Privacy Policy
1. Controller
Toba UG (Haftungsbeschränkt) is responsible for data processing (see Imprint).
A Data Protection Officer has not been appointed pursuant to Art. 37 GDPR, as there is no legal obligation to do so.
2. General
This privacy policy clarifies the nature, scope, and purpose of the collection and use of personal
data within the "KasusKnacker" application. We take the protection of your personal data very
seriously.
This app is not directed at children under 16 years of age. We do not knowingly process personal data of children.
3. Legal Bases for Processing
The processing of personal data is based on the following legal grounds:
- Art. 6(1)(b) GDPR (Contract performance): For providing app functionality, account management, synchronization of learning progress, and payment processing.
- Art. 6(1)(f) GDPR (Legitimate interest): For anonymous analytics to improve app quality and user experience.
4. Hosting & Infrastructure (Firebase)
This app is currently hosted on Google Firebase. Primary data storage takes place in data centers
within the European Union (Frankfurt region). Processing by Google Ireland Limited, as well as processing for support
and security measures in third countries (particularly the USA), cannot be entirely excluded. Transfers are
based on Standard Contractual Clauses and, where applicable, adequacy decisions.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google is certified under the EU-US Data Privacy Framework.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
We use hosting and infrastructure providers as processors (Art. 28 GDPR). If the hosting or infrastructure
provider changes, the purpose and legal bases of processing remain unchanged. We will inform you of such
changes in this privacy policy; where consent is required, we will obtain it in advance.
5. Firebase Authentication
For authentication, we use Firebase Authentication (Google Ireland Limited).
The following data is processed:
- User ID (unique identifier)
- Email address
- Account creation timestamp
- Last sign-in timestamp
- Authentication provider information (Google, Apple, or Email)
- Password hash (for email sign-in, never stored in plain text)
Primary data storage takes place in the EU (Frankfurt region). Processing for support and security measures
in third countries cannot be entirely excluded.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
6. Analytics (Aptabase)
To improve app stability and understand usage patterns, we use Aptabase, a
privacy-focused analytics service. Aptabase does not use cookies and collects only
anonymous, aggregated data:
- Device type and operating system
- App version
- Anonymous usage events
No personal data such as email addresses, IP addresses, or learning content is
collected or transmitted.
Provider: Aptabase. Data is hosted in the European Union.
Privacy Policy: aptabase.com/legal/privacy
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our app)
Our legitimate interest lies in the anonymous analysis of usage to improve stability and functionality.
Users may object to this processing at any time (Art. 21 GDPR) by contacting us.
6a. Error Monitoring (Sentry)
For detecting and fixing technical errors, we use Sentry, an error monitoring service.
When an error occurs, the following data is collected:
- Error reports and stack traces
- Device type, operating system, and app version
- Truncated IP address (for country-level geolocation)
- Timestamp of the error
No email addresses, learning content, or other personal information is collected.
Data is used exclusively for error resolution and automatically deleted after 90 days.
Provider: Functional Software, Inc. (Sentry), USA. Primary data processing takes place in the EU (Frankfurt). Access by the provider in the context of support and security measures as well as processing in third countries (particularly the USA) cannot be entirely excluded. Transfers are based on Standard Contractual Clauses and, where applicable, adequacy decisions.
Privacy Policy: sentry.io/privacy
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in app security and stability)
Our legitimate interest lies in the early detection and resolution of errors to ensure stable app operation.
7. What data we process
a) When visiting the app (Guest Mode):
Your learning progress (XP, Hearts, Streak) is stored locally on your device (LocalStorage). No
transfer to our servers takes place unless you sign in.
b) When signing in (Registered User):
If you sign in via Google Sign-In or Apple Sign-In, we process the following data to sync your progress:
- Email address (for identification)
- Provider User ID (unique identifier)
- Your chosen nickname/username
- Learning progress data (XP, Level, Mistake rates, Streak)
This data is stored in the Firebase Cloud Firestore database.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
c) Google Sign-In:
For authentication, we use Google Sign-In. Data is exchanged with Google Ireland Limited.
Google Privacy Policy: policies.google.com/privacy
d) Apple Sign-In:
For authentication on iOS devices, we also offer Apple Sign-In.
The following data is processed:
- Apple User ID (unique identifier)
- Email address (if you allow sharing; with “Hide My Email” we receive an
anonymized relay address)
Provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA.
Privacy Policy: apple.com/legal/privacy
Data transfer note: Apple is certified under the EU-US Data Privacy Framework.
e) Email Sign-In:
You can also register directly with your email address and a password.
