← Knowledr

Privacy

Last updated: 18 May 2026

Controller

Markus Wildgruber
Lisztstraße 4
93053 Regensburg
Germany

Email: support@knowledr.app
Phone: +49 176 40429097
Imprint: /impressum

Overview of processing

The following overview summarises the types of data processed, the purposes of their processing and the categories of data subjects involved.

Types of data processed

  • Inventory data (e.g. names, addresses).
  • Contact data (e.g. email, phone).
  • Content data (e.g. messages or feedback submitted by users).
  • Usage data (e.g. pages visited, time spent, interactions).
  • Meta, communication and procedural data (e.g. IP addresses, timestamps, identifiers).
  • Log data (e.g. server logs, access times).

Categories of data subjects

  • Users of our online service.
  • Communication partners.

Purposes of processing

  • Provision of our online service and user-friendliness.
  • Communication and inquiry management.
  • Security and abuse prevention.
  • Aggregate service-quality monitoring.
  • Advertising (with consent).
  • Information-technology infrastructure.

The following overview lists the legal bases under the GDPR on which we process personal data. Please note that in addition to GDPR rules, national data-protection law in your or our country of residence may apply. Where a specific legal basis is decisive in an individual case, we identify it in the relevant section.

  • Consent (Art. 6 (1) (a) GDPR) — the data subject has given consent for processing for one or more specific purposes.
  • Performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR) — processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 (1) (c) GDPR) — processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 (1) (f) GDPR) — processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided those interests are not overridden by the interests, fundamental rights or freedoms of the data subject.

National data-protection rules in Germany. In addition to the GDPR, national data-protection rules apply in Germany. These include in particular the Federal Data Protection Act (BDSG), which contains special rules on rights of access, erasure, objection, processing of special categories of personal data, processing for other purposes and automated decision-making including profiling. State data-protection laws may also apply.

Security measures

In accordance with legal requirements and taking into account the state of the art, implementation costs and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Measures include in particular safeguarding the confidentiality, integrity and availability of data through control of physical and electronic access, of access to data and of its entry, transmission, security and separation. We have also established procedures to ensure the exercise of data subject rights, data deletion and reactions to data threats. We consider the protection of personal data already during the development and selection of hardware, software and procedures, applying the principles of data protection by design and by default.

Securing online connections via TLS/SSL. We use TLS encryption to protect user data transmitted via our online services from unauthorised access. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. A site secured by an SSL/TLS certificate is indicated by HTTPS in the URL — a signal to users that their data is transmitted securely and encrypted.

Transmission of personal data

In the course of our processing, personal data may be transmitted to or disclosed to other entities, companies, legally independent organisational units or persons. Recipients may include, for example, IT service providers or providers of services embedded in a website. In such cases we observe legal requirements and conclude appropriate contracts or agreements that serve the protection of your data with the recipients of your data.

International data transfers

Data processing in third countries. Where we transmit data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or where this occurs in the context of using third-party services or disclosing data to other persons, entities or companies (recognisable, for instance, from the provider's postal address or an explicit reference to a third-country transfer in this Privacy Policy), this is always done in accordance with legal requirements.

For data transfers to the United States we rely primarily on the EU-US Data Privacy Framework (DPF), recognised as a safe legal framework by an adequacy decision of the EU Commission dated 10 July 2023. Additionally, we have concluded EU Standard Contractual Clauses (SCCs) with the relevant providers, setting out contractual obligations to protect your data.

This twofold safeguard ensures comprehensive protection: the DPF forms the primary protection layer, while the SCCs provide a reliable fallback. For each provider listed below we indicate whether they are DPF-certified and whether SCCs apply. More information on the DPF and a list of certified companies is available at dataprivacyframework.gov.

General information on storage and deletion

We delete personal data in accordance with legal requirements as soon as the underlying consent is withdrawn or no further legal basis for processing exists. Exceptions apply where legal obligations or compelling interests require longer retention or archiving. In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal claims or for the protection of the rights of other natural or legal persons, must be archived accordingly.

