Zum Inhalt springen

Privacy Policy

1. Scope and Overview

This Privacy Policy applies to the website pg-apps.de and all mobile applications by PG Apps, currently InvestLearn and LegoHub (collectively referred to as “Services”). Where specific provisions apply only to certain apps, this is expressly indicated.

This Privacy Policy informs you about what personal data we collect, how we process it, and what rights you have. Personal data is any information that can be used to identify you personally.

2. Controller

The controller responsible for data processing:

Günter Schmitt
Königsberger Str. 41
78073 Bad Dürrheim
Germany

Email: devapp.pg@gmail.com

3. Data We Collect

3.1 Data Collected in Our Apps

When using our apps, the following data may be collected:

  • Account Data: Email address, username, password (stored as an encrypted hash only). A verification email with a confirmation link is sent to your email address during registration.
  • Third-Party Sign-In (Apple Sign-In / Google Sign-In): As an alternative to email registration, you may sign in via Apple or Google. In this case, the respective provider transmits your name and email address to us. With Apple Sign-In, you may choose the “Hide My Email” option — Apple then generates a unique relay address (e.g., xyz@privaterelay.appleid.com) that forwards emails to your real address without revealing it to us. No password is stored on our end for third-party sign-ins; authentication is handled entirely by the respective identity provider.
  • Usage Data: Level progress, achievements, app settings, device type.
  • InvestLearn-specific: Portfolio data in the trading simulator (virtual capital only — no real financial transactions), learning progress, quiz results, subscription status (Free/Premium).
  • AI Coach (InvestLearn only): All inputs and conversations with the AI Coach “Boersi” (German) For Premium users, simulated portfolio data may also be transmitted to the AI Coach for analysis.
  • LegoHub-specific: Collection data, scanned sets, wishlists.
  • Subscription Data (Premium users): App user ID, purchase receipts, subscription status, transaction history, device identifiers (IDFV/Android ID). Actual payment processing is handled by Apple/Google; we do not have access to your payment instruments (e.g., credit card details).

3.2 Data Collected on This Website

  • Feedback Portal: Feedback text, categories, app selection, optionally your name.
  • Contact Form: Name, email address, message, and optionally uploaded file attachments (images, PDF; max. 3 files, max. 1.5 MB each). Attachments are transmitted exclusively via email and are not stored separately. Emails are sent via Resend (Plus Five Five, Inc., USA) as email service provider. The Resend Privacy Policy applies. A Data Processing Agreement (DPA) is part of the Resend Terms of Service. Transfer mechanism: Resend is certified under the EU-US Data Privacy Framework (DPF). EU Standard Contractual Clauses (SCCs) serve as an additional safeguard.
  • Server Log Files: IP address, browser type, access time (automatically collected by hosting provider Vercel).

3.3 Feedback System and Vote Deduplication

To prevent multiple voting in the feedback portal, we create an anonymized device hash. Technical device information (screen resolution, color depth, timezone, language, platform, hardware concurrency, and Canvas/WebGL renderer information) is read and combined locally in the browser into a cryptographic hash value (SHA-256). This hash is then combined server-side with your IP address and hashed again, making it impossible to trace back to individual device characteristics.

  • Purpose: Spam protection and ensuring fair voting (one vote per device).
  • Data processed: Hashed device fingerprint (not reversible to individual data points).
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the integrity of the feedback system).
  • Retention: The hash is stored in Firebase Firestore and deleted after a maximum of 12 months.

4. Purposes and Legal Basis for Processing

We process your data for the following purposes:

  • Providing our Services: Account creation, storage of your progress and settings, AI Coach functionality, subscription management. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) — these activities are necessary to provide the services you have requested.
  • Email Verification: Sending a verification email during registration. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in fraud prevention).
  • Feedback and Support: Processing your inquiries and improving our services. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (legitimate interest in service improvement).
  • Website Analytics: Anonymous analysis of website usage and performance via Vercel Analytics. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our web offering). You may object to this processing at any time (see Section 9).
  • Server Log Files: Technical operation and security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring secure operation).

