HelpTap App - Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data"), the purposes for which we process them, and the scope of this processing. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "Online Offer").

The terms used are not gender-specific.

Effective date: May 23, 2025

Table of Contents

• Preamble
• Controller
• Overview of Processing
• Relevant Legal Bases
• Transfer of Personal Data
• International Data Transfers
• General Information on Data Storage and Deletion
• Rights of Data Subjects
• Payment Procedures
• Provision of the Online Offer and Web Hosting
• Use of Cookies
• Registration, Login, and User Account
• Contact and Request Management
• Communication via Messenger
• Plugins and Embedded Functions and Content

Controller

Maximilian Wolf
Wuhrt 2
24217 Barsbek, Germany

Email: maximilian.wolf@designed-by-wolf.com

Overview of Processing

The following overview summarizes the types of data processed, the purposes of their processing, and the categories of data subjects.

Types of Data Processed

• Inventory data
• Payment data
• Location data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication, and procedural data
• Log data

Categories of Data Subjects

• Service recipients and clients
• Interested parties
• Communication partners
• Users
• Business and contractual partners

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations
• Communication
• Security measures
• Organizational and administrative procedures
• Feedback
• Provision of our online offer and user-friendliness
• Information technology infrastructure
• Business processes and economic procedures

Relevant Legal Bases

Relevant legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations in your or our country of residence or establishment may apply. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legitimate interests (Art. 6(1)(f) GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection laws apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG), which contains specific provisions regarding the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. State data protection laws of individual federal states may also apply.

Note on the applicability of the GDPR and the Swiss DPA: This privacy policy serves to provide information pursuant to both the Swiss Federal Act on Data Protection (DPA) and the General Data Protection Regulation (GDPR). For the sake of broader geographical applicability and clarity, the terminology used in the GDPR is employed. Specifically, instead of the terms used in the Swiss DPA such as "processing" of "personal data", "overriding interest", and "sensitive personal data", the GDPR terms "processing", "legitimate interest", and "special categories of data" are used. The legal significance of the terms, however, continues to be determined according to the Swiss DPA within its scope of applicability.

Transfer of Personal Data

In the course of our processing of personal data, it may occur that this data is transmitted to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Internal data transfer: We may transfer personal data to other departments or units within our organization or grant them access to this data. If the data transfer serves administrative purposes, it is based on our legitimate business and operational interests or takes place if it is necessary to fulfill our contractual obligations or if there is consent from the data subjects or a legal basis for such transfer.

International Data Transfers

Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or this occurs in the context of using third-party services or disclosing/transmitting data to other individuals, entities, or companies (evident from the postal address of the respective provider or explicitly stated in the privacy policy), it is always carried out in compliance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by the European Commission's adequacy decision on July 10, 2023. Additionally, we have concluded Standard Contractual Clauses (SCCs) with the respective providers that comply with the EU Commission’s specifications and define contractual obligations for data protection.

This dual safeguard ensures comprehensive protection of your data: the DPF serves as the primary protective mechanism, while the SCCs act as an additional safety net. If changes to the DPF occur, the SCCs provide a reliable fallback option. This ensures your data remains appropriately protected despite any political or legal changes.

We inform you whether individual service providers are certified under the DPF and whether SCCs are in place. Further information about the DPF and a list of certified companies is available on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, equivalent safeguards apply, particularly Standard Contractual Clauses, explicit consents, or legally mandated transfers. Information about third-country transfers and applicable adequacy decisions can be found on the European Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General Information on Data Storage and Deletion

We delete personal data processed by us in accordance with legal requirements as soon as the underlying consent is revoked or no other legal grounds for processing exist. This applies in cases where the original purpose for processing no longer applies or the data is no longer needed. Exceptions apply when statutory obligations or special interests require longer retention or archiving of the data.

This especially includes data that must be retained for commercial or tax law reasons or whose storage is necessary for legal enforcement or for protecting the rights of others, whether individuals or legal entities.

Our privacy notices provide additional details about storage and deletion specific to certain processing operations.

If multiple storage periods or deletion deadlines apply to a piece of data, the longest period always prevails.

If a deadline is not explicitly tied to a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships, the triggering event is the date of termination or other conclusion of the legal relationship.

Data retained not for its original purpose but due to legal requirements or other reasons is processed solely for the purposes that justify its continued retention.

