Privacy Policy

Last updated: 13 June 2026

This Privacy Policy explains how personal data is collected, used, stored and erased when you use the Ontoryx mobile application (the "App") and the website ontoryx.com (together, the "Service"). Processing is carried out in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

The controller within the meaning of Art. 4 (7) GDPR is:

Georg Riepe
Borsigstraße 5
10115 Berlin
Germany
Email: [email protected]

For all questions concerning data protection, please use the email address above. A data protection officer is not appointed, as the statutory thresholds (§ 38 BDSG) are not met.

2. Categories of Personal Data Processed

2.1 Account data

When you create an Ontoryx account, the following data is stored by the authentication backend (Supabase, see Section 5):

Email address
Password, stored exclusively as a salted bcrypt hash — the plain-text password is never stored and cannot be retrieved
Account identifier (UUID) and technical metadata such as account-creation timestamp, email-confirmation timestamp, and last-sign-in timestamp

In parallel, a row is created in the application database with your account identifier and a public display name of your choosing (the display name is unique across the Service).

2.2 Content you create

Groups: the group name (max. 30 characters), a category (philosophy / relationships / not so deep), a timezone, and a six-character invite code generated by the server. Groups are limited to 30 members. You may be either the owner of a group or a member.
Daily answers: free text of up to 100 words that you submit in response to the group's daily question (the database additionally caps stored answer text at 2,000 characters as a technical safeguard). Each user may submit at most one answer per group per day. You can edit your own answer at any time while it is still displayed; the time of the most recent edit is stored with the answer and the answer is flagged as "edited" in the user interface. Editing overwrites the previous text in place — prior versions are not retained.
Voice answers: instead of text, you may record a short voice answer (up to approximately 120 seconds). Recording requires your explicit microphone permission, which is requested by your device's operating system; you can decline it or revoke it at any time in your device settings. The recording is stored as an audio file (together with its duration) in Supabase Storage (see Section 5.1) and is made available to other group members through short-lived signed links (valid for about one hour). The same one-answer-per-group-per-day rule applies, and the same retention rules as for text answers apply to the audio (see Section 7.2).
Comments: text replies (up to 1,000 characters) that you can post on other members' answers within a group. Each comment stores your account identifier and your display name. You can edit or delete your own comments while the parent answer is still displayed; editing overwrites the previous text in place and the comment is flagged as "edited" in the user interface.
Reactions: emoji reactions to other members' answers. Your account identifier is stored together with the emoji you selected.

All content you submit inside a group is visible to every current member of that group. Do not share information in Ontoryx that you would not want other group members to see.

2.3 Technical data

When the App or website communicates with the backend or with my processors' servers, the following data is processed automatically:

IP address of the requesting device
Date and time of the request
HTTP method, requested resource and response status
User agent (operating system, device type, app or browser version)

This data is processed by the website host and by Supabase for the purpose of operating the Service, preserving IT security, and investigating abuse. It is not combined with other data held about you for marketing, profiling or advertising purposes.

2.4 Push notifications

With your permission, Ontoryx sends push notifications to let you know when something happens in your groups — for example when another member posts an answer, comments on your answer, or reacts to it. Push delivery works as follows:

The first time you are signed in, your device's operating system asks whether you want to allow notifications. If you decline, no push notifications are sent. You can change this at any time in your device settings.
If you allow notifications, your device is issued a push token by Firebase Cloud Messaging (FCM, a Google service — see Section 5.5). This token, together with your platform (iOS or Android) and the app version, is stored in the application database so that notifications can be addressed to your device. Tokens are removed when you sign out, when they are replaced, and when you delete your account.
When a push-worthy event occurs, a server-side function sends the notification to your device(s) through FCM, and on Apple devices onward through the Apple Push Notification service (APNs — see Section 5.6). The message payload is metadata only: the event type, the relevant group/answer identifiers, the actor's display name, and an unread counter for the app icon badge. The actual text or audio of answers and comments is never transmitted through FCM or APNs; the App fetches the content from the backend only after you open it.

In addition, Ontoryx uses local device notifications (via the operating-system notification APIs through the flutter_local_notifications library) for daily reminders and to surface in-app alerts while the App is open. These are scheduled and displayed entirely on your own device.

