Privacy Policy

Effective date: 01.05.2025

1. Controller & contact

Rooftop Moments UG (haftungsbeschränkt)
80469 Munich, Germany.
Amtsgericht München
HRB 285456
DE365019392
E-mail: law@rooftopmoments.de

2. Scope

This Policy describes how we collect, use and share personal data when you use our mobile Apps, website and related services (“Service”).

3. What data we process

Category	Examples	Retention
App Requests	Text prompts, images, audio files you submit for AI processing	Up to 24 hours (transient cache)
Abuse-prevention IDs	Pseudonymised salted-hash identifier, request counters	7 days
Device / Log Data	IP address*, device model, OS version, crash logs, timestamps	30 days
Store purchase data	Territory, product ID, price, purchase timestamp (as provided by Apple/Google)	As required for tax & accounting (up to 10 years under German law)

*We truncate or hash IP addresses where technically feasible.

4. Legal bases (GDPR art. 6)

Contract (art. 6 (1)(b)) – to deliver the App’s core features you request.
Legitimate interest (art. 6 (1)(f)) – to prevent abuse and secure our systems.
Consent (art. 6 (1)(a) & art. 9 (2)(a)) – for optional processing of special-category data (e.g. health information) that you choose to send.
Legal obligation (art. 6 (1)(c)) – to comply with tax or regulatory duties.

5. How we use the data

Provide, maintain and improve the Apps.
Forward your requests to third-party AI models and return their output.
Detect, prevent and mitigate misuse and fraud.
Generate anonymous aggregate insights (never linked back to a person).

6. Recipients & international transfers

Subject to appropriate safeguards we share data with:

OpenAI LLC (USA) – ChatGPT, DALL·E and related models.
Google LLC (USA) – Gemini models.
Apple Inc. / Google LLC – for in-app purchases, crash reporting and analytics within their ecosystems.
Service partners we may add (cloud hosting, error tracking), bound by confidentiality and processing agreements.

Where data is transferred outside the European Economic Area we rely on EU Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework.

7. User rights (GDPR, CPRA)

You have the right to:

Access, correct or delete your personal data.
Restrict or object to processing.
Data portability.
Withdraw consent at any time (without affecting prior processing).
Lodge a complaint with your supervisory authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit or the authority in your EU country).

California residents have the rights to know, delete and (where applicable) opt-out of “sale” or “sharing” of personal data. We do not “sell” personal data as defined by the CPRA.

8. Children’s privacy

The Service is not directed to children under 16. We do not knowingly process personal data of children. If you believe we have collected it, please contact us.

9. Security

We apply encryption in transit (TLS 1.2+) and at rest, least-privilege access, and regular deletion of transient caches. No method of transmission or storage is 100 % secure.

10. Future SDKs & analytics

If we integrate additional third-party SDKs (e.g. analytics, advertising) we will update this Policy and, where required, obtain consent via the App settings.

11. Changes

We may revise this Policy. Material changes will be announced in-app or on our website at least 14 days before they take effect.

12. Contact

Questions? E-mail law@rooftopmoments.de