Further notes on processing procedures, operations, and services:

• Data retention and deletion periods under German law:
  • 10 years – Retention of books and records, annual financial statements, inventories, management reports, opening balance sheet and related organizational documents (§ 147 Para. 1 No. 1 in conjunction with Para. 3 AO, § 14b Para. 1 UStG, § 257 Para. 1 No. 1 in conjunction with Para. 4 HGB).
  • 8 years – Accounting documents such as invoices and cost receipts (§ 147 Para. 1 Nos. 4 and 4a in conjunction with Para. 3 Sentence 1 AO and § 257 Para. 1 No. 4 in conjunction with Para. 4 HGB).
  • 6 years – Other business documents: received business letters, copies of sent business letters, and other documents relevant for taxation such as time sheets, cost accounting documents, calculation records, price tags, and payroll documents not already considered accounting records, and cash register strips (§ 147 Para. 1 Nos. 2, 3, 5 in conjunction with Para. 3 AO, § 257 Para. 1 Nos. 2 and 3 in conjunction with Para. 4 HGB).
  • 3 years – Data necessary for potential warranty and compensation claims or similar contractual claims and rights, including associated inquiries, based on previous business experience and common industry practices, stored for the regular statutory limitation period of three years (§§ 195, 199 BGB).

Payment Methods

As part of contractual and other legal relationships, due to legal obligations, or based on our legitimate interests, we offer data subjects efficient and secure payment options. To this end, we use service providers in addition to banks and credit institutions (collectively referred to as "payment service providers").

The data processed by the payment service providers includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, amount, and recipient-related details. This information is required to carry out the transactions. However, the entered data is only processed and stored by the payment service providers. That means we do not receive any account or credit card-related information, only confirmations or negative notifications regarding the payment. The data may be transmitted by the payment service providers to credit agencies for identity and credit checks. For this, we refer to the terms and privacy policies of the respective payment service providers.

The terms and conditions and data protection notices of the respective payment service providers apply to payment transactions and can be accessed on their respective websites or within transaction applications. We also refer to these for more information and to assert withdrawal, access, and other data subject rights.

• Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. contract subject, duration, customer category); Usage data (e.g. page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g. IP addresses, timestamps, ID numbers, involved persons). Contact data (e.g. mailing and email addresses or phone numbers).
• Affected persons: Service recipients and clients; business and contractual partners. Interested parties.
• Purposes of processing: Fulfillment of contractual services and obligations. Business processes and operational procedures.
• Retention and deletion: Deletion as stated in the section "General Information on Data Storage and Deletion".
• Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

• Apple Pay: Payment services (technical integration of online payment methods); Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); Website: https://www.apple.com/de/apple-pay/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
• Google Pay: Payment services (technical integration of online payment methods); Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); Website: https://pay.google.com/intl/de_de/about/. Privacy policy: https://policies.google.com/privacy.
• Stripe: Payment services (technical integration of online payment methods); Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); Website: https://stripe.com; Privacy policy: https://stripe.com/de/privacy. Third-country transfer basis: Data Privacy Framework (DPF).

Provision of Online Offer and Web Hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or end device.

• Types of data processed: Usage data (e.g. page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g. IP addresses, timestamps, ID numbers, involved persons). Log data (e.g. log files concerning logins or data retrieval or access times).
• Affected persons: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.). Security measures.
• Retention and deletion: Deletion as stated in the section "General Information on Data Storage and Deletion".
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

• Collection of access data and log files: Access to our online offering is logged in the form of "server log files." These log files may include the address and name of accessed web pages and files, date and time of access, transferred data volumes, success messages, browser type and version, user's operating system, referrer URL (previously visited site), and typically IP addresses and the requesting provider. The server log files are used for security purposes (e.g. to prevent server overload from abusive attacks such as DDoS) and to ensure server load and stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data retained for evidence purposes is exempt from deletion until the incident is fully resolved.

Use of Cookies

The term "cookies" refers to functions that store and retrieve information on users' devices. Cookies can serve various purposes, such as ensuring functionality, security, and comfort of online offerings, as well as analyzing visitor flows. We use cookies in accordance with legal requirements. Where required, we obtain users' prior consent. If not necessary, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide explicitly requested content and features—such as saving settings and ensuring functionality and security. Consent may be revoked at any time. We clearly inform users about the scope and use of cookies.

Notes on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent exists, it is the legal basis. Without consent, we rely on legitimate interests as described above and in the relevant services and procedures.