The following general retention periods apply under German law:

  • 10 years — books and records, annual financial statements, inventories, management reports, opening balance sheets and related working instructions (§147 (1) (1) + (3) AO, §14b (1) UStG, §257 (1) (1) + (4) HGB).
  • 8 years — accounting vouchers such as invoices and cost receipts (§147 (1) (4) and (4a) + (3) AO, §257 (1) (4) + (4) HGB).
  • 6 years — other business records, including received and sent commercial letters and documents relevant to taxation (§147 (1) (2), (3), (5) + (3) AO, §257 (1) (2) and (3) + (4) HGB).
  • 3 years — data needed to address potential warranty and damages claims or similar contractual rights, based on the regular statutory limitation period of three years (§§195, 199 BGB).

Rights of data subjects

You have the following rights under the GDPR (Articles 15 to 21):

  • Right to object: you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data is processed for direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing, including profiling to the extent it is related to such direct marketing.
  • Right to withdraw consent: you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right of access: you have the right to request confirmation as to whether data concerning you is being processed, and access to that data together with further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: you have the right to request the completion of data concerning you or the rectification of inaccurate data.
  • Right to erasure and restriction of processing: you have the right to request the immediate erasure of data concerning you, or alternatively a restriction of processing.
  • Right to data portability: you have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to have it transmitted to another controller.
  • Right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The competent authority for the controller is the Bavarian State Office for Data Protection Supervision (BayLDA), lda.bayern.de.

You can exercise these rights at any time by contacting support@knowledr.app. We respond within one month per Art. 12 (3) GDPR. Where you have an account, you can also exercise the rights to erasure (Art. 17) and portability (Art. 20) directly via Profile → Delete account / Export my data.

Provision of online service and web hosting

We process user data in order to make our online services available. To this end we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Types of data processed: usage data; meta, communication and procedural data; log data (logfiles relating to logins and to access of data and access times).
  • Data subjects: users of our online services.
  • Purposes and legitimate interests: provision of our online services and user-friendliness; information-technology infrastructure; security measures.
  • Legal basis: legitimate interests (Art. 6 (1) (f) GDPR).

Further notes on processes and providers:

  • Cloudflare, Inc. (web hosting, edge CDN, DDoS protection): we operate our web frontend on Cloudflare Pages and route all traffic through Cloudflare's edge network for DDoS protection and TLS termination. Cloudflare receives request metadata including IP address, user-agent, requested URL and resolved country code. Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Legal basis: legitimate interests (Art. 6 (1) (f) GDPR). Privacy policy: cloudflare.com/privacypolicy. Data Processing Addendum: cloudflare.com/cloudflare-customer-dpa. Third-country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses. Retention of HTTP logs: up to 30 days per Cloudflare's standard policy.
  • Collection of access data and logfiles. Access to our online service is logged in the form of server logfiles. These can include the requested page or file, date and time of the request, transferred data volumes, success indicator, browser type and version, the user's operating system, the referrer URL and as a rule IP addresses and the requesting provider. Server logfiles can be used for security purposes (e.g. to prevent overload of servers, in particular in the case of DDoS attacks) and to ensure server utilisation and stability. Legal basis: legitimate interests (Art. 6 (1) (f) GDPR). Erasure: logfile information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further retention is necessary for evidentiary purposes is excluded from erasure until the relevant incident has been finally clarified.

Cookies and consent management

We use cookies and similar technologies that store information on users' devices and read it from those devices. These may be used for functionality, security, comfort and for analysis of visitor flows. We use cookies in accordance with legal requirements: where required we obtain users' prior consent; where consent is not required, we rely on our legitimate interests, in particular where storage and reading of information is essential for delivering content and functions explicitly requested. Consent can be withdrawn at any time.