2.5 Activity data for unread indicators

To show unread counters on the home screen and on the app icon, Ontoryx records, per group, the timestamp at which you last opened that group (a "last seen" time). Content created by other members after that time is counted as unread. This timestamp is stored on your group-membership record and is not visible to other members.

2.6 Analytics, tracking, cookies, third-party scripts

Ontoryx does not use any third-party analytics, crash-reporting, advertising or tracking SDKs in the App. The website ontoryx.com does not set analytics or marketing cookies. Only strictly necessary, session-scoped cookies or local storage entries required for the password-reset flow (Supabase Auth) are used; these are removed at the end of the session.

The password-reset page loads the official Supabase JavaScript client from the public module CDN esm.sh on the fly. When you open that page, your browser therefore establishes a connection to esm.sh, which inevitably transmits your IP address, user-agent and the requested script URL to the CDN operator. No cookies are set by that request and no tracking pixels are loaded. See esm.sh for that provider's own terms.

3. Purposes of Processing and Legal Bases

Providing the Service — creating and maintaining your account, enabling you to create and join groups, submitting and displaying daily answers (text or voice), comments and reactions, sending transactional emails (email confirmation, password reset, email-change confirmation) — Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual measures).
Push notifications — registering your device push token and delivering activity notifications about your groups. The notification permission you grant at the operating-system level acts as your consent (Art. 6 (1) (a) GDPR); the underlying processing also serves the performance of the contract (Art. 6 (1) (b) GDPR). You can withdraw this at any time by disabling notifications in your device settings.
Security, abuse prevention and IT integrity — processing of log and technical data to detect, prevent and investigate attacks, misuse and outages — Art. 6 (1) (f) GDPR (legitimate interests in a secure and stable Service).
Compliance with legal obligations — in particular obligations under the GDPR, the BDSG and tax/commercial law where applicable — Art. 6 (1) (c) GDPR.
Communication regarding your requests — when you email us — Art. 6 (1) (b) or (f) GDPR.

4. Recipients Within the Service

Because Ontoryx is a group-based application, certain data is visible to other users of the Service:

Your display name is visible to every member of every group you join, and is also copied into each answer you submit so that it remains readable even if you later change it.
Your answers (text or voice), comments and reactions are visible — and voice answers are audible — in real time to every member of the group in which you posted them. If you edit an answer or comment, an "edited" indicator and the updated content become visible to the other members of the group; the previous version is overwritten and not retained.
Your group memberships are visible to other members of the same group.
Your email address is not visible to other users.
Your internal account identifier (UUID) is not shown in the user interface, but it is stored inside the emoji-reaction lists attached to answers you reacted to and can in principle be read by other members of the same group through the database API. It contains no personal information on its own.

Anyone who possesses a group's six-character invite code can attempt to join that group until the 30-member cap is reached. Treat invite codes as semi-public.

5. Processors and Third-Party Services

I rely on the following processors that act on my behalf under a data processing agreement pursuant to Art. 28 GDPR, as well as on the third-party services disclosed below:

5.1 Supabase

Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992, provides authentication, the PostgreSQL database, realtime websockets, object storage, server-side functions and transactional email delivery for Ontoryx. All account data, profile data, groups, group memberships, answers, comments and reactions are stored in a Supabase-managed PostgreSQL instance configured in the European Union (EU) region; voice-answer audio files are stored in Supabase Storage in the same EU region. Server-side functions hosted by Supabase generate the daily question, enforce retention, dispatch push notifications and clean up expired audio. Supabase also processes server-side request and authentication logs on my behalf. See supabase.com/privacy.

5.2 Website hosting (Cloudflare Pages)

The website ontoryx.com, including this page, the password-reset page, the email-confirmed landing page and the support page, is served via Cloudflare Pages, a service of Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA (with EU entity Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 München, Germany). Cloudflare operates a global edge network; your request is typically served from the Cloudflare data centre geographically closest to you. In that context Cloudflare processes request metadata, in particular your IP address, user-agent, requested URL and response status, for the purpose of delivering the site, protecting it against abuse (DDoS, bot traffic) and basic operational analytics on my behalf. No Cloudflare analytics cookies or tracking scripts are injected into the site. See Cloudflare's Privacy Policy.

5.3 App distribution platforms

The App is distributed via the Apple App Store (Apple Inc.) and the Google Play Store (Google LLC). When you download or update the App, these platforms act as independent controllers for the data they collect in that context. Their own privacy terms apply.