Storage duration: With regard to storage duration, we distinguish between:

• Temporary cookies (also: session cookies): These are deleted at the latest when the user leaves the online offering and closes their device (e.g. browser or mobile app).
• Permanent cookies: These remain stored even after the device is closed. They can retain login status and display preferred content on revisits. Data collected via cookies may also be used for audience measurement. Unless we inform users of specific types and durations of cookies (e.g. during consent), assume these are permanent and stored for up to two years.

General information on revocation and objection (opt-out): Users may revoke their consents at any time and may also object to processing under legal provisions, including via their browser’s privacy settings.

• Types of data processed: Meta, communication, and procedural data (e.g. IP addresses, timestamps, ID numbers, involved persons).
• Affected persons: Users (e.g. website visitors, online service users).
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Further information on processing activities, procedures, and services:

• Processing cookie data based on consent: We use a consent management solution to obtain users' consent for the use of cookies and related processing. This procedure collects, logs, manages, and enables revocation of consents, especially regarding technologies that store, read, and process information on user devices. The consent declarations are stored to avoid re-asking and to demonstrate consent as required by law. Storage takes place server-side and/or via cookie ("opt-in cookie") or similar technology, linked to a specific user/device. Unless specified, general guidance applies: consent storage duration is up to two years. A pseudonymous user identifier is created, along with the timestamp, scope (e.g. cookie categories and/or providers), and information about browser, system, and device used. Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Registration, Login, and User Account

Users can create a user account. During registration, required information is indicated and processed for account provision based on contractual obligations. Processed data includes login information (username, password, email address).

When using registration/login functions and the user account, we store the IP address and the timestamp of each user action. This storage is based on our legitimate interests and those of users in preventing abuse and unauthorized use. Data is not shared with third parties unless required for enforcing our claims or by law.

Users may be informed via email about processes relevant to their user account, such as technical changes.

• Types of Data Processed: Master data (e.g., full name, residential address, contact details, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or image-based messages and posts as well as related information, such as authorship or creation time); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Log data (e.g., log files related to logins or data retrieval or access times).
• Data Subjects: Users (e.g., website visitors, users of online services).
• Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online offer and user-friendliness.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion." Deletion after termination.
• Legal Bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further notes on processing procedures, methods and services:

• Registration with pseudonyms: Users may use pseudonyms as usernames instead of real names; Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• User profiles are not public: User profiles are not publicly visible or accessible.

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, phone or via social media) as well as within the framework of existing user and business relationships, the information of the contacting persons is processed insofar as this is necessary to answer contact requests and any requested measures.

• Types of Data Processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or image-based messages and posts as well as related information such as authorship or creation time); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta-, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
• Data Subjects: Communication partners.
• Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form). Provision of our online offer and user-friendliness.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion".
• Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further notes on processing procedures, methods and services:

• Contact form: When contacting us via our contact form, by email or other communication channels, we process the personal data transmitted to us in order to answer and handle the respective request. This usually includes details such as name, contact information, and, if applicable, further information provided to us and necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Communication via Messenger

We use messengers for communication purposes and therefore ask you to observe the following notes regarding the functionality of the messengers, encryption, use of metadata from communication, and your options to object.

You can also reach us via alternative methods, such as email. Please use the contact options provided to you or listed in our online offer.

In case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means the content of the messages is not visible, not even to the messenger providers themselves. You should always use a current version of the messengers with encryption enabled to ensure encryption of message content.

However, we additionally point out to our communication partners that while messenger providers cannot see the content, they can find out whether and when communication partners communicate with us, as well as technical information about the device used by the communication partners and, depending on their device settings, also location information (so-called metadata) is processed.

Notes on legal bases: If we ask communication partners for permission before communicating via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not ask for consent and they contact us, for example, on their own initiative, we use messengers in relation to our contractual partners and in the context of contract initiation as a contractual measure, and for other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication and fulfilling the needs of our communication partners via messenger. Furthermore, we point out that we do not initially transmit the contact data communicated to us to the messengers without your consent.

• Data Subjects: Communication partners.
• Purposes of Processing: Communication.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion".
• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as "third parties"). These can be, for example, graphics, videos, or maps (collectively referred to as "content").

The integration always requires that the third-party providers process the IP address of the users because without the IP address they could not send the content to their browsers. The IP address is therefore necessary for the display of this content or functions. We strive to use only such content whose respective providers use the IP address only for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user's device and may include, among other things, technical information about the browser and operating system, referring websites, visit time, and other usage data of our online offer, but can also be linked with such information from other sources.

