Privacy Policy for Movana

As of: 09.02.2026

This Privacy Policy provides information about the processing of personal data when using the Movana app and related web features at movana.app.

1. Controller

The controller within the meaning of the GDPR is:

Robin Brockhaus
Bleichstrasse 18
33102 Paderborn
Germany
E-mail: info@movana.app

2. What data we process

We process personal data only to the extent required for operating the app, providing its functions, and ensuring platform security.

2.1 Account data and authentication

Processed data:

  • E-mail address
  • Login data (password hash for password-based login)
  • Session and authentication information

Purpose:

  • Registration, login, account management, account security

Legal basis:

  • Art. 6 para. 1 lit. b GDPR (performance of a contract)
  • Art. 6 para. 1 lit. f GDPR (abuse prevention, IT security)

2.2 Profile and community data

Processed data (depending on your input):

  • Name, username, profile picture
  • Profile description, city, sports, skill level, preferences
  • Organization details (for organization accounts)
  • Social interactions (followers, follow requests, friend relationships)

Purpose:

  • Displaying your profile in the app
  • Matching, user networking, and community functions

Legal basis:

  • Art. 6 para. 1 lit. b GDPR

2.3 Private profile data

Processed data (for permitted purposes only):

  • Date of birth
  • Optional: phone number
  • Optional: more precise location data (e.g. stored coordinates)

Purpose:

  • Age-related functions, account management, location features

Legal basis:

  • Art. 6 para. 