Privacy Policy for Kalvenda

Last Updated: March 2026

1. Introduction

This Privacy Policy applies to the use of the mobile application Kalvenda (the “App”), developed and operated by Timon Polley (“we”, “us”, or “our”). We are committed to protecting your privacy and ensuring the security of your personal information in accordance with the General Data Protection Regulation (GDPR) and other applicable laws (including the TDDDG and DDG).

2. Information We Collect & Lawful Basis (Art. 6 GDPR)

We collect the minimum amount of data necessary to operate the App effectively. Our processing is based on the following legal grounds:

• Account & Profile Data: When you create an account, we collect your email address, display name, user IDs, and authentication data (via Google or Email/Password). Lawful Basis: Performance of a Contract (Art. 6(1)(b) GDPR).

• Social & Group Data (User-Generated Content): Your created groups, events, alerts, reactions, and membership information are stored securely on our servers (Google Firebase/Firestore) to synchronize across your devices and with other members of your groups. Lawful Basis: Performance of a Contract (Art. 6(1)(b) GDPR).

• Location & Map Data: When you add a location to an event, precise coordinate data (latitude/longitude) is temporarily processed and optionally stored in our database. It is displayed on an interactive map. No continuous or background location tracking is performed. This data collection is strictly optional. Lawful Basis: Performance of a Contract (Art. 6(1)(b) GDPR).

• In-App Purchases & Subscriptions: Managed via RevenueCat, which processes purchase history, app user IDs, and device IDs on our behalf. Payments are processed securely by Apple or Google. Lawful Basis: Performance of a Contract (Art. 6(1)(b) GDPR).

• Advertisements & Tracking: We use Google AdMob to serve ads. AdMob collects device identifiers (e.g., Advertising ID), approximate location, and interaction data to serve targeted advertising. This involves tracking your data across other apps and websites. For iOS users, this is subject to the App Tracking Transparency (ATT) prompt. Lawful Basis: Explicit Consent (Art. 6(1)(a) GDPR, § 25(1) TDDDG).

• Usage Data, Analytics, & Crash Logs: Firebase collects app interactions, crash logs, diagnostics, device information, and approximate location (IP-based) to improve the App’s performance. This data collection is optional and can be toggled on or off at any time in the App’s Settings. Lawful Basis: Explicit Consent (Art. 6(1)(a) GDPR).

• Push Notifications: Used to alert you about group updates. Firebase Cloud Messaging (FCM) processes a device token. Notifications require your explicit permission.
  Lawful Basis: Explicit Consent (Art. 6(1)(a) GDPR).

Mandatory vs. Optional Data: Providing your email and authentication data is mandatory to use the App. Location permissions, analytics data, push notifications, and advertising tracking are optional.

3. Third-Party Services & Sub-Processors (Art. 28 GDPR)

The App uses third-party services that process data on our behalf under Data Processing Agreements (DPAs):

• Google LLC (Firebase, Google AdMob, Google Sign-In): Database hosting, authentication, crash reporting, and ad serving. Data is hosted in the EU where technically possible. Google’s DPA incorporates EU Standard Contractual Clauses (SCCs).
• RevenueCat, Inc.: Subscription and in-app purchase management. Privacy Policy
• Apple Inc. / Google LLC: Processing of app transactions.

4. International Data Transfers (Art. 46 GDPR)

Google LLC and RevenueCat are established in the US. Transfers of your personal data to the US are safeguarded by Standard Contractual Clauses (SCCs). Details: https://cloud.google.com/terms/data-processing-addendum

5. Automated Decision-Making & Profiling (Art. 22 GDPR)

We do not make automated decisions with legally significant effects. Google AdMob may use automated profiling based on device identifiers to serve personalized ads, subject to your prior consent.

6. Your Rights (Art. 15–22 GDPR)

• Right of Access & Data Portability: You can request an export of your personal data at any time.
• Right to Erasure (Account Deletion): You can permanently delete your account directly within the App’s settings (“Delete Account”). This action completely wipes your user profile, authentication data, and linked user data from our Firestore databases and servers.
• Right to Rectification: You can edit your profile and content within the App.
• Right to Object & Withdraw Consent: You can withdraw your ad or analytics consent at any time via the App’s privacy settings.
• Right to lodge a complaint: You have the right to lodge a complaint with your competent supervisory data protection authority (e.g., LDI NRW, Germany).

7. Data Retention

• Account & Social Data: Retained until you delete your account. Upon account deletion, your data is completely wiped from our database. Some anonymized metadata or group-owned content may remain to preserve group integrity for other members.
• Analytics & Crash Reports: Retained by Google Firebase for up to 90 days.

8. Child Safety

We have a strict zero-tolerance policy against Child Sexual Abuse and Exploitation. Please refer to our CSAE Standards for more information.

9. Contact

If you have any questions or wish to exercise your data subject rights, please contact us at: Email: dev@timonply.com