Privacy Policy

1. Controller

The controller within the meaning of Article 4(7) GDPR is:

Appgineering GbR
Represented by the managing partners Kevin Neitola, Simon Großmann and Nick Thissen
Hauptstr. 22
38173 Dettum
Germany

Email: info@appgineering.com
Phone: +49 (0) 531 4811 27 69

We have not appointed a data protection officer because we are not legally required to do so under Section 38 BDSG. Privacy-related enquiries can be sent to the addresses above or to info@stopcoffee.app.

2. Scope of this policy

This policy applies to:

• our website https://stopcoffee.app and all subdomains we operate;
• the iOS app “StopCoffee – Quit Caffeine” distributed via the Apple App Store; and
• the Android app “StopCoffee” distributed via the Google Play Store (package com.appgineering.stopcoffee).

Services and websites operated by third parties (for example the app stores themselves, the platforms behind “Sign in with Apple” or “Sign in with Google”) are subject to those providers’ own privacy policies. Where third parties act as our processors under Article 28 GDPR, we have entered into the required data processing agreements.

3. Legal bases for processing

Unless stated otherwise below, the following legal bases apply to our processing activities:

• Article 6(1)(a) GDPR – consent (e.g. for optional push notifications);
• Article 6(1)(b) GDPR – performance of a contract or pre-contractual measures (e.g. providing the app to a registered user, processing subscriptions);
• Article 6(1)(c) GDPR – compliance with a legal obligation (e.g. tax retention obligations);
• Article 6(1)(f) GDPR – our legitimate interest, in particular delivering and securing the website, fixing bugs and crashes, and preventing fraud and abuse.

Where we rely on consent under Article 6(1)(a) GDPR, you can withdraw it at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

4. Website

4.1 Hosting and delivery

The static files of stopcoffee.app are stored on Amazon Web Services (AWS) S3 in the region eu-central-1 (Frankfurt am Main, Germany) and delivered worldwide via the content-delivery network Amazon CloudFront. Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg.

When you call up our website, your browser automatically transmits the following information to the CDN edge node, which records it in short-lived access logs in order to deliver the page and protect against attacks:

• truncated IP address of the requesting device;
• date and time of the request;
• URL and HTTP method of the request;
• HTTP status code and amount of data transferred;
• referring URL;
• user-agent string (browser type, version, operating system).

Legal basis: Article 6(1)(f) GDPR. Our legitimate interest is the technically secure, stable and efficient provision of our website. CDN logs are deleted or rotated after a maximum of 14 days unless we are required to retain them longer for security-incident investigation. A data processing agreement under Article 28 GDPR is in place with AWS.

4.2 Web analytics (Umami)

We use Umami Analytics — a privacy-friendly open-source web analytics tool that we host ourselves on infrastructure inside the European Union at analytics.appgineering.com.

Umami works without cookies, does not store any individually identifiable data, does not create cross-site profiles and does not pass any data to third parties. It only collects aggregated counts of page views, the page URL, the referrer, the country (derived from the IP address on the fly and then discarded), and a hash that allows it to recognise the same visitor within the same day without storing the underlying IP. We do not store IP addresses.

Because Umami does not store or read information on your device and does not collect personal data, no consent under Section 25 TDDDG (German Telecommunications and Telemedia Data Protection Act) is required. The legal basis for the limited aggregated processing is Article 6(1)(f) GDPR; our legitimate interest is to understand in aggregate which content is read so that we can improve it.

4.3 Cookies and local storage

The website does not set any tracking cookies, advertising cookies or comparable identifiers on your device. Only strictly necessary technical storage (e.g. remembering your language preference) may be used; this is exempt from the consent requirement of Section 25(2) TDDDG.

4.4 Contact by email

If you contact us by email, we process the data you provide (at least your email address and the content of your message) for the purpose of handling your enquiry. Legal basis is Article 6(1)(b) GDPR (if the enquiry concerns a contract) or Article 6(1)(f) GDPR (otherwise). Emails are deleted as soon as your enquiry has been finally dealt with, unless statutory retention obligations require longer storage. Provision of your email address and message content is not a statutory requirement; if you do not provide them, we cannot respond to your enquiry (Article 13(2)(e) GDPR).