Storage duration: the following types of cookies are distinguished by storage duration:

  • Temporary cookies (session cookies): deleted at the latest when the user leaves the online service and closes their device (e.g. browser or mobile app).
  • Permanent cookies: remain stored even after the device has been closed; e.g. login status can be saved, or preferences displayed directly when the user revisits the site. Unless otherwise specified, you should assume permanent cookies have a storage duration of up to two years.

General opt-out information. You can withdraw consent at any time and object to processing in accordance with statutory provisions, including via your browser's privacy settings.

Processed data, legal basis and consent management:

  • Essential storage (no consent required, §25 (2) TTDSG): Supabase authentication cookies (sb-access-token, sb-refresh-token); Cloudflare bot-management cookie (__cf_bm); local storage of your consent decision; session storage for anti-abuse frequency capping.
  • Marketing storage (consent required): Google AdMob and AdSense cookies and advertising identifiers for personalised ads. Managed through Google Funding Choices, a certified IAB TCF v2.2 consent management platform. Legal basis: consent (Art. 6 (1) (a) GDPR, §25 (1) TTDSG). You can withdraw or change your consent at any time via the "Cookie settings" link in the footer of any page.

Contact and inquiry management

When you contact us (e.g. by post, email or in-app feedback form), the data provided is processed to the extent necessary to answer the contact request and any measures requested.

  • Types of data processed: contact data (e.g. email addresses); content data (e.g. messages, feedback); meta, communication and procedural data.
  • Data subjects: communication partners.
  • Purposes: communication; organisational and administrative processes; feedback.
  • Legal basis: performance of a contract and pre-contractual requests (Art. 6 (1) (b) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).

Account, registration and authentication

You can create an account using your email address (passwordless one-time code) or by signing in with Google. An anonymous session is created automatically on first visit so you can play before signing up; if you later create an account, your anonymous play history is linked to that account so progress and scores are preserved.

  • Types of data processed: inventory data (email address, optional username and avatar URL, generated user ID); for Google sign-in, the Google account identifier and the verified email address as released by Google.
  • Data subjects: registered users.
  • Purposes: provision of the account, authentication, syncing scores and progress across devices.
  • Legal basis: performance of a contract (Art. 6 (1) (b) GDPR).

Further notes on providers:

  • Supabase Inc. (authentication and database hosting): we use Supabase for managed PostgreSQL hosting and authentication. Supabase processes your account identifier, email, sign-in timestamps and (for OTP) email-delivery telemetry. Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992, with processing infrastructure in the EU and the United States. Legal basis: performance of a contract (Art. 6 (1) (b) GDPR). Privacy policy: supabase.com/privacy. DPA: supabase.com/legal/dpa. Third-country transfer: Standard Contractual Clauses.
  • Google OAuth ("Sign in with Google"): if you choose to sign in with Google, Google authenticates you against your Google account and provides us with a stable identifier plus your verified email. We do not receive your password. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (with onward transfers to Google LLC in the United States). Legal basis: performance of a contract (Art. 6 (1) (b) GDPR). Privacy policy: policies.google.com/privacy. Third-country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses.
  • Upstash, Inc. (Redis-based session storage): Upstash provides the Redis store we use for active game sessions, rate-limit counters and account-deletion confirmation tokens. Personal data is limited to the generated session/token IDs. Provider: Upstash, Inc., 2261 Market Street #4226, San Francisco, CA 94114, USA. Legal basis: performance of a contract (Art. 6 (1) (b) GDPR); legitimate interests for rate-limiting (Art. 6 (1) (f) GDPR). Third-country transfer: Standard Contractual Clauses.

Game data, leaderboards and anti-abuse

We process gameplay data so that you can play, see your progress and appear on leaderboards. Anti-abuse measures (per-user question-pool watermarking, rate limits and flagging) protect the integrity of competitive features.

