Privacy Policy for the "Transportflow" App and Associated Website

As of: April 10, 2026

Note: This is an informal English translation provided for convenience only. In case of any discrepancy between this translation and the original German version, the German version shall prevail. The German version is available at transportflow.me/datenschutz.

Preamble

With the following Privacy Policy, we would like to inform you about the types of personal data ("data") we process, for what purposes, and to what extent in connection with the provision of our mobile application.

We have developed the App in accordance with the principle of data minimization ("Privacy by Design"). With the exception of subscription management, all network connections made by the App are exclusively directed to our own server infrastructure located in Germany.

The terms used in this policy are gender-neutral.

Controller

Hanns Adrian Böhme

Prießnitzstr. 39

01099 Dresden

Germany

Email: transportflow@hannsadrian.de

Phone: +49 351 65877307

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing.

Types of data processed:

Location data (GPS coordinates)
Usage and log data (e.g. IP addresses, access times, connection search queries)
Contractual and payment data (anonymized purchase receipts/tokens, subscription status)
Contact data (e.g. email addresses in support requests)
Local data (settings, favorites – not processed by us, see below)

Purposes of processing:

Provision of App functionalities (routing, timetable information, map display)
Processing of In-App purchases and activation of Pro features
Ensuring the technical stability and security of our infrastructure
Responding to user inquiries and providing support

Legal Bases

Consent (Art. 6(1)(a) GDPR): For the processing of location data (GPS)
Performance of a contract (Art. 6(1)(b) GDPR): For the provision of core App functions, routing, and processing of the Pro subscription
Legitimate interests (Art. 6(1)(f) GDPR): For maintaining server stability, IT security, and error analysis
Legal obligation (Art. 6(1)(c) GDPR): Retention obligations for accounting transactions

Detailed Information on the App's Processing Activities

1. Location Data (GPS)

To enable route planning from your current location and to display nearby stops on the map or in list form, the App requests permission to access your location data (GPS coordinates) via your device's operating system.

Processing: When you use this feature, your current location is transmitted to our servers in order to perform the relevant timetable or route calculation. The data is processed exclusively in the volatile memory of our servers to respond to your request in real time, and is neither permanently stored nor linked to a personal profile.

Legal basis: Consent (Art. 6(1)(a) GDPR)

Withdrawal: You may withdraw your consent at any time in your device's system settings (iOS / Android) by revoking the App's location permission.

2. Provision of App Services and Map Data (API Infrastructure)

When you search for a connection or move the map, the App sends requests to our backend servers. Unlike many other apps, we host not only the timetable logic but also the map tiles on our own infrastructure. No data is transmitted to third-party map providers (such as Google Maps or the OpenStreetMap Foundation).

Data processed: IP address, date and time of the request, volume of data transferred, operating system used, search parameters (e.g. origin/destination)

Purpose: Delivery of timetable data, real-time data, generated route paths (shapes), and map tiles

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and legitimate interests in server stability and security (Art. 6(1)(f) GDPR)

Hosting provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. We have concluded a Data Processing Agreement (DPA) with Hetzner in accordance with Art. 28 GDPR. Log files (including IP addresses) are stored for a maximum of 14 days for the purpose of detecting, analyzing, and defending against attacks on our infrastructure (in particular DDoS attacks and brute-force attempts), and are then deleted automatically. This retention period is necessary because attack patterns frequently develop over several weeks, coordinated attacks are often repeated at staggered intervals, and forensic analysis of past requests may be required to identify and block attacking systems. A shorter retention period would technically prevent effective protective measures.

3. Local Data Storage Only (Favorites & Settings)

Your privacy matters to us. Any locations you save as favorites, your recent search history, and your individual App settings remain exclusively on your device.

We do not transmit this data to our servers.
We have no access to this data.
If you delete the App, this data will also be deleted from your device (unless you use your operating system's backup system, e.g. iCloud). Since no processing of this data takes place on our end, this is not subject to the GDPR. We mention this solely for the purpose of transparency.

4. In-App Purchases and Subscription Management (Pro Version)

We offer paid features ("Pro Subscription") within the App as In-App purchases. Payment processing is handled exclusively via the respective App Store (Apple App Store or Google Play Store). We do not receive payment data (such as account numbers or credit card details) from the stores, but only a confirmation of the purchase (a so-called "receipt" or token).

For technical verification, management of feature activations, and validation of subscription status, we use the service RevenueCat.

How it works: The App communicates with RevenueCat and transmits a purely randomly generated, anonymous ID (RCAnonymousID) along with the anonymized purchase receipt from the App Store. RevenueCat uses this ID to verify whether you are entitled to the Pro features. No real names, location data, email addresses, or route histories are sent to RevenueCat.

Service provider: RevenueCat Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA.

Data protection at RevenueCat: RevenueCat is certified to SOC 2 Type II and acts as our data processor pursuant to Art. 28 GDPR. We have a Data Processing Addendum (DPA) in place with RevenueCat, which incorporates the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR (Module 2, Controller to Processor) as an integral component; these automatically apply as the transfer mechanism for the transmission of data to the USA. In addition, we currently rely on the adequacy decision of the European Commission pursuant to Art. 45 GDPR (EU–U.S. Data Privacy Framework, DPF), under which RevenueCat Inc. is certified. For further information, see: revenuecat.com/privacy and revenuecat.com/dpa.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

5. Support and Contact

When you contact us (e.g. by email or via a reporting function within the App to report errors in route paths), we process your information in order to handle your request.