Location Data

Our app collects and uses location data to provide functions such as displaying your current location on the map & transmitting emergency location. Location data is recorded in real time. Location data is processed locally on your device & transmitted to our servers where it is processed. We use GPS to determine your location. Location data is only stored on your device. Location data is not shared with third parties. You can disable location services at any time in your device settings. Please note that certain functions of the app may then be unavailable or only partially available.

Notes on legal bases: If we ask users for their consent to use third-party services, the legal basis of data processing is the permission granted. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

• Types of Data Processed: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta-, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Location data (information about the geographic position of a device or person).
• Data Subjects: Users (e.g., website visitors, users of online services).
• Purposes of Processing: Provision of our online offer and user-friendliness.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further notes on processing procedures, methods and services:

• Google Maps: We integrate the maps of the service "Google Maps" by Google. The data processed may particularly include IP addresses and location data of users; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for international data transfers: Data Privacy Framework (DPF).

Created with the free privacy policy generator by Dr. Thomas Schwenke

Specific Provisions for Users in India

Age Restriction: Use of HelpTap in India is restricted to persons aged 18 or older. If you are under 18, you may only use this app with the explicit consent of a parent or legal guardian. By using the app, you represent that you are either above 18 or have parental consent. Grievance Redressal: In compliance with the Digital Personal Data Protection Act (DPDP), if you have any questions or complaints regarding your data, please contact our Grievance Officer:

Grievance Officer: Maximilian Wolf

Email: helptap.app@gmail.com

Response Time: We acknowledge grievances within 72 hours and aim to resolve them within 30 days. Consent Withdrawal: You have the right to withdraw your consent for data processing at any time by deleting your account.

Data Processing for Emergency Alerts

Scope: When you use the app and an alert is triggered, we collect and process your current GPS coordinates, the calculated address, your username, your email address, the time an app function was triggered (timestamp), which other app users information was/will be sent to, and (if provided) your name and phone number.

Purpose: This data is stored on Firebase servers to provide the emergency alert service and to make the information accessible to your saved emergency contacts.

Storage and Deletion: The data is stored on our servers until you manually delete your emergency history in the app or delete your account. Emergency contacts receive this data, and it may remain stored locally on their devices.

Section: Children's Privacy

We do not knowingly process data from minors under 18 without parental consent. We collect the user's birth year to determine age-related requirements. If a user is a minor, we process location data and personal identifiers based on the parental consent confirmed by the user during the registration process.

User Account and Registration

When you create a user account in our app, we collect and store the information provided by you on the servers of our service provider Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). This processing is carried out for the purpose of contract fulfillment and to provide the app's core functionalities.

Service Provider & Storage (Firebase)

Your data is stored and processed on servers provided by Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).

Data Residency: While we aim to store data within the European Economic Area (EEA), Google may process data globally. To ensure an adequate level of data protection for our German and Indian users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and consistent with the Indian Digital Personal Data Protection (DPDP) Act.

Push Notifications (FCM Token)

To send you functional updates and notifications, we use the Firebase Cloud Messaging (FCM) Token. This token is a unique identifier for your device and is required for the technical delivery of messages. You can manage notification permissions at any time within your device settings.

Data Retention

We retain your account data for as long as your account is active. If you choose to delete your account, your data will be erased from our active Firebase databases within 30 days, unless we are legally required to archive specific information (e.g., for tax or compliance reasons).

Your Rights & Grievance Redressal

Under the GDPR and the DPDP Act, you have the right to access, correct, or delete your personal data.

Inquiries: For any data-related requests or complaints, please contact our Grievance Officer at: helptap.app@gmail.com

Response Time: We commit to acknowledging your request within 48 hours and resolving grievances within the statutory period of 15 days (India) or 30 days (EU).

User Communication & Location Sharing

Our app allows you to send and receive notifications to and from other users. When you trigger a notification, certain personal data, such as your username, email address, and precise location data (including address and GPS coordinates), are transmitted to the recipient. This information also includes a timestamp that records when the notification was sent.

By using this feature, you expressly consent to the transmission of this data to the recipients you select and to this information being processed and stored on our servers. We use this data solely to provide the notification feature and other app functions. We do not sell or share this location data with third parties.

Languages

Our privacy policy and terms of use are available in several languages. Please feel free to contact us if you have any questions.

HelpTap App - Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data"), the purposes for which we process them, and the scope of this processing. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "Online Offer").

The terms used are not gender-specific.