Our legitimate interest within the meaning of Art. 6(1)(f) GDPR lies in ensuring trouble-free operation, improving our services, and preventing fraud.

5. Third-Party Services and Data Transfers

5.1 Firebase / Google Cloud

We use Firebase (Google Ireland Ltd. / Google LLC, USA) for authentication and data storage.

  • Data processed: Email address, password hash, account creation date, last sign-in time, usage data, learning progress, simulated portfolio data.
  • Storage location: USA (Firebase Authentication stores data in the USA by default).
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in secure infrastructure).
  • US data transfer: Google is certified under the EU-US Data Privacy Framework (DPF). EU Standard Contractual Clauses (SCCs) serve as an additional safeguard. The Data Processing Agreement (DPA) is automatically incorporated into the Firebase Terms of Service.
  • More information: https://firebase.google.com/support/privacy

5.2 Anthropic / Claude (AI Coach — InvestLearn only)

In our app InvestLearn, we use Claude (Anthropic PBC, USA) as the AI assistant powering the Finance Coach “Boersi”.

  • Data processed: Chat messages and inputs to the AI Coach. For Premium users, simulated portfolio data, transaction history, and dividend data from the trading simulator may also be transmitted.
  • Retention at Anthropic: Anthropic retains API inputs and outputs for a maximum of 30 days, after which they are automatically deleted. Exceptions apply for violations of Anthropic's Usage Policy or legal retention requirements.
  • No model training: Anthropic does not use data from its commercial API to train its AI models. This is contractually established in the Commercial Terms of Service.
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract) — the AI Coach is the contractually owed service that you request by creating an account and using the feature.
  • US data transfer: EU Standard Contractual Clauses (SCCs, Module 2 — controller to processor). The DPA is automatically incorporated into Anthropic's Commercial Terms of Service.
  • More information: https://privacy.anthropic.com

5.3 RevenueCat (In-App Purchases and Subscriptions)

We use RevenueCat Inc. (USA) to manage in-app purchases and subscriptions.

  • Data processed: App user ID, purchase receipts, subscription status and type, transaction history. Device identifiers (IDFV/Android ID) are only collected if explicitly enabled in the app configuration.
  • Storage location: USA (AWS servers).
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  • US data transfer: EU Standard Contractual Clauses (SCCs). The DPA is available in the RevenueCat dashboard under Settings → Legal.
  • More information: https://www.revenuecat.com/privacy

5.4 Vercel (Website Hosting and Analytics)

This website is hosted by Vercel Inc. (USA).

Vercel Analytics and Speed Insights: These services operate without cookies — no cookies are stored on your device and no information is accessed from your device. Only anonymized, aggregated data is collected (e.g., page views, load times, device type). Visitors are identified via a server-side request hash that is discarded after 24 hours. It is not possible to identify individual persons.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our web offering).

Right to object: You may object to the analysis of your website usage at any time by contacting us at devapp.pg@gmail.com.

US data transfer: Vercel is certified under the EU-US Data Privacy Framework (DPF). EU Standard Contractual Clauses serve as an additional safeguard.

More information: https://vercel.com/legal/privacy-policy

5.5 Apple App Store / Google Play Store

Payment processing for in-app purchases and subscriptions is handled directly by Apple Inc. or Google LLC as independent controllers (independent controllers under GDPR, no data processing agreement). We do not have access to your payment instruments (e.g., credit card or bank account details).

US data transfer: Apple relies on EU Standard Contractual Clauses (SCCs) for international data transfers. Google LLC is additionally certified under the EU-US Data Privacy Framework (DPF) and also employs SCCs as a supplementary safeguard.

The respective privacy policies of Apple and Google apply.

6. Cookies and Tracking

6.1 Website

Our website does not use tracking cookies or advertising cookies. Only technically necessary cookies are used (e.g., session cookies for Firebase authentication). Vercel Analytics and Speed Insights operate entirely without cookies (see Section 5.4).