  • Types of data processed: gameplay telemetry (the swipes you make, timing, scores, streaks); the questions you have seen; participation in friend challenges; a public profile (username and country code) when shown on leaderboards — you can opt out at any time via Profile → Settings → "Show me on leaderboards", in which case your scores still count toward your personal stats but are no longer displayed publicly; anti-abuse watermarks (a cohort tag associated with your account); a flagged status set if our system detects abuse.
  • Data subjects: registered and anonymous players.
  • Purposes: provision of the game; competitive features; aggregate quality monitoring; abuse prevention.
  • Legal basis: performance of a contract (Art. 6 (1) (b) GDPR) for gameplay and leaderboards; legitimate interests (Art. 6 (1) (f) GDPR) for anti-abuse measures.
  • Erasure: game results, swipe history, watermark assignments and friend-challenge records are cascade-deleted when you delete your account. Aggregate event records may be retained without identifier for service-quality monitoring under Art. 6 (1) (f) GDPR.

Advertising

The service is free and supported by advertising. We use Google AdMob in the mobile apps and Google AdSense on the web. Consent for personalised advertising and any advertising identifiers is collected and managed by Google Funding Choices, a certified IAB TCF v2.2 consent management platform. Without your consent, no personalised advertising data is processed; users in EU/EEA/UK regions are shown only non-personalised ads or no ads.

  • Types of data processed (with consent): IP address, advertising identifier (IDFA on iOS, GAID on Android), browser/device characteristics, ad-interaction data.
  • Data subjects: users who consented to personalised advertising.
  • Purposes: selection, delivery and frequency-capping of advertising; measurement of campaign performance.
  • Legal basis: consent (Art. 6 (1) (a) GDPR, §25 (1) TTDSG). You can withdraw consent at any time via the "Cookie settings" link in the footer.
  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with onward transfers to Google LLC in the United States. Privacy policy: policies.google.com/privacy. Third-country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses.

Age verification

When you create an account you confirm that you are at least 16 years of age, the relevant threshold for valid consent under Art. 8 GDPR in Germany. The timestamp of your confirmation is stored on your account and as an entry in our internal consent log, which records the purpose, decision, source surface and timestamp of each consent decision. We retain this log to comply with the burden of proof under Art. 7 (1) GDPR.

  • Types of data processed: age-confirmation timestamp; consent-log entry.
  • Data subjects: registered users at signup.
  • Legal basis: performance of a contract (Art. 6 (1) (b) GDPR); legal obligation regarding documentation of consent (Art. 7 (1) GDPR).

Changes and updates

Please review this Privacy Policy regularly. We will adjust it as changes in our data processing require. We will notify you as soon as the changes require a participation on your part (e.g. consent) or other individual notification.

Where we list addresses and contact information of companies and organisations in this policy, please note that these may change over time; please verify them before making contact.

Glossary

This section provides an overview of the terms used in this Privacy Policy. Where terms are legally defined, the legal definitions apply.

  • Inventory data: essential information needed to identify and manage contractual partners, user accounts, profiles and similar associations. Includes personal and demographic information such as names, contact data, dates of birth and specific identifiers (e.g. user IDs).
  • Content data: information generated in the course of creating, editing and publishing content. May include text, images, video, audio and other multimedia content, including metadata describing such content.
  • Contact data: essential information enabling communication with persons or organisations, including phone numbers, postal addresses, email addresses, social-media handles and messaging identifiers.
  • Meta, communication and procedural data: information about how data is processed, transmitted and managed; e.g. IP addresses, timestamps, identifiers, communication channels and audit logs.
  • Usage data: information capturing how users interact with digital products, services or platforms — features used, time spent on specific pages, navigation paths, usage frequency, timestamps, device data.
  • Personal data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
  • Log data: information about events or activities logged in a system or network — typically timestamps, IP addresses, user actions, error messages and other operational details used for analysis, security monitoring and reporting.
  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, including collection, analysis, storage, transmission and erasure.

Adapted from a structure generated with Datenschutz-Generator.de by Dr. Thomas Schwenke; translated to English and tailored to Knowledr's actual data processing. The German source is retained at docs/legal/datenschutz-de.html.