5.4 esm.sh (module CDN)

The password-reset page (ontoryx.com/reset-password) loads the Supabase JavaScript client at runtime from the public module CDN esm.sh. The operator of that CDN will receive the requesting browser's IP address and user-agent as part of the HTTP request. The CDN is only contacted on that single page; no personal data is intentionally sent to it, no cookies are set, and the request is not used for analytics or tracking purposes on my behalf.

5.5 Google / Firebase Cloud Messaging

Push notifications are delivered through Firebase Cloud Messaging (FCM), a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (with Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The App integrates only the Firebase Cloud Messaging component; it does not use Firebase Analytics, Firebase Crashlytics, or other Firebase products. For the purpose of delivering notifications, FCM processes the device push token and the metadata-only message payload described in Section 2.4 (no answer or comment content). Google may also process the token and related delivery data as described in its own terms. See Firebase Privacy & Security and Google's Privacy Policy.

5.6 Apple Push Notification service

On Apple devices, the notification is delivered the final step to your device via the Apple Push Notification service (APNs), operated by Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. APNs processes the device token and the metadata-only payload to deliver the notification. See Apple's Privacy Policy.

5.7 Categories of processors and services not used

Ontoryx does not use any third-party analytics provider, advertising network, crash-reporting SDK (such as Firebase Crashlytics or Sentry), or social-login provider. Apart from Firebase Cloud Messaging (used solely to deliver push notifications, Section 5.5) no Firebase or other Google product is integrated.

I do not sell personal data and I do not share it for advertising purposes.

6. International Data Transfers

All Ontoryx application data (accounts, profiles, groups, memberships, answers, reactions) is stored on Supabase infrastructure located in the European Union and therefore does not leave the EU as part of normal Service operation.

Some of the providers listed above have their corporate seat, or operate infrastructure, outside the European Economic Area — in particular Cloudflare, Inc. (United States), Supabase, Inc. (Singapore), Google LLC and Apple Inc. (United States, for push-notification delivery), and the operator of the esm.sh CDN. To the limited extent that edge delivery, administrative access, support, log processing, the delivery of push notifications (device token and metadata-only payload), or the loading of the Supabase JavaScript client on the password-reset page results in a transfer of personal data to a third country that does not benefit from an adequacy decision under Art. 45 GDPR, such transfers are safeguarded by EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR and, where appropriate, by additional technical and organisational measures. (Push notifications to Apple devices are routed via Apple's EU entity where applicable.)

7. Retention and Erasure

Retention at a glance. Daily answers (text and voice) and the comments and reactions attached to them are automatically erased by the server within about two days (see 7.2). Account, profile and group-membership data is retained while your account exists and is erased when you request account deletion (see 7.1).

7.1 Account, profile and group memberships

Your account (email, password hash, account identifier, timestamps) and your profile (display name, email copy) are retained for as long as your account exists. Group memberships persist while your account exists and you have not left the group.

You can delete your account at any time directly within the App, under Profile → Delete account. After a typed confirmation step, the App calls a server-side function that executes the following in a single operation:

Removes your account identifier from the emoji-reaction lists stored on other users' answers, so that no trace of your reactions remains on content that is not deleted together with your account.
Deletes your row in the authentication system. A database foreign-key cascade then immediately removes: your profile row; all your group memberships; all answers and comments you authored; your stored push tokens; and any groups of which you were the owner (which also removes the remaining members of those groups from the affected groups).
Any voice-answer audio files you uploaded are removed from storage by the scheduled cleanup within at most two days of the answer expiring or your account being deleted (see 7.2); they are in any case no longer reachable through the App once the answer entry is gone.

The deletion is immediate and irreversible. After it completes, no personal data associated with your account remains in the Ontoryx application database. Short-lived copies may persist in Supabase's managed database backups for up to 30 days before being overwritten, and in security or request logs (IP address, timestamps) for the log-retention period described in 7.4; these copies are not used for any other purpose and cannot be used to restore the deleted account.

If you prefer not to delete your account from within the App, you may alternatively exercise your right to erasure (Art. 17 GDPR) by emailing [email protected] from the address associated with your account. I will process such requests within 30 days.