Effective date: May 23, 2025

Table of Contents

• Preamble
• Controller
• Overview of Processing
• Relevant Legal Bases
• Transfer of Personal Data
• International Data Transfers
• General Information on Data Storage and Deletion
• Rights of Data Subjects
• Payment Procedures
• Provision of the Online Offer and Web Hosting
• Use of Cookies
• Registration, Login, and User Account
• Contact and Request Management
• Communication via Messenger
• Plugins and Embedded Functions and Content

Controller

Maximilian Wolf
Wuhrt 2
24217 Barsbek, Germany

Email: maximilian.wolf@designed-by-wolf.com

Overview of Processing

The following overview summarizes the types of data processed, the purposes of their processing, and the categories of data subjects.

Types of Data Processed

• Inventory data
• Payment data
• Location data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication, and procedural data
• Log data

Categories of Data Subjects

• Service recipients and clients
• Interested parties
• Communication partners
• Users
• Business and contractual partners

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations
• Communication
• Security measures
• Organizational and administrative procedures
• Feedback
• Provision of our online offer and user-friendliness
• Information technology infrastructure
• Business processes and economic procedures

Relevant Legal Bases

Relevant legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations in your or our country of residence or establishment may apply. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legitimate interests (Art. 6(1)(f) GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection laws apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG), which contains specific provisions regarding the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. State data protection laws of individual federal states may also apply.

Note on the applicability of the GDPR and the Swiss DPA: This privacy policy serves to provide information pursuant to both the Swiss Federal Act on Data Protection (DPA) and the General Data Protection Regulation (GDPR). For the sake of broader geographical applicability and clarity, the terminology used in the GDPR is employed. Specifically, instead of the terms used in the Swiss DPA such as "processing" of "personal data", "overriding interest", and "sensitive personal data", the GDPR terms "processing", "legitimate interest", and "special categories of data" are used. The legal significance of the terms, however, continues to be determined according to the Swiss DPA within its scope of applicability.

Transfer of Personal Data

In the course of our processing of personal data, it may occur that this data is transmitted to other entities, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Internal data transfer: We may transfer personal data to other departments or units within our organization or grant them access to this data. If the data transfer serves administrative purposes, it is based on our legitimate business and operational interests or takes place if it is necessary to fulfill our contractual obligations or if there is consent from the data subjects or a legal basis for such transfer.

International Data Transfers

Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or this occurs in the context of using third-party services or disclosing/transmitting data to other individuals, entities, or companies (evident from the postal address of the respective provider or explicitly stated in the privacy policy), it is always carried out in compliance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by the European Commission's adequacy decision on July 10, 2023. Additionally, we have concluded Standard Contractual Clauses (SCCs) with the respective providers that comply with the EU Commission’s specifications and define contractual obligations for data protection.

This dual safeguard ensures comprehensive protection of your data: the DPF serves as the primary protective mechanism, while the SCCs act as an additional safety net. If changes to the DPF occur, the SCCs provide a reliable fallback option. This ensures your data remains appropriately protected despite any political or legal changes.

We inform you whether individual service providers are certified under the DPF and whether SCCs are in place. Further information about the DPF and a list of certified companies is available on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For data transfers to other third countries, equivalent safeguards apply, particularly Standard Contractual Clauses, explicit consents, or legally mandated transfers. Information about third-country transfers and applicable adequacy decisions can be found on the European Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General Information on Data Storage and Deletion

We delete personal data processed by us in accordance with legal requirements as soon as the underlying consent is revoked or no other legal grounds for processing exist. This applies in cases where the original purpose for processing no longer applies or the data is no longer needed. Exceptions apply when statutory obligations or special interests require longer retention or archiving of the data.

This especially includes data that must be retained for commercial or tax law reasons or whose storage is necessary for legal enforcement or for protecting the rights of others, whether individuals or legal entities.

Our privacy notices provide additional details about storage and deletion specific to certain processing operations.

If multiple storage periods or deletion deadlines apply to a piece of data, the longest period always prevails.

If a deadline is not explicitly tied to a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships, the triggering event is the date of termination or other conclusion of the legal relationship.

Data retained not for its original purpose but due to legal requirements or other reasons is processed solely for the purposes that justify its continued retention.

