Privacy Policy

Effective Date: October 28, 2025
Last Updated: October 28, 2025

1. Controller and Data Protection Officer (Verantwortlicher und Datenschutzbeauftragter)

The controller for data processing is the operator of wohnli. Contact details can be found in our Impressum.

For GDPR inquiries: If you have questions about your data or wish to exercise your rights, please contact us through the application support features.

2. Legal Basis for Processing (Rechtsgrundlage der Verarbeitung)

We process your data based on the following legal grounds under GDPR Article 6:

  • Article 6(1)(b) - Contract Performance: Processing necessary for providing the task management service
  • Article 6(1)(f) - Legitimate Interest: For security, fraud prevention, service improvement, and cookieless analytics
  • Article 6(1)(a) - Consent: Only for optional features requiring explicit consent (none currently active)

3. Information We Collect (Erhobene Daten)

Account Information

When you create an account, we collect:

  • Email address (for authentication) - Legal basis: Contract performance
  • Name or display name - Legal basis: Contract performance
  • Household membership information - Legal basis: Contract performance
  • Account preferences and settings - Legal basis: Contract performance

Usage Data

We automatically collect information about how you use the Service:

  • Task creation, completion, and modification activities - Legal basis: Contract performance
  • Points earned and spent - Legal basis: Contract performance
  • Gambling/betting activities and outcomes - Legal basis: Contract performance
  • Login times and session duration - Legal basis: Contract performance
  • Cookieless analytics data (page views, feature usage) - Legal basis: Legitimate interest
  • Application performance and error data - Legal basis: Legitimate interest

Analytics Note: Usage analytics are collected without cookies or persistent storage. Data is processed anonymously and cleared on page refresh.

2. How We Use Your Information

We use your information to:

  • Provide the Service: Enable task management, points tracking, and household collaboration
  • Calculate Points: Track task completions, streaks, and bonus awards
  • Enable Sharing: Allow household members to view shared activities and statistics
  • Improve the Service: Analyze usage patterns to enhance features and performance
  • Communicate: Send important updates about the Service
  • Ensure Security: Detect and prevent fraudulent activities

3. Information Sharing Within Households

When you join a household, the following information becomes visible to other household members:

  • Your name/display name
  • Tasks you've completed and when
  • Points earned and current point balance
  • Streak information and bonus awards
  • Gambling activities and outcomes
  • General activity statistics

Important: Your email address and account settings remain private and are not shared with other household members.

4. Third-Party Data Processors (Auftragsverarbeiter)

We use the following third-party services as data processors under GDPR Article 28:

Google Firebase

Purpose: User authentication, secure login

Data shared: Email address, authentication tokens

Location: EU/US (Google Cloud Platform)

Legal basis: Contract performance (Art. 6(1)(b))

Safeguards: Google's EU Standard Contractual Clauses

Privacy Policy: Google Privacy Policy

PostHog Analytics (Cookieless)

Purpose: Usage analytics, performance monitoring

Data storage: Memory only - no cookies or persistent storage

Location: EU (Frankfurt, Germany)

Legal basis: Legitimate interest (Art. 6(1)(f)) - minimal processing

Safeguards: EU-based, cookieless, session-only data

Privacy Policy: PostHog Privacy Policy

Cookieless Implementation: No persistent tracking, no session recordings, data cleared on page refresh.

Hosting Infrastructure

Purpose: Application hosting, data storage

Data shared: All application data (encrypted)

Location: EU datacenter

Legal basis: Contract performance (Art. 6(1)(b))

Safeguards: EU-based hosting, encryption at rest

Contract: Data Processing Agreement in place

International Data Transfers

When data is transferred outside the EU (Google Firebase), we ensure adequate protection through:

  • Standard Contractual Clauses approved by the EU Commission
  • Additional technical and organizational measures
  • Regular adequacy assessments

5. Data Storage and Security

We implement appropriate security measures to protect your information:

  • Encrypted data transmission using HTTPS
  • Secure authentication through Firebase
  • Regular security updates and monitoring
  • Limited access to personal data by authorized personnel only

Your data is stored securely and is only accessible by you and authorized household members.

Administrative Access (Administrativer Zugriff)

System administrators ("authorized personnel") have limited access to user account data, including email addresses, for specific legitimate purposes only:

  • Customer Support: Resolving technical issues and answering support requests
  • Account Management: Managing subscriptions, billing, and account settings
  • Security & Abuse Prevention: Detecting and preventing fraudulent activities, spam, or abuse
  • Legal Compliance: Responding to legal requests and ensuring regulatory compliance
  • Service Maintenance: Performing necessary database maintenance and troubleshooting

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR)

Safeguards: All administrative access is logged and audited. Access logs are retained for 90 days for accountability and security purposes.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account Data: Retained until account deletion
  • Task History: Retained for household continuity
  • Points History: Retained for fairness and tracking purposes
  • Usage Analytics: Anonymized data may be retained longer for service improvement

7. Your GDPR Rights (Ihre Rechte nach DSGVO)

Under GDPR, you have comprehensive rights regarding your personal data:

Right of Access (Art. 15 GDPR)

Request information about your data and processing activities

Right to Rectification (Art. 16 GDPR)

Correct inaccurate personal data

Right to Erasure (Art. 17 GDPR)

"Right to be forgotten" - delete your data

Right to Data Portability (Art. 20 GDPR)

Export your data in machine-readable format

Right to Restrict Processing (Art. 18 GDPR)

Limit how we process your data

Right to Object (Art. 21 GDPR)

Object to processing based on legitimate interest

How to Exercise Your Rights

You can exercise most rights directly in the application settings, or contact us through the support features.

Response Time: We will respond to your request within 30 days (GDPR Art. 12).

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in your EU country of residence.

8. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your privacy rights in accordance with applicable data protection laws.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy in the application. Changes will be effective immediately upon posting.

11. Cookies and Data Storage (Cookies und Datenspeicherung)

We use minimal essential cookies and cookieless analytics:

✅ Essential Cookies (Required)

Authentication Session: Login security and CSRF protection

Theme Preference: Remember dark/light mode choice

Duration: Session (auth) / 1 year (theme)

Legal basis: Necessary for service operation

📊 Cookieless Analytics

PostHog Analytics: Usage patterns, performance monitoring

Storage: Memory only - no persistent tracking

Duration: Page session only (cleared on refresh)

Legal basis: Legitimate interest (minimal processing)

🚫 What We DON'T Use

  • No tracking cookies or persistent analytics storage
  • No third-party advertising cookies
  • No session recordings or screen captures
  • No cross-site tracking or fingerprinting

Cookie Management: Only essential cookies are used. You can disable them in browser settings, but this may affect functionality. No consent required for cookieless analytics.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

For GDPR-specific inquiries: Please clearly indicate that your inquiry relates to data protection rights under GDPR when contacting us.

← Back to App