Preface

The app, as it exists here and now, was actually intended as a prototype to show what is possible. When I started development in 2019, Google Firebase was a simple but powerful solution for a backend. Firebase allows, for example, multiple people to work on the same calendar, even if the internet connection breaks in between - without much effort for development. In addition, it is also free until you have a lot of users.

I am not a fan of Google and its privacy policy at all. If the app ever forms a solid financial basis for further development, then I will remove Firebase.

Until then, our users unfortunately have to live with Google.

§ 1 General

We take the protection of your personal data very seriously and treat it confidentially and in accordance with legal data protection regulations and this privacy policy. This privacy policy applies to our mobile web, iPhone, and Android apps (“APP”). It explains the type, purpose, and scope of data collection in the context of APP use. We would like to point out that data transmission over the Internet can have security gaps. Complete protection of the data from access by third parties is not possible.

Responsible Entity

The responsible entity for data processing within the scope of this APP is:

Mathias Münscher
Kiehlufer 45
12059 Berlin

Telefon: +49-177-5588669
E-Mail: info@onceweek.app

"Responsible Entity" is the body that collects, processes or uses personal data (e.g. names, email addresses, etc.).

General Storage Duration of Personal Data

Subject to differing or specifying information within this privacy policy, the personal data collected by this APP will be stored until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies. If there is a legal obligation to retain or another legally recognized reason for storing the data (e.g., legitimate interest), the relevant personal data will not be deleted before the respective reason for retention ceases.

Legal Basis for the Storage of Personal Data

The processing of personal data is only permitted if there is a valid legal basis for the processing of this data. If we process your data, this is regularly done on the basis of your consent according to Art. 6(1)(a) GDPR and § 25 para. 1 TTDSG, for the purpose of contract fulfillment according to Art. 6(1)(b) GDPR (e.g., when using in-app purchases or using other paid app features) or due to legitimate interests according to Art. 6(1)(f) GDPR, which are always weighed against your interests (e.g., in the context of advertising measures). The relevant legal bases will be specified separately within this privacy policy if necessary.

Encryption

This app uses encryption for security reasons and to protect the transmission of confidential content, such as the requests that you send to us as the app operator, or the communication between app users. This encryption prevents the data that you transmit from being read by unauthorized third parties.

Changes to this Privacy Policy

We reserve the right to change these privacy provisions at any time, in compliance with legal requirements.

Note on Data Transfer to Data Protection Non-Secure Third Countries and transfer to US Companies not DPF-Certified

We use, among other things, tools from companies located in data protection non-secure third countries as well as US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). When these tools are active, your personal data can be transferred to these countries and processed there. We would like to point out that in data protection non-secure third countries, a level of data protection comparable to the EU cannot be guaranteed.

We would like to point out that the USA is generally considered a safe third country with a level of data protection comparable to the EU. Data transfer to the USA is therefore permissible if the recipient has certification under the “EU-US Data Privacy Framework” (DPF) or has suitable additional guarantees. Information on transfers to third countries, including the data recipients, can be found in this privacy policy.

§ 2 Your Rights

The GDPR grants certain rights to individuals whose personal data we process, which we would like to inform you about here:

Revocation of your consent to data processing

Many data processing operations are only possible with your consent. We will expressly obtain this from you before starting data processing. You can revoke this consent at any time. A simple notification by email to us is sufficient for this. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

RIGHT TO OBJECT TO DATA COLLECTION IN SPECIAL CASES AND AGAINST DIRECT ADVERTISING (ART. 21 GDPR)

If data processing is carried out on the basis of Art. 6(1)(e) or (f) GDPR, you have the right at any time to object to the processing of your personal data for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal bases on which processing is based can be found in this privacy policy. If you object, we will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object, your personal data will subsequently no longer be used for direct advertising purposes.

Right to Lodge a Complaint with a Supervisory Authority

In the event of violations of the GDPR, those affected have the right to lodge a complaint with a supervisory authority. This right to lodge a complaint exists regardless of other administrative or judicial remedies.

Information, Deletion and Elimination

You have the right at any time to free information about your stored personal data, their origin and recipients and the purpose of data processing as well as a right to correction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time at the address given in the imprint.

Right to Restrict Processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time at the address given in the imprint for this purpose. The right to restrict processing exists in the following cases:

• If you dispute the accuracy of your personal data stored with us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.

• If the processing of your personal data was / is unlawful, you can request the restriction of data processing instead of deletion.

• If we no longer need your personal data, but you need them for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.

• If you have lodged an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to demand the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data may - apart from their storage - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.

Right to Data Portability

You have the right to receive data that we process automatically on the basis of your consent or in fulfillment of a contract, in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically feasible.

§ 3 Processed Data

Technical Background

The app - originally intended only as a prototype - was developed as a platform-independent HTML5 app. This means it is based on a website and is displayed in an unrecognizable browser. Accordingly, it uses web technologies, such as cookies.

Therefore, documents from third parties often only speak of websites - this also applies to the app.

We refer to a backend as an instance (one or more servers) that store data for the app or provide other services.

The app uses a backend from Google that transfers all essential application and tracking data to:

• Google Firebase (“FIREBASE”) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

• Google Analytics (“ANALYTICS”) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

The APP is delivered as an HTML5 website to your device. This is provided by the following major IT infrastructure service provider (as “Content Delivery Network”, CDN), which can ensure fast access even with high demand or long distance. This does not apply if you have installed the app from the Apple App Store. Then the HTML5 website was installed on your device by the Appstore.

