Privacy Policy

Last updated: [YYYY-MM-DD]

This Privacy Policy explains how Ontoryx (“Ontoryx”, “we”, “us”, “our”) collects, uses, and protects personal data when you use the Ontoryx mobile application (the “App”) and the website ontoryx.com (together, the “Service”). We comply with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Data Controller

The controller responsible for the processing of your personal data is:

[Your Full Name]
[Street and House Number]
[Postal Code and City]
[Country]
Email: [[email protected]]

2. Data We Process

2.1 Account Data

When you create an account, we process:

• Email address
• Password (stored as a salted hash — we never see your plain-text password)
• Display name you choose
• Account creation and last-login timestamps

2.2 Content You Create

While using the Service you may create or submit:

• Groups you create or join
• Answers you submit to conversation prompts
• Reactions or interactions with other users' answers

This content is visible to other members of the same group. Do not share information you would not want other group members to see.

2.3 Technical Data

When you use the Service, the following is processed automatically:

• IP address (temporarily, for security and abuse prevention)
• Device type, operating system, and app version (for crash diagnostics and compatibility)
• Request timestamps and error logs

2.4 Notifications

Ontoryx uses local notifications only. Reminders and new-answer alerts are scheduled and shown by your device, not sent from our servers. We do not collect device push tokens, and no third-party push service (such as Firebase Cloud Messaging or Apple Push Notification service) is used for content.

2.5 Cookies and Tracking

The website ontoryx.com does not set marketing or analytics cookies. The App does not use third-party advertising or analytics SDKs.

3. Purposes and Legal Bases

• Providing the Service (account, groups, messaging features) — Art. 6(1)(b) GDPR (performance of a contract).
• Security, fraud, and abuse prevention — Art. 6(1)(f) GDPR (legitimate interests).
• Communication about your account (password resets, service notices) — Art. 6(1)(b) GDPR.
• Compliance with legal obligations — Art. 6(1)(c) GDPR.

4. Recipients and Processors

We engage carefully selected processors that act on our behalf under a data processing agreement pursuant to Art. 28 GDPR:

• Supabase, Inc. — authentication, database, and realtime backend. Data is hosted in EU region servers where available. See supabase.com/privacy.
• Email delivery provider — used by Supabase to send transactional emails (verification, password reset). No marketing emails are sent.
• Apple App Store and Google Play — for app distribution. Their own privacy terms apply when you download the App.
• GitHub Pages — hosts this website. Server log data (including IP address) may be processed briefly by GitHub for operational and security purposes. See GitHub's Privacy Statement.

We do not sell personal data and we do not share it for advertising purposes.

5. International Data Transfers

Some of our processors may transfer personal data to countries outside the European Economic Area (EEA). Where this happens, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (Art. 46 GDPR) and additional technical measures where necessary.

6. Retention

• Account data — retained while your account exists. Deleted on account deletion (see Section 8) within 30 days, except where statutory retention periods apply.
• Content you created — removed from group views on deletion; backups may persist for up to 30 days before being purged.
• Security logs — typically retained for up to 90 days.

7. Security

We apply appropriate technical and organisational measures to protect personal data, including transport encryption (TLS), encryption at rest for our database provider, row-level security rules that isolate user data, and hashed password storage. No system is perfectly secure; use a strong, unique password and keep your device locked.

8. Your Rights

Under GDPR you have the right to:

• Access the personal data we hold about you (Art. 15)
• Have inaccurate data corrected (Art. 16)
• Have your data erased (Art. 17) — you may delete your account from within the App, or by contacting us
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing based on legitimate interests (Art. 21)
• Withdraw any consent you have given, without affecting lawfulness of processing based on that consent before its withdrawal (Art. 7(3))

To exercise any of these rights, email [[email protected]]. We will respond within one month of receiving your request.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR).

10. Children

Ontoryx is not directed at children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Automated Decision-Making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

12. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the current version. Material changes will be communicated in the App or by email where appropriate.

13. Contact

Questions about this Privacy Policy or your personal data? Email [[email protected]].

This Privacy Policy is provided in English. In the event of conflict with any translation, the English version prevails.

← Back to Ontoryx