Further notes on processing procedures, operations, and services:

• Data retention and deletion periods under German law:
  • 10 years – Retention of books and records, annual financial statements, inventories, management reports, opening balance sheet and related organizational documents (§ 147 Para. 1 No. 1 in conjunction with Para. 3 AO, § 14b Para. 1 UStG, § 257 Para. 1 No. 1 in conjunction with Para. 4 HGB).
  • 8 years – Accounting documents such as invoices and cost receipts (§ 147 Para. 1 Nos. 4 and 4a in conjunction with Para. 3 Sentence 1 AO and § 257 Para. 1 No. 4 in conjunction with Para. 4 HGB).
  • 6 years – Other business documents: received business letters, copies of sent business letters, and other documents relevant for taxation such as time sheets, cost accounting documents, calculation records, price tags, and payroll documents not already considered accounting records, and cash register strips (§ 147 Para. 1 Nos. 2, 3, 5 in conjunction with Para. 3 AO, § 257 Para. 1 Nos. 2 and 3 in conjunction with Para. 4 HGB).
  • 3 years – Data necessary for potential warranty and compensation claims or similar contractual claims and rights, including associated inquiries, based on previous business experience and common industry practices, stored for the regular statutory limitation period of three years (§§ 195, 199 BGB).

Payment Methods

As part of contractual and other legal relationships, due to legal obligations, or based on our legitimate interests, we offer data subjects efficient and secure payment options. To this end, we use service providers in addition to banks and credit institutions (collectively referred to as "payment service providers").

The data processed by the payment service providers includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, amount, and recipient-related details. This information is required to carry out the transactions. However, the entered data is only processed and stored by the payment service providers. That means we do not receive any account or credit card-related information, only confirmations or negative notifications regarding the payment. The data may be transmitted by the payment service providers to credit agencies for identity and credit checks. For this, we refer to the terms and privacy policies of the respective payment service providers.

The terms and conditions and data protection notices of the respective payment service providers apply to payment transactions and can be accessed on their respective websites or within transaction applications. We also refer to these for more information and to assert withdrawal, access, and other data subject rights.

• Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. contract subject, duration, customer category); Usage data (e.g. page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g. IP addresses, timestamps, ID numbers, involved persons). Contact data (e.g. mailing and email addresses or phone numbers).
• Affected persons: Service recipients and clients; business and contractual partners. Interested parties.
• Purposes of processing: Fulfillment of contractual services and obligations. Business processes and operational procedures.
• Retention and deletion: Deletion as stated in the section "General Information on Data Storage and Deletion".
• Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

• Apple Pay: Payment services (technical integration of online payment methods); Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); Website: https://www.apple.com/de/apple-pay/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
• Google Pay: Payment services (technical integration of online payment methods); Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); Website: https://pay.google.com/intl/de_de/about/. Privacy policy: https://policies.google.com/privacy.
• Stripe: Payment services (technical integration of online payment methods); Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); Website: https://stripe.com; Privacy policy: https://stripe.com/de/privacy. Third-country transfer basis: Data Privacy Framework (DPF).

Provision of Online Offer and Web Hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or end device.

• Types of data processed: Usage data (e.g. page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features); Meta, communication, and procedural data (e.g. IP addresses, timestamps, ID numbers, involved persons). Log data (e.g. log files concerning logins or data retrieval or access times).
• Affected persons: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.). Security measures.
• Retention and deletion: Deletion as stated in the section "General Information on Data Storage and Deletion".
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

• Collection of access data and log files: Access to our online offering is logged in the form of "server log files." These log files may include the address and name of accessed web pages and files, date and time of access, transferred data volumes, success messages, browser type and version, user's operating system, referrer URL (previously visited site), and typically IP addresses and the requesting provider. The server log files are used for security purposes (e.g. to prevent server overload from abusive attacks such as DDoS) and to ensure server load and stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data retained for evidence purposes is exempt from deletion until the incident is fully resolved.

Use of Cookies

The term "cookies" refers to functions that store and retrieve information on users' devices. Cookies can serve various purposes, such as ensuring functionality, security, and comfort of online offerings, as well as analyzing visitor flows. We use cookies in accordance with legal requirements. Where required, we obtain users' prior consent. If not necessary, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide explicitly requested content and features—such as saving settings and ensuring functionality and security. Consent may be revoked at any time. We clearly inform users about the scope and use of cookies.

Notes on data protection legal bases: Whether we process personal data using cookies depends on consent. If consent exists, it is the legal basis. Without consent, we rely on legitimate interests as described above and in the relevant services and procedures.

