Privacy Policy – CombAny

This Privacy Policy applies to the CombAny app (iOS, Android) and the web platform at app.combany.de. It describes only the features and data processing activities that are actually implemented.

1. Controller pursuant to GDPR

Name: René Gäng

Address: Kolpingstraße 62, 68753 Waghäusel, Germany

Email: info@combany.de

Website: combany.de

For questions regarding data protection, please contact us at the email address above.

2. What data we process

CombAny is a server-based collaboration platform. All content you create in the app is stored on our servers to enable teamwork in groups ("Waben"). There is no purely local data storage for platform content.

2.1 Account data

Name and display name
Email address
Password (stored as a cryptographic hash, never in plain text)
Profile picture / avatar
Memberships in Waben and assigned roles

2.2 Platform content

All content you create in CombAny is stored server-side:

Waben (Teams): name, description, settings, member list
Topics: title, content, status, creation date
Discussions: posts, comments, reactions
Tasks: title, description, assignments, status, due dates
Votes: questions, answer options, submitted votes
Direct messages: content, timestamps, sender and recipient ID
Shifts: entries, notes, time periods
Archive entries: archived content with metadata

2.3 File attachments

Images: JPG, PNG, WEBP, GIF (max. 5 MB per file, max. 5 files per message)
Documents: PDF, DOC, DOCX, TXT
Used in: discussions, direct messages, avatars
Storage: in our database or on Cloudflare R2 (S3-compatible storage)

All files are checked for file type and content before storage (MIME type and magic bytes validation).

2.4 Technical and security data

Session data: session ID, timestamps (for secure login)
Audit logs: security-relevant actions (e.g. login, password change, account deletion)
Push tokens: device tokens for push notifications (iOS/Android)
Notification settings: your preferences for notification types
API keys: self-created keys for external integrations
Webhook registrations: URLs for external systems that you configure yourself

2.5 Payment data

Subscription status and selected plan
Stripe Customer ID and Subscription ID

Payment data (credit card numbers etc.) is processed exclusively by Stripe and is not stored on our servers.

2.6 AI usage data

Log of AI requests: type, timestamp, tokens used
Text content transmitted to the AI (from discussions, tasks, votes)

3. Purpose and legal basis of processing

Data type	Purpose	Legal basis
Account data	Registration, authentication, account management	Art. 6(1)(b) GDPR (contract)
Platform content	Provision of collaboration features	Art. 6(1)(b) GDPR (contract)
File attachments	File sharing in Waben and direct messages	Art. 6(1)(b) GDPR (contract)
Session data	Secure login and session management	Art. 6(1)(b) GDPR (contract)
Audit logs	Security and abuse prevention	Art. 6(1)(f) GDPR (legitimate interest)
Push tokens	Sending notifications (only with permission)	Art. 6(1)(a) GDPR (consent)
AI usage data	Provision of AI-powered features	Art. 6(1)(a) GDPR (consent)
Stripe data	Subscription management and payment processing	Art. 6(1)(b) GDPR (contract)

4. Sharing data with third parties

We only share your data with third parties to the extent necessary to provide the app's features.

4.1 OpenAI LLC (USA)

Purpose: Providing AI features (coaching, text improvement, summarisation, analysis)
Data transmitted: Text content you explicitly send to an AI feature
Storage at OpenAI: max. 30 days, no training on API data
Third-country transfer: USA, based on Standard Contractual Clauses (SCC, Art. 46 GDPR)
Privacy policy: openai.com/policies/privacy-policy

4.2 Stripe Inc. (USA)

Purpose: Payment processing and subscription management
Data transmitted: Email address, subscription status, payment transactions
Standard: PCI-DSS certified
Third-country transfer: USA, based on SCC
Privacy policy: stripe.com/privacy

4.3 Expo Inc. (USA)

Purpose: Sending push notifications (iOS and Android)
Data transmitted: Push token of your device, notification content
Note: Only active if you have allowed push notifications
Third-country transfer: USA, based on SCC
Privacy policy: expo.dev/privacy

4.4 Cloudflare R2 (Cloudflare Inc., USA)

Purpose: Storage of file attachments and avatars
Data transmitted: uploaded files (images, documents, avatars)
Third-country transfer: USA/EU, based on SCC
Privacy policy: cloudflare.com/privacypolicy

CombAny does not use any Google services (no Google Fonts, no Google Analytics, no Firebase), no Microsoft Azure, and no external tracking or analytics SDKs.

5. Storage duration

Data category	Storage duration
Account data	Until account deletion
Platform content (topics, discussions, tasks, votes, DMs)	Until account deletion or manual deletion
File attachments	Until deletion of the associated content or the account
Session data	Until session expiry or logout
Audit logs	90 days (automatic purge)
AI usage logs	90 days (automatic purge)
Push tokens	Until account deletion or push deactivation
Stripe subscription data	Until account deletion; longer if required by law (invoices: 10 years)
Data at OpenAI	Max. 30 days (per OpenAI API policies)

6. Your rights under GDPR

Right	How to exercise in CombAny
Right of access (Art. 15)	On request by email
Right to rectification (Art. 16)	Directly in the app settings
Right to erasure (Art. 17)	App → Settings → Delete account
Right to restriction (Art. 18)	On request by email
Right to data portability (Art. 20)	App → Settings → Export data
Right to object (Art. 21)	On request by email
Withdrawal of consent	At any time in the app settings (AI, push)

Contact for exercising your rights: info@combany.de

Right to lodge a complaint: State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI BW) — lfd.bwl.de

7. App permissions

Permission	Purpose
Network access	Required — necessary for all app features
Push notifications (iOS/Android)	Optional — for notifications about new content. Can be revoked at any time in system settings.
Photo / file access (gallery)	Optional — only when you upload files from your gallery. No automatic access.

CombAny does not use the camera API, microphone, or location services. There is no access to contacts, calendar, or other system content.

8. Data security

Encrypted transmission via HTTPS/TLS
Passwords are stored exclusively as a cryptographic hash
Secure session tokens with automatic expiry
Two-pass file validation (MIME type + magic bytes) on uploads
Rate limiting to protect against brute-force attacks and abuse
Audit logging of security-relevant actions

9. AI-powered features

The following features transmit text content to OpenAI for processing:

Feature	What is transmitted
Coaching assistant	Your entered text / question
Text improvement	The text you want to improve
Discussion summary	Content of the selected discussion
Vote analysis	Question and results of the vote
Archive insights	Metadata and content of the archive entry

AI processing takes place exclusively server-side. There is no AI processing on your device. The use of all AI features is voluntary — all other platform features are fully usable without AI.

10. Account deletion and data export

Account deletion

Account can be deleted at any time via: App → Settings → Delete account

A password entry is required for confirmation
All personal data will be deleted within 30 days
Exception: invoice data subject to statutory retention obligations (max. 10 years)
Important: Uninstalling the app without deleting your account does not delete any server-side data

Data export

Data export can be requested via: App → Settings → Export data

Includes: account data, platform content, memberships
Legal basis: Art. 20 GDPR (data portability)

11. Changes to this Privacy Policy

We update this policy as needed to reflect changes in legal requirements or new features. The current version is available at combany.de/datenschutz and within the app. For material changes, we will notify you by email or in-app notification.