Data processed: Email address (if provided), content of your message, and where applicable, application-related diagnostic data (e.g. App version, operating system used), if you include this.

Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) and our legitimate interest in improving the App and fixing errors (Art. 6(1)(f) GDPR).

Retention period: Support requests are stored for the duration of their processing. Requests not related to a paid purchase are deleted no later than 12 months after the conclusion of processing. Requests related to an In-App purchase (e.g. in connection with withdrawal, warranty, or subscription management) are retained for 6 years due to statutory retention obligations under commercial and tax law (§ 147 of the German Tax Code / AO; § 257 of the German Commercial Code / HGB) and deleted thereafter.

6. Provision of Our Website and Web Hosting

In addition to our mobile App, we operate an informational website at transportflow.me. This website is hosted on exactly the same infrastructure at Hetzner Online GmbH (see section 2).

Processing: When you use the website for purely informational purposes (without registering or otherwise submitting information to us), we only collect the personal data that your browser transmits to our server (so-called server log files). This includes: IP address, date and time of the request, content of the request (specific page), volume of data transferred, the website from which the request originates (referrer URL), browser type and version, and operating system used.

Purpose: This data is technically necessary to display our website to you and to ensure the stability and security of our IT systems (e.g. to defend against hacking attempts).

Legal basis: Our legitimate interest in the secure and error-free provision of our web offering (Art. 6(1)(f) GDPR).

Retention period: Log files are stored for a maximum of 14 days, consistent with App traffic, and are then automatically deleted. (Note: We do not use consent-requiring tracking cookies or third-party analytics tools on our website.)

Security Measures

In accordance with legal requirements and taking into account the state of the art, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

Encryption (HTTPS/TLS): All communication between the App on your device and our servers (Hetzner), as well as with RevenueCat, is encrypted in accordance with the current state of the art.
Data minimization: As described above, all significant traffic requests are routed exclusively through our own servers in order to technically prevent the uncontrolled transfer of metadata to third parties (e.g. through the integration of external map providers).

Rights of Data Subjects

As a data subject, you have various rights under the GDPR (Arts. 15–21 GDPR):

Right of access: You may request confirmation of whether and what personal data we process about you. (Note: Since the App functions without a user account and we do not store any identifying data beyond the IP address used at the time of a request, access requests may in practice yield no results due to a lack of identifiability pursuant to Art. 11 GDPR.)
Right to rectification and erasure: You have the right to have inaccurate data corrected or to have your data deleted (e.g. by revoking GPS access or requesting deletion of support emails).
Right to withdraw consent: Consent given (e.g. for location access) may be withdrawn at any time via your operating system settings.
Right to object: You may object at any time to the processing of your data on the basis of legitimate interests.
Right to restriction of processing: You have the right to request the restriction of processing of your personal data where the legal conditions for doing so are met (Art. 18 GDPR). Since the App functions without a user account and we do not maintain any permanently stored records attributable to you during ordinary App use, this right will generally not be applicable in practice.
Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller (Art. 20 GDPR). Since the App functions without a user account and no permanent user profiles are created, this right will generally not be applicable in practice. An exception may apply to support correspondence, to the extent that it contains personal data.
Right to lodge a complaint with a supervisory authority: If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent data protection supervisory authority. The authority with jurisdiction over us is:

Sächsische Datenschutz- und Transparenzbeauftragte (SDTB)

P.O. Box 11 01 32

01330 Dresden

Germany

Email: post@sdtb.sachsen.de

Website: www.datenschutz.sachsen.de

Automated Decision-Making and Profiling

We do not engage in automated decision-making within the meaning of Art. 22 GDPR. No decisions are made that are based solely on automated processing – including profiling – and that produce legal effects concerning you or similarly significantly affect you. We do not create user profiles.

Data Protection Officer

No data protection officer has been appointed, as the legal requirements for a mandatory appointment pursuant to Art. 37 GDPR in conjunction with § 38 of the German Federal Data Protection Act (BDSG) are not met. For data protection-related inquiries, please contact the controller directly using the contact details provided above.

Changes and Updates

We ask that you regularly review the content of this Privacy Policy. We will update the Privacy Policy whenever changes to the App or legal requirements make this necessary. If the changes require your renewed consent, we will obtain this within the App.

Definitions

Personal data: All information relating to an identified or identifiable natural person (e.g. an email address or an IP address).
Processing: Any operation carried out in connection with personal data (collection, storage, transmission, evaluation, deletion).
Data processor: A natural or legal person who processes personal data on behalf of and under the instructions of the controller (i.e. us), such as Hetzner or RevenueCat.
IP address: A unique sequence of numbers that identifies a device on the internet. It is technically necessary in order for our server to send data packets (such as search results or map tiles) back to your smartphone.

← Back to homepage