Privacy Policy

Last updated: 06.04.2026

1. Controller

This Privacy Policy applies to all services operated by:

Berger & Rosenstock GbR
Dieselstraße 22e
61231 Bad Nauheim
Germany
Email: moin@berger-rosenstock.de

Berger & Rosenstock GbR is the data controller within the meaning of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

2. Scope of Application

This Privacy Policy applies worldwide to:

  • Our corporate website (berger-rosenstock.de)

  • All associated product and landing page domains

  • All mobile, desktop, and web-based applications and services published or operated by us, including iOS, Android, macOS, and web applications published by us

  • Backend systems and APIs

  • Our official social media profiles

  • Communication via email, contact forms, or newsletters

If a specific service requires additional privacy disclosures, these will be provided within that service.

3. Categories of Personal Data Processed

Depending on how you interact with our services, we may process:

  • Identification data (e.g., name, email address)

  • Communication data (messages, support inquiries)

  • Technical data (IP address, browser type, device identifiers)

  • Usage data (app interaction, system logs)

  • Transaction-related data (processed by app stores, not directly by us)

We do not knowingly collect special categories of personal data unless voluntarily provided.

4. Legal Bases for Processing (EEA/UK)

If you are located in the EU, EEA, or United Kingdom, processing is based on:

  • Art. 6(1)(a) GDPR – Consent

  • Art. 6(1)(b) GDPR – Performance of a contract

  • Art. 6(1)(c) GDPR – Legal obligation

  • Art. 6(1)(f) GDPR – Legitimate interest

For users outside these jurisdictions, processing occurs in accordance with applicable local laws.

5. Website Hosting (MailerLite)

Our websites and landing pages are hosted by:

MailerLite Limited
Dublin, Ireland

Technical data processed may include:

  • IP address

  • Access timestamps

  • Requested URL

  • Browser and device data

Purpose:

  • Website delivery

  • Stability

  • Security

  • Fraud prevention

Legal basis: Legitimate interest.

MailerLite acts as a processor under Art. 28 GDPR where applicable.

6. Application Infrastructure (Civo)

Our backend and application infrastructure is hosted via:

Civo Ltd
United Kingdom

Processing may include:

  • Server logs

  • API requests

  • IP addresses

  • System diagnostics

Purpose:

  • Application performance

  • Security

  • Monitoring

  • Error resolution

Appropriate data processing agreements have been implemented where required.

7. Distribution via App Stores

Our mobile applications are distributed via:

  • Apple App Store

  • Google Play Store

Apple and Google process personal data independently, including:

  • Account information

  • Payments

  • Download analytics

  • Store statistics

We are not responsible for processing conducted by these providers.

8. Data Processing Within Apps

Within our iOS, macOs, Android apps and WebApps we process personal data only as necessary to provide core functionality.

This may include:

  • Device information

  • Technical identifiers

  • User-submitted content

  • Support communications

We do not sell personal data.

We do not use personal data for behavioral advertising without explicit consent.

8.1 Upload and Processing of User-Generated Data in the Context of Interactive Features

Where the functionality of our digital products and services — including, without limitation, iOS applications, Android applications, macOS applications, and web-based applications and services operated by Berger & Rosenstock GbR — requires the transmission of user-generated or user-attributed data to our server infrastructure, such processing is carried out exclusively to the extent technically necessary for the provision of the requested feature.

8.2 Categories of Data Subject to Upload

Depending on the specific feature utilised, the following categories of personal data may be transmitted to and stored on our servers:

  • User-submitted identifiers, including usernames, display names, or pseudonyms, whether real or fictional, as entered voluntarily by the user
  • Activity-related data generated within the application or service, including but not limited to scores, game results, progress states, session outcomes, or comparable user-generated metrics
  • Technical identifiers required for the unambiguous assignment of data records, including device identifiers or session tokens, to the extent necessary for the feature's operation
  • Any other data voluntarily submitted by the user in the context of interactive features, including profile data, preferences, or user-defined settings

The specific categories of data processed in connection with any given feature will be disclosed to the user within the relevant application or service at the point of data collection.

8.3 Purpose and Legal Basis

The processing of data described in Section 8.1 and 8.2 serves exclusively the purpose of providing the interactive feature requested by the user (e.g., global or regional leaderboards, cross-device progress synchronisation, user profile management, or comparable functionality). No data uploaded pursuant to this section is used for purposes of behavioural profiling, targeted advertising, or sale to third parties.

