# Privacy Policy
**Last updated:** [DATE]
This Privacy Policy explains how Rewind, operated by Elias Ilk, collects, uses, and protects your personal data when you use the Rewind app. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR).
---
## 1. Who We Are
**Controller responsible for data processing:**
Elias Ilk
4115 Kleinzell im Mühlkreis
Austria
Email: eliasdevelopmentss@gmail.com
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at the email address above.
---
## 2. What Data We Collect
### 2.1 Data you provide directly
**Account information**
When you create an account, we collect your username, display name, and optionally a profile photo and a short bio. Your username must be unique and is publicly visible to other users.
**Shared photos**
When you choose to share a photo from your device's gallery, we upload the photo and a compressed thumbnail to our servers. Shared photos are automatically and permanently deleted after 24 hours.
**Location data**
If you choose to include location information when sharing a photo, we store the location name and GPS coordinates extracted from the photo's metadata. Including location is optional — you can remove it before sharing. Location data is deleted together with the photo after 24 hours.
**Date and time of photos**
If you choose to include the date and time a photo was taken, we store this information alongside the shared photo. This is optional and can be removed before sharing.
**Captions**
You may add a short text caption (max. 100 characters) to shared photos. Captions are deleted together with the photo after 24 hours.
**Social interactions**
We store records of likes you give to photos, friend requests you send and receive, and accepted friendships. These are stored until you remove them or delete your account.
**Reports**
If you report a photo or user, we store the report including the reason you selected, in order to review it manually.
### 2.2 Data collected automatically
**Account identifier**
When you sign in, Firebase Authentication assigns you a unique user ID (UID). This ID is used to link all your data within the App.
**Push notification token**
If you grant permission for push notifications, we store a device token (FCM token) to deliver notifications about likes and friend requests. You can revoke this permission at any time in your iOS Settings.
**Usage statistics**
We store anonymized counters of how many photos you have swiped through and shared, for the purpose of displaying statistics within the App.
**IP addresses**
Our infrastructure provider Google Firebase may process your IP address as part of standard server operations. We do not directly access or store IP addresses ourselves.
### 2.3 Data we do not collect
- We do not collect your real name, phone number, or email address (unless you use email-based sign-in)
- We do not access photos you do not explicitly choose to share
- We do not read any other files on your device
- We do not collect precise location in the background — location is only read from photo metadata when you share a photo
---
## 3. How We Use Your Data
| Purpose | Legal basis |
| ------------------------------------------------------------- | ------------------------------------------------------------------------ |
| Providing the App and its core features | Contract performance (Art. 6 para. 1b GDPR) |
| Sending push notifications for likes and friend requests | Your consent (Art. 6 para. 1a GDPR) |
| Processing location data from shared photos | Your consent, given per photo at share time (Art. 6 para. 1a GDPR) |
| Displaying advertisements via Google AdMob (personalized) | Your consent via App Tracking Transparency prompt (Art. 6 para. 1a GDPR) |
| Displaying advertisements via Google AdMob (non-personalized) | Legitimate interest (Art. 6 para. 1f GDPR) |
| Operating our infrastructure and ensuring security | Legitimate interest (Art. 6 para. 1f GDPR) |
| Handling content moderation reports | Legitimate interest (Art. 6 para. 1f GDPR) |
---
## 4. How Long We Keep Your Data
| Data | Retention period |
| ---------------------------------------------------------------- | -------------------------------------------------------- |
| Shared photos and associated data (location, caption, timestamp) | 24 hours from time of sharing — then permanently deleted |
| Likes | Until you unlike the photo or the photo is deleted |
| Friend relationships | Until you remove the friendship or delete your account |
| Notifications | 30 days, maximum 100 per user |
| Reports | Until manually reviewed and deleted by us |
| Account data (profile, username, settings) | Until you delete your account |
| Push notification token | Until you delete your account or revoke permission |
---
## 5. Who We Share Your Data With
We do not sell your personal data to any third party.
We use the following third-party service providers who process data on our behalf as data processors under GDPR Art. 28:
**Google Firebase** (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
We use Firebase for authentication, database storage (Firestore), file storage, cloud functions, and push notifications. Google processes data in accordance with its Data Processing Agreement.
Privacy Policy: https://policies.google.com/privacy
**Google AdMob** (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
We use AdMob to display native advertisements in the swipe feed. If you have granted tracking permission via the App Tracking Transparency prompt, AdMob may show personalized ads. If you deny tracking permission, AdMob will show non-personalized ads. You can change your choice at any time under iOS Settings → Privacy & Security → Tracking.
Privacy Policy: https://policies.google.com/privacy
No other third parties have access to your personal data.
---
## 6. International Data Transfers
Google Firebase and Google AdMob may transfer and process your data in countries outside the European Economic Area (EEA), including the United States. Google relies on Standard Contractual Clauses (SCCs) approved by the European Commission as a safeguard for these transfers. For more information, see Google's Privacy Policy.
---
## 7. Advertising
Rewind displays native advertisements from Google AdMob approximately every 10 photos in the swipe feed. These ads are clearly labeled as "Sponsored".
If you grant tracking permission via the App Tracking Transparency prompt (required by Apple on iOS), AdMob may personalize ads based on your interests and activity across other apps and websites. If you deny tracking permission, you will still see ads but they will not be personalized.
You can change your tracking preference at any time under:
**iOS Settings → Privacy & Security → Tracking → Rewind**
---
## 8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
**Right of access (Art. 15 GDPR)**
You have the right to request a copy of the personal data we hold about you.
**Right to rectification (Art. 16 GDPR)**
You have the right to correct inaccurate personal data. You can update your profile directly within the App.
**Right to erasure (Art. 17 GDPR)**
You have the right to request deletion of your personal data. You can delete your account directly within the App under Settings → Delete Account. This permanently removes all your data from our servers.
**Right to restriction of processing (Art. 18 GDPR)**
You have the right to request that we restrict the processing of your data in certain circumstances.
**Right to data portability (Art. 20 GDPR)**
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
**Right to object (Art. 21 GDPR)**
You have the right to object to processing based on legitimate interest.
**Right to withdraw consent (Art. 7 para. 3 GDPR)**
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at: eliasdevelopmentss@gmail.com
We will respond within 30 days.
---
## 9. Children's Privacy
Rewind is not directed at children under the age of 13. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will delete their account and all associated data immediately.
If you believe a child under 16 has created an account, please contact us at eliasdevelopemtss@gmail.com.
---
## 10. Security
We take appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. These include:
- Encrypted data transmission (HTTPS/TLS)
- Firebase Security Rules that restrict data access to authorized users only
- Photos automatically deleted after 24 hours
- Access to our systems is restricted to authorized personnel only
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but we are committed to protecting your data using industry-standard practices.
---
## 11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you within the App and update the "Last updated" date at the top of this document. Your continued use of the App after changes are posted constitutes your acceptance of the updated policy.
---
## 12. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:
Elias Ilk
eliasdevelopmentss@gmail.com