Privacy Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
[Company Name GmbH]
[Street and number], [Postcode] Berlin, Germany
Email: hello@mawatu.app
[Optional, if appointed:] Data Protection Officer: [Name, contact]
2. General information on data processing
We process personal data only to the extent necessary to provide a functional website and our content and services, or where you have given your consent. Legal bases are in particular Art. 6(1)(a) (consent), (b) (contract/pre-contractual measures) and (f) (legitimate interest) GDPR.
3. Hosting and server log files
This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When you access the website, Vercel processes technical access data on our behalf as a processor (e.g. IP address, date and time, page accessed, browser type, referrer). This processing serves to ensure smooth and secure operation (Art. 6(1)(f) GDPR).
Since Vercel may also operate servers in the USA, a transfer to a third country may occur. Such transfers are safeguarded by the EU Commission's Standard Contractual Clauses (Art. 46 GDPR) and/or — where certified — the EU-US Data Privacy Framework.
4. Cookies and consent
We use strictly necessary cookies and local storage (e.g. for session management in the protected admin area and to remember your privacy choice). These do not require consent (§ 25 (2) TDDDG in conjunction with Art. 6(1)(f) GDPR).
Any non-essential technologies (e.g. analytics or marketing) are only used after you have given your consent via our consent banner (Art. 6(1)(a) GDPR, § 25 (1) TDDDG). On your first visit you can "Accept all", "Reject all", or enable individual categories under "Customize". Non-essential categories are deactivated by default. You can change or withdraw your decision at any time with effect for the future via the "Cookie settings" link in the footer. At present we do not load any analytics or marketing technologies.
5. Contact and partner enquiries
If you contact us by email or via the partner form, we process the data you provide (e.g. name, email address, company, message) in order to handle your enquiry. The legal basis is Art. 6(1)(b) or (f) GDPR. The data is deleted once it is no longer required for the purpose and no statutory retention obligations apply.
6. Newsletter (double opt-in)
To send our newsletter we use the double opt-in procedure: after you sign up, we send you an email with a confirmation link. Only after confirmation do we add you to the distribution list. We log the sign-up, the confirmation and the IP address used in order to be able to prove your consent.
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and § 7 (2) UWG. You can unsubscribe at any time via the unsubscribe link in every email or by contacting us; your consent is then deemed revoked.
Sending is carried out via the service provider [Resend / your email service provider] as a processor. [If a third country is involved: the transfer is safeguarded by Standard Contractual Clauses.]
7. Backend / database (Supabase)
To store website data (e.g. newsletter sign-ups, partner enquiries, editorial content) and for the app's functions, we use Supabase (Supabase, Inc.) as a processor. The database is operated in the EU region (Frankfurt am Main, Germany). A data processing agreement (Art. 28 GDPR) is in place with the provider.
8. Data processing in the MaWaTu app
This Privacy Policy also applies to our mobile app, MaWaTu. Depending on use, we process in the app, among other things:
- Account data (email or Sign in with Apple) for registration and login (Art. 6(1)(b) GDPR).
- Profile data (name, age, languages, interests, travel styles, profile photos) to display your profile. Profile photos are processed for verification.
- Location data: your approximate location may be used to show travelers nearby. Your live location is shared only after your explicit consent and only with the trusted contacts you choose (Trusted Circle). For this purpose, the current location is stored per user; it is automatically deleted after 7 days of inactivity. Only people you have accepted can gain access, and you can revoke sharing at any time in the app. The legal basis is your consent (Art. 6(1)(a) GDPR).
- Push notifications: for delivery we use Firebase Cloud Messaging (Google Ireland Ltd.). A device token is processed for this (Art. 6(1)(f) GDPR, or (a) where consent is required).
- Crash and stability data: for error analysis we use Firebase Crashlytics (Google).
- Subscriptions/purchases: in-app subscriptions are handled via RevenueCat, Inc. and the Apple App Store / Google Play. Purchase and subscription data is processed (Art. 6(1)(b) GDPR).
- AI travel guides: for AI-assisted recommendations, requests are sent to OpenAI. No directly identifying profile data is transmitted for this purpose unless necessary.
You can delete your account at any time in the app; your personal data is then deleted, unless statutory retention obligations apply.
9. Recipients / processors used
- Vercel Inc. (website hosting)
- Supabase, Inc. (database, authentication, storage)
- [Resend / email service provider] (newsletter and transactional emails)
- Google Ireland Ltd. (Firebase Cloud Messaging, Crashlytics)
- RevenueCat, Inc. as well as Apple Inc. / Google Ireland Ltd. (subscriptions)
- OpenAI (AI features in the app)
10. Third-country transfers
Where data is transferred to processors outside the EU/EEA (in particular the USA), this is based on Standard Contractual Clauses (Art. 46 GDPR) and/or a certification under the EU-US Data Privacy Framework, as well as, where applicable, your consent (Art. 49 GDPR).
11. Storage period
We store personal data only for as long as necessary for the respective purposes or as required by statutory retention periods. The data is then deleted.
12. Your rights
You have the right at any time to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and to object (Art. 21 GDPR). You can revoke consent you have given at any time with effect for the future (Art. 7(3) GDPR).
13. Right to object
Insofar as we process data on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object on grounds relating to your particular situation.
14. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit)
Alt-Moabit 59–61, 10555 Berlin, Germany
https://www.datenschutz-berlin.de
15. SSL/TLS encryption
For security reasons, this site uses SSL/TLS encryption. You can recognise an encrypted connection by the "https://" in your browser's address bar.
16. Currency and changes
This Privacy Policy is dated [month/year]. We update it when the legal situation or our processing changes.
