Privacy Policy

1. Data Controller

The data controller under the General Data Protection Regulation (GDPR) is:

Marc Stellmacher
Wiesenweg 1
21755 Hechthausen
Germany
Email: info@pick-a-do.com

A Data Protection Officer is not legally required (Art. 37 GDPR, § 38 BDSG) as the mandatory appointment criteria are not met.

2. Data Collected

When using Pickado, the following data is collected and processed:

• Registration data: email address, username, encrypted password
• Profile data: avatar configuration (DiceBear), optional profile picture, avatar ring setting
• Usage data: swipe decisions, session participations, matches, watchlist, movie ratings
• Device data: push notification token (optional), platform (iOS/Android), device language, app version
• Communication data: emails for registration (verification) and password reset
• Error diagnostics: crash reports (stack traces, device type, OS version) — without personal content such as email or username
• Payment data: processed exclusively through Apple or Google. We only receive an anonymized purchase ID, no payment method information.

Additionally, when visiting this website (www.pick-a-do.com), our hosting provider processes server-side technically necessary access data (server logs: IP address, timestamp, user agent, requested URL). Legal basis is Art. 6(1)(f) GDPR (legitimate interest in operational security). These logs are deleted after a maximum of 30 days.

3. Purposes and Legal Basis

Processing of personal data is based on the following grounds:

• Art. 6(1)(b) GDPR — Performance of contract: providing App functions (account, swipes, sessions, matches, watchlist), processing premium subscriptions.
• Art. 6(1)(a) GDPR — Consent: push notifications, personalized advertising, optional profile picture, App Tracking Transparency (iOS). Consent can be withdrawn at any time.
• Art. 6(1)(f) GDPR — Legitimate interest: error diagnostics and stability (Sentry crash reports), fraud and abuse prevention, rate limiting, non-personalized advertising to fund the free version.
• Art. 6(1)(c) GDPR — Legal obligation: tax-related retention requirements for payment-relevant data (where applicable).

4. Recipients and Processors

To provide the App and website, we use the following service providers. Data processing agreements under Art. 28 GDPR are in place with all processors:

• Supabase (Supabase Inc., USA) — backend, database, authentication and file storage. Data stored in Frankfurt, Germany (EU). Encrypted in transit and at rest.
• Expo/EAS (650 Industries Inc., USA) — app infrastructure, over-the-air updates, push notification relay.
• Apple Push Notification Service (Apple Inc., USA) and Firebase Cloud Messaging (Google LLC, USA) — delivery of push notifications to iOS and Android devices respectively.
• Brevo (Sendinblue SAS, France) — transactional email delivery (registration verification, password reset).
• RevenueCat (RevenueCat Inc., USA) — in-app purchase and subscription management. Receives a pseudonymized user ID (UUID).
• Google AdMob (Google Ireland Ltd., Ireland, with data processing by Google LLC, USA) — advertisements in the free version. Advertising ID, IP address and device information are processed. Users can choose between personalized and non-personalized ads in advance.
• Sentry (Functional Software Inc. d/b/a Sentry, USA) — error and crash tracking. We filter personal content (email, IP addresses) before transmission.
• TMDb (The Movie Database, USA) — providing movie and series data via our backend API. No personal data is transmitted to TMDb; requests are made exclusively server-side from our backend.
• Vercel (Vercel Inc., USA) — hosting of this website (static pages, invite deep links).

As platform operators, Apple (USA) and Google (USA) receive platform-typical data during installation, updates and purchases under their own privacy policies.

5. International Data Transfers

Some service providers we use are based in the USA. For transfers of personal data to the USA, we rely on:

• EU-US Data Privacy Framework (DPF) — where the provider is certified (e.g. Google, Apple, Supabase).
• Standard Contractual Clauses (SCC) of the EU Commission under Art. 46(2)(c) GDPR — for all other US providers.

Despite these safeguards, the USA does not offer a level of data protection comparable to the EU. In particular, US authorities may access data under certain conditions.

6. Push Notifications

Push notifications are optional and can be disabled at any time in the profile settings or device settings. The push token is deleted from our database upon deactivation. Legal basis is Art. 6(1)(a) GDPR (consent).

7. Advertising and App Tracking Transparency (iOS)

In the free version, advertisements are shown via Google AdMob. On first launch we ask whether you prefer personalized or non-personalized ads. This setting can be changed at any time in the profile under "Ad settings".

On iOS, the system also asks whether the App may track your activities across other apps and websites (App Tracking Transparency). Without your consent, only non-personalized ads are shown.

No advertising is shown in the premium version.

8. Camera and Photos

To upload a profile picture we require access to the camera and/or photo library. Permission is requested upon first use and can be revoked at any time in the system settings. Using a profile picture is optional — a customizable avatar is available as an alternative.

9. Data Sharing within the App

Within a session, other participants only see the user's username and avatar. Individual swipe decisions are never disclosed — only matches are shown to all session participants.

Invite codes allow other persons to join the respective session only; they grant no access to user profiles or watchlists.

10. Cookies on this Website

This website does not set its own tracking or analytics cookies and does not embed analytics tools (e.g. Google Analytics). Technically necessary cookies may be used by the hosting provider (Vercel) to ensure operation. Legal basis is § 25(2)(2) TTDSG and Art. 6(1)(f) GDPR.

11. Data Retention

• Account data: as long as the user account exists.
• Session and swipe data: for the duration of the session and for display in history.
• Solo sessions: deleted immediately when ended.
• Watchlist: until the user removes the entry or deletes the account.
• Crash reports (Sentry): 90 days, then automatically deleted.
• Website server logs: max. 30 days.
• Tax-relevant billing data: up to 10 years (§ 147 AO) insofar as Apple/Google transmits such data to us.

Upon account deletion, all personal data is irreversibly removed from our systems within 30 days, with the exception of data subject to statutory retention.

12. Your Rights

Under the GDPR you have the following rights:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Withdrawal of consent (Art. 7(3) GDPR)

To exercise your rights, an informal email to info@pick-a-do.com is sufficient. You can also delete your account and all personal data yourself at any time in the App (Profile → Delete account).

13. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority competent for us is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover, Germany
Phone: +49 511 120-4500
Email: poststelle@lfd.niedersachsen.de

14. Automated Decision-Making / Profiling

We do not carry out automated decision-making including profiling within the meaning of Art. 22 GDPR. The movie and series recommendations shown in the App are based on non-personalized popularity and trending data from TMDb as well as the filters selected by the user.

15. Minors

The App is intended for persons aged 16 and older. Personal data of children under 16 is not knowingly collected. If we become aware that a child under 16 has created an account without parental consent, we will delete it without undue delay.

16. Data Security

We employ appropriate technical and organizational measures to protect your data: TLS encryption of all transmissions, server-side password hashing, row-level access control in the database, rate limiting against abuse and regular security updates of dependencies.

17. Changes

This privacy policy may be updated to reflect changes in legal requirements or App features. The current version is always available in the App under Profile → Privacy Policy and here at www.pick-a-do.com/privacy. For material changes, we will notify you separately.