Privacy Policy

1. Introduction

We appreciate your interest in our app RateMyBuy. Protecting your personal data is very important to us. This privacy policy provides comprehensive information about which data we collect, how we use it, whether we share it with third parties, and what rights you have.

This privacy policy applies worldwide to all users and takes into account the requirements of the EU GDPR, UK GDPR, CCPA/CPRA (California, USA), PIPEDA (Canada), Privacy Act (Australia) and other international data protection laws.

2. Controller

Controller responsible for data processing:

Nils Klemp & Leon Röder
c/o MDC Management#3703
Welserstraße 3
87463 Dietmannsried
Germany

Email: support@klemp-roeder.com

A data protection officer is not required under Art. 37 GDPR as we do not conduct large-scale regular monitoring of individuals.

3. Data We Process

3.1 Automatically collected data

• IP address (shortened/anonymized)
• Device type, operating system, app version
• Time and duration of usage

Server location: Germany (Google Firebase data center in Frankfurt). Google may access infrastructure outside the EU for maintenance purposes (e.g., USA).

3.2 Analytics data

We use Firebase Analytics to analyze app usage. The following data may be collected:

• Interactions within the app
• Language settings, country
• Device technical information

Data is stored in a pseudonymized form.

When creating an account, each user can individually decide whether to allow the use of Firebase Analytics. This consent is voluntary and can be changed or revoked at any time in the app settings.

3.3 Advertising data (Google AdMob)

To finance the app, we use Google AdMob. The following data may be processed:

• Advertising IDs (Advertising ID / IDFA)
• IP address (anonymized)
• Interactions with ads
• Approximate location data

On the first launch of the app, depending on the user's location, consent for personalized ads is collected via the Google AdMob User Messaging Platform (UMP). Google decides whether this consent is required based on applicable data protection laws (e.g., in the EU or UK).

Users can change their decision regarding personalized ads at any time in the app settings.

Google may act as an independent controller for personalized advertising. For more information, see the Google Privacy Policy.

3.4 Crash and performance data

Through Firebase Crashlytics and Performance Monitoring, we collect technical data on app crashes and stability.

The use of Firebase Crashlytics only occurs if the user explicitly consents during registration. This decision can be changed at any time in the app settings.

3.5 Consent history and policy versions

To comply with legal documentation requirements, we also store:

• Whether and when the user agreed to or rejected the use of Firebase Analytics
• Whether and when the user agreed to or rejected the use of Firebase Crashlytics
• Date and version of accepted privacy policies
• Date and version of accepted content policies

This information serves solely as proof that consents were properly collected and documented. It is not used for analytics or advertising purposes. Google, especially AdMob, may collect data for its own purposes. More information can be found in the Google Privacy Policy.

3.6 User-generated content and account data

To provide the app’s functionality and community features, we store the following data:

Account data

• User ID: Unique identifier of your account
• Username: Your chosen username and a normalized version for uniqueness
• Email address: Your email address and its verification status
• Profile picture: If uploaded, your profile picture
• Registration date: Time of account creation and completion
• Last login: Timestamp of your last login for each device, including platform
• Profile status: Indicates whether your profile is fully set up
• Preferred currency: Your selected currency preference
• Language: Your selected language setting, needed for localization
• Device IDs: Required for identifying devices and managing FCM
• FCM token: Token including creation and update timestamps, used only for push notifications

Content and activities

• Posts: Uploaded product images, descriptions, comments, stated prices and currency, number of received comments, average rating, ratings including userId, creation date
• Ratings: Submitted ratings, rating text, timestamp
• Comments: Written comments and replies with timestamps and associated ratings
• Activity statistics: Number of posts created, number of ratings given
• Reports: Reports regarding users, comments, replies and posts incl. content, text, data and statistics
• Feed: Each user has a feed collection with references to posts
• Notification center: Each user has a denormalized notifications collection for received comments and replies, plus possible admin messages

Social interactions

• Friends list: List of added friends (user IDs)
• Friend requests: Sent and received requests including timestamps
• Blocked users: List of blocked users (user IDs)

Purpose: These data are necessary to provide the core functionality of the app, including creating and managing content, interacting with other users, and personalizing your profile.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract – provision of the app services)

Authentication is handled through Firebase Authentication (Google LLC), acting as a data processor under Art. 28 GDPR.

Storage duration: These data are stored in Firebase Firestore, Cloud Storage, and Firebase Authentication as long as your account exists. When you delete your account via “Delete account”, all associated data is permanently deleted or anonymized within 30 days unless legal retention obligations apply. Backups may remain for up to 90 days but will also be permanently deleted afterward.

4. Purpose of Data Processing

• Operation and maintenance of the app
• Error analysis and improvement
• Usage statistics and advertising
• Compliance with legal obligations
• Proof of consent and policy versions

5. Legal Bases

EU / UK

• Art. 6(1)(b) GDPR – performance of a contract
• Art. 6(1)(f) GDPR – legitimate interest
• Art. 6(1)(a) GDPR – consent (e.g., advertising, analytics, crashlytics)
• Art. 6(1)(c) GDPR – legal obligation (documentation of consent)
• Non-personalized ads may be shown based on legitimate interest under Art. 6(1)(f) GDPR.

6. Data Sharing

Data is only shared with:

• Google LLC (Firebase, AdMob)
• Legal obligations
• Legitimate interests (e.g., protection against abuse)

Data transfers to the USA are based on the EU-U.S. Data Privacy Framework. If data is transferred to other third countries, this only occurs based on appropriate safeguards under Art. 46 GDPR (e.g., EU standard contractual clauses). A data processing agreement according to Art. 28 GDPR has been concluded with Google LLC.

7. Storage Duration

• Analytics data: 14 months
• Crashlytics: until resolved, max. 90 days
• Advertising data: according to AdMob requirements
• Consent history: as long as the account exists or until all data is deleted
• Account data: until the account is deleted or 30 days after a deletion request

8. User Rights

EU / UK / Switzerland

• Access, correction, deletion
• Restriction of processing
• Data portability
• Withdrawal of consent

USA (CCPA/CPRA)

• Right to know
• Right to delete
• Opt-out of data sharing

Canada / Australia

Right to access, correct or delete personal data.

Account management and data deletion

Using the “Delete account” option in the app settings, users can permanently delete their account and all associated personal data. After deletion, all stored data is removed or anonymized unless legal retention obligations apply.

You can exercise your data protection rights at any time via email to support@klemp-roeder.com. We will process your request according to applicable privacy laws.

9. Consent & Opt-Out

• Firebase Analytics: opt-out via app or device settings
• AdMob: personalized ads can be disabled in app or device settings
• CCPA: email support@klemp-roeder.com for opt-out requests
• Consents (e.g., analytics, crashlytics, ads) can be changed or withdrawn at any time in the app settings.

10. Data Security

We take technical and organizational measures to protect your data. However, no data transmission over the internet can guarantee absolute security.

11. Children and Youth Protection

Our app is not directed at children under 16 years of age. We do not knowingly collect data from children as defined under COPPA.

12. Changes to this Privacy Policy

We reserve the right to update this privacy policy if necessary. The current version is always available in the app.