Privacy Policy for the dearlist App
We take the protection of your personal data very seriously. This privacy policy applies to our iPhone and Android apps (“App”) and explains the type, purpose, and scope of data collection during use of the App.
1. Controller
konax media Günther Fick GbR
Responsible: Axel Fick
Weberstraße 30
23966 Wismar
Germany
Phone: +49 (0)3841 6204972
Email: info@dearlist.de
The controller is the natural or legal person who determines the purposes and means of processing personal data.
2. General notes on data processing
Scope of processing
We process personal data of users only insofar as this is necessary to provide a functional app and our content and services. Processing normally takes place only after the user has given consent.
An exception applies where obtaining prior consent is not possible for practical reasons and processing is permitted by law.
Legal bases
If we obtain consent, Art. 6(1)(a) GDPR is the legal basis. If processing is necessary for contract performance or pre-contractual measures, Art. 6(1)(b) GDPR applies. If a legal obligation requires processing, Art. 6(1)(c) GDPR applies. If vital interests require processing, Art. 6(1)(d) GDPR applies. Processing based on legitimate interests uses Art. 6(1)(f) GDPR.
Deletion and storage duration
Personal data is deleted or blocked as soon as the purpose of storage ceases. Storage may continue if required by EU or national law. Data is also deleted when statutory retention periods expire unless further storage is necessary for contract fulfilment.
3. Provision of the App and technical data
Description and scope
When using the App, the system automatically collects technical data from the device:
- Device type and operating system (iOS/Android)
- App version
- Device language and region settings
- Time of use
- Network status (online/offline)
This data is used to provide and improve functionality. It is linked to other personal data only as part of authentication.
Legal basis
The temporary storage of data and log files is based on Art. 6(1)(f) GDPR (legitimate interest in stable provision of the app).
Purpose
Collecting technical data is necessary to deliver the app correctly on your device and ensure smooth synchronisation. The data is used to optimise performance and ensure functionality. No marketing evaluation takes place.
Storage duration
Technical data is processed only for the duration of app use and deleted after the session unless legal retention periods require otherwise.
Objection
Collecting data to provide the app and storing it in log files is essential for operation; it is not possible to object.
4. Registration and user account
Description and scope
Registration is required to use the app. Authentication is handled by Supabase (see Section 7). We collect:
- Email address (required)
- Password (stored hashed)
- Username
Additionally, we store:
- Registration date and time
- Email verification status
- Authentication tokens (stored locally on the device for auto sign-in)
The email address is used for authentication and important app notifications; verification is required to ensure access to the account.
Legal basis
If consent is given, the legal basis is Art. 6(1)(a) GDPR. If registration serves contract performance or pre-contractual measures, Art. 6(1)(b) GDPR applies.
Purpose
Registration is necessary to provide a personal account where users manage their wishlists.
Storage duration
Data collected during registration is deleted when it is no longer needed, e.g. when the registration is cancelled or modified. Statutory retention periods remain unaffected.
Objection and removal
Users can cancel registration at any time. Stored data can be changed at any time.
5. Wishlists and shared data
Description and scope
The core functionality is creating, managing, and sharing wishlists. The following data is processed and stored:
Wishlists
- Wishlist name
- Owner (user ID)
- Share code (6-character code)
- Creation date
- Owner name
Wishes
- Title/name of the wish
- Price (optional)
- Note/description (optional)
- Product link (optional, e.g. Amazon link)
- Creation date
- Creator (user ID)
Reservations
- Which user reserved which wish
- Reservation date
List memberships
- Which users have access to which list
- Role (owner or member)
- Join date
Important: Each user can create up to 5 wishlists of their own. Lists are shared via a unique 6-character code; only people with the code can access the list. Data is stored on our servers (Supabase) and visible to all list members.
Legal basis
Art. 6(1)(b) GDPR (necessary for fulfilling the user contract).
Purpose
Storing this data is necessary to create, manage, and share wishlists.
Storage duration
Data is deleted when you delete the respective list or your user account. You can delete lists at any time in the app.
6. App permissions
Permissions we request
The app needs certain permissions on your device:
Internet access
Purpose: Required for syncing wishlists across devices and sharing lists with others.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Local notifications (optional)
Purpose: To remind you of upcoming occasions (e.g. birthdays, Christmas).
