Privacy Policy

1. Controller

Christopher Arm
Rennbaumer Straße 44
42349 Wuppertal
Germany

Email: chris@adopture.com
Phone: +49 162 4234924

No Data Protection Officer (DPO) is required as fewer than 20 persons are permanently engaged in the automated processing of personal data.

2. Overview of Processing

Types of Data Processed

• Account data (name, email address)
• Authentication data (session data, IP address, user agent)
• Payment data (Stripe customer ID)
• Usage and analytics data (SDK events, device context)
• Communication data (email addresses for OTP delivery)

Categories of Data Subjects

• Customers (Adopture dashboard account holders)
• End users of customer apps (whose data is collected via the Adopture SDK)

3. Legal Bases

The processing of personal data is based on the following legal grounds under the GDPR:

• Art. 6(1)(b) GDPR – Performance of a contract: account creation, billing, service provision.
• Art. 6(1)(f) GDPR – Legitimate interest: session security, fraud prevention, service improvement.
• Art. 6(1)(a) GDPR – Consent: optional OAuth login (e.g. GitHub, Google).

4. Account Registration

When you register, we collect the following data: name, email address, and email verification status.

Purpose: Account creation and service provision.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention: Until account deletion.

5. Authentication & Sessions

We use session cookies (HTTP-only) that are technically necessary for the login process. No consent is required under § 25(2) TDDDG (German Telecommunications Digital Services Data Protection Act).

As part of session management, the following data is stored:

• IP address
• User agent (browser/device identifier)

This data serves security and fraud detection purposes.

OTP Verification

For authentication, 6-digit one-time codes are sent via email. These codes expire automatically after 5 minutes.

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

6. Social Login (Optional)

You may optionally sign in via GitHub or Google. This is voluntary and only initiated when you actively choose to do so.

Data received from the provider: Account ID, name, email address, access tokens.

Legal basis: Art. 6(1)(a) GDPR (consent – you actively choose the provider).

7. Payment Processing

Payments are processed by Stripe, Inc. (USA). We only store the Stripe customer ID locally. All payment card data is handled directly by Stripe (PCI DSS compliant).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Stripe Privacy Policy: https://stripe.com/privacy

8. Email Communication

For sending OTP verification codes, we use Resend, Inc. (USA).

• Purpose: Sending verification codes only.
• From: noreply@adopture.com
• No marketing emails are sent.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

9. SDK Analytics Data

Adopture processes analytics data on behalf of its customers (as a processor pursuant to Art. 28 GDPR).

Data Collected via the SDK

• Hashed daily/monthly user IDs (SHA256, not reversible)
• Session ID
• Event type and event name
• OS and device context
• App version
• Screen dimensions
• Locale (language setting)

Geographic Location

Location is derived from the IP address using a local MaxMind GeoLite2 database. IP addresses are NEVER stored – they are used solely for geo-lookup and immediately discarded afterwards (privacy by design).

No cookies, no fingerprinting, and no personally identifiable information (PII) is collected.

Retention: 2 years (ClickHouse TTL), configurable per app.

For details on this processing, see our Data Processing Agreement at /dpa.

Legal basis: Art. 6(1)(b) GDPR (contract with the customer) and Art. 28 GDPR (processor agreement).

10. Third-Party Processors

11. International Data Transfers

Some of our processors are based in the USA. Transfers of personal data to third countries are safeguarded by:

• EU Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR.
• EU-US Data Privacy Framework – adequacy decision per Art. 45 GDPR for certified US companies.

12. Data Retention

13. Your Rights

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR)

To exercise your rights, contact us at: chris@adopture.com

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
https://www.ldi.nrw.de

15. Obligation to Provide Data

The provision of the following data is required for entering into a contract:

• Name and email address: Required for account creation.
• Payment information: Required for paid plans.

Without providing this data, the service cannot be used.

16. Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

17. Cookies

We only use essential session cookies (Better Auth, HTTP-only). No analytics, tracking, or marketing cookies are used.

No consent is required as these cookies are technically necessary under § 25(2) TDDDG.

18. Changes to This Privacy Policy

We may update this privacy policy from time to time. The date at the top of this page indicates the last revision.