• Amazon Cloudfront CDN (“CDN”) of Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA

Data Collection and Processing in the Context of Use (e.g., by Google)

Data Processing Within the Device

Data is stored directly by the app or indirectly by the FIREBASE module or ANALYTICS on the device. Essentially, the following data is stored locally:

• APP

• Consent to data processing

• Language setting

• Imported recipe databases

• FIREBASE

• Caching and synchronization management

• ANALYTICS

• Various identification tokens

Data Processing Outside the Device

All essential data that the app does not transmit locally, i.e., externally, are processed by:

• FIREBASE

• Storage of application data (recipe, calendar entry, own category, etc.): Firestore-DB (Frankfurt a.M. *)

• Authentication of the user (passwords, email addresses, phone numbers, user agents, IP addresses, etc.): Firebase Authentication (only possible with US servers)

• Further metadata that Google uses for the provision of its services (especially for personalized advertising!). See further information on data processing below.

• ANALYTICS

• Storage of anonymous events (see usage analysis/tracking) within the APP (Global, incl. USA)

• Further metadata that Google uses for the provision of its services (see further information on data processing below)

• CDN

• The CDN analyzes and stores metadata when loading the app to ensure secure and fast transfer.

* eur3 in https://cloud.google.com/about/locations#europe

Further Information on Data Processing

• In FIREBASE

• You can find information on what data is stored where and for how long here:
https://firebase.google.com/support/privacy

• And the data processing terms here:
https://firebase.google.com/terms/data-processing-terms

• In ANALYTICS

• https://www.google.com/analytics/terms

• https://blog.google/around-the-globe/google-europe/google-analytics-facts/

• https://support.google.com/firebase/answer/6318039

• In Google in general

• Further overarching information (privacy policy, terms of use) on Google services can be found here:
https://policies.google.com

• The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here:

https://policies.google.com/privacy/frameworks

https://privacy.google.com/businesses/controllerterms/mccs

• Google has certification under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards in data processing in the USA. Every company certified under the DPF commits to comply with these data protection standards. You can get more information from the provider at this link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

• By CDN

• The data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here:
https://aws.amazon.com/blogs/security/aws-gdpr-data-processing-addendum/

• Further information on security and data protection can be found here:
https://aws.amazon.com/compliance/data-protection/

• The current privacy policy of CDN can be found at:
https://aws.amazon.com/privacy/

• AWS has certification under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards in data processing in the USA. Every company certified under the DPF commits to comply with these data protection standards. You can get more information from the provider at this link:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TOWQAA4&status=Active

§ 4 Collection of personal data in the context of APP use

General

When you use our APP, we collect the following personal data from you:

• Email address

• Usage data

• IP address

• Device ID

• Metadata

The processing of this personal data is necessary to

• ensure the functionality of the APP and to

• be able to further develop the functions of the APP.

The legal basis for this data processing is our legitimate interest within the meaning of Article 6(1)(f) GDPR, your consent within the meaning of Article 6(1)(a) GDPR and § 25 para. 1 TTDSG and - if a contract was concluded - the fulfilment of our contractual obligations (Article 6(1)(b) GDPR).

Storage Duration

The storage duration for the data collected in this way is regulated as follows: All data outside the device will be deleted with the deletion of the account. The complete deletion may take longer (max. 6 months) due to distributed storage locations, synchronization and backups. All data within the device that is not deleted by appropriate synchronization remains on the device until the APP is deleted, but cannot be accessed from outside.

The data stored for analysis purposes will be automatically deleted after 14 months.

Excluded from this are all (non-personal) data that you voluntarily make available to other users for sharing. After deleting the account, this data will only be made available anonymously. This is intended to prevent a user’s departure from affecting other users’ usage.

Request within the APP, by email, phone or fax

If you contact us (e.g., via contact form within the app, by email, phone or fax), your request including all resulting personal data (e.g., name, request) will be stored and processed by us for the purpose of processing your request. The processing of this data is based on Article 6(1)(b) GDPR if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Article 6(1)(a) GDPR) and/or on our legitimate interests (Article 6(1)(f) GDPR), as we have a legitimate interest in effectively processing requests addressed to us. The data you send us via contact request will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g., after we have completed processing your request). Mandatory statutory provisions - especially statutory retention periods - remain unaffected. We do not pass on your data without your consent.

Newsletter Data

If you would like to receive the newsletter offered in our APP, we need an email address from you as well as information that allows us to verify that you are the owner of the provided email address and that you agree to receive the newsletter. No additional data is collected. We use this data exclusively for sending the requested information and do not pass it on to third parties. The sending of the newsletter is based on your consent (Article 6(1)(a) GDPR). You can revoke this consent at any time. The data stored by us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe from the newsletter.

§ 5 Data Analysis

When you access our APP, your behavior can be statistically evaluated and analyzed to improve our offers using certain analysis tools. When using such tools, we ensure compliance with legal data protection regulations. When using external service providers (processors), we ensure through appropriate contracts with the service providers that data processing complies with German and European data protection standards.

ANALYTICS (Google Analytics Firebase)

ANALYTICS includes various functions that allow us to analyze your in-APP behavior. This way, we can, for example, track your screen views, button presses. We can also determine which functions within our APP are frequently or rarely used. For these purposes, ANALYTICS stores, among other things, the number and duration of sessions, operating systems, device models, region and a number of other data. A detailed overview of the data collected by ANALYTICS can be found at:

• https://support.google.com/firebase/answer/6318039

The use of ANALYTICS may require the transfer of your personal data to the USA. This is based on the adequacy decision of the EU Commission (EU-US Data Privacy Frameworks). The storage duration for the data collected in this way is regulated as follows:

• The data will be deleted after 14 months.

The use of ANALYTICS is for optimizing this APP and improving our offers. This represents a legitimate interest within the meaning of Article 6(1)(f) GDPR. If consent was requested, the use of ANALYTICS is based on Article 6(1)(a) GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.