6.2 Apps

Our apps do not use cookies. Authentication data is managed via Firebase tokens, which are technically necessary for the app to function.

7. Data Retention

Data CategoryRetention Period
Account data (email, username)Duration of account; after account deletion, immediate removal from live systems; complete deletion from backup systems within 90 days
Usage data (progress, portfolio, settings)Duration of account; after account deletion, immediate removal from live systems; complete deletion from backup systems within 90 days
AI Coach conversations (at Anthropic)Maximum 30 days at Anthropic; deleted within 30 days after account deletion on our end
Subscription and transaction data (RevenueCat)Duration of account; immediately removed at RevenueCat upon deletion; RevenueCat retains data up to 6 years after contract termination
Subscription and purchase dataDuration of account; commercially relevant data up to 8 years per German tax and commercial law (§§ 147 AO, 257 HGB)
Contact form dataAfter completion of processing, no later than 6 months
Feedback portal dataFor the duration of product improvement, maximum 12 months
Device hash (vote deduplication)Maximum 12 months
Vercel Analytics dataAnonymized; no personal reference, no deletion required
Server log filesMaximum 30 days

Where statutory retention obligations exist (in particular §§ 147 AO, 257 HGB under German law), the affected data will be retained for the legally required period and subsequently deleted.

8. Data Provision Requirements

Providing your email address and a username is required for account creation and use of the AI Coach. Without this information, the service cannot be provided.

Basic learning features of the apps (e.g., reading lessons) may be partially available without creating an account. An account is required for saving progress, accessing the AI Coach, and Premium features.

9. Your Rights

You have the following rights regarding your personal data at any time:

  • Right of Access (Art. 15 GDPR): You may request information about your stored data.
  • Right to Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
  • Right to Erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply. You can delete your account at any time in the app settings.
  • Right to Restriction (Art. 18 GDPR): You may request restriction of the processing of your data.
  • Right to Data Portability (Art. 20 GDPR): You may request export of your data in a structured, machine-readable format.
  • Right to Object (Art. 21 GDPR): You may object to the processing of your data based on Art. 6(1)(f) GDPR (legitimate interest) at any time. This applies in particular to processing by Vercel Analytics.

To exercise your rights, please contact us at: devapp.pg@gmail.com

10. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. The AI Coach generates responses to your inputs but does not make automated decisions that have legal effect on you.

11. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.

The competent supervisory authority for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Heilbronner Straße 35
70191 Stuttgart, Germany
https://www.baden-wuerttemberg.datenschutz.de

12. Data Security

We use SSL/TLS encryption for the transmission of your data. Passwords are stored exclusively as cryptographic hash values. Our services and the third-party providers we use are protected by current security measures.

13. Minimum Age and Protection of Minors

Our services are intended for persons aged 16 and older in accordance with Art. 8(1) GDPR. We do not knowingly collect personal data from persons under 16 years of age. If we become aware that a person under 16 has provided us with personal data, we will delete such data without delay.

Minors aged 16 to 17: Free use of our apps is permitted under the applicable provisions of limited legal capacity (§§ 106–113 BGB under German law). Purchasing a Premium subscription requires the consent of a parent or legal guardian. Parents can manage and restrict access through Family Sharing (Apple) or Family Link (Google) as well as through the built-in Screen Time feature.

14. Information for US Users

We are based in Germany and primarily subject to the EU General Data Protection Regulation (GDPR). We do not sell your personal data, and we do not share your personal data with third parties for their own marketing purposes.

If you are a California resident: Given our current scale of operations, we do not meet the thresholds for CCPA/CPRA applicability. However, you may still exercise your rights as described in Section 9 above.

If you are under 13 years of age, you may not use our services.

15. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in applicable law or our services. The current version is always available on this page. We will notify you of material changes by email or in-app notification.

Last updated: February 2026