7.2 Daily answers, comments and voice recordings

Daily answers (text or voice), the comments posted on them and the emoji reactions attached to them are short-lived. An answer is shown to the group on the day it is written and remains visible the following day only to members who themselves answered that day (the "yesterday" view); after that it is no longer shown. Deletion happens on two levels:

A server-side function (ensure_daily_question) runs when a group is opened on a new day; it selects the new daily question and deletes answers older than the previous day.
A scheduled nightly job (purge-stale-answers, 04:00 UTC) deletes any answer with a date_key older than two days, so that even groups with no activity cannot retain stale entries. Comments and reactions are stored together with their answer and are removed automatically when the answer is deleted.
For voice answers, the audio file in Supabase Storage is deleted by a separate scheduled job (cleanup-voice, 04:10 UTC) that removes any voice recording older than two days. This covers both expired answers and recordings belonging to deleted accounts.

The effective lifetime of an answer and its attached content is therefore between a few hours and a maximum of about two days.

You can edit your own answer or comment at any time while it is still displayed; editing overwrites the previous text in place and the prior version is not retained. You can delete your own comments directly. Individual answers do not have a separate manual delete button — they are erased automatically within the window described above, and account-wide erasure is always available via Profile → Delete account (see 7.1).

Your stored push token (Section 2.4) is retained while your account exists and the device remains registered; it is deleted when you sign out, when the device issues a new token, and when you delete your account.

7.3 Groups

Group records (name, invite code, owner, timezone) are retained while the group exists. The owner can delete the group at any time; all members can leave a group at any time. When a group is deleted, its memberships and any remaining answers are removed together with it.

7.4 Logs

Server-side request and authentication logs held by Supabase and Cloudflare are retained by those providers for a limited period in accordance with their respective privacy notices, typically no longer than 90 days, and are used solely for security, abuse prevention and operations.

7.5 Statutory retention

Where German or EU law requires longer retention (e.g. tax or commercial-law obligations), the corresponding data is retained for the statutory period and its processing is restricted accordingly until the obligation ends.

8. Security

I apply appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect personal data:

TLS 1.2+ encryption for all traffic between the App/website and the backend
Password storage as salted bcrypt hashes by Supabase Auth
Row-level security (RLS) policies in the PostgreSQL database so that each user can only read and modify data they are authorised to access
Voice-answer audio kept in a private storage bucket, reachable only by group members and only through short-lived signed links (valid for about one hour)
Separation of authentication and application data
Encryption at rest as provided by Supabase's managed database infrastructure
Principle of least privilege for administrative access

No system can be made perfectly secure. Please use a strong, unique password for your account and keep your device locked.

9. Your Rights

Under the GDPR, you have the following rights with regard to your personal data:

Access (Art. 15) — obtain confirmation of processing and a copy of your data
Rectification (Art. 16) — have inaccurate data corrected
Erasure (Art. 17) — have your data deleted, subject to the limitations of Art. 17 (3) GDPR; see Section 7.1 for the in-App "Delete account" function and for the email alternative
Restriction of processing (Art. 18)
Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format
Objection (Art. 21) — object, on grounds relating to your particular situation, to processing based on legitimate interests
Withdraw consent (Art. 7 (3)) — where processing is based on consent; withdrawal does not affect the lawfulness of processing before withdrawal

To exercise any of these rights, email [email protected] from the email address associated with your account. I respond to valid requests without undue delay and at the latest within one month of receipt (Art. 12 (3) GDPR). This period may be extended by a further two months for complex requests; you will be informed in that case.

10. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). The authority competent for me is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61
10555 Berlin, Germany
www.datenschutz-berlin.de

11. Children

Ontoryx carries an App Store age rating of 13+ (the exact rating may vary by region). In addition, the digital-consent age under Art. 8 GDPR ranges from 13 to 16 depending on the EU member state — for example, 16 in Germany. If you are below the digital-consent age in your jurisdiction, valid use of Ontoryx requires the consent of a parent or legal guardian. If I become aware that an account has been created in violation of the applicable minimum age or without the required parental consent, the account and all associated data will be deleted.

12. Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR, including profiling, takes place in connection with the Service.

13. Changes to this Policy

This Privacy Policy may be updated to reflect changes in the Service or applicable law. The "Last updated" date at the top of this page reflects the current version. Material changes will be communicated in-App or by email to the address on your account before they take effect, where legally required.

This Privacy Policy is provided in English. In the event of a conflict with any translation, the English version prevails.

← Back to Ontoryx