Privacy Policy
Last updated: 14 June 2025
1. Who We Are
Controller. Kaizen Apps – Lennard Zieten, Am Fillerberg 10, 27793 Wildeshausen, Germany, ☎ +49 152 553 766 73, ✉ kaizen.workflow.app+support@gmail.com.
Data-Protection Contact. We are not required to appoint a formal DPO under Art. 37 GDPR at our current scale; please contact the Controller directly for privacy matters.
2. Scope
This policy covers the Kaizen iOS & Android apps, kaizen.app marketing site, and forthcoming web-app (collectively, the “Service”).
3. Data We Collect
Category | Examples | Source | Mandatory | Retention |
---|---|---|---|---|
Account | Email, hashed password, language | user input | Yes | While account active; deleted after 24 months of inactivity |
Subscription / Purchase | Apple/Google Order ID, RevenueCat customer ID | app-store APIs | Only for Pro | 10 years (tax law) |
Usage Metrics | Feature clicks, session length (Firebase/GA) | automated | No | 26 months (Google Analytics default) |
Diagnostics | Crash logs, error traces (Firebase Crashlytics) | automated | No | 180 days |
Device | OS version, model, IP (fraud & security) | automated | Yes | 24 months |
Cookies / Local Storage | Session cookie, CSRF token | automated | Yes | Session or 12 months |
Future optional | Location for “travel time”, Contacts for “shared tasks” | user opt-in | n/a | TBD (documented before launch) |
We do not intentionally collect (i) special-category data under Art. 9 GDPR, (ii) data from children under 16 (EEA) / 13 (US), or (iii) advertising identifiers such as IDFA/AAID.
4. Legal Bases (GDPR Art. 6)
Purpose | Legal basis |
---|---|
Provide & authenticate the Service | Contract performance |
Process Pro payments | Contract + legal obligation (tax) |
Diagnostics & anti-fraud | Legitimate interests (LIA available on request) |
Marketing emails | Consent (opt-in, withdraw any time) |
Future location / contacts | Consent |
5. How We Use Data
- Operate, maintain, and improve the Service;
- Process transactions and manage subscriptions;
- Provide support (SLA 5 business days);
- Detect spam, abuse, and fraud;
- Comply with finance and tax regulations.
6. Sharing & Disclosure
Recipient | Role | Safeguard |
---|---|---|
Google Firebase (hosting, auth, analytics, crash) | Processor | SCC 2021/914/EU + EU-US DPF |
Google Analytics (web) | Processor | consent mode; SCC + DPF |
RevenueCat (subscription ledger) | Processor | SCC + DPF |
Stripe (web payments) | Processor | SCC + DPF self-cert. |
Apple / Google (in-app payments) | Independent controllers | App Store / Play Store T&Cs |
Authorities / courts | Where legally required | Art. 6 (1)(c) GDPR |
We never “sell” or “share” personal data for cross-context behavioural advertising as defined by CPRA § 1798.140.
7. International Transfers
Data may be processed in the United States. Transfers rely on:
- Standard Contractual Clauses 2021/914/EU;
- EU-US Data Privacy Framework adequacy decision 2023/1795 (10 July 2023);
- Recognised adequacy of Switzerland for Swiss users (rev. FADP 2023).
8. Retention
We keep personal data only as long as necessary (Art. 5 (1)(e) GDPR). Specific periods appear in Section 3; legal invoices are stored 10 years under German AO/HGB.
9. Security
We apply encryption in transit/at rest, access controls, annual ISO 27001-aligned penetration tests, and incident response plans in line with Art. 32 GDPR.
10. Your Rights
10.1 EEA / UK
Access, rectification, erasure, restriction, portability, objection, withdrawal of consent at any time, and the right not to be subject to automated decisions (Art. 22 GDPR). Complaints: Lower Saxony DPA, Prinzenstr. 5, 30159 Hannover, Germany.
10.2 Switzerland
Swiss users enjoy equivalent rights under the revised FADP 2023; supervisory authority: EDÖB.
10.3 United States
California (CPRA/CCPA) – rights to know, delete, correct, opt-out of sale/share, limit sensitive data (see Appendix A).
Colorado CPA, Virginia CDPA, Utah UCPA – access, delete, opt-out of targeted ads/profiling.
Requests: kaizen.workflow.app+privacy@gmail.com (from your signed-in email) or the in-app “Privacy Request” form. We verify identity and reply within 30 days.
10.4 Do Not Track
Browsers may send “DNT” signals. Kaizen currently does not change its behaviour in response (CalOPPA § 22575).
11. Children
Kaizen is not directed to minors under 16 (EEA) / 13 (US). If we learn we have collected data in breach of this rule, we delete it promptly (COPPA).
12. Cookies & Similar Technologies
The marketing site sets first-party session cookies and Firebase/Google Analytics tags only after consent via our banner (Google Consent Mode v2). You can change your choices at any time via “Cookie Settings”. The web-app stores only an auth token in localStorage.
13. Automated Decision-Making
Kaizen does not make decisions that produce legal or similarly significant effects solely based on automated processing (Art. 22 GDPR).
14. Security-Breach Notification
If a breach is likely to pose a risk to your rights and freedoms, we will notify you and the competent regulator without undue delay (Art. 33 GDPR; FADP Art. 24).
15. Changes
Material changes will be posted at least 14 days before they take effect and communicated by email and in-app banner.
16. Contact
Questions or complaints: kaizen.workflow.app+privacy@gmail.com or the postal address in Section 1.
Appendix A – California Notice at Collection (CPRA § 1798.100)
Category of PI | Examples | Purpose | Retention | Sold / Shared? |
---|---|---|---|---|
Identifiers | Email, IP, device ID | Provide service, security | See § 3 | No |
Commercial info | Purchase history, Order ID | Process payments | 10 yrs | No |
Internet / app activity | Feature clicks, session length | Improve product | 26 mo | No |
Geolocation (approx.) | IP-derived city | Fraud-prevention | 24 mo | No |
Sensitive PI (login) | Hashed password | Auth | Account life | No |
We do not collect precise geolocation, biometric, or other CPRA-defined Sensitive Personal Information for additional purposes.
You may exercise California rights via the channels in Section 10.3.