1. Who is responsible?
The data controller for varyAlive (app and website) is:
Laura Groh
Kölnische Straße 41
34117 Kassel
Email: kontakt@varyalive.de
varyAlive is currently in beta. The app is free and no fees are charged.
2. What data do we store?
Here's exactly what we store and why.
2.1 Account data
- First name, last name, email address: So you can sign in and your friends can find you when sending a friend request.
- Sign-in: In the app, you can sign in via Apple Sign-In, Google Sign-In (OAuth 2.0), or email and password. With Apple/Google, we receive a unique provider ID along with your name and email address — authentication is handled by Apple or Google. With email sign-in, your password is stored hashed (see section 13). The organizer dashboard on the website supports email and password login.
- Notification settings: Which push notifications you want to receive (e.g. messages, friend requests, meetings).
2.2 Friendships and contacts
- Connections: Who is friends with whom, so you can plan activities together.
- Friend requests: Pending requests between users.
- Reminders: If you set a reminder to stay in touch with a friend, we store the interval and last contact time.
2.3 Messages
- Direct messages: Text messages between you and your friends. Only sender and receiver can read them.
- Group messages: Messages in groups. Only group members can read them.
2.4 Activities and matching
- Interests: Your selected interests (e.g. sports, cooking, photography), so we can suggest activities that match you and your friends.
- Swipes: Which activities you swiped right or left on with which friend. When both sides are interested, a match is created.
- Group swipes: Votes within groups about shared activities.
2.5 Meetings and memories
- Meeting proposals: Date and title of proposed meetups between you and friends or in groups.
- Meetings: Start and end time, participants, and the associated activity. After a meeting ends, it becomes a memory.
- Memories: Timestamps, title, and a snapshot of the activity at the time of the meetup. Only participants can access them.
2.6 Photos
- Memory photos: Photos you upload to a memory are stored in protected storage. Only meeting participants can view, upload, and delete them.
2.7 Social Battery
- Battery levels: Your self-reported social energy level. Your current level is shown to your friends. Older levels are stored for your personal statistics.
The Social Battery is a wellbeing feature. The value is set by you alone — we do not infer it from your behavior.
2.8 Invitations
- Invite links: When you create an invite link, we store who created it and whether it was used.
3. Data for organizers
If you register as an organizer, we additionally store:
- Organization data: Name, description, category, logo, and banner of your organization.
- Contact details: Email, phone, website, and address of your organization.
- Activities: Title, description, pricing, images, and all details of the activities you create.
- Statistics: How often your activities are viewed and clicked (view and click counts).
Organizers only see aggregated, anonymized data about their activities — no personal data of individual users.
4. What do we use your data for?
- Provide the app: So you can sign in, find friends, and plan activities.
- Suggest activities: Based on your interests, we show you relevant activities.
- Send notifications: About new messages, friend requests, and meeting invitations — only if you allow it.
- Preserve memories: So you can revisit past meetups and photos.
- Improve the platform: To find bugs and make the app better.
5. Legal basis
- Contract performance (Art. 6(1)(b) GDPR): Most data is needed for the app to work — to provide the service you signed up for.
- Consent (Art. 6(1)(a) GDPR): For push notifications and camera access, we ask for your permission first. You can revoke it any time in your device settings.
- Legitimate interest (Art. 6(1)(f) GDPR): For improving the platform and securing your account.
6. Who else processes your data?
We do not share your data with third parties and we do not sell it. We use the following services as data processors:
6.1 Supabase (database and backend)
- What: All your data (account, messages, photos, etc.) is stored with Supabase.
- Where: EU region (Frankfurt). Your data does not leave the EU.
- Security: SOC 2 Type II certified. A data processing agreement (DPA) under GDPR is in place.
- Encryption: All data is encrypted in transit (HTTPS/TLS). Data is also encrypted at rest by Supabase. Access is protected by authentication and row-level security, so you can only see your own data.
6.2 Firebase Cloud Messaging (push notifications)
- What: To send you push notifications, we use Firebase Cloud Messaging (FCM) by Google.
- Data: A device token and the notification content.
- Where: Google (USA). Data transfer is secured by EU Standard Contractual Clauses.
- More info: Firebase Privacy
6.3 EmailJS (contact form)
- What: When you use the contact form on the website, your message is forwarded to us via EmailJS.
- Data: Your name, email address, and your message.
- More info: EmailJS Privacy
7. How long do we keep your data?
- Account data, messages, interests, swipes, Social Battery: As long as your account exists. When you delete your account, this data is permanently removed.
- Friendships: Marked as "deleted" when you delete your account, so your friends' network stays intact.
- Memories: Remain accessible to other participants even after you delete your account. Your name is removed.
- Photos: Deleted when you remove them yourself or when your account is deleted.
- Organizer data: Completely removed when you delete your organizer account, including all activities.
8. Delete your account
You can delete your account at any time:
- App users: In the app under Settings.
- Organizers: In the dashboard under Account Settings.
- Without the app: Via our web deletion page.
When you delete your account, all your personal data is permanently removed. If something doesn't work, email us at kontakt@varyalive.de and we'll delete your account manually.
9. Your rights
Under the GDPR, you have the following rights:
- Access: You can find out what data we have stored about you.
- Correction: You can have incorrect data corrected.
- Deletion: You can request deletion of your data.
- Restriction: You can request that processing be restricted.
- Data portability: You can receive your data in a machine-readable format.
- Objection: You can object to the processing of your data.
Email us at kontakt@varyalive.de — we'll respond within 4 weeks.
You also have the right to file a complaint with a data protection supervisory authority. The authority responsible for us is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden, Germany
Phone: +49 611 1408-0
datenschutz.hessen.de
10. App permissions
The app asks for your permission before accessing features on your device:
- Camera: For scanning QR codes (invite links, meeting codes) and taking photos for memories. No images are saved or transmitted without your action.
- Photos: To select images from your photo library or save photos there.
- Calendar: To add meetups directly to your device calendar. No existing calendar entries are read. This permission is optional and can be revoked at any time.
- Notifications: For push notifications about messages, requests, and meetings.
You can revoke any permission at any time in your device's system settings.
11. Cookies and tracking
We use no tracking cookies and no third-party analytics tools.
On the website, only technically necessary cookies are used for signing in to the organizer dashboard.
The app does not set any cookies.
12. Minimum age
varyAlive is intended for people aged 16 and over. If you are under 16, you may only use the app with the consent of your parent or guardian.
13. How do we protect your data?
- Encrypted transmission of all data (HTTPS/TLS)
- Encrypted storage in the database (encryption at rest)
- Passwords are stored hashed
- Row-level security: at the database level, you can only access your own data
- Photos in protected, private storage — only meeting participants can access them
- Regular security updates
14. Changes to this policy
If we change this privacy policy, we will notify you at least 4 weeks in advance — via an app update or email.