Storage duration: With regard to storage duration, we distinguish between:

• Temporary cookies (also: session cookies): These are deleted at the latest when the user leaves the online offering and closes their device (e.g. browser or mobile app).
• Permanent cookies: These remain stored even after the device is closed. They can retain login status and display preferred content on revisits. Data collected via cookies may also be used for audience measurement. Unless we inform users of specific types and durations of cookies (e.g. during consent), assume these are permanent and stored for up to two years.

General information on revocation and objection (opt-out): Users may revoke their consents at any time and may also object to processing under legal provisions, including via their browser’s privacy settings.

• Types of data processed: Meta, communication, and procedural data (e.g. IP addresses, timestamps, ID numbers, involved persons).
• Affected persons: Users (e.g. website visitors, online service users).
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Further information on processing activities, procedures, and services:

• Processing cookie data based on consent: We use a consent management solution to obtain users' consent for the use of cookies and related processing. This procedure collects, logs, manages, and enables revocation of consents, especially regarding technologies that store, read, and process information on user devices. The consent declarations are stored to avoid re-asking and to demonstrate consent as required by law. Storage takes place server-side and/or via cookie ("opt-in cookie") or similar technology, linked to a specific user/device. Unless specified, general guidance applies: consent storage duration is up to two years. A pseudonymous user identifier is created, along with the timestamp, scope (e.g. cookie categories and/or providers), and information about browser, system, and device used. Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Registration, Login, and User Account

Users can create a user account. During registration, required information is indicated and processed for account provision based on contractual obligations. Processed data includes login information (username, password, email address).

When using registration/login functions and the user account, we store the IP address and the timestamp of each user action. This storage is based on our legitimate interests and those of users in preventing abuse and unauthorized use. Data is not shared with third parties unless required for enforcing our claims or by law.

Users may be informed via email about processes relevant to their user account, such as technical changes.

• Types of Data Processed: Master data (e.g., full name, residential address, contact details, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or image-based messages and posts as well as related information, such as authorship or creation time); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Log data (e.g., log files related to logins or data retrieval or access times).
• Data Subjects: Users (e.g., website visitors, users of online services).
• Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online offer and user-friendliness.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion." Deletion after termination.
• Legal Bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further notes on processing procedures, methods and services:

• Registration with pseudonyms: Users may use pseudonyms as usernames instead of real names; Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• User profiles are not public: User profiles are not publicly visible or accessible.

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, phone or via social media) as well as within the framework of existing user and business relationships, the information of the contacting persons is processed insofar as this is necessary to answer contact requests and any requested measures.

• Types of Data Processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or image-based messages and posts as well as related information such as authorship or creation time); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta-, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
• Data Subjects: Communication partners.
• Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form). Provision of our online offer and user-friendliness.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion".
• Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further notes on processing procedures, methods and services:

• Contact form: When contacting us via our contact form, by email or other communication channels, we process the personal data transmitted to us in order to answer and handle the respective request. This usually includes details such as name, contact information, and, if applicable, further information provided to us and necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Communication via Messenger

We use messengers for communication purposes and therefore ask you to observe the following notes regarding the functionality of the messengers, encryption, use of metadata from communication, and your options to object.

You can also reach us via alternative methods, such as email. Please use the contact options provided to you or listed in our online offer.

In case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means the content of the messages is not visible, not even to the messenger providers themselves. You should always use a current version of the messengers with encryption enabled to ensure encryption of message content.

However, we additionally point out to our communication partners that while messenger providers cannot see the content, they can find out whether and when communication partners communicate with us, as well as technical information about the device used by the communication partners and, depending on their device settings, also location information (so-called metadata) is processed.

Notes on legal bases: If we ask communication partners for permission before communicating via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not ask for consent and they contact us, for example, on their own initiative, we use messengers in relation to our contractual partners and in the context of contract initiation as a contractual measure, and for other interested parties and communication partners on the basis of our legitimate interests in fast and efficient communication and fulfilling the needs of our communication partners via messenger. Furthermore, we point out that we do not initially transmit the contact data communicated to us to the messengers without your consent.

• Data Subjects: Communication partners.
• Purposes of Processing: Communication.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion".
• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b) GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as "third parties"). These can be, for example, graphics, videos, or maps (collectively referred to as "content").

The integration always requires that the third-party providers process the IP address of the users because without the IP address they could not send the content to their browsers. The IP address is therefore necessary for the display of this content or functions. We strive to use only such content whose respective providers use the IP address only for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user's device and may include, among other things, technical information about the browser and operating system, referring websites, visit time, and other usage data of our online offer, but can also be linked with such information from other sources.

