Grassrisk

Privacy Policy – Grassrisk App

1. Controller

The controller for the app "Grassrisk" (also known as "Fruktanampel") is: Florian Geyer, Werastrasse 7, 72555 Metzingen, Germany, info(at)fruktanampel.de

2. Processed Data

When using the service, technical server log data is processed (for example IP address, timestamp, requested URL, user agent) to provide a secure and stable service.

For location search and risk queries, provided coordinates are processed to fetch weather data and calculate risk. Logged-in users can save locations permanently in their account (name, coordinates).

3. User Account and Login

To use extended features (e.g. saving locations, notifications), you can create an account. Your email address is collected and stored for this purpose. Login is passwordless via Magic Link or one-time code (OTP).

Login emails are sent via the service Resend (Resend Inc., USA). Your email address is transmitted to Resend for this purpose. Legal basis: Art. 6(1)(b) GDPR (contract performance).

4. Purpose and Legal Basis

Processing is performed to provide the application and compute indicative fructan risk estimates (Art. 6(1)(b) GDPR). Where you consent to usage analytics or push notifications, the legal basis is Art. 6(1)(a) GDPR (consent). Legitimate interests in operational security are based on Art. 6(1)(f) GDPR.

5. Recipients and Services

Weather and geodata are processed via Open-Meteo (open source, no account required).

Email delivery: Resend Inc. (USA) – for sending login links.

In-app purchases and subscription management: RevenueCat Inc. (USA) – for managing subscriptions and purchase receipts. A pseudonymous user ID is transmitted to RevenueCat.

Push notifications: Google Firebase Cloud Messaging (FCM) – for delivering risk alerts. Device push tokens are transmitted to Google.

Hosting and server operations are handled on our own infrastructure (Hetzner, Germany).

6. International Data Transfers

Some service providers (Resend, RevenueCat) are based in the USA. Data transfers are carried out on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR) or the EU-US Data Privacy Framework (Art. 45 GDPR), where an adequacy decision exists. Google (FCM) also processes data under Standard Contractual Clauses.

7. Push Notifications

When you enable push notifications, a device token is collected and stored in your account. Risk alerts are sent to your device via Google Firebase Cloud Messaging. You can disable push notifications at any time in your device settings. Legal basis: Art. 6(1)(a) GDPR (consent).

8. Retention

Log data is retained only as long as required for operational security and troubleshooting (typically 14 days).

Account data (email, saved locations, push tokens, alert preferences) is stored until you delete your account. You can request deletion at any time via our account deletion page or by email.

RevenueCat purchase data is subject to RevenueCat's retention policies and is removed after account deletion, unless legal retention obligations apply.

9. Cookies and Tracking

This application uses Matomo, a self-hosted analytics tool that sets first-party tracking cookies. Cookie placement requires your prior consent, which you grant by confirming the cookie notice. Additionally, a session cookie for login (NextAuth) is set, which is required for functionality. Details are provided in section 11 and on the cookie page.

10. Your Rights

Under GDPR, you have rights to access, rectification, erasure, restriction, portability, and objection. A dedicated page for deleting your account is available at /account-deletion. You also have the right to lodge a complaint with a supervisory authority.

11. Web Analytics (Matomo)

This application uses Matomo (open source, self-hosted on our own infrastructure). Upon your consent to the cookie notice, usage data (e.g. page views, approximate origin, time spent, searched location names) is collected anonymously to improve the service. No data is shared with third parties. The legal basis is Art. 6(1)(a) GDPR (consent). You can revoke your consent at any time by deleting cookies or clearing browser storage.