Privacy Policy
This policy explains which personal data we process in the GeoWunder app and on geowunder.com — pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR). California residents will find a CCPA / CPRA addendum at the end.
1. Controller
The controller within the meaning of Art. 4(7) GDPR is:
Skills4Life GbR
Represented by: Martin Albers and Ulrich Koj
Salierring 44
50677 Köln
Germany
Phone: +49 (0)221 3 46 58 80
Email: info@skills4life.de
Data-protection inquiries about the GeoWunder app and geowunder.com should be sent to info@skills4life.de.
We are not legally required to appoint a data protection officer.
2. At a glance
The table below summarises which data we process for which purpose. Details follow below.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| User ID, optional email, sign-in provider | Account, login | Art. 6(1)(b) GDPR | until account deletion |
| Location data (GPS) during an active rallye | Navigation, waypoint detection, party mode | Art. 6(1)(b) GDPR | Solo: until rallye is deleted; party: until pin expires (max. ~24h) |
| Uploaded photos and videos | Solving tasks, proof media | Art. 6(1)(b) GDPR | until rallye or account is deleted |
| Photo data for AI verification | Automated task verification | Art. 6(1)(b) GDPR | not stored at the AI provider (passed through only) |
| Nickname, score, chat messages in party mode | Multiplayer gameplay | Art. 6(1)(b) GDPR | until pin expires (max. ~24h) |
| Device info, crash reports, usage statistics | Stability, product improvement | Art. 6(1)(a) GDPR (consent) | max. 14 months |
| Email address for sign-in links | Magic-link login | Art. 6(1)(b) GDPR | transactional, not archived |
3. Account and sign-in
You can use GeoWunder anonymously first — a technical device identifier is generated locally. If you sign in, depending on the chosen provider we process:
- Sign in with Apple: Apple sends us a pseudonymous user ID and — if you allow it — your real or Apple-masked email address.
- Google Sign-In: Google sends us a user ID, your display name, and your email address.
- Anonymous account: only a technical Firebase identifier is created; no profile data.
- Magic link via email: we send you a sign-in link to your email. Delivery is handled by Resend (see Section 13).
Processor: Firebase Authentication (Google Ireland Limited / Google LLC).
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Retention: until you delete your account.
4. Location data (GPS)
The core function of GeoWunder is to use your location to guide you between stations of a rallye and automatically detect that you have reached a waypoint. We process your GPS coordinates only during an active session.
4.1 Foreground and background location (iOS)
To reliably capture progress and to enable Live Activities on the lock screen, the app requests the iOS "Always" location permission. We only use background location while a rallye is running. You can revoke this permission anytime in iOS Settings.
4.2 Sharing location in party mode
When you join a group rallye ("party mode"), your current game progress — including your position on the route — is shared with the other participants of the same session. This data lives in a temporary session (pin) and is automatically deleted at the latest about 24 hours after the session ends.
Legal basis: Art. 6(1)(b) GDPR (contract performance); for party mode additionally Art. 6(1)(a) GDPR (consent by joining the session).
5. Uploaded photos and videos
Two distinct types of media can appear when you build and play rallyes — we treat them differently:
5.1 Media uploaded by tour creators
When you build your own rallye, you can upload intro videos, reference images for image tasks, and video task material. These files are stored in our encrypted cloud storage (Firebase Storage). They are visible only to you and — in group sessions — to fellow players in the same session.
Storage location: Google Cloud Storage, region europe-west6 (Zurich, Switzerland).
Processor: Google Ireland Limited / Google LLC.
Legal basis: Art. 6(1)(b) GDPR.
Retention: until you delete the rallye or your account (server-side account deletion automatically removes these files as well).
5.2 Photo proofs captured while playing (photo missions)
For photo tasks while playing, you take a picture with the camera or pick one from your library. This image is not stored in our cloud. It is passed through to the AI service for verification only (details in Section 6) and discarded after the analysis. We only store the verification result (solved / not solved) next to your progress, never the image itself.
Legal basis: Art. 6(1)(b) GDPR.
Retention: none — the image leaves our backend as soon as the AI returns the answer.
6. AI image verification
To automatically verify photo tasks we send the captured image to an AI service (Google Gemini via Vertex AI). The image is used only for immediate analysis and discarded afterwards; use of the image for training the AI models is contractually excluded.
