Privacy Policy

Last updated: June 2026

This privacy policy applies to the use of the mobile app "Mini.Meet" (the "app") and the website www.minimeet-app.de.

Mini.Meet is intended exclusively for adults (aged 18 and over) and is not directed at children or minors. I do not knowingly process personal data of persons under 18. Should I become aware that data of a minor has been provided to me without the required consent, I will delete it.

1. Data Controller

Robert Göhler
Weintraubenstraße 16
01099 Dresden
Germany
Email: hallo@minimeet-app.de

2. Data Collected

Account and usage

  • Email address (for registration and login)
  • Display name (self-chosen, optional)
  • Profile picture (optional)
  • Location data (only during active use, e.g. during a visit)
  • Visit data (location, time, who/what was along, comment)
  • Friend relationships and group memberships
  • Reactions, messages, planned visits

Technical data

  • Device type, OS version, app version
  • Push token (Apple APNs / Google FCM) for notifications
  • IP address (technically necessary for any server request)
  • Crash and error diagnostic data (see Crash Diagnostics section)

Future: in-app purchases

  • Purchase / subscription status (via RevenueCat, once enabled)

The website does not set cookies or run tracking. Requests to the website and the backend (API) generate server-log data (IP address, timestamp, requested path, status code) for operational purposes and abuse detection.

3. Purpose of Processing

  • provide core app features (visits, map, friends, planning)
  • make visits and locations visible only to confirmed friends
  • send push notifications about reactions, requests and updates
  • diagnose crashes and errors to improve app stability
  • collect aggregated operational metrics (e.g. daily usage, peak load, error rates) — anonymously, to ensure stable app operation
  • in the future, display local Partner Places for families and count their views anonymously (see section 9)
  • fulfil legal obligations

4. Legal Bases

  • Art. 6(1)(b) GDPR — performance of contract (providing app features, managing your account)
  • Art. 6(1)(a) GDPR — consent (location access, push notifications)
  • Art. 6(1)(f) GDPR — legitimate interest (app stability, security and error diagnostics)
  • Art. 6(1)(c) GDPR — legal obligations, where applicable

5. Data Sharing

Location data and visits are shared exclusively with your confirmed friends. No further sharing with third parties takes place unless required by law or explicitly authorised by you. Technically necessary processing by data processors (see section 8) is based on data processing agreements pursuant to Art. 28 GDPR.

6. Retention

  • Account and profile data: until account deletion
  • Visit data: until account deletion or deletion of individual visits
  • Location data: not stored permanently — only during active visits
  • Crash / error data: up to 30 days
  • Server logs: up to 14 days for abuse detection

7. Data Security and Hosting

The Mini.Meet backend (REST API, database, authentication, push delivery) is operated on self-hosted servers in Germany — no third-party cloud provider outside the EU is used. All data is transmitted using TLS encryption. Access to user data is restricted to the respective account; the backend enforces authorisation checks at the database level.

8. Third Parties and Processors

Crash and error diagnostics (self-hosted)

Crash reports are processed on self-hosted servers in Germany (GlitchTip, open-source software, running on the same infrastructure as the rest of the backend — no external processor). On crashes or unexpected errors, the following data is collected:

  • stack trace and error message
  • device information (model, OS version, app version)

The IP address is technically unavoidable at receive time (every HTTP connection carries one), but GlitchTip scrubs it automatically before storage (scrub_ip_addresses); it never reaches the database. Performance tracing and session replay are disabled. Personally identifiable context (sendDefaultPii) is disabled. Crash data is automatically deleted after 30 days. App settings allow you to opt out of crash reporting at any time. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable app operation). Since processing happens exclusively on our own infrastructure, no third-party data processing agreement is required.