5. iOS and Android apps

5.1 Data stored locally on your device

After installation, the apps create a local database on your device. Until you create an account, all the information you enter (drink logs, tapering plan, settings, streaks) stays exclusively on the device and is not transmitted to us.

Storing this data, as well as authentication tokens, push tokens and the locally cached copy of your synced content, on your device is strictly necessary for us to provide the service you have explicitly requested by installing and using the App. The corresponding storage and read operations therefore fall under the necessity exemption of Section 25(2) No. 2 TDDDG and do not require separate consent.

5.2 User account (Supabase Auth)

To use features that synchronise your data across devices (or restore them after a re-install), you can create a user account. We offer three sign-up methods:

• Email and password — we process your email address and a salted password hash;
• Sign in with Apple — we receive the user identifier issued by Apple and, depending on your selection, your email address (either your real address or a private relay address generated by Apple);
• Sign in with Google — we receive the user identifier issued by Google and your email address (and, where you grant access, your name and profile picture).

Account data is stored with our processor Supabase in the European Union (see Section 7). Legal basis is Article 6(1)(b) GDPR (performance of the user contract). We retain account data for as long as you keep your account. If you delete your account, the associated personal data is deleted within 30 days, unless statutory retention obligations (e.g. under tax or commercial law) require longer storage; the data is then restricted from further processing.

Information pursuant to Article 14 GDPR. Where you sign in with “Sign in with Apple” or “Sign in with Google”, part of the account data we receive (your provider user identifier, the email address, and — for Google, if you grant access — your name and profile picture) is not obtained from you directly but from the respective identity provider. The source of these data is Apple Inc. / Apple Distribution International Ltd. or Google LLC / Google Ireland Limited. We use these data exclusively for the purpose of creating and operating your user account on the basis of Article 6(1)(b) GDPR.

Provision of account data (Article 13(2)(e) GDPR). Providing an email address (or using Sign in with Apple / Sign in with Google) is not a statutory requirement, but it is necessary to create a user account. Without an account, the cloud-sync, multi-device and subscription-restore features cannot be provided; the App can however continue to be used in local-only mode.

5.3 Synchronised app content

If you are signed in, the following content is synchronised between your device and our backend so that you can access it on any device: your tapering goal and plan, your drink log, your streaks, your in-app preferences. This data is linked to your account identifier. Legal basis is Article 6(1)(b) GDPR.

5.4 Push notifications

The apps can send push notifications (e.g. reminders for your tapering plan or daily check-ins). For this purpose:

• on iOS a device token is generated by Apple’s push service (Apple Push Notification service, “APNs”) and stored with us, so that we can address notifications to your device;
• on Android a registration token is generated by Google’s push service (Firebase Cloud Messaging, “FCM”) and stored with us for the same purpose.

Push notifications are only sent if you have actively granted the notification permission in the operating-system dialog of your device. Legal basis is Article 6(1)(a) GDPR (your consent at OS level). You can withdraw your consent at any time by disabling notifications for the app in your device settings or by deleting the app. Push tokens are deleted as soon as you withdraw consent or delete your account.

The content of push messages is processed by Apple (APNs) or Google (FCM) for the sole purpose of delivering the message to your device. The push tokens themselves are pseudonymous identifiers and do not contain any directly identifying information.

5.5 In-app purchases and subscriptions

Some features of the app are offered as a paid subscription (Freemium model). The actual payment transaction is handled exclusively by the platform operator (Apple on iOS, Google on Android); we do not receive your payment data (such as credit-card or bank details).

To know whether you are entitled to use paid features on a given device, we use RevenueCat as a processor (see Section 7). RevenueCat receives from the app and from the app store: a pseudonymous app user ID (which, for signed-in users, is the Supabase user ID, otherwise a device-generated identifier), the product identifier, the purchase, renewal and expiration date, the country of the app store, the platform, the app version, and a transaction identifier provided by the store. RevenueCat does not receive your email address or your name.

Legal basis is Article 6(1)(b) GDPR (performance of the subscription contract) and Article 6(1)(c) GDPR for any retention required under tax and commercial law. Subscription-related records are retained for the duration of the subscription and afterwards for up to ten years where statutory retention applies (Section 257 HGB, Section 147 AO).

