Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data is:

Tornaido UG (haftungsbeschränkt)

71272 Renningen, Germany

Registered at: Amtsgericht Stuttgart, HRB 801603

2. Scope of This Policy

This Privacy Policy applies to all applications — including mobile apps and web apps — developed and published by Tornaido, unless those applications have their own dedicated privacy policy. Our applications fall into two categories, each described below:

Client-Side Applications

These applications run entirely on your device. They do not require an account, do not communicate with our servers, and do not transmit any personal data to us. Any data stored (e.g. preferences or local history) is saved only on your device using standard local storage mechanisms.

Connected Applications

These applications require account creation and communicate with our backend servers to store and synchronise your data across devices and with other users you invite. Personal data including account information and user-generated content is processed and stored on our servers.

Most of our applications display advertising. Before any advertising data is collected or personalised ads are shown, your explicit consent is requested via an in-app consent flow compliant with applicable data protection law.

3. Data We Collect

A All Applications — Advertising Data

Apps that display advertising use third-party advertising partners. If you provide consent, our advertising partners may collect and process the following data:

• Advertising identifiers (e.g. Google Advertising ID / IDFA)
• IP address and approximate location (country/region)
• Device type, operating system, and language settings
• App usage and interaction data for ad personalisation

If you decline consent, only non-personalised ads will be shown. No advertising data is collected without your prior consent.

B Connected Applications — Account & User-Generated Data

When you create an account in one of our connected applications, we collect and store the following:

• Email address — used as your account identifier and for account recovery.
• Display name — visible to other users you share content with.
• Password — stored in hashed form only; we cannot access your plain-text password.
• User-generated content — content you create, enter, or share within the application (e.g. events, lists, notes).
• Technical metadata — timestamps of account creation, last login, and data modifications.

We do not collect phone numbers, payment information, biometric data, health data, or precise GPS location.

4. Legal Basis for Processing

We process personal data only where a valid legal basis under Art. 6 GDPR exists:

Consent — Art. 6(1)(a) Processing of advertising and analytics data by third-party ad partners, collected only after you provide explicit consent through the in-app consent flow.

Contract — Art. 6(1)(b) Processing of account data and user-generated content necessary to provide the service you registered for in our connected applications.

Legal Obligation — Art. 6(1)(c) Retention of certain data where required by applicable law (e.g. logging obligations).

5. Advertising & Third Parties

Applications that display advertising use third-party advertising networks (for example, Google AdMob). These partners act as independent data controllers for the data they collect for ad personalisation purposes.

Before any personalised advertising processing begins, you are presented with a consent management interface powered by Google's User Messaging Platform (UMP SDK), compliant with IAB TCF v2.3 standards. You may:

• Accept all — personalised ads are shown based on your interests.
• Decline or manage preferences — only contextual, non-personalised ads are shown.
• Withdraw consent at any time — through the privacy settings within the app.

You may also change your consent preferences at any time through the privacy settings accessible within each application. For information on how advertising partners process your data, please refer to their respective privacy policies. Google's privacy policy is available at policies.google.com/privacy.

We do not sell personal data to third parties. Advertising partners are contractually bound not to use your data for purposes other than those specified in the consent you provided.

7. Data Retention

Client-side apps: All data is stored locally on your device and persists until you clear app data or uninstall the application. We have no access to this data.

Connected apps — account data: Your account data is retained for as long as your account is active. If you delete your account, your personal data is permanently deleted from our servers within 30 days, except where retention is required by law.

Connected apps — shared content: Content shared within a group remains available to group members until it is deleted by the user who created it, or until the entire account is deleted.

Advertising data: Retention periods for advertising data are governed by the respective third-party advertising partners and their policies.

8. Data Security

We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

• Encrypted data transmission via TLS/HTTPS for all server communication
• Passwords stored using strong one-way hashing algorithms
• Access to backend infrastructure restricted to authorised personnel only
• Regular security reviews of our systems

No method of data transmission or storage is entirely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

9. Children's Privacy

Our applications are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@tornaido.de and we will take steps to delete such information promptly.

10. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Restriction

Request that we limit processing of your data in certain circumstances.

Right to Object

Object to processing based on our legitimate interests at any time.

Withdrawing consent: Where processing is based on your consent (e.g. personalised advertising), you may withdraw it at any time through the app's privacy settings. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at info@tornaido.de. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. In Germany, this is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (www.baden-wuerttemberg.datenschutz.de).

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For connected applications, we may additionally notify you via an in-app notification. Your continued use of the application after any changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.

12. Contact

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us:

info@tornaido.de