Recipient: Google Ireland Limited (via Vertex AI).
Processing region: EU — europe-west4 (Netherlands). No third-country transfer of this image data takes place.
Legal basis: Art. 6(1)(b) GDPR.
7. AI tour generation
When you request an AI-generated tour, we send your input (location, theme, target group, difficulty, language) to Google Gemini via Vertex AI. The AI proposes stations, descriptions and tasks. You must not enter personal data of third parties.
The AI's response is stored in your personal rallye library and is visible only to you until you actively share it (e.g. by starting a group session).
Recipient: Google Ireland Limited (via Vertex AI).
Processing region: EU — europe-west4 (Netherlands). No third-country transfer.
Legal basis: Art. 6(1)(b) GDPR.
8. Maps and place data (Google Maps Platform)
To display maps, compute routes and enrich place information we use the Google Maps Platform (Maps SDK, Places API, Routes API). When you use maps, technical data — including your IP address and a coarse location — is transmitted to Google.
We do not persistently store Google Maps Content. Concretely: each tour function call fetches the Maps fields it needs (place name, type classification, photo references, address) fresh from the Places API and discards them afterwards. Our database retains only the identifiers Google explicitly permits to keep indefinitely — place IDs and coordinates — and our own AI-generated enrichments (description texts, mission hints). These AI enrichments are not Maps Content and may be retained for up to 12 months from creation.
Details on Google's processing: policies.google.com/privacy.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (legitimate interest in functional navigation).
9. Multiplayer chat in party mode
In party mode you can send messages to fellow players. These messages are stored within the temporary session and visible only to the participants of the same session.
We do not perform real-time content moderation. If you encounter content that violates our terms or applicable law, use the "Report" function. Reported content is sent to us and reviewed.
Retention: until the session ends, at the latest about 24 hours after.
Legal basis: Art. 6(1)(b) GDPR.
10. Live Activities and push notifications (iOS)
On iOS devices, GeoWunder can show "Live Activities" on the lock screen and in the Dynamic Island so you can see live game information (position, scores) without opening the app. Our backend pushes score updates via the Apple Push Notification service (APNs).
Recipient: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA.
Third-country transfer: US, EU Standard Contractual Clauses.
Legal basis: Art. 6(1)(b) GDPR; push messages are sent only if you allowed them in system settings.
11. Usage statistics (Firebase Analytics) and crash reports (Crashlytics)
To improve the app, we collect anonymous usage events (e.g. "rallye started", "task solved") plus device and version info, but only with your consent. Analytics events are linked to your Firebase user ID, never to your real name. We do not profile for advertising and never sell, rent or share your data for marketing.
If the app crashes, Firebase Crashlytics sends a crash report with stack trace, device and version data, and your Firebase user ID to Google. We use this strictly for debugging.
You can revoke your consent at any time under Settings → Privacy → Anonymous usage statistics. No further analytics or crash data will be sent thereafter.
Recipient: Google LLC. For Firebase Analytics there is a joint controllership (Art. 26 GDPR) between us and Google; see firebase.google.com/terms/data-processing-terms.
Retention: 14 months (Firebase Analytics default, configurable), up to 90 days for Crashlytics crash data.
Legal basis: Art. 6(1)(a) GDPR (consent).
12. App verification (Firebase App Check)
To deter abuse of our backend, we use Firebase App Check (Apple App Attest / Google Play Integrity). Device- and installation-specific attestation tokens are generated; no content or personal data is evaluated.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and abuse protection).
13. Email delivery (Resend)
We use Resend to deliver sign-in links and, where applicable, system notifications. We send your email address and the relevant token to Resend.
Recipient: Resend, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA.
Third-country transfer: US, EU Standard Contractual Clauses.
Legal basis: Art. 6(1)(b) GDPR.
14. In-app purchases
Once GeoWunder leaves the closed beta, certain features ("AI coins") can be acquired via in-app purchase. Payment is handled exclusively by Apple (App Store) and Google (Play Store). We only receive a confirmation of your purchase — never payment data such as card numbers.
During the closed beta, in-app purchases are not active.
Recipients: Apple Inc. (iOS), Google LLC (Android).
Legal basis: Art. 6(1)(b) GDPR.