Provision of subscription data (Article 13(2)(e) GDPR). Provision of the purchase data through the app store is contractually necessary to unlock paid features; without it, no paid features can be activated. The basic (Freemium) functions of the App remain available without a subscription.

5.6 Diagnostics and crash reports

On iOS, Apple may make aggregated, anonymous statistics about app crashes, energy consumption and feature usage available to us through “App Analytics” and “TestFlight”. This requires that you have enabled the option “Share With App Developers” in iOS Settings → Privacy & Security → Analytics & Improvements. We have no way of switching this on by ourselves; the data we receive is already aggregated by Apple and does not allow us to identify individual users.

On Android, Google may provide us with aggregated technical statistics (e.g. crash and ANR rates) through the Google Play Console / Android vitals if you have opted in to sharing diagnostic data with Google Play. Again, we cannot turn this on ourselves and the data is aggregated by Google before it reaches us.

We do not use third-party crash- or analytics SDKs (such as Firebase Crashlytics or Google Analytics for Firebase) inside the apps.

5.7 Permissions requested by the apps

The apps request only the permissions that are necessary for the respective features:

• Notification permission (only if you want reminders);
• Network access (required to talk to our backend, to sync and to process in-app purchases).

The apps do not collect your precise or coarse location, do not access your contacts, calendar, microphone, camera or photo library, and do not use any advertising identifiers (IDFA on iOS, AAID on Android). There are no advertisements in the apps.

6. Recipients and categories of recipients

Personal data is only disclosed to third parties to the extent necessary to provide the Service and only on the legal bases set out above. Recipient categories include:

• hosting and infrastructure providers (AWS, Supabase) acting as processors under Article 28 GDPR;
• app-store operators (Apple, Google) for download, updates and payment processing;
• push-notification providers (Apple APNs, Google FCM);
• subscription-management provider (RevenueCat) acting as processor under Article 28 GDPR;
• tax advisors, auditors and authorities to the extent required by law;
• courts and authorities, where we are legally obliged to disclose data.

We do not sell personal data and do not use it for advertising profiling.

7. Third-party services in detail

7.1 Amazon Web Services (AWS) – website hosting and CDN

Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg. Hosting region for our S3 buckets: eu-central-1 (Frankfurt). CloudFront serves cached content from edge nodes worldwide; where data is processed outside the EEA, AWS relies on the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR, and AWS Inc. (US) is additionally self-certified under the EU–US Data Privacy Framework (Article 45 GDPR). A data processing agreement under Article 28 GDPR is in place. AWS Privacy Notice.

7.2 Supabase – authentication and database

Provider: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992. We use Supabase as a processor for user authentication, the application database and file storage. Our Supabase project is hosted in a European Union region; data at rest is encrypted and traffic is encrypted in transit. Although project data is stored in the EU, Supabase, Inc. is established in Singapore (a third country without an EU adequacy decision); the data processing agreement under Article 28 GDPR therefore incorporates the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR for any controller-level access by Supabase, Inc. and for support access from outside the EU. Supabase Privacy Policy.

7.3 RevenueCat – subscription management

Provider: RevenueCat, Inc., 535 Mission Street, 14th Floor, San Francisco, CA 94105, USA. RevenueCat acts as our processor for managing in-app purchase entitlements across iOS and Android. Data is transferred to the United States; the transfer is safeguarded by the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR, which form part of our data processing agreement with RevenueCat under Article 28 GDPR. RevenueCat Privacy Policy.

7.4 Apple – App Store, Sign in with Apple, APNs, App Analytics

Provider for users in the EU: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. When you download or update the iOS app, when you use Sign in with Apple, when you make an in-app purchase or when push notifications are sent to your device, Apple processes the related data as an independent controller for its own purposes and may transfer data to its parent company in the United States; according to Apple’s own privacy policy this transfer is safeguarded by the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR. The in-app purchase contract is concluded directly between you and Apple Distribution International Ltd.; we are not a party to that contract. Apple Privacy Policy.

7.5 Google – Play Store, Sign in with Google, FCM, Play Console

Provider for users in the EEA: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you download or update the Android app, when you use Sign in with Google, when you make an in-app purchase or when push notifications are sent to your device, Google processes the related data as an independent controller for its own purposes and may transfer data to its parent company Google LLC in the United States. The transfer is safeguarded by the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR; Google LLC is additionally self-certified under the EU–US Data Privacy Framework on the basis of the European Commission’s adequacy decision of 10 July 2023 (Article 45 GDPR). The in-app purchase contract is concluded directly between you and Google Ireland Limited; we are not a party to that contract. Google Privacy Policy.

