Privacy Policy

Status: March 2026


Language and Binding Versions

This English version of the Privacy Policy is a legally binding document for all users who register for or use the Alma App in a language other than German.

A German version is available at alma-app.eu/datenschutz. For users whose App language is set to German, the German version applies.

Where the Alma App displays this Privacy Policy in any other language, this is a machine translation provided for convenience only. In the event of any inconsistency, the applicable binding version (German or English) shall prevail.


Key Facts at a Glance

Who I am: Bastian Matzen / Alma Softwareentwicklung (Sole Proprietorship), Kienitzer Str. 113, 12049 Berlin, Germany. Contact: privacy@alma-app.eu | www.alma-app.eu

Your data with me:

Secure: Encrypted storage exclusively within the EU (Frankfurt am Main).

Private: No data transfer to third parties (except to your emergency contacts in an emergency).

Voluntary: Health data and many other details are completely optional.

Controlled: You can view, modify, or delete everything at any time.

Transparent: No hidden data usage, no selling of your data.

Your Rights: Access, rectification, deletion, data portability, objection, withdrawal of consent – all possible at any time.

Complaints can be lodged with: Berlin Commissioner for Data Protection and Freedom of Information (datenschutz-berlin.de). Users in the EEA may also contact the supervisory authority in their country of habitual residence. Users in the United Kingdom may contact the Information Commissioner's Office (ico.org.uk). Users in Switzerland may contact the Federal Data Protection and Information Commissioner (FDPIC).


1. Controller and Contact

I am the controller responsible for data processing in the context of the Alma App, within the meaning of the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Swiss Federal Act on Data Protection (FADP/DSG), and other applicable data protection laws:

Bastian Matzen, Alma Softwareentwicklung (Sole Proprietorship), Kienitzer Str. 113, 12049 Berlin, Germany

Contact Options

For privacy questions (preferred): privacy@alma-app.eu

For technical support: support@alma-app.eu

Website: www.alma-app.eu

1a. UK Representative

In accordance with Article 27 of the UK GDPR, we have appointed the following representative in the United Kingdom for data protection matters:

Aron Harris, Flat 7, 324 Lewisham High Street, SE13 6JZ London, United Kingdom

Email: privacy@alma-app.eu


2. Overview of the App and its Functions

Alma is a personal safety and communication app with two main functions:

2.1 Alma Safety Net (Only with Connect+ Subscription)

Automatic safety check-ins at defined time windows.

Automatic notification of your emergency contacts if a check-in is missed.

Optional transmission of location and health information in an emergency.

2.2 Alma Moments (Free)

Social network for sharing moments with up to 30 connections.

Automatic post in the social feed if a check-in is missed (if enabled).

Mutual confirmation of friendships required.

2.3 Minimum Age

The use of the Alma App is permitted for persons aged 16 and over. Persons under 16 years of age may not use the App. By registering, you confirm that you are at least 16 years old.


3. What Data is Processed?

3.1 Mandatory Data upon Registration

To use the App, I require the following data (Legal basis: Art. 6(1)(b) GDPR – Performance of a contract):

Email address – for account creation, communication, and password reset.

Password – stored in encrypted form and used for account security.

First name – for personalization and display to your contacts.

Last name – for full identification.

3.2 Optional Profile Data

You may voluntarily provide the following data (Legal basis: Art. 6(1)(a) GDPR – Consent):

Profile picture – for personalization and social functions.

Date of birth – for age verification.

Phone number – as an alternative contact method.

Address – for emergency information.

Bio – for social functions.

City – for social functions and search.

3.3 Health Data (Connect+ only, completely optional)

These special categories of data pursuant to Art. 9 GDPR are processed only with your explicit consent.

Collected data: Blood type, allergies, medications, medical conditions, pets, house key info, other emergency information.

Legal basis: Art. 9(2)(a) GDPR (Explicit consent).

Security: This data is stored using AES-256 encryption and is only transmitted to your confirmed emergency contacts in an emergency.

3.4 Location Data (Optional)

Location tracking is completely optional and can be operated in three modes (Legal basis: Art. 6(1)(a) GDPR – Consent):

Save on Check-In – Location is captured manually only when checking in.

Always Send – Location is updated in the background. Technically, only the last known location is saved; the previous one is overwritten.

Disabled – No location is captured or shared.

Note: Location data is automatically deleted after 30 days of inactivity.

3.5 Check-In Data

During check-ins, the following data is captured:

Check-in time – for safety monitoring (Retention: 90 days for Connect+).

Device information – for error analysis (Retention: 90 days).

Last known location – for emergency notifications (Retention: max. 30 days, overwritten).

3.6 Social Data (Alma Moments)

When using social functions, the following data is processed: Posts (text, images, videos), comments, likes, connections, and mood emojis.

Legal basis: Art. 6(1)(b) GDPR (Performance of a contract to provide social functions) and Art. 6(1)(a) GDPR (for voluntary content).

3.7 Technical Data

The following technical data is processed for the operation of the App:

Device type & OS – for app optimization and error analysis (Legal basis: Art. 6(1)(f) GDPR).

App version – for support and updates (Legal basis: Art. 6(1)(f) GDPR).

