only transfer data based on equivalent protective mechanisms (SCC/adequacy).
  • Core obligations: Purpose limitation, data minimization, confidentiality, state-of-the-art security, assistance with data subject rights, audits/evidence, information obligations regarding government access.
  • Conflict-of-laws clauses: Legal disclosure requests are reviewed, challenged, limited to the legally necessary minimum, and documented; we will be -- to the extent permitted -- notified.

9.2 EU-US Data Privacy Framework (DPF)

  • Applicability: For US recipients certified under DPF (e.g., certain Google entities), we rely on transfers -- to the extent applicable -- on the DPF.
  • Fallback: If DPF does not apply (service/entity/scope), EU SCC (including UK/Swiss addenda, if necessary) plus supplementary TOMs are deployed.
  • Transparency: We monitor changes to the legal framework and update this privacy policy and our contractual situation when necessary.

9.3 Supplementary Technical/Organizational Measures (Safeguards)

  • Encryption: TLS 1.3 for all transmissions; encryption at rest at server/database level; SQLCipher (AES-256) locally.
  • Key management: Android Keystore (app) and HSM-supported procedures on server/provider side (according to DPA).
  • Data minimization/pseudonymization: No transmission of locally sensitive content; cloud sync only with opt-in; API calls (geocoder/weather) without email/account ID.
  • EU proxy/edge: Premium geocoding (Google) and weather (OpenWeather) run via EU proxy; device IP is not disclosed (Google/OpenWeather see the EU proxy IP).
  • Access/role principle: Least privilege, logging of administrative access, 2FA/MFA, RLS (database), JWT-based auth.
  • Logs: minimal operational/error logs, short rotation periods, no profiling.
  • Government access: Review of every request, narrow interpretation, challenging excessive demands, information forwarding to data subjects, to the extent legally permissible.

9.4 UK and Swiss Addenda

  • UK: For transfers to or via the United Kingdom, we use the UK adequacy decision (if applicable, e.g., OpenWeather/OSMF) or EU SCC + UK addendum.
  • Switzerland: If Swiss law is affected, SCC with Swiss addendum/adjustments are used.

9.5 Service/Recipient Overview (Transfer Short Profile)

  • Supabase (EU, Frankfurt)
    • Role: Data processor (database/auth/edge).
    • Primary location: EU. Any sub-processors/telemetry exclusively according to DPA (SCC/safeguards). No export of sensitive local data.
  • Scaleway (FR, EU)
    • Role: Data processor (mail delivery of contact form).
    • Transfer: no planned third countries.
  • Google (independent controller)
    • AdMob (Free ads): EEA/UK with/without consent (personalization); possible USA transfers: DPF/SCC.
    • Play Billing (planned): Payments/account with Google; possible USA transfers: DPF/SCC.
    • Firebase (deactivated; opt-in only): possible USA transfers: DPF/SCC.
    • Maps Geocoding (Premium): Call via EU proxy; Google sees EU proxy IP; possible USA transfers: DPF/SCC.
  • OpenWeather (UK, Premium weather)
    • Role: independent controller.
    • Transfer: EU → UK (adequacy decision); call via EU proxy (no device IP at OpenWeather).
  • Photon (komoot, DE) & OSMF (UK/EU servers)
    • Role: independent controllers (Free/fallback geocoder).
    • Transfer: DE/EU/UK; UK secured by adequacy decision; no planned USA transfers.

9.6 Your Options

  • Without cloud/without Premium, nearly all processing remains local on your device (cf. 5.1, 5.3-5.5).
  • Manage consents: Personalized ads as well as crash/analytics are opt-in and revocable at any time (cf. 5.4, 5.6, 7.3).
  • Export/deletion: Cloud data can be exported and the account deleted in-app; backups expire after 7 days (cf. 5.2.6, 10.2).

10. Storage Durations, Deletion & Retention

10.1 Local Data (Device)

  • Data types: Travel data (trips, participants, checklists, notes), attachments (e.g., photos/documents, if stored locally), settings/feature flags, reminders/alarms, possibly sensitive free text entries (only local).
  • Storage duration: unlimited, until manual deletion by user or app uninstallation.
  • Deletion:
    • In-app: Deletion of individual entries/trips or "Delete all."
    • System-side: Uninstallation removes all app data (app sandbox).
  • Backups: Android Auto Backup is deactivated.
  • Security: SQLCipher (AES-256) + Android Keystore (key management).

10.2 Cloud Data (Supabase)

  • Data types: When cloud sync is activated (Premium) -- account/authentication (email, token metadata), synchronized travel data/attachments, minimally required operational/error logs (edge/proxy).
  • Storage duration:
    • As long as the account is active.
    • Inactivity: Deletion of cloud data after 365 days without active login (planned, see 10.6).
    • Backups: Point-in-time recovery (PITR) 7 days (rotation window).
  • Deletion:
    • In-app function "Delete account & data" (deleteAccountAndData) → immediate deletion of primary data in the production database.
    • Backups: Technical immutability until scheduled overwrite after max. 7 days; no restoration from backups except for investigating a security incident/legal obligation.
    • Attachments/blobs: With account/object deletion, referenced files in cloud storage are also deleted.
  • Note: Without activated cloud sync, no app content is transferred to Supabase.

10.3 Subscription/License Data (local; **planned**, Google Play Billing)

  • Data types (with us):
    • Purchase token (temporary validation cache) -- max. 24 h.
    • Subscription/license status (plan, expiration, renewal) -- during active term, then + 90 days grace/error clarification.
    • Validation timestamp -- 45 days (offline grace).
    • Feature flags (Free/Premium/Pro) -- until app uninstallation or downgrade; in encrypted preferences.
  • Data types (with Google): Payment profile, billing/transaction data -- not with us, storage according to Google policies.
  • Deletion: Expiration/cancellation revokes the license; local caches/status are removed/anonymized after the above periods.

10.4 Email Logs (Scaleway, Website Contact)

  • Sending logs: 30 days (deliverability/error analysis).
  • Bounce/complaint lists: 90 days (spam/delivery protection).
  • Content data: No independent permanent storage at Scaleway beyond the sending purpose.
  • With us (mailbox): No automatic deletion; manual deletion after problem resolution; legal retention obligations remain unaffected.

10.5 Advertising Data (AdMob -- Free version only)

  • Data with Google (independent controller): AD_ID (if present), device/app metadata, IP (coarse location), ad events.
  • Storage duration: According to Google policies; typical signal storage up to ~14 months.
  • With us: No storage of personal ad profiles.
  • Control: Opt-in/opt-out (personalization) in-app; AD_ID in OS reset/deactivate; upgrade removes advertising completely.

10.6 Automated Deletion Routines & Inactivity

  • Planned:
    • Inactivity check for cloud accounts: Notification after 12 months without login; subsequent deletion after 365 days without response/renewed login.
    • Automated cleanup of temporary validation data (billing) after the periods specified in 10.3.
  • Already active:
    • Backup rotation Supabase: Overwrite after max. 7 days.
    • Proxy/edge logs: short-cycle rotation (only operational/security purposes; no profiling).
  • Website logs: Access/error logs 7-14 days (typically), cf. 6.1.

10.7 Procedure for Account Deletion (Cloud)

  1. Initiation: In-app confirmation "Delete account & data."
  2. Immediate action (T-0):
    • Access block, immediate deletion of primary data (database rows, storage objects) including references/metadata.
    • Invalidation of active tokens/sessions.
  3. Follow-up:
    • Backups remain technically for up to 7 days and are then overwritten as part of rotation (no re-import for operational purposes).
    • Support/compliance exceptions: Restoration only if legally required (e.g., incident forensics), with logging and "need-to-know."
  4. Confirmation: (planned) Email notice of completed deletion, if email address is available and delivery is not deactivated.

Legal bases for this section:

  • Art. 5 Para. 1 lit. c/e GDPR (data minimization/storage limitation),
  • Art. 6 Para. 1 lit. b/c/f GDPR (contract, legal obligations, legitimate interests),
  • Art. 17 GDPR (right to erasure) -- implemented via in-app deletion functions and account delete,
  • Art. 32 GDPR (security) -- including encryption/key management/backups.

11. Security (Technical & Organizational Measures -- TOMs)

Principle: Protection of confidentiality, integrity, and availability according to Art. 32 GDPR, state of the art, risk appropriateness. Measures apply to app and website; cloud components are operated in the EU (see 5.2, 6.x, 8.x, 9, 10).

11.1 Organizational Measures (Access, Role, Process Controls)

  • Responsibilities & roles: Clear roles/least privilege; admin access only for a few authorized persons (need-to-know).
  • Joiner/mover/leaver: On-/offboarding with documented rights assignment, immediate revocation upon departure/role change.
  • Instructions/data processing: DPA with data processors (including Supabase, Scaleway). Sub-processors only according to DPA rules.
  • Policies & training: Security/data protection policies; regular awareness training on phishing, password/device protection.
  • Data classification & minimization: Collection "as little as possible"; separation of local/cloud data; no sensitive content in tickets/emails without explicit consent.
  • Change/release management: Code reviews (four-eyes principle), reproducible builds, signed releases (store signature).
  • Secret management: No secrets in source code; secure storage/rotation (provider secrets/keystore).
  • Supply chain security: Updated dependencies; only necessary SDKs; avoidance of tracking libraries without opt-in.
  • Incident management (IR): Documented procedures, escalation paths, notification chains; breach register (Art. 33/34).
  • Audit & logging: Logging of critical admin actions; regular log review (technical, not personal).

11.2 Technical Measures -- Transport (Network/Transmission Security)

  • TLS throughout: App/website ↔ services exclusively HTTPS/TLS 1.3; HSTS on the website.
  • Certificate pinning (app): Active for critical endpoints (Supabase/edge, central APIs).
  • No cleartext connections: Network Security Config rejects cleartext; only explicitly allowed hosts.
  • Secure ciphers & PFS: Contemporary cipher suites with perfect forward secrecy (provider requirement).
  • Proxy shielding: Premium requests to Google Maps/OpenWeather via EU edge/proxy (IP protection, rate limit, error sanitizing).
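As an added illustration of the "no cleartext" and certificate-pinning bullets above (example configuration, not Trabista's own), an Android Network Security Config that rejects cleartext for every host and pins the sync endpoint's public key; the host name, pin digests and expiration date are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config".
     Added example: the host, pin digests and date below are placeholders, not real values. -->
<network-security-config>

    <!-- Weak setting, shown for contrast: cleartextTrafficPermitted="true" would let any
         http:// request leave the app unencrypted. The hardened value is "false". -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Only the system CA store; user-installed CAs are not trusted in release builds. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for the cloud sync / edge endpoint (placeholder host). -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">PLACEHOLDER-PROJECT.supabase.co</domain>
        <pin-set expiration="2026-12-31">
            <!-- SHA-256 over the SubjectPublicKeyInfo, base64-encoded; placeholders, not real pins. -->
            <pin digest="SHA-256">REPLACE_WITH_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- Always ship a backup pin (next key or issuing CA) so a key rotation does not
                 lock users out; after the expiration date the pins are no longer enforced,
                 so a forgotten update fails open instead of breaking the app. -->
            <pin digest="SHA-256">REPLACE_WITH_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only while android:debuggable is true: lets a local test proxy's
         user-installed CA be trusted during development; release builds ignore it. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```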

11.3 Technical Measures -- Storage (At-Rest Protection)

  • Local (app):
    • SQLCipher (AES-256) for database contents;
    • Android Keystore (preferably StrongBox) for keys;
    • Encrypted SharedPreferences for sensitive settings (e.g., feature flags, future billing status).
    • PIN/biometrics for app lock (optional, OS BiometricPrompt).
  • Cloud/server:
    • Encryption "at rest" (provider side, e.g., AES-256) including backups;
    • PITR backups (7 days) with automatic rotation;
    • Separation of production data and operational/error logs.
  • Passwords (auth): bcrypt hashing (Supabase Auth), salting; no plain text storage.
  • Data minimization: No storage of payment data; purchase tokens only temporarily (≤ 24 h) -- planned, see 5.7/10.3.

11.4 Access & Authentication (App/Backend/Admin)

  • App side: Short-lived JWTs (Supabase Auth), row-level security (RLS) at database level, session timeouts; no direct third-party access to local content.
  • Backend/admin access: MFA/2FA mandatory; strong passwords; IP protection/rate limit; logging of administrative access.
  • Rights concept: Role/rights model (least privilege); regular review/recertification of permissions.
  • Secret rotation: Regular key/token rotation; revocation of compromised tokens/sessions (invalidate on delete).
  • Integrity checks (planned): Regular certificate health check (worker), integrity checks for offline license window.

11.5 Monitoring, Firewalls, Backups (Operations & Availability)

  • Hardening & firewalls: Provider-side network/application firewalls, rate limiting, protection against injection/XSS/CSRF (framework/middleware).
  • Logging: Minimal operational/error logs (time, status, no content data); short rotation periods; no profiling.
  • Performance/availability: Monitoring of core endpoints; automatic restart on failures; capacity planning.
  • Backups: Encrypted backups, geographically redundant according to provider standard; PITR 7 days (see 10.2); no restoration for operational purposes after account deletion.
  • Website operation: Regular core/plugin updates, theme hardening, only necessary plugins; protection against brute force/spam.

11.6 Incident Response & Notifications (Art. 33/34 GDPR)

  • Detection & triage: Continuous monitoring of security-relevant events; prioritization by impact/scope.
  • Containment & forensics: Immediate isolation of affected components, evidence preservation (log/system-side) to the necessary extent.
  • Notification to supervisory authority: Without undue delay, where feasible within 72 hours after awareness (Art. 33), including nature, categories, approximate number of data subjects/records, consequences, and measures taken.
  • Notification to data subjects: Without undue delay in case of high risk (Art. 34); clear, understandable information about risks and countermeasures.
  • Follow-up: Root cause analysis, action plan, update of TOMs/training, documentation in breach register.
  • Contact point: Data protection contact datenschutz@trabista.app / privacy@trabista.app (see Section 2/18); competent supervisory authority see Section 2.5.

12. Data Subject Rights

Principle: You have the following rights under Art. 15-21, 7 Para. 3, 22 GDPR. Exercise is free of charge. We respond within one month of receiving your request; extension by up to two months is possible for complex/numerous requests (notice with justification within one month). Manifestly unfounded or excessive requests may be rejected or subject to a reasonable fee.

Contact Channels for Exercising Rights:

  • In-App: Settings → Privacy/Account (view/change data, local deletion functions, cloud account deletion).
  • Email: datenschutz@trabista.app, privacy@trabista.app (Sections 2.3, 18).
  • Mail/Phone: see Section 2.2.
  • Website Cookies/Consent: Website footer → Cookie Settings (CCM19) (Section 6.4).

Identity Verification: We may request additional information necessary to confirm identity (e.g., verification of cloud account email). This serves to protect your data.

12.1 Right to Confirmation

You have the right to request confirmation whether we process personal data concerning you (Art. 15 Para. 1 GDPR -- "whether processing").
How? Short-form request in app (cloud account) or via email (see above). For purely local data on your device, we confirm that it is processed only locally (Section 5.1).

12.2 Right of Access

You have the right to access information about:

  • Processing purposes, categories of personal data, recipients/categories (including third countries/IO),
  • Retention period or criteria,
  • Origin of data, if not collected from you,
  • Existence of automated decisions including profiling, including meaningful information about the logic involved, significance, and envisaged consequences,
  • Your rights (rectification, erasure, restriction, objection, complaint).

You receive a copy of the personal data undergoing processing (Art. 15 Para. 3 GDPR). Further copies may be subject to a fee.
Note local/cloud: For local app data, only you have access (we do not). For cloud data (Supabase), we provide a structured data copy (depending on scope as download link; Sections 5.2, 10.2).

12.3 Right to Rectification

You have the right to have inaccurate personal data rectified without undue delay; incomplete data must be completed (Art. 16 GDPR).
How?

  • In-App: All content (trips, participants, notes, etc.) is directly editable.
  • Cloud Account: Email/profile data via app; if problems arise, via email to us.

12.4 Right to Erasure ("Right to be Forgotten")

You have the right to request erasure of personal data (Art. 17 GDPR), particularly if:

  • The purpose has ceased,
  • You withdraw consent and there is no other legal basis,
  • You lodge an objection (Art. 21 GDPR) and no overriding grounds exist,
  • Data was processed unlawfully,
  • Erasure is necessary to fulfill a legal obligation,
  • Data was collected in relation to information society services pursuant to Art. 8 Para. 1 GDPR.

How?

  • Local (device): In-app "delete all" or selective deletion; app uninstallation completely removes local data (Section 10.1).
  • Cloud: In-app "Delete account & data" → immediate primary deletion; backups are overwritten within max. 7 days (no restoration for operational purposes), cf. 10.2/10.7.

Exceptions: Erasure may be refused/postponed if legal obligations or establishment/defense of legal claims prevent it (Art. 17 Para. 3 GDPR).

12.5 Right to Restriction of Processing

You may request restriction (Art. 18 GDPR) if:

  • The accuracy of data is contested by you (for duration of verification),
  • Processing is unlawful and you request restriction instead of erasure,
  • We no longer need the data but you require it for establishment/defense of legal claims,
  • You lodged an objection pursuant to Art. 21 Para. 1 GDPR (for duration of balancing).

When restricted, data is marked and processed only for the stated purposes.

12.6 Right to Data Portability

You have the right to receive data you have provided to us in a structured, commonly used, machine-readable format and -- where technically feasible -- to request direct transmission to another controller (Art. 20 GDPR).
How?

  • App Export: e.g., ICS export (calendar format) via FileProvider (Sections 5.9.4/5.9.5).
  • Cloud Data: Upon request data export; provision as download (format depends on data type).

12.7 Right to Object

You may at any time object to processing based on Art. 6 Para. 1 lit. e or f GDPR on grounds relating to your particular situation (Art. 21 GDPR). We will then no longer process the data unless we demonstrate compelling legitimate grounds.
Special Case Direct Marketing: Objection to processing for direct marketing is possible at any time; in this case we cease processing for these purposes.
For Trabista specifically:

  • Non-personalized advertising (AdMob) is based on legitimate interest -- you can choose upgrade (ad-free) or use app offline; personalized advertising occurs only with consent (Art. 6 Para. 1 lit. a), which you can withdraw (see 12.8/5.4).
  • Operational/security logs (app/website) are minimized (Sections 5.x/6.1); objection will be examined within balancing of interests.

12.8 Right to Withdraw Consent

You may withdraw granted consents at any time with effect for the future (Art. 7 Para. 3 GDPR).
How?

  • In-App: Toggles for personalized advertising, Crashlytics, Analytics (by default off, 5.4/5.6).
  • Website: Cookie Settings (CCM19) -- changeable at any time (6.4).
  • OS Settings: Notifications/exact alarms revocable; AD_ID resettable/deactivatable.

Consequences: Withdrawal does not affect the lawfulness of processing carried out before the withdrawal; the respective option is deactivated.

12.9 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), particularly in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
Competent at company headquarters:
Saxon Commissioner for Data Protection and Transparency
Maternistraße 17, 01067 Dresden
Phone: +49 351 85471-101 · Fax: +49 351 85471-109
Email: post@sdtb.sachsen.de · Web: www.datenschutz.sachsen.de
(Independently, you may contact any other supervisory authority in the EEA.)

12.10 Exercise of Rights (In-App & Email) -- Process & Notes

Process (Cloud Data):

  1. Submit request (in-app or via email) with indication of your account email;
  2. Identity verification (if necessary);
  3. Processing within 1 month; possibly extension (notice with justification);
  4. Provision of information/data copy/deletion confirmation via secure communication channel.

Locally Stored Data:

  • This data resides exclusively on your device. You can manage/delete it yourself (Section 10.1). No remote access is possible for us.
  • Upon app uninstallation, all local data is removed.

Special Cases:

  • Special Categories (Art. 9 GDPR) -- only local and voluntary; we do not process them in the cloud (Sections 5.1, 7.4).
  • Purchases/Subscriptions (Google Play, planned): Payment/account data resides with Google (independent controller). Exercise rights there; we support regarding license-related data (Section 5.7).
  • Website Cookies/Consent: Adjustment immediately via CCM19 (6.4).

13. Minors

13.1 Target Audience 18+

  • Orientation: Trabista is exclusively directed at adult users (18+). The app store target audience is configured accordingly; content, functions, and communication are not child- or youth-oriented.
  • No child orientation/profiles:
    • No design as a child- or youth-oriented offering, no addressing of minors, no dedicated children's areas.
    • No profiling, behavioral advertising, or personalization targeting minors.
  • Cloud/online functions: The (optional) cloud synchronization as well as premium services are intended for adult users.
  • Advertising (free version): Ads are not child-directed; personalization occurs only with consent (EEA/UK) and not with child-specific targeting.
  • Notice upon knowledge of a minor: If we receive specific notice that an account/co-use occurs by a person below the applicable age of majority or digital consent age, we take appropriate measures:
    • Block further online processing (e.g., cloud sync),
    • Contact the reported user for clarification,
    • Deletion of the cloud account and the data stored there, unless a legal impediment prevents it.
  • Local app data resides exclusively on the device and can be deleted there by the device owner.

13.2 No Parental Consent Activated

  • No child consent processes: We do not collect consents from parents/guardians, as Trabista is not intended for minors and is not offered as child-oriented.
  • Legal framework (EU/EEA/UK):
    • We do not rely on consents of minors for optional services. In the EU, the age of digital consent is 16 years (member states may set it lower); in the UK it is 13 years. Since Trabista addresses 18+, we refrain from claiming child-related consents.
  • Data subject rights by guardians: If a guardian asserts rights for an affected minor child (e.g., access/deletion for a wrongly created cloud account), we verify the representation authority and fulfill the request in accordance with GDPR (see Section 12).
  • Contact point: Reports/inquiries please to datenschutz@trabista.app or privacy@trabista.app with a brief note on the minor-related matter (no upload of sensitive documents without request).

14. No Automated Individual Decision-Making/Profiling

14.1 No Decisions within the Meaning of Art. 22 GDPR

  • No deployment at Trabista: No processing is carried out where exclusively automated decisions produce legal effects for users or similarly significantly affect them (Art. 22 Para. 1 GDPR).
  • Specifically:
    • No credit/solvency checks, no suitability/risk assessments, no algorithmic blocking/exclusion decisions with legal effect.
    • License/access checks (e.g., Play Billing token, session/JWT validation, rate limits) are technical access controls for contract performance. They do not constitute a decision within the meaning of Art. 22; in case of technical misclassifications, manual review is possible (contact: datenschutz@trabista.app / privacy@trabista.app).
    • Support cases are always assessed by humans.
  • Application procedures (Section 15): There are no automated selection/rejection decisions; decisions are human-led.

14.2 No Profiling with Legal Effect/Similar Significant Impact

  • No own profiling: Trabista does not create personal usage profiles to evaluate personal aspects (e.g., interests, behavior) and make decisions based on them with legal effect.
  • Analytics/crash (currently deactivated): If users voluntarily consent in the future, aggregated/technical signals (e.g., crash clusters, screen views) are used solely for product improvement -- without personal profiling, without feature gating by user characteristics.
  • Advertising (AdMob):
    • Personalized advertising in EEA/UK occurs only with consent and is subject to the independent responsibility of Google under data protection law (Section 8.3.2). Even in this case, the delivery has no legal effect/similar significant impact within the meaning of Art. 22.
    • Non-personalized advertising (without opt-in) is based on context/aggregates; no profiling by us.
    • No linking of advertising signals/AD_ID with local app content (trips, notes, attachments).
  • Geocoding/weather/cloud sync: The parameters generated (search strings/coordinates, sync metadata) are not used for personal profiling; no cross-device merging, no marketing segments.
  • User controls: Consents can be revoked at any time (app settings / CMP; details in Section 7.3, 5.4, 5.6). For technical blocks/misclassifications perceived as unjustified: manual review upon request (contact see Section 18).

15. Application Procedures (Currently No Job Postings)

Applicability: This section applies only if you apply with us (e.g., to a job posting or unsolicited). Currently, we do not operate an applicant portal; applications are typically made by email or by post. An online form may optionally be provided; in this case, the following provisions apply accordingly.

15.1 Purposes & Legal Bases

Purposes of processing

  • Conducting the application procedure: Review, selection, communication, appointment scheduling, decision preparation.
  • Documentation/evidence of proper procedure (e.g., equal treatment).
  • Possibly recruitment into an employment relationship.

Legal bases

  • Art. 6 Para. 1 lit. b GDPR in conjunction with § 26 Para. 1 BDSG (pre-contractual measures for an employment relationship).
  • Art. 6 Para. 1 lit. f GDPR (legitimate interest) for legal defense/securing evidence (e.g., within the scope of the AGG) or IT security (spam/abuse prevention).
  • Art. 6 Para. 1 lit. c GDPR (legal obligations), where applicable (e.g., tax/commercial documentation for travel expense reimbursement).
  • Art. 9 Para. 2 lit. b GDPR (labor law) or Art. 9 Para. 2 lit. a GDPR (explicit consent), only if you voluntarily disclose special categories of personal data (e.g., health data, disability) and these are necessary for the decision.
  • Art. 6 Para. 1 lit. a GDPR (consent), only if you expressly consent to longer retention (talent pool).

15.2 Required/Voluntary Information

Required (typically):

  • Master data/contact: Name, address, email, possibly phone number.
  • Application documents: Cover letter, CV, qualification-related evidence (certificate copies, references).

Voluntary (optional):

  • Additional information you wish to provide (e.g., portfolio, work samples).
  • Special categories (Art. 9 GDPR), only if you voluntarily disclose them and they are relevant for the intended position (e.g., disclosure of a disability). In this case, we process this information purpose-bound (see 15.1) and only to the necessary extent.

Please note:
Do not submit unnecessary sensitive data. If we do not request such data, it is not necessary for the procedure.

15.3 Transmission/Transport (Email/Online Form, Encryption)

  • Email application: Transport typically occurs via TLS between mail servers but is not automatically end-to-end encrypted. If you send sensitive content, we recommend PGP/S/MIME or postal submission.
  • Online form (if provided):
    • Transmission encrypted (HTTPS/TLS) to our server.
    • Forwarding as email to the internal mailbox (transport TLS).
    • No ticket/helpdesk system; processing occurs as email case (cf. website contact in 6.2).
  • Postal route: Alternatively, you can submit documents by post.
  • Internal recipients: Exclusively the departments responsible for personnel selection.
  • Data processors: Mail/hosting services (EU), Scaleway for form emails (FR, EU) -- each DPA-bound; no disclosure to third parties for marketing/analytics purposes.

15.4 Storage Duration (typically 6 months) & Legal Retention

  • Unsuccessful applications:
    • Deletion typically after 6 months from completion of the procedure to answer follow-up questions and defend against claims under the AGG.
    • Legal retention obligations remain unaffected (e.g., tax documentation for travel expense reimbursement -- retention according to tax/commercial retention periods).
  • Talent pool (only with consent):
    • Separate, voluntary consent for extended retention (e.g., 12 months).
    • Revocation at any time with effect for the future; we delete the documents immediately unless legal obligations prevent it.
  • Successful application:
    • The application documents become part of the personnel file and henceforth are processed for employment purposes (separate information obligations in employee data protection).
  • Integrity & access:
    • Access only for authorized persons (need-to-know); logging of administrative access; protection against unauthorized access (technical/organizational).

Your rights in the application procedure: Access, rectification, erasure, restriction, objection, data portability, revocation of consents granted (cf. Section 12).
Contact: datenschutz@trabista.app / privacy@trabista.app (please subject "Application -- Data Protection").

16. Changes & Updates

16.1 Regular Review/Adjustment

  • Review cycle: At least quarterly as well as event-driven (new features/SDKs, new recipients/regions, legal changes, app store requirements).
  • Scope: App (Android; iOS planned) and PHP website (without CMS) including CCM19 consent layer.
  • Responsibility & documentation:
    • Internal owners (product/tech/data protection) maintain a change log with date, description, risk/legal review (including TIA/DPIA if necessary), approvals, and rollout plan.
    • DPA/sub-processor register is maintained synchronously (e.g., Supabase, Scaleway; Google as independent controller separately listed).
  • Synchronization of technical artifacts: Adjustment of in-app consent (CMP/UMP), CCM19 categories, store questionnaires (Google Play Data Safety), release notes.

16.2 Consent-Relevant Changes (Information & Re-Consent Obligations)

Material changes are made transparent before activation; where legally necessary, we obtain new consents. These include in particular:

  • New purposes or purpose changes (Art. 6 Para. 4 GDPR), e.g., introduction of analytics/crashlytics or personalized advertising in previously unaffected areas.
  • New data categories (especially special categories under Art. 9 GDPR), extended logs, or profiling elements.
  • New recipients/sub-processors, new regions/third countries, or changed transfer mechanisms (e.g., SCC/DPF status).
  • Changes in roles/controllers, contact addresses, supervisory authority, or minimum age/target group.
  • Integration of additional cookies/similar technologies (website) via CCM19.

How do we inform?

  • In-app: Timely via notice banner/dialog with link to the new privacy policy; opt-in switches for affected features (e.g., ads personalization, analytics/crash).
  • Email (cloud users only): Brief notice of material changes with link to the version and to opt-in/opt-out options.
  • Website: Notice bar + CCM19 re-prompt when cookie categories are affected.

Re-consent & revocation:

  • New/extended purposes are delivered deactivated (opt-in required).
  • Already granted consents do not automatically apply to new purposes/categories.
  • Revocation at any time in app settings/CMP or cookie settings (website) possible (cf. Section 7.3).

16.3 Versioning & Validity

  • Version information: Each version bears version and effective date (e.g., "Privacy Policy Trabista v1.0 -- effective from 2025-09-21").
  • Archiving: Previous versions are archived and provided upon request; for material changes, we maintain a change log.
  • Multilingualism: An English translation is provided. The German version is binding.
  • Publication: Simultaneous provision in the app (legal/info area) and on the website (static page). The reference to the official imprint remains unchanged (see Section 2.4).
  • Conflict rule: In case of conflicts between brief notices (banner/release notes) and the complete privacy policy, the complete version applies.

17. Publication & Applicability

17.1 In-App Deposit (Legal/Info Area)

  • Location: "Settings" → "Legal/Privacy."
  • Version/version status: Clearly visible (e.g., "Privacy Policy Trabista v1.0 -- effective from YYYY-MM-DD").
  • Offline access: Full text is cached locally so it is viewable without internet; upon updates, notice dialog (see 16).
  • In-app links:
    • Privacy contact: datenschutz@trabista.app, privacy@trabista.app
    • Supervisory authority: Short link to the authority from 2.5
    • Imprint: Link to the binding imprint page (see 17.3)
  • Store reference: The in-app text corresponds to the version published on the website (synchronized).

17.2 Website Publication (static page, without tracking)

  • URL & findability: Static page "Privacy" in main menu/footer menu; no tracking scripts; consent banner (CCM19) shows only necessary cookies (cf. 6.4).
  • Languages: German (binding) + English (translation).
  • Versioning/archive: Visible version information; older versions upon request.
  • Play Store requirement: The "Privacy Policy URL" field in the Google Play listing refers to this website privacy page.
  • Consistency: Content identical to the in-app version; changes are rolled out synchronously (cf. 16).

17.3 Reference to Official Imprint

  • Imprint: https://impressum.gobbltech.com/
  • In-app & website: The above link is used uniformly everywhere (settings/legal in the app, footer/legal on the website).
  • Contact options: Email (gobbltech@proton.me as well as datenschutz@trabista.app / privacy@trabista.app) remain unchanged; a telephone obligation does not exist (note as in Section 2).

18. Contact for Privacy Matters

18.1 Privacy Email Addresses

  • Primary: datenschutz@trabista.app
  • Alternative: privacy@trabista.app

Notes for efficient processing (voluntary):

  • Subject e.g.: "GDPR request -- access/erasure/rectification/objection/data copy".
  • Indication of the app version and -- if cloud sync is used -- the email address registered with us (for identity verification).
  • Do not send sensitive documents unencrypted. For confidential content, please use PGP/S/MIME or initially only outline the matter briefly; we will then coordinate the further procedure.
  • We confirm receipt and respond typically within one month (Art. 12 Para. 3 GDPR). In complex cases, the period can be extended by up to two months; you will then receive an interim notification.

18.2 General Contact (without specific GDPR reference)

  • Email (general): gobbltech@proton.me
  • Contact form: Accessible via the official imprint (see Section 17.3).
  • Postal address (delivery/legal capacity -- c/o):
    Danilo Endesfelder -- Sole Proprietorship
    c/o Nico Eberhardt
    Pfotenhauerstraße 65
    01307 Dresden
    Germany

Important:

  • For GDPR rights (access, erasure, etc.), please use preferably the privacy emails from 18.1 -- this ensures fast, documented processing.
  • The competent supervisory authority can be found in Section 2.5; you have the right to lodge a complaint there (Art. 77 GDPR).
  • Telephone availability is not legally required; we offer email and contact form as immediate, verifiable communication channels.

Achievement unlocked: Privacy Policy 100%
Loot: GDPR know-how. Next run: Your own, robust privacy policy?
Email to info@trabista.app, subject "We also want a good privacy policy" -- Danilo knows someone.
Legal notice: purely informative; no change to the legal situation.