The legal basis for such processing is, depending on the nature of the feature and the applicable jurisdiction:

  • Art. 6(1)(a) GDPR — where the user has provided freely given, specific, informed, and unambiguous consent prior to the upload, as obtained through an in-app or in-service consent mechanism; or
  • Art. 6(1)(b) GDPR — where the processing is objectively necessary for the performance of a service or feature explicitly requested by the user and cannot reasonably be provided without the transmission of the relevant data.

Where consent constitutes the applicable legal basis, the user retains the right to withdraw such consent at any time without prejudice to the lawfulness of processing carried out prior to withdrawal. Withdrawal of consent may result in the unavailability of the relevant feature but shall not affect access to core functionality of the application or service.

8.4 Data Transmission and Storage

Data transmitted pursuant to this section is stored on server infrastructure operated by or on behalf of Berger & Rosenstock GbR. Current infrastructure providers are identified in Section 6 of this Privacy Policy. Where data is processed by third-party infrastructure providers acting as processors, appropriate data processing agreements pursuant to Art. 28 GDPR have been or will be concluded.

8.5 Retention and Deletion

Data uploaded pursuant to this section is retained only for the duration operationally required by the relevant feature. Upon permanent discontinuation of a feature or service, associated data will be deleted or anonymised within a reasonable timeframe. Users may request the deletion of their uploaded data at any time by contacting moin@berger-rosenstock.de. Such requests will be processed in accordance with the applicable legal requirements and the rights set out in Section 13 of this Privacy Policy.

8.6 Voluntary Participation

Participation in features that involve the upload of user-generated data is voluntary. Users who decline to provide consent or who choose not to utilise such features will not be excluded from the core functionality of the relevant application or service, except where the upload of data is technically inseparable from the feature itself, in which case the user will be informed accordingly at the point of interaction.

9. Newsletter & Communications

If you subscribe to updates, we process:

  • Email address

  • Optional voluntary information

Delivery is handled via MailerLite (Ireland).

Consent may be withdrawn at any time.

Double opt-in procedures are implemented where required by law.

10. Social Media Platforms

We maintain profiles and publish content on:

  • YouTube (Google)

  • Instagram (Meta)

  • Facebook (Meta)

  • LinkedIn

These platforms act as independent controllers for data processed through their services.

Please consult their respective privacy policies.

11. International Data Transfers

Due to our global operations, personal data may be transferred outside your country of residence.

For EU/EEA users, transfers outside the EEA are safeguarded by:

  • Adequacy decisions

  • Standard Contractual Clauses (SCCs)

  • Other legally recognized safeguards

For UK users, transfers comply with UK GDPR transfer requirements.

12. Data Retention

We retain personal data only as long as necessary for:

  • Contractual obligations

  • Legal compliance

  • Legitimate business interests

Data no longer required is securely deleted or anonymized.

13. Your Rights (GDPR & UK GDPR)

You may have the right to:

  • Access your data

  • Correct inaccurate data

  • Request deletion

  • Restrict processing

  • Data portability

  • Object to processing

  • Withdraw consent

To exercise your rights, contact:
moin@berger-rosenstock.de

You may lodge a complaint with your local supervisory authority.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have the right to:

  • Know what personal information is collected

  • Request deletion

  • Request correction

  • Opt-out of sale or sharing (we do not sell personal data)

  • Non-discrimination for exercising privacy rights

To exercise California rights, contact:
moin@berger-rosenstock.de

15. Other U.S. State Privacy Laws

Where applicable, residents of certain U.S. states (e.g., Virginia, Colorado, Connecticut, Utah) may have similar rights regarding access, deletion, correction, and opt-out rights.

We do not engage in targeted advertising without appropriate consent.

16. Children’s Privacy

Our services are not directed to children under 13 (or higher minimum age where applicable).

We do not knowingly collect personal data from children without parental consent.

17. Data Security

We implement appropriate technical and organizational measures to protect personal data against:

  • Unauthorized access

  • Accidental loss

  • Misuse

  • Alteration

However, no system can guarantee absolute security.

18. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

19. Do Not Track Signals

Some browsers transmit “Do Not Track” signals. As there is no uniform industry standard, we do not currently respond differently to such signals.

20. Changes to this Privacy Policy

We may update this Privacy Policy to reflect:

  • Legal changes

  • Service modifications

  • Infrastructure updates

The updated version will be published on our website with an updated revision date.