FCM Token – for push notifications (Legal basis: Art. 6(1)(b) GDPR).

Time zone – for correct check-in times (Legal basis: Art. 6(1)(b) GDPR).

Server Logfiles – for infrastructure security and defense against attacks (Legal basis: Art. 6(1)(f) GDPR).

3.8 Marketing Communication (Optional)

Only if you have consented, by checking the box during registration or later in the settings, will I process your email address and name to send tips, app news, and updates (Newsletter).

Legal basis: Art. 6(1)(a) GDPR (Consent).

Unsubscribe: You can unsubscribe at any time via the unsubscribe link in every email or in the App's notification settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.


4. Purposes of Data Processing

I process your data for the following purposes:

Contract Performance (Art. 6(1)(b) GDPR): Provision of the App, check-ins, alerting, subscription management.

Consent (Art. 6(1)(a) GDPR): Health data, location sharing, optional profile info, marketing.

Legitimate Interests (Art. 6(1)(f) GDPR): Fraud prevention, technical security, troubleshooting.

Legal Obligations (Art. 6(1)(c) GDPR): Retention obligations, requests from authorities.

Note on Automated Decision-Making: No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you. The triggering of alarms is based exclusively on the time windows and rules (If-Then logic) defined by you personally.


5. Data Recipients and Processors

5.1 Service Providers

I work with the following service providers to operate the App:

Google Firebase (Google Ireland Ltd.) – for hosting, database, and authentication. Location: Frankfurt am Main (europe-west3). Data protection guarantee: EU-US Data Privacy Framework (DPF), Google Cloud DPA.

RevenueCat – for subscription management (processed data: subscription status, purchase time, pseudonymous App User ID, transaction metadata). Location: USA (AWS). Data protection guarantee: EU Standard Contractual Clauses (SCCs), DPA. For transfers from the United Kingdom: UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs. For transfers from Switzerland: compliance with the requirements of the FADP/DSG.

Mailgun (Sinch) – for email delivery. Location: EU. Data protection guarantee: DPA, GDPR compliant.

Algolia – for user search. Location: EU. Data protection guarantee: DPA, GDPR compliant.

5.2 Conditional Data Transfer (Notification Channels)

Transfer to these services only occurs if your emergency contact explicitly chooses these channels:

Meta (WhatsApp Cloud API) – only if WhatsApp is selected by the contact. Meta is certified under the EU-US Data Privacy Framework. For transfers from the United Kingdom, the UK Extension to the EU-US DPF additionally applies.

Telegram – Use of Telegram only occurs if your emergency contact actively selects this channel themselves. In this case, your contact consents directly to data processing by Telegram (potentially on servers outside the EU).

5.3 No Data Transfer to Third Parties

Your data is not sold.

No transfer for third-party advertising purposes.

No transfer to data brokers.

Exception: Your emergency contacts receive the information you have released in an emergency.


6. Data Storage and Deletion

6.1 Storage Location

All data is primarily stored in the European Union (Frankfurt am Main, Google Cloud region europe-west3).

6.2 Storage Duration & Automatic Deletion

Check-In History: Automatically deleted after 90 days.

Location Data: Automatically deleted after 30 days of inactivity (or continuously overwritten).

Server Logfiles: Automatically deleted after 90 days (for error analysis/defense against attacks).

Invitation Links: Automatically deleted after 7 days.

Health Data: Deletion after 12 months of inactivity.

Account Data: Deletion after 24 months of inactivity.

Reminders before Inactivity Deletion:

After 12 months without login: Automatic deletion of health data; reminder email sent.

After 13 months without response: Further reminder.

After 23 months of inactivity: Final warning email.

After 24 months without response: Complete account deletion.

Exception for Active Subscriptions: As long as a paid Connect+ subscription is active, no automatic inactivity deletion takes place.

Billing Data: Billing data (name, address, transaction information) is stored for 10 years in accordance with tax retention obligations (§ 147 AO). This data is kept separate from usage data.

Deleted Accounts are permanently and irrevocably removed after a grace period of 30 days.

Important: Upon account deletion request, usage ends immediately. From this point on, no check-in reminders, alarms, or other notifications will be triggered – neither to you nor to your emergency contacts. Additionally, your profile in Alma Moments will no longer be visible. The final physical deletion of all data occurs after the grace period of 30 days.


7. Data Security

I employ modern security standards:

Encryption: TLS 1.2+ for data transmission (Transit) and storage on AES-256 encrypted servers (At Rest) for sensitive data.

Access Control: Firebase Security Rules, strict authentication.

App Security: Firebase App Check, optional biometric protection (Connect+), separate settings lock.


8. Your Rights

You have the following rights at any time (pursuant to Art. 15-21 GDPR):

Access & Data Export: In the app under Settings → Privacy.

Rectification: You can edit all profile and health data yourself in the app.

Erasure: You can delete individual data or your entire account directly in the app.

Restriction of Processing (Art. 18 GDPR): You can request the restriction of processing, e.g. if you contest the accuracy of your data or if the processing is unlawful.