RevenueCat (in-app purchases / subscriptions)

Provider: RevenueCat, Inc., USA. Data transfer to the USA based on the EU-US Data Privacy Framework (where RevenueCat, Inc. is certified) and, additionally, the EU Standard Contractual Clauses. RevenueCat manages subscriptions and one-time purchases across platforms (Apple App Store / Google Play Store). Only the following is transferred:

  • anonymised app user ID (no real name, no email)
  • purchase / subscription status, platform (iOS / Android)
  • technical data to verify the store receipt

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (efficient cross-platform subscription handling). The data processing agreement (Data Processing Addendum) with RevenueCat, Inc. is integrated into their Terms of Use and was accepted on account sign-up. The full text is available at revenuecat.com/dpa.

Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM)

Providers: Apple Inc. (iOS) and Google Ireland Ltd. (Android). To deliver push notifications, an anonymous device token is processed. The app only sends notification content; APNs/FCM handle delivery. Legal basis: Art. 6(1)(a) GDPR (your consent on first enabling push permissions).

OpenStreetMap, Overpass API and OpenFreeMap (maps and POIs)

To display maps and find playgrounds, data from OpenStreetMap-based services is used. When loading map tiles or POI data, your device's IP address is transmitted to the respective server — technically unavoidable. No personalised tracking takes place.

Reverse geocoding (place name on check-in)

Provider: Apple Inc. (iOS) or Google Ireland Ltd. (Android). When you create a visit, the chosen coordinate (GPS, manual pin or playground) is converted once into a short place name (e.g. street, district or city) by your operating system's geocoder. The coordinate may be transmitted to Apple or Google via the operating system's standard interface. The resulting place name is shown only to your confirmed friends in the visit notification. Legal basis: Art. 6(1)(a) GDPR.

Apple App Store / Google Play Store

The app is distributed through the Apple and Google stores; their respective privacy policies apply additionally.

9. Partner Places and anonymous usage statistics

Alongside playgrounds and parks from OpenStreetMap, the app may in the future also display so-called "Partner Places" — local, family- or location-related businesses (e.g. cafés, ice-cream shops, family restaurants, child-friendly stores) shown as partner pins on the map. Partner Places are clearly labelled as such; if a placement is paid, the pin additionally carries the label "Sponsored placement".

Self-imposed restrictions

Only local, family- or location-related businesses are accepted. Advertising directed at children (e.g. toy manufacturers, streaming services or games for kids) is excluded. No behavioural targeting and no personalised advertising takes place.

Which placements do you see?

Partner Places are shown purely based on location — every user in the same region sees the same pin. No usage profile is evaluated to decide which pin you are shown. No advertising identifiers (IDFA on iOS, AAID on Android) are used.

Anonymous view statistics

Once the feature is active, the server will count anonymously for each Partner Place how often the pin is displayed and tapped. This statistic carries no link to your person — no user ID, session ID or other identifier. The values are passed on to the respective partner exclusively in aggregated form as a performance report. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in transparent performance measurement within partner contracts).

Operations monitoring

Aggregated metrics about the overall app usage (e.g. number of visits per day, peak load times, error rates) are made visible on self-hosted Grafana dashboards. These reports are anonymous and serve solely to ensure stable operation and capacity planning. No person-level tracking takes place. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable app operation).

10. Your Rights (Art. 15 ff. GDPR)

  • access to data stored about you (Art. 15 GDPR)
  • rectification of inaccurate data (Art. 16 GDPR)
  • erasure ("right to be forgotten", Art. 17 GDPR)
  • restriction of processing (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • objection to processing (Art. 21 GDPR)
  • withdrawal of any consent (Art. 7(3) GDPR) with effect for the future
  • complaint to a supervisory authority (Art. 77 GDPR) — in Germany e.g. the Saxon Data Protection Commissioner

You can manage and delete your account directly in the app under the profile tab. A step-by-step guide to deletion (also by email) is available at Delete account. For any other requests, contact me at hallo@minimeet-app.de.

11. Changes to this Policy

I reserve the right to adapt this privacy policy to reflect changes in the law or in the scope of features. You will be informed of significant changes in the app or via email. The version valid at the time of use applies.