Location Data

Our app collects and uses location data to provide functions such as displaying your current location on the map & transmitting emergency location. Location data is recorded in real time. Location data is processed locally on your device & transmitted to our servers where it is processed. We use GPS to determine your location. Location data is only stored on your device. Location data is not shared with third parties. You can disable location services at any time in your device settings. Please note that certain functions of the app may then be unavailable or only partially available.

Notes on legal bases: If we ask users for their consent to use third-party services, the legal basis of data processing is the permission granted. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

• Types of Data Processed: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta-, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons). Location data (information about the geographic position of a device or person).
• Data Subjects: Users (e.g., website visitors, users of online services).
• Purposes of Processing: Provision of our online offer and user-friendliness.
• Retention and Deletion: Deletion according to the information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further notes on processing procedures, methods and services:

• Google Maps: We integrate the maps of the service "Google Maps" by Google. The data processed may particularly include IP addresses and location data of users; Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy. Basis for international data transfers: Data Privacy Framework (DPF).

Created with the free privacy policy generator by Dr. Thomas Schwenke

Specific Provisions for Users in India

Age Restriction: Use of HelpTap in India is restricted to persons aged 18 or older. If you are under 18, you may only use this app with the explicit consent of a parent or legal guardian. By using the app, you represent that you are either above 18 or have parental consent. Grievance Redressal: In compliance with the Digital Personal Data Protection Act (DPDP), if you have any questions or complaints regarding your data, please contact our Grievance Officer:

Grievance Officer: Maximilian Wolf

Email: helptap.app@gmail.com

Response Time: We acknowledge grievances within 72 hours and aim to resolve them within 30 days. Consent Withdrawal: You have the right to withdraw your consent for data processing at any time by deleting your account.

Data Processing for Emergency Alerts

Scope: When you use the app and an alert is triggered, we collect and process your current GPS coordinates, the calculated address, your username, your email address, the time an app function was triggered (timestamp), which other app users information was/will be sent to, and (if provided) your name and phone number.

Purpose: This data is stored on Firebase servers to provide the emergency alert service and to make the information accessible to your saved emergency contacts.

Storage and Deletion: The data is stored on our servers until you manually delete your emergency history in the app or delete your account. Emergency contacts receive this data, and it may remain stored locally on their devices.

Section: Children's Privacy

We do not knowingly process data from minors under 18 without parental consent. We collect the user's birth year to determine age-related requirements. If a user is a minor, we process location data and personal identifiers based on the parental consent confirmed by the user during the registration process.

User Account and Registration

When you create a user account in our app, we collect and store the information provided by you on the servers of our service provider Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). This processing is carried out for the purpose of contract fulfillment and to provide the app's core functionalities.

Service Provider & Storage (Firebase)

Your data is stored and processed on servers provided by Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).

Data Residency: While we aim to store data within the European Economic Area (EEA), Google may process data globally. To ensure an adequate level of data protection for our German and Indian users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and consistent with the Indian Digital Personal Data Protection (DPDP) Act.

Push Notifications (FCM Token)

To send you functional updates and notifications, we use the Firebase Cloud Messaging (FCM) Token. This token is a unique identifier for your device and is required for the technical delivery of messages. You can manage notification permissions at any time within your device settings.

Data Retention

We retain your account data for as long as your account is active. If you choose to delete your account, your data will be erased from our active Firebase databases within 30 days, unless we are legally required to archive specific information (e.g., for tax or compliance reasons).

Your Rights & Grievance Redressal

Under the GDPR and the DPDP Act, you have the right to access, correct, or delete your personal data.

Inquiries: For any data-related requests or complaints, please contact our Grievance Officer at: helptap.app@gmail.com

Response Time: We commit to acknowledging your request within 48 hours and resolving grievances within the statutory period of 15 days (India) or 30 days (EU).

User Communication & Location Sharing

Our app allows you to send and receive notifications to and from other users. When you trigger a notification, certain personal data, such as your username, email address, and precise location data (including address and GPS coordinates), are transmitted to the recipient. This information also includes a timestamp that records when the notification was sent.

By using this feature, you expressly consent to the transmission of this data to the recipients you select and to this information being processed and stored on our servers. We use this data solely to provide the notification feature and other app functions. We do not sell or share this location data with third parties.

Languages

Our privacy policy and terms of use are available in several languages. Please feel free to contact us if you have any questions.