The following data is processed:
- Email address (for identification and communication)
- Password (stored encrypted)
Authentication is handled via Firebase Authentication. Your password is never stored in plain text.
8. Purpose of Processing
Storage serves exclusively to provide the app functionality, specifically syncing your learning
status across different devices.
9. Data Retention
- Account data: Your data is stored until you delete your account, or 3 years after your last activity (in case of inactivity).
- Analytics data (Aptabase/Simple Analytics): Only anonymous, aggregated data is collected that contains no personal information.
- Payment data (RevenueCat): According to RevenueCat's retention policy.
10. Your Rights & Deletion
You have the right to access, rectification, and deletion of your data at any time. You can
irrevocably delete your account and all associated data yourself at any time using the
"Delete Account" function in the profile menu.
Your rights at a glance:
- Right to access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
11. Payment Processing & Subscriptions
For processing in-app purchases and subscriptions, we use the payment services of the respective app
stores (Apple App Store, Google Play Store). Financial transactions are processed exclusively through
these services. We do not store any credit card or banking information ourselves.
For the technical management of subscriptions and purchases, we use the service
RevenueCat (RevenueCat, Inc., USA). Pseudonymized App User IDs and purchase status
information are transmitted to provide your premium content across devices. RevenueCat processes
data exclusively on our behalf based on a Data Processing Agreement (Art. 28 GDPR).
RevenueCat Privacy Policy: revenuecat.com/privacy
Legal basis: Art. 6(1)(b) GDPR (contract performance)
12. Data Transfers to Third Countries
RevenueCat, Inc. is a company based in the USA. The transfer of personal data to the USA is based on
the EU-US Data Privacy Framework (adequacy decision of the EU Commission pursuant to Art. 45 GDPR)
as well as Standard Contractual Clauses (Art. 46(2)(c) GDPR). RevenueCat is certified under the
EU-US Data Privacy Framework.
More information: revenuecat.com/dpa
13. Cookies & Local Technologies
This app does not use any advertising or tracking cookies. We exclusively use technologies that are
strictly necessary for the secure and functional operation of the app:
- Firebase Auth: Cookies for secure authentication and session management when you
are logged in.
- RevenueCat: Cookies or similar technologies to ensure security during payment transactions and
for fraud prevention (web context only).
As these cookies are technically necessary for the provision of the service, they do not require
separate consent (opt-in).
14. Web Fonts
This app uses so-called Web Fonts for the uniform representation of fonts. These are provided
locally by our server. When you open the app, your browser loads the required web
fonts into its browser cache. For this purpose, the browser does not establish a connection to
Google servers. No data is transmitted to Google Fonts.
15. Website Analytics (Simple Analytics)
For our website (kasusknacker.com), we use Simple Analytics, a privacy-first
analytics service. Simple Analytics does not use cookies, does not track visitors
across websites, and does not collect any personal data. Only aggregated, anonymous page view
statistics are collected (such as page views and referrer information).
We respect the "Do Not Track" browser setting—if enabled, no data is collected at all.
Provider: Simple Analytics B.V., The Netherlands.
Privacy Policy: simpleanalytics.com/privacy-policy
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analyzing website usage)
Our legitimate interest lies in analyzing aggregated usage data to improve our website.
Users may object to this processing (Art. 21 GDPR) by enabling the “Do Not Track” setting
or by contacting us.
16. Social Media Presence
We maintain profiles on Instagram, Facebook, Pinterest, and X. When you visit these profiles, the
respective platforms process personal data under their own responsibility. We only receive aggregated
statistics (e.g., reach or engagement) and no personal data unless you contact us directly via these
platforms. In that case, we process the data you provide to respond to your request.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in communication and outreach)
17. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority about our
processing of your personal data.
Competent supervisory authority:
Unabhängiges Datenschutzzentrum Saarland
Fritz-Dobisch-Straße 12
66111 Saarbrücken, Germany
Email: poststelle@datenschutz.saarland.de
Website: datenschutz.saarland.de
18. Updates to this Privacy Policy
This privacy policy is currently valid as of: January 30, 2026.
Due to the continued development of our app or changes in legal or regulatory requirements,
it may become necessary to update this privacy policy. For material changes that affect your rights
or introduce new processing, we will inform you in advance; where required, we will obtain your consent.
We will notify you within the app or on the website (e.g., via a notice/banner). Re-acceptance is only
required where consent is legally required.