15. Visiting geowunder.com
When you open the website, technically necessary data (IP address, date/time, user agent) is logged by our hosting provider Google Firebase Hosting. These logs serve solely the technical delivery of the page and defence against attacks. They are not combined with other data sources.
The "Inter" font is served from our own servers — there is no transmission to third parties. We do not set cookies and we do not use analytics tools on the website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable delivery).
16. Processors and third-country transfer
We rely on the following processors:
| Processor | Purpose | Processing region |
|---|---|---|
| Google Ireland Limited (Vertex AI) | AI image verification, AI tour generation, place enrichment, embeddings | EU — europe-west4 (Netherlands) |
| Google Ireland Limited / Google LLC (Firebase) | Authentication, Firestore, Storage, Cloud Functions, Hosting, App Check, Google Maps Platform | Firestore + Storage + Functions: europe-west6; Authentication / Maps / App Check: global Google infrastructure (may include the US) |
| Google LLC (Crashlytics, Analytics) | Crash reports, anonymous usage statistics (opt-in only) | USA |
| Apple Inc. | Push Notification service (APNs), Sign in with Apple, App Store purchases | USA |
| Resend, Inc. | Transactional email delivery (sign-in links) | USA |
Data residency for AI processing: All content we send to Gemini (photos, tour themes, location inputs, free text) is processed exclusively within Vertex AI europe-west4 (Netherlands). This data does not leave the EU.
Data residency for backend: Firestore, Cloud Storage and Cloud Functions are pinned to europe-west6. The authentication and platform components (Firebase Auth, App Check, Maps APIs) are operated by Google as global services and may route requests through US infrastructure.
Remaining third-country transfers (opt-in Crashlytics/Analytics, Apple services, Resend, Google platform components) are based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and — where applicable — the EU-US Data Privacy Framework (adequacy decision of 10 July 2023).
17. Retention and deletion
We store personal data only as long as needed for the stated purposes:
- Party-mode sessions (pin, players, chat, location): automatically deleted at the latest about 24 hours after the session ends.
- Solo rallyes and uploaded media: until you delete them or remove your account.
- Enrichment data for public places (AI-generated descriptions): up to 12 months from creation.
- Rate-limit counters (e.g. for sign-in links): 2 hours.
- Analytics and Crashlytics: max. 14 months / 90 days respectively.
- Server logs: max. 14 days.
When you delete your account in the app (Settings → Delete account), all data tied to your identifier — including uploaded photos and videos and your rallyes — is removed. Orphaned session data under pins is cleaned up by the 24-hour process above.
18. Your rights
Under the GDPR you have the following rights:
- Access to data we hold about you (Art. 15 GDPR).
- Rectification of inaccurate data (Art. 16 GDPR).
- Erasure ("right to be forgotten", Art. 17 GDPR).
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR).
- Objection to processing based on legitimate interests (Art. 21 GDPR).
- Withdrawal of consent with effect for the future (Art. 7(3) GDPR).
- Complaint to a supervisory authority (Art. 77 GDPR).
Send access and deletion requests informally by email to info@skills4life.de. You can perform account deletion yourself under Settings → Delete account.
19. Competent supervisory authority
The supervisory authority competent for you is generally that of your German federal state. The one competent for us, based on the controller's place of establishment, is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
www.ldi.nrw.de
20. Obligation to provide data
Providing data is neither required by law nor by contract. You are not obliged to create an account or use the app. However, without providing the relevant data you can only use the app to a limited extent or not at all.
21. Security (Art. 32 GDPR)
We use technical and organisational measures to protect your data against unauthorised access, loss, or tampering:
- All traffic encrypted over HTTPS / TLS 1.2+.
- Data at rest in Firebase Firestore and Firebase Storage encrypted with AES-256.
- Firebase App Check with Apple App Attest / Google Play Integrity to deter inauthentic backend calls.
- Restrictive Firestore security rules — each account can only access its own data; admin-level backend functions are server-side only.
- Rate-limiting on public endpoints (sign-in links, report, feedback form).
- Regular updates of dependencies and response to known vulnerabilities.
- Pseudonymisation where possible (e.g. IPs in the feedback form are hashed, not stored in plain text).