7.6 Umami Analytics – self-hosted

Umami is operated by us in the European Union; no separate provider is involved.

8. Third-country transfers

Data processing occurs primarily within the European Union or the European Economic Area. Where the processors and independent controllers listed in Section 7 transfer data to a third country — in particular the United States or Singapore — the transfer is safeguarded by one of the following measures:

• the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR, on which we rely as the principal safeguard for transfers to RevenueCat (US), Apple (US controller affiliates) and Supabase, Inc. (Singapore);
• the European Commission’s adequacy decision of 10 July 2023 concerning the EU–US Data Privacy Framework, on which we rely additionally where a US recipient is, at the time of the transfer, actively self-certified under that framework (Article 45 GDPR — this is currently the case for Google LLC and AWS Inc.);
• additional technical and organisational measures, in particular encryption in transit and at rest.

Copies of the Standard Contractual Clauses and further information about the safeguards in place can be obtained from us by writing to info@stopcoffee.app.

9. Storage periods

• Account data: for as long as your account exists; deleted within 30 days after you delete the account.
• App content synced to the backend: deleted together with the account.
• Push tokens: deleted when you withdraw the notification permission or delete the app or account.
• Subscription records: for the term of the subscription and, where statutory retention applies, up to ten years (Section 257 HGB, Section 147 AO).
• Email correspondence: deleted once the matter is finally resolved, unless statutory retention obligations require longer storage.
• Website server / CDN logs: automatically rotated after at most 14 days.
• Aggregated analytics (Umami): for as long as needed for trend analysis; no individual storage.

10. Your rights

Under the GDPR, you have the following rights with regard to your personal data:

• Right of access (Article 15 GDPR);
• Right to rectification (Article 16 GDPR);
• Right to erasure — “right to be forgotten” (Article 17 GDPR);
• Right to restriction of processing (Article 18 GDPR);
• Right to data portability (Article 20 GDPR);
• Right to object to processing based on Article 6(1)(f) GDPR (Article 21 GDPR);
• Right to withdraw consent at any time with effect for the future (Article 7(3) GDPR);
• Right to lodge a complaint with a supervisory authority (Article 77 GDPR).

To exercise your rights, please contact us at info@stopcoffee.app. You can also delete your account directly inside the app on either platform: open the Profile tab, tap Settings, scroll to the Account section, and choose Delete Account. This triggers immediate deletion of the personal data linked to your account.

The supervisory authority competent for us is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover, Germany
Phone: +49 (0)511 120-4500
Email: poststelle@lfd.niedersachsen.de
Website: https://lfd.niedersachsen.de

You may, however, also contact the data protection supervisory authority of your habitual residence or place of work (Article 77(1) GDPR).

12. Children

Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. Where consent is the legal basis for processing in relation to an information-society service offered directly to a child, that consent is only lawful if the child is at least 16 years old; for children below that age, the consent must be given or authorised by the holder of parental responsibility (Article 8(1) GDPR). Germany has not made use of the option in Article 8(1) GDPR to lower the age, so the 16-year threshold applies. If you become aware that a child under 16 has provided us with personal data, please contact us so that we can delete that information.

13. Automated decision-making and profiling

We do not use automated decision-making, including profiling, within the meaning of Article 22(1) and (4) GDPR.

14. Data security

We take appropriate technical and organisational measures pursuant to Article 32 GDPR to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include transport encryption (HTTPS/TLS) for all data transmitted between your device, our backend and our processors, encryption of data at rest on the database layer, role-based access controls and regular security reviews.

15. Changes to this privacy policy

We may update this privacy policy to reflect changes in our Service or in the legal framework. The current version is always available at https://stopcoffee.app/privacy. We will inform you about material changes in an appropriate manner, e.g. by a notice inside the app.

Last updated: 25 May 2026 (revision 2)

16. Contact

For any privacy-related questions or to exercise your rights, please contact:

Appgineering GbR
Hauptstr. 22, 38173 Dettum, Germany
Email: info@stopcoffee.app / info@appgineering.com