Privacy Policy

Last updated: March 4, 2025

1. Introduction

This Privacy Policy explains how Agnosphere GmbH, the provider of privma, ("we," "our," or "us") collects, uses, shares, and protects your personal information. As a data controller based in Germany, we are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR).

2. Purpose of Processing and Legal Basis

Our service helps you manage and understand your digital privacy across various platforms. We process your data for the following purposes, each with its specific legal basis under GDPR Article 6:

  • Service Provision - Legal basis: Contract (Art. 6(1)(b) GDPR)
    • To provide you with insights about your digital presence
    • To facilitate the exercise of your data privacy rights
  • Platform Connections - Legal basis: Consent (Art. 6(1)(a) GDPR)
    • To enable connection with third-party platforms of your choice
    • To retrieve and analyze data from connected platforms
  • Security Measures - Legal basis: Legal Obligation (Art. 6(1)(c) GDPR)
    • To maintain the security and functionality of our service
    • To prevent unauthorized access and fraud

3. Contact Information

Data Controller:
Agnosphere GmbH
Leopoldstr. 31
80802 München
Germany
Email: contact@privma.eu

4. Categories of Personal Data

We process the following categories of personal data:

  • Basic account information (email, account settings)
  • Authentication data for account security
  • Platform connection data when you choose to connect third-party services
  • Data retrieved from connected platforms based on your consent
  • Technical data necessary for service operation:
    • IP addresses for security and fraud prevention
    • Browser type and version for service compatibility
    • Device identifiers for security purposes
    • Access timestamps for security logging
    • Session identifiers for secure authentication

5. Platform-Specific Data Collection

For each platform you connect, we collect specific types of data through their respective Data Portability APIs, based on your explicit consent:

Data Protection for All Platform Integrations:

  • All platform data is collected through official Data Portability APIs
  • Each platform integration follows the respective platform's security requirements
  • You have granular control over which data types we can access
  • You can modify or revoke platform permissions at any time
  • Platform data is only processed for the purposes you've explicitly consented to

Google Services

Through Google's Data Portability API:

  • Chrome History and Activity Data
  • Maps Activity and Location History
  • Search Activity and Patterns
  • Shopping and Commercial Activity
  • YouTube Activity and Content Interactions

TikTok

Through TikTok's Data Portability API:

  • Profile Information (username, bio, profile media)
  • Posts and Videos (including privacy settings and content information)
  • Activity Data (interactions and engagement metrics)
  • Connection Data (following/follower information)

Amazon

Through Amazon's Data Portability API:

  • Customer Profile Information
  • Order History (physical and digital)
  • Shopping Preferences and Lists
  • Product Reviews and Ratings
  • Search and Browsing History

Facebook

Through Facebook's Transfer Your Information (TYI) API:

  • Profile Information and Settings
  • Posts and Shared Content
  • Activity Log and Interactions
  • Connection Data (friends, followers, following)

All data is collected through official Data Portability APIs, in compliance with GDPR Article 20. You can control exactly which data types we can access through granular consent settings, and you can modify or revoke these permissions at any time through your privacy settings.

6. Data Retention

We retain your personal data for specific, limited periods:

  • Account Data: Immediately deleted upon account deletion request
  • Platform Data: Immediately deleted upon platform disconnection
  • Authentication Tokens: Automatically deleted upon expiration
  • Technical Logs: Maximum of 7 days
  • Cache Data: Deleted upon expiration or platform disconnection

When you request deletion of your data, we ensure immediate removal across all our systems in accordance with GDPR Article 17 (Right to Erasure). Any data retained for technical purposes (such as logs) is fully anonymized.

7. Data Location and Processing

Your personal data is primarily processed within the European Economic Area. Specifically:

  • All primary data storage is in Frankfurt, Germany through Supabase GmbH
  • We prioritize EEA-based infrastructure and service providers
  • Where technical processing occurs outside the EEA, we ensure appropriate safeguards are in place

We maintain strict data protection and sharing policies across all platform integrations (Google, TikTok, Amazon, and Facebook):

  • Currently, we process platform data solely for providing our service features and do not share it with third parties except as necessary for service operation (such as with our EEA-based service providers)
  • We employ industry-standard security measures to protect your personal data. These include encryption during transmission (transport encryption) and storage (encryption at rest), as well as other technical and organizational measures that comply with the state of the art and ensure the confidentiality, integrity, and availability of your data. These measures are regularly reviewed and adapted to current threats to ensure an adequate level of protection in accordance with Art. 32 GDPR
  • Access to platform data is strictly limited to authorized purposes you've consented to
  • Data from different platforms is processed separately and only combined with your explicit consent
  • All platform data is automatically deleted when you disconnect the respective platform

8. Service Providers

We use the following EU-based service providers, all bound by data processing agreements:

  • Supabase GmbH (EU) - Authentication and data storage
  • Plausible Analytics (EU) - Privacy-friendly analytics
  • Vercel (EU Region) - Application hosting

9. Cookies and Local Storage

We use only strictly necessary cookies:

  • Authentication Cookie (sb-auth-token): Session duration
  • Security Cookie (csrf-token): Session duration
  • Session Management (sb-refresh-token): 7 days

We use local storage for user preferences and temporary data, which remains on your device and is not transmitted to our servers.

10. Your Rights

Under the GDPR, you have the following rights:

  • Right to access your personal data (Art. 15 GDPR)
  • Right to rectification of inaccurate data (Art. 16 GDPR)
  • Right to erasure ('right to be forgotten') (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

To exercise these rights, contact us at contact@privma.eu. You also have the right to lodge a complaint with a supervisory authority.

11. Data Portability

In accordance with GDPR Article 20, you can export your data at any time in JSON format. This includes:

  • All platform data
  • Account settings and preferences
  • Platform connection history
  • Generated insights and analysis

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to you before they take effect.

13. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Germany

14. Children's Data

Our service is not directed at children under the age of 16, and we do not knowingly collect or process personal data from children under this age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete this information as soon as possible.

15. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you. While we may use automation to analyze data and provide insights, these processes are for informational purposes only, and all significant decisions regarding your data are made with human oversight.