Legal basis: Art. 6(1)(a) GDPR (consent)
Notifications are stored locally on your device, contain no personal data, and are not sent to our servers. You can disable them in the app or device settings.
Local data storage
Purpose: The app stores your authentication session locally (AsyncStorage) so you don’t have to log in every time.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Session data is stored encrypted on your device and remains until you sign out or uninstall the app.
Permissions we do NOT request
The app does not request access to: location, contacts, camera, microphone, calendar, phone numbers, photos/media files, or SMS.
7. Data transfers and service providers
General
We only share personal data with third parties if:
- You have given explicit consent (Art. 6(1)(a) GDPR),
- it is necessary to fulfil our contractual obligations (Art. 6(1)(b) GDPR),
- there is a legal obligation (Art. 6(1)(c) GDPR), or
- it is based on legitimate interests and no overriding interest of yours exists (Art. 6(1)(f) GDPR).
Supabase (backend services)
Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Purpose: authentication, database, real-time updates, hosting
Processed data: email addresses, hashed passwords, wishlist data, auth tokens
Legal basis: Art. 6(1)(b) GDPR and Art. 28 GDPR (processing on our behalf)
Data transfer: Supabase processes data in the EU or as described in its privacy policy: https://supabase.com/privacy
We have a data processing agreement with Supabase to ensure GDPR-compliant processing.
Sentry (error tracking and monitoring)
Provider: Sentry, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA (EU-US DPF certified)
Purpose: identify and fix technical errors and monitor stability
Data: error messages/stack traces, device info (OS, app version, device type), technical logs, session replay on severe errors, IP address
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stability); DPA in place
Privacy: https://sentry.io/legal/dpa/
Sentry processing cannot be disabled because it is required for app stability.
Expo Updates (over-the-air updates)
Provider: Expo, 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Purpose: deliver app updates without full store downloads
Data: app version, anonymised device ID, update status
Legal basis: Art. 6(1)(f) GDPR (legitimate interest); Privacy: https://expo.dev/privacy
Amazon Associates (affiliate program)
Provider: Amazon Europe Core S.à.r.l., 5 Rue Plaetis, L-2338 Luxembourg
Purpose: product links may be converted to affiliate links so we can earn a commission on purchases made via these links.
How it works: you add an Amazon link to a wish; the app detects Amazon links; when opened, the link is tagged with our affiliate ID; if a purchase is made, we receive a commission.
Data: Amazon collects data about purchases made via affiliate links under its own responsibility.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in monetisation). Amazon is certified under the EU-US DPF.
Privacy: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010
Note: Once you open an Amazon link, Amazon’s privacy policy applies.
8. Error tracking
To ensure stability, we use Sentry (see Section 7). When an error occurs, the following data is collected automatically: error type/message, time, device info (OS, app version, device type), technical details of the cause, and for severe errors a short session replay (only at the moment of the error).
Data is used solely for troubleshooting and improving stability, not for marketing. Legal basis: Art. 6(1)(f) GDPR.
9. Your rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent at any time with future effect
- Right to lodge a complaint with a supervisory authority
To exercise your rights, contact info@dearlist.de.
10. Data security
We use technical and organisational security measures to protect your personal data against manipulation, loss, destruction, or unauthorised access, and we continuously improve these measures.
Technical measures
- Encrypted communication (HTTPS/TLS) between the app and our servers
- Passwords stored only in hashed form
- Access to data only after successful authentication
- Row Level Security in the database so users can access only their own data
- Session tokens with limited validity and regular renewal
Organisational measures
- Data access restricted to authorised staff
- Regular security reviews and updates
- Data processing agreements with all service providers
- Regular database backups
Please note that no internet transmission is completely secure. Absolute protection cannot be guaranteed.
11. Deletion of data and account
Deleting wishes and lists
You can delete individual wishes or entire wishlists, or leave shared lists, at any time. Deleted data is removed from our database and cannot be restored.
Deleting your account
You can delete your account in the app at any time. This deletes your account and authentication data, all wishlists you created, your wishes, your reservations, and your memberships in shared lists. Deleted data cannot be restored.
Statutory retention: We may retain certain data if legally required.
12. Changes to this policy
We may update this policy to reflect legal requirements or changes to our services. The current version is available at any time in the app and on our website.
Last updated: December 2025