weniger

Privacy Policy

This privacy policy explains which personal data is processed when you use weniger, for which purposes this happens, and which rights you have in that context.

1. Controller

The controller responsible for data processing is the operator named in the legal notice.

2. Scope

This privacy policy applies to the weniger website, the mobile app, and the related transactional emails.

3. Data processed

  • Account data such as email address, password hash, preferred language, currency, timezone, and display settings.
  • Profile data such as nickname and linked sign-in methods.
  • Challenge data such as challenge names, periods, members, invitations, expenses, rankings, and derived insights.
  • Session and security data such as session information, device names, timestamps of recent use, IP addresses, user-agent data, and hashed refresh tokens.
  • Turnstile and step-up security data such as challenge action, signed challenge state, verification status, short-lived challenge tickets, and hashed risk indicators.
  • Consent data for the analytics category, including timestamps of your decision.
  • Transactional communication data for confirmation, invitation, login, security, and password-reset emails.

4. Purposes of processing

  • Providing and securing user accounts.
  • Running private challenges and showing rankings, insights, and projections.
  • Sending required service and security messages.
  • Preventing abuse, analysing errors, ensuring IT security, and documenting security-relevant actions.
  • Measuring website and mobile-app usage with Google Analytics where you have consented.

5. Legal bases

  • Art. 6(1)(b) GDPR for providing the account, challenge features, and necessary communication.
  • Art. 6(1)(c) GDPR where statutory retention or proof obligations apply.
  • Art. 6(1)(f) GDPR for IT security, abuse prevention, rate limiting, and device/session management.
  • Art. 6(1)(a) GDPR together with Section 25(1) TDDDG for Google Analytics on the website and in the mobile app, plus optional analytics consent.

6. Hosting, infrastructure, and recipients

  • Hosting and database infrastructure currently run at Hetzner in Germany.
  • Transactional emails are currently sent through Strato as SMTP provider.
  • Bot and abuse protection for risk-based auth flows is handled through Cloudflare Turnstile (Cloudflare, Inc., USA).
  • If you consent to analytics, website usage data and mobile-app event data are transmitted to Google Analytics. In the mobile app this happens only while signed in through a server-side relay.
  • Apart from that, personal data is shared with third parties only where this is necessary for operation, legally required, or based on your express consent.

7. Analytics with Google Analytics

Google Analytics is used on the website and in the mobile app only after your prior consent. In the mobile app, transmission happens only while signed in through a server-side relay.

This may include page views and screen views, technical browser and device information, limited usage data, referrer information, consent status, and statistical event data.

Your consent is voluntary and can be withdrawn at any time with effect for the future through the cookie settings.

8. Cloudflare Turnstile (abuse and bot defense)

For risk-based auth requests (especially registration, login, forgot-password requests, or magic-link requests), Cloudflare Turnstile can be required as an additional security step.

The Turnstile script is loaded only when needed in a step-up flow, not as global always-on tracking.

This can involve processing IP address, browser and device metadata, hostname, challenge action, timestamp, Turnstile token, and derived verification or risk signals.

Legal basis is Art. 6(1)(f) GDPR (legitimate interest in IT security, abuse prevention, bot defense, and protection against credential-stuffing and automated auth attacks).

To protect this website, Cloudflare generally processes Turnstile signals as a processor on behalf of the website operator; additionally, Cloudflare may process certain signals as a controller to improve bot detection.

Recipient is Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA; server-side validation is done through the Turnstile siteverify endpoint.

Turnstile tokens and related challenge tickets are short-lived and processed only for the technical security check.

More information: https://developers.cloudflare.com/turnstile/ and https://www.cloudflare.com/privacypolicy/.

9. Third-country transfers

When Google Analytics is used, transfers of personal data to recipients outside the EU or EEA, especially in the United States, cannot be ruled out.

When Cloudflare Turnstile is used, transfers of personal data to recipients outside the EU or EEA, especially in the United States, cannot be ruled out.

Google Analytics processing takes place only after your consent. Cloudflare Turnstile processing is based on legitimate interests for security. Further information is available in the providers' privacy notices.

10. Retention

  • Account data is generally stored until the account is deleted unless statutory retention obligations apply.
  • Challenge, invitation, and expense data remains stored until account deletion or until the relevant data is removed where required for service provision.
  • Session and security data is stored only as long as needed for authentication, security, and abuse prevention, including short-lived Turnstile challenge tickets.
  • Consent data is stored until withdrawal or until a new decision replaces the previous one.
  • After account deletion, personal usage data is removed or anonymized; any remaining retention is limited to what is legally required.

11. Cookies, local storage, and similar technologies

  • Required cookies and session storage are used for login, session security, CSRF protection, and language settings.
  • Consent choices are stored in the browser so your decision can be respected on later visits.
  • Non-essential analytics technologies are activated only after consent.

12. Mobile app, push, and device functions

The mobile app processes account data, challenge data, and local settings in line with the purposes described above.

Push notifications remain optional. Mobile analytics is sent to Google Analytics only after analytics consent and only while signed in through a server-side relay.

13. Data subject rights

  • Right of access to the personal data concerning you.
  • Right to rectification of inaccurate data.
  • Right to erasure where legal requirements are met.
  • Right to restriction of processing.
  • Right to data portability for data you have provided.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time with effect for the future.

14. Data export and account deletion

Your account provides a structured, machine-readable export of your portable data as a ZIP file with JSON and CSV files.

The export includes account data, settings, challenge memberships, your own expenses, and open invitations. Shared data is exported only with the minimum context required for portability.

After account deletion, personal data is deleted or anonymized; legally required residual records are retained only to the necessary extent.

Contact for privacy enquiries

legal@smtyyy.de

Right to complain

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement.