OURS

Privacy Policy

This policy explains what data OURS collects, why, and how we protect it. We follow GDPR principles and store as little personal data as we possibly can.

What this policy covers

This policy applies to the OURS marketing website and the OURS mobile app. It explains what personal data we process, on what legal basis (GDPR Art. 6), and the rights you have. The data controller is named in our Impressum.

Data we process on this website

  • Newsletter signups: when you submit your email, we store it in our Resend audience to send launch updates. Legal basis: your consent (Art. 6(1)(a)). You can unsubscribe at any time using the link in every email we send.
  • Server logs: our hosting provider (Vercel) records standard request metadata (IP, user-agent, timestamp) for up to 30 days for security and abuse prevention. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Pageview log (`site_visits`): we record path, locale, country (derived from IP at request time, IP itself not stored), and a hashed user-agent for each page view to understand which pages people read. No third-party analytics, no advertising cookies, no cross-site tracking. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Language preference cookie (`NEXT_LOCALE`): a single first-party cookie that remembers your language choice. Strictly necessary; no consent required under § 25 (2) Nr. 2 TDDDG.

Data we process in the OURS mobile app

  • Account details: email address (required for authentication), username, display name, optional avatar and bio. Sign in with Apple and Sign in with Google are also supported — those providers share an opaque user identifier and your verified email with us.
  • Content you create: items you lend (title, category, photos, condition, metadata), your contact relationships with other users, lending transactions and the messages exchanged inside lending threads.
  • Push notification token: stored only if you enable push notifications. We send the token to Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) via Expo Push to deliver notifications. Tokens older than 180 days are removed automatically.
  • Crash diagnostics: uncaught errors are reported to Sentry to help us debug. Before upload we strip personal data: auth headers and cookies are redacted, email addresses in messages and breadcrumbs are replaced, and automatic identity attribution is disabled (`sendDefaultPii: false`). To group crashes we use only a random per-install identifier (install ID) that is not linked to your account, email address or name.
  • Product analytics: we use PostHog (EU hosting) to understand which features are used and where flows are abandoned. It uses the same random install ID — not linked to your account, email address or name — and email addresses and access tokens are stripped before sending. We additionally keep the in-product `events` table, which records actions you take (e.g. you lent an item) so we can award badges and levels.

Sub-processors

The following processors handle data on our behalf under GDPR Art. 28 contracts:

  • Supabase (Supabase Inc.) — database, authentication and file storage. Region: EU (Frankfurt).
  • Vercel (Vercel Inc.) — website and admin dashboard hosting. Region: Frankfurt (`fra1`).
  • Sentry (Functional Software, Inc.) — mobile crash reporting.
  • PostHog (PostHog, Inc.) — mobile product analytics. Region: EU.
  • Resend (Resend, Inc.) — transactional + newsletter email delivery.
  • Apple (APNs) and Google (FCM) via Expo — push notification delivery.

How long we keep your data

  • Account data: for as long as your account exists. When you delete your account, your name, avatar and bio are immediately redacted; the account record itself is permanently erased after a 30-day grace period (a nightly cron job sweeps soft-deleted profiles). Past lending threads are preserved with your name shown as "Deleted user" so the other party's loan history stays coherent.
  • Item photos and avatars: stored in private buckets (5 MB limit, image-only MIME types), accessible only via short-lived signed URLs and gated by row-level security so only you and your accepted contacts can view your item photos.
  • Push tokens: 180 days from last refresh, then automatically purged.
  • Crash diagnostics: retained according to Sentry's default retention (90 days).

Your rights under the GDPR

You have the right to access (Art. 15), rectify (Art. 16) and erase (Art. 17) your data, to restrict processing (Art. 18), to data portability (Art. 20), to object (Art. 21), and to lodge a complaint with a supervisory authority (Art. 77). To exercise any of these rights, email privacy@ours-app.net. Most rights can also be exercised directly inside the app under Settings → Privacy — including "Download my data" (Art. 15 / 20) and "Delete account" (Art. 17).

Contact

Data controller and full legal address: see Impressum.