Privacy Policy

Last Updated: July 13, 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:

Charly Suchanek
[Street and House Number]
[Zip Code and City]
Austria
Email: [Your official contact email]

2. General Data Processing

The "Lernstube" app only processes personal data insofar as this is necessary to provide a functional application as well as the offered contents and services. The actual user content (e.g., specific study times) is encrypted locally on the device using End-to-End Encryption (E2EE) / Zero-Knowledge architecture. The server has no access to the unencrypted content of this data. The legal basis for the provision of the app is the fulfillment of a contract pursuant to Art. 6(1)(b) GDPR.

3. App Provision and Log Files (Anti-Abuse)

To ensure the security and stability of the server infrastructure and to prevent abuse, we collect general network usage data (e.g., ingress/egress traffic, connection duration). Strictly no content data is read or evaluated. The legal basis is our legitimate interest in securing our systems pursuant to Art. 6(1)(f) GDPR.

4. Authentication (Login)

For account creation and login, we use the following Single Sign-On providers and Email authentication:

  • Google Sign-In (Google Ireland Limited, Ireland)
  • Apple Sign-In (Apple Inc., USA)
  • Email & Password

To establish identity, basic data (such as email address or authentication tokens) is transmitted to our service provider, Supabase, to manage the login status. The legal basis is Art. 6(1)(b) GDPR (Contract fulfillment).

5. In-App Friend Lists and Storage (Servers in Zurich)

To provide core app functions (e.g., sharing study times with friends), friendship links are stored based exclusively on In-App usernames. There is absolutely no access to your device's local address book or contacts. The encrypted data and metadata (timestamps) are hosted on servers of our processor (Supabase) located in Zurich, Switzerland. The European Commission has issued an adequacy decision for Switzerland pursuant to Art. 45 GDPR, guaranteeing a level of data protection equivalent to the EU. The legal basis for processing is Art. 6(1)(b) GDPR.

6. Push Notifications (Firebase Cloud Messaging)

To notify you about relevant events, we use Firebase Cloud Messaging (FCM) provided by Google. When you grant permission for push notifications, your device is assigned an anonymous, unique FCM token. This token, along with your IP address, is transmitted to Google's servers to deliver notifications. The content of the notifications is not analyzed for advertising purposes. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You can revoke this consent at any time in your device's system settings.

7. Anti-Tampering & Integrity

We implement integrity check mechanisms to ensure that the app has not been tampered with and is running on genuine devices. For this, we use services provided by the operating system manufacturers (Google Play Protect / App Attest). These services process device-specific technical data to generate security certificates. The legal basis is our legitimate interest in protecting the app infrastructure pursuant to Art. 6(1)(f) GDPR.

8. Personalized Advertising (Google AdMob)

To finance the app, we display advertisements using Google AdMob. AdMob uses cookies, device identifiers (e.g., Android Advertising ID or Apple IDFA), and location data to serve relevant ads. The processing for personalized advertising takes place exclusively on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR, obtained via the Google UMP SDK dialog shown when you start the app. You can adjust your privacy settings and revoke your consent at any time within the app settings.

9. Data Transfers to Third Countries (USA)

Some of our service providers (Google, Apple, Supabase) process data in the USA. The transfer of data is based on the adequacy decision of the EU Commission (EU-US Data Privacy Framework). Where a service is not covered by this framework, we have concluded Standard Contractual Clauses (SCCs) with the respective providers.

10. Storage Duration and Data Deletion

Personal data is deleted or blocked as soon as the purpose of storage ceases to apply. Based on the recorded timestamps, the app automatically deletes outdated, encrypted records from the server. If you delete your account, all associated identification data, In-App friend lists, and tokens will be removed from our servers immediately.

11. Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights vis-à-vis the data controller:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority (e.g., the Austrian Data Protection Authority) if you believe that the processing of your personal data violates the GDPR.

To exercise these rights, please contact us using the email address provided above.