Privacy Policy

1. Controller / Verantwortlicher

Company: tiny apps UG (haftungsbeschränkt)
Managing Director / Geschäftsführer: Maximilian Daub
Email: datenschutz@tpwrtr.app
Website: https://tpwrtr.app

2. Data We Collect

2.1 Account Information (via Google OAuth)

When you sign up using Google Sign-In, we collect:

• Email address: Used for account identification and communication
• Name: Displayed in your profile (you can edit this)
• Profile picture: Optional, displayed in the user interface

Legal basis: Art. 6(1)(b) GDPR (contract performance) - necessary for account creation and service provision.

2.2 Usage Data

We automatically collect:

• Typing test results: Words per minute (WPM), accuracy, errors, timestamps
• Progress data: Personal bests, test history
• Preferences: Theme selection, test mode preferences

Legal basis: Art. 6(1)(b) GDPR (contract performance) - necessary to provide the typing trainer service.

2.3 Analytics Data (with your consent)

If you accept cookies, we collect anonymized usage data via PostHog (EU instance):

• Page views and navigation patterns
• Test started/completed/abandoned events
• Feature usage statistics
• Browser type and device information

Legal basis: Art. 6(1)(a) GDPR (consent) - you can withdraw consent anytime via cookie settings.

Data processor: PostHog Inc., EU instance (eu.i.posthog.com)
Location: European Union
Privacy policy: https://posthog.com/privacy

3. How We Use Your Data

• Account management: Create and maintain your account
• Service provision: Store and display your typing test results and progress
• Product improvement: Analyze usage patterns (anonymized) to improve features
• Communication: Send important service updates (rarely, only when necessary)

We do NOT:

• Sell or share your data with third parties
• Use your data for advertising or marketing
• Access your Gmail, Google Drive, or other Google services

4. Data Storage & Security

4.1 Where We Store Your Data

All user data is stored in the European Union:

• Supabase (EU region): Account data, test results, preferences
• PostHog (EU instance): Anonymized analytics data

No data transfer outside the EU. We comply with GDPR data localization requirements.

4.2 Security Measures

• HTTPS encryption for all connections
• Password-less authentication (OAuth + magic links only)
• Regular security updates and monitoring
• Access controls and encrypted database storage

5. Data Retention

We retain your data as follows:

• Active accounts: Data stored as long as your account is active
• Deleted accounts: Data deleted within 30 days of account deletion
• Analytics data: Anonymized data retained for up to 12 months

6. Your Rights (GDPR)

Under GDPR, you have the following rights:

6.1 Right to Access (Art. 15 GDPR)

You can view and download all your personal data anytime in Account Settings → “Download My Data”.

6.2 Right to Rectification (Art. 16 GDPR)

You can edit your name and preferences in Account Settings.

6.3 Right to Erasure (Art. 17 GDPR)

You can delete your account anytime in Account Settings → “Delete Account”. All your data will be permanently deleted within 30 days.

6.4 Right to Data Portability (Art. 20 GDPR)

You can export your data as JSON via Account Settings → “Download My Data”.

6.5 Right to Object (Art. 21 GDPR)

You can object to data processing by deleting your account or disabling analytics cookies.

6.6 Right to Lodge a Complaint

If you believe we are not complying with GDPR, you can file a complaint with your local data protection authority or the German Federal Commissioner for Data Protection and Freedom of Information (BfDI):

Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: https://www.bfdi.bund.de/

7. Cookies

We use the following types of cookies:

7.1 Essential Cookies (No Consent Required)

• Authentication cookies: Keep you logged in (Supabase session tokens)
• Security cookies: Protect against CSRF attacks
• Preference cookies: Remember your theme choice (dark/light mode)

7.2 Analytics Cookies (Consent Required)

• PostHog cookies: Track anonymized usage patterns (only if you accept)

You can manage your cookie preferences anytime by clicking “Cookie Settings” in the footer.

For more details, see our Cookie Policy.

8. Third-Party Services

8.1 Google OAuth

Purpose: User authentication
Data shared: Email, name, profile picture
Privacy policy: https://policies.google.com/privacy

8.2 Supabase

Purpose: Database and authentication infrastructure
Location: European Union
Privacy policy: https://supabase.com/privacy

8.3 PostHog (Optional, with Consent)

Purpose: Product analytics
Location: EU instance (eu.i.posthog.com)
Privacy policy: https://posthog.com/privacy

8.4 Vercel

Purpose: Website hosting
Privacy policy: https://vercel.com/legal/privacy-policy

9. Children's Privacy

tpwrtr is designed for users aged 16 and older. We do not knowingly collect data from children under 16 without parental consent (GDPR requirement for Germany).

If you believe we have inadvertently collected data from a child under 16, please contact us at datenschutz@tpwrtr.app, and we will delete it immediately.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Update the “Last updated” date at the top of this page
• Notify you via email or a prominent notice on the website

We encourage you to review this policy periodically.

11. Contact Us

If you have questions about this privacy policy or how we handle your data, please contact us:

Email: datenschutz@tpwrtr.app
Company: tiny apps UG (haftungsbeschränkt)
Geschäftsführer: Maximilian Daub

We will respond to your inquiry within 30 days (GDPR requirement).