Privacy Policy for TOROH
Last updated: November 2025
1. Data Controller
This application is operated by a private individual:
Jeff Schramm
E-mail: openai@j3ff.de
The App is not operated by a registered company.
Processing of personal data is carried out under the European General Data Protection Regulation (GDPR).
2. Purpose and Scope of Data Processing
TOROH is a cross-platform application (Android, iOS, Web) that enables users to discover, organize, and interact with restaurant information.
The App processes personal data only to the extent necessary for providing and improving its services.
a) Authentication and Account Management
- Authentication via Supabase Auth (email/password, Magic Link, OAuth via Google or Apple)
- Data stored: user ID, e-mail address, session tokens, profile information
- Data hosting: Supabase EU region (Amsterdam) operated by Supabase Inc., San Francisco, USA
Purpose: Login management, synchronization of favorites, profiles, and social connections
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
b) Location and Map Data
- Access to device location is optional and requires explicit consent
- Location is used only for proximity searches and not permanently stored
- Map and restaurant data are provided by Google Places API and OpenStreetMap
Legal basis: Art. 6(1)(a) GDPR (consent)
c) User-Generated Content
- The App stores content such as favorites, notes, restaurant lists, photos, and social connections
- Uploaded media are stored in Supabase Storage with metadata (file size, MIME type, uploader ID)
- Public profiles may be visible to other users if enabled
Legal basis: Art. 6(1)(b) GDPR (service functionality)
d) Feedback and Communication
- Users can submit bug reports or feature requests via the in-app Feedback Board
- Data stored: title, description, status, user ID, optional e-mail
- Purpose: internal improvement of the App
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining service quality)
e) Notifications
- Push notifications use Firebase Cloud Messaging (Google LLC)
- Device tokens are stored for message delivery only
- No marketing or advertising notifications are sent
Legal basis: Art. 6(1)(a) GDPR (consent)
f) Analytics and Logs
- No third-party analytics tools (e.g. Google Analytics) are used
- Local diagnostic logs (flutter_*.log) remain on the device and are not transmitted automatically
Legal basis: Art. 6(1)(f) GDPR (technical maintenance and debugging)
3. Data Sharing and Processors
Data may be processed by trusted external service providers under GDPR-compliant agreements:
| Provider | Purpose | Location | Legal Safeguard |
|---|---|---|---|
| Supabase Inc. | Authentication, database, storage, realtime | EU (Amsterdam) / USA | EU Standard Contractual Clauses (Art. 46 GDPR) |
| Google LLC | Places API, Maps, Firebase Messaging, OAuth | USA | EU Standard Contractual Clauses (Art. 46 GDPR) |
| OpenStreetMap Foundation | Map tiles and geodata | UK | Adequacy Decision (UK GDPR) |
No data is sold or transferred to third parties for advertising or profiling.
4. Data Retention and Deletion
- Account data is deleted immediately upon user request via the in-app Delete Account feature
- Media and feedback entries are removed automatically or upon deletion request
- Local caches (Hive, SharedPreferences) can be manually cleared in the App settings
- Backups on Supabase servers follow a limited retention policy for recovery purposes
5. User Rights (GDPR Articles 15–22)
You have the following rights:
- Access to your stored data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure (“right to be forgotten”, Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
- Withdrawal of consent at any time (Art. 7(3))
Requests can be sent to openai@j3ff.de.
Responses will be provided within the legal time frame of one month.
6. International Data Transfers
The App may transfer data to countries outside the EU (e.g. USA) when using Supabase or Google services.
Such transfers are protected by EU Standard Contractual Clauses and data processing agreements ensuring GDPR compliance.
7. Data Security
- All communication between the App, Web Client, and Supabase backend is TLS-encrypted
- Authentication tokens and passwords are securely hashed and never stored in plain text
- Access to data is limited to authenticated sessions only
8. Children’s Privacy
TOROH is not directed toward children under the age of 16.
No personal data of minors is knowingly collected or stored.
If such data is discovered, it will be deleted immediately upon notice.
9. Changes to This Privacy Policy
This Privacy Policy may be updated to reflect legal or technical changes.
The current version is always available in the App under “Privacy Policy”.
10. Contact
For privacy inquiries or GDPR-related requests, please contact:
Jeff Schramm
E-mail: openai@j3ff.de
© 2025 Jeff Schramm – All rights reserved