Withdrawal of Consent: You can withdraw consent (e.g. location, health data, marketing) at any time in the settings. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

Right to Object (Art. 21 GDPR): If data processing is based on legitimate interests (Art. 6(1)(f) GDPR), you have the right to object at any time for reasons arising from your particular situation.

Right to Lodge a Complaint: You may contact the competent data protection supervisory authority. For users in Germany, this is the Berlin Commissioner for Data Protection and Freedom of Information (datenschutz-berlin.de). Users in the European Economic Area (EEA) may contact the supervisory authority in their country of habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at edpb.europa.eu. Users in the United Kingdom may contact the Information Commissioner's Office (ICO): ico.org.uk. Users in Switzerland may contact the Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch.


9. Special Processing Situations

9.1 Emergency Notification (Connect+ only)

In the event of a missed check-in, your emergency contacts will be notified. Only the data you have stored in your profile and authorized for release (e.g., location, health info) will be transmitted. Legal basis:

Art. 6(1)(b) GDPR (Performance of a contract)

Art. 9(2)(a) GDPR (Explicit consent for health data)

In addition, Art. 9(2)(c) GDPR (Protection of vital interests), to ensure physical integrity in an emergency.

9.2 Inviting Emergency Contacts

To protect the privacy of third parties, you do not enter the contact details of other persons directly into the App.

Link Creation: You generate a personal invitation link in the App.

Sending: You send this link to your trusted person via a channel of your choice (e.g., WhatsApp, Email).

Registration: Your trusted person opens the link and independently enters their contact details and desired notification channel. As long as the link is not used, no data of your contacts is stored. Unused links expire after 7 days.

9.3 You as an Emergency Contact

If you accept an invitation, you consent to your provided contact details (Name, Email/Phone/Handle) being stored for emergency notification purposes. You can unsubscribe at any time via an opt-out link in the messages.

9.4 Remote Setup (Connect+)

You can temporarily grant a trusted person access (via a generated code) to set up the App for you and manage settings. Once successfully connected, this access remains until you revoke it in the App. For your security, all changes made by the trusted person are logged (Audit Log).

Legal basis: Art. 6(1)(b) GDPR (Performance of a contract, function initiated by user).


10. Third-Party Authentication

Google Sign-In: Transmitted data includes email, name, profile picture. (Privacy: policies.google.com/privacy)

Apple Sign-In: Transmitted data includes email (or relay address) and name. (Privacy: apple.com/legal/privacy)


11. Push Notifications

I use push notifications for check-in reminders, alarms, and social interactions.

Legal basis: Art. 6(1)(b) GDPR (for contractual functions like alarms) and Art. 6(1)(f) GDPR (for social notices).

Control: You can manage most notification types in the App settings. Critical safety notifications are part of the core service.


12. Analysis and Troubleshooting

12.1 Firebase Analytics

I use Firebase Analytics in a data-minimized configuration to ensure App stability and fix errors.

Privacy Measures: No advertising IDs (IDFA/AAID) are collected. IP anonymization is enabled.

Purpose: Anonymized crash and usage statistics for technical optimization.

Legal basis: Art. 6(1)(f) GDPR (Legitimate interest in the error-free operation and security of the App).

12.2 Firebase Crashlytics

In the event of App crashes, technical details (stack trace, device info) are sent to fix the error. No directly identifying data is stored in the crash report.

12.3 ePrivacy and Electronic Communications

Access to certain device functions and the storage of technical information on the device (e.g., FCM tokens) may be subject to national laws implementing the ePrivacy Directive (2002/58/EC). In the United Kingdom, the Privacy and Electronic Communications Regulations 2003 (PECR) apply. In Switzerland, the provisions of the Telecommunications Act (TCA/FMG) apply. Where consent is required under the respectively applicable law, it is obtained prior to the relevant access.


13. Changes to this Privacy Policy

I reserve the right to amend this Privacy Policy. In the event of significant changes, you will be informed via the App or email. The current version is always available in the App and on the website.


14. International Data Transfers

Primary data storage takes place in the European Union (Frankfurt am Main). Where data is transferred to service providers outside the EEA (see Section 5), I rely on the following safeguards:

EU-US Data Privacy Framework (DPF): For transfers to US-based companies certified under the DPF (e.g., Google, Meta).

EU Standard Contractual Clauses (SCCs): For transfers to companies not certified under the DPF (e.g., RevenueCat).

For transfers from the United Kingdom: I use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as well as the UK Extension to the EU-US DPF, where applicable.

For transfers involving Switzerland: I comply with the requirements of the Swiss Federal Act on Data Protection (FADP/DSG), including recognition of adequacy decisions by the Federal Council and the use of standard contractual clauses where required.

For further details on individual service providers, see Section 5.


15. Users Outside the EU/EEA, United Kingdom, and Switzerland

For users in countries not covered by the GDPR, UK GDPR, or Swiss FADP, the Provider applies the same technical and organisational measures as for users within the GDPR's scope. Mandatory data protection provisions of the user's country of habitual residence remain unaffected.


16. Contact

Bastian Matzen, Alma Softwareentwicklung, Kienitzer Str. 113, 12049 Berlin

Email: privacy@alma-app.eu

Website: www.alma-app.eu