22. Children and young people
GeoWunder is intended for users aged 13 and older. We do not knowingly process personal data of children under 13 — this age limit also aligns with the US Children's Online Privacy Protection Act (COPPA). If you become aware that a child under 13 is using our app, please notify info@skills4life.de; we will delete the data without undue delay.
For users between 13 and 15 (Art. 8 GDPR), processing of personal data — in particular optional analytics consent and transfers to third-country processors — is permitted only with the consent of the parents or legal guardians. By accepting this policy, minors confirm that such consent has been obtained.
In a school or educational context, teachers can let their classes use the app anonymously (no personal account) — in that case no real names or email addresses are collected.
23. Cookies and similar technologies
The geowunder.com website does not use cookies. There are no tracking, analytics or marketing pixels. The app stores settings and session data only locally on your device (app sandbox); these are not cookies under § 25 TTDSG (German TDDDG).
24. Automated decisions
Automated AI evaluation of photos serves only the gameplay (task solved / not solved). There is no automated decision in the sense of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.
25. Law-enforcement requests
We only disclose your data to law-enforcement or other authorities when legally compelled to do so (e.g. by court order). Each request is reviewed for legality and proportionality.
26. Changes to this policy
We may amend this policy when the legal situation or the functions of our app change. Material changes will be announced at least four weeks in advance inside the app. The current version is always available at geowunder.com/en/privacy.
CCPA / CPRA Addendum — California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you additional rights. This addendum supplements the GDPR sections above; in case of conflict, this addendum prevails for California residents.
A. Categories of personal information we collect
In the 12 months preceding the date below we have collected the following CCPA categories of personal information:
- Identifiers — Firebase user ID, optional email address, IP address (when visiting the website).
- Commercial information — (only after public launch) records of in-app purchases.
- Geolocation data — precise location during an active rallye.
- Internet / device activity — opt-in analytics events, crash reports, browser type when visiting the website.
- Audio / visual — photos and videos you upload as task solutions.
- Inferences — none (we do not build behavioural profiles).
We do not collect: government IDs, financial-account info, biometric data, health data, precise religious or political opinions, sexual-orientation data, or genetic data.
B. Sources of personal information
- Directly from you (sign-in, in-app input, uploads).
- From your device (location, device info).
- From sign-in providers you choose (Apple, Google).
C. Business and commercial purposes
We use the categories above for:
- providing and operating the GeoWunder app and website,
- customer support and responding to inquiries,
- fixing bugs and improving stability (crash reports),
- analytics — only with your opt-in — to improve the product,
- preventing fraud and abuse,
- complying with legal obligations.
D. Recipients
We share personal information with the following categories of recipients, only to the extent needed for the purposes above:
- Service providers — Google (Firebase, Maps Platform, Generative AI), Apple (sign-in, APNs), Resend (email).
- Other players — only in party-mode sessions, only the data needed for multiplayer (nickname, position, chat).
- Authorities — only when legally compelled.
E. "Sale" or "sharing" of personal information
We do not sell your personal information for monetary or other valuable consideration. We do not share your personal information for cross-context behavioural advertising. We have no signals to honour for the Global Privacy Control (GPC) because we operate no advertising mechanisms.
F. Your California rights
- Right to know what personal information we collect, the sources, and recipients.
- Right of access — request a copy of your personal information.
- Right to correct inaccurate personal information.
- Right to delete personal information.
- Right to limit use of sensitive personal information (we collect none beyond what is needed to operate the service).
- Right to opt-out of sale / sharing — not applicable; we do neither.
- Right to non-discrimination — exercising your rights will not result in different prices or service levels.
G. How to submit a request
Send a verifiable consumer request by email to info@skills4life.de with the subject "CCPA request". Include enough information so that we can reasonably verify your identity (e.g. the Firebase user ID associated with the request, the email address on file).
You may use an authorized agent to submit a request on your behalf — please attach a signed permission. We will respond within 45 days; if we need more time, we will notify you and extend by up to another 45 days.
H. Shine the Light
California Civil Code §1798.83 lets California residents request information about disclosures we have made of personal information to third parties for their direct marketing purposes. We do not share data for third-party direct marketing, so we have nothing to disclose here.
I. Retention
We retain personal information only as long as needed to provide the service or to comply with legal obligations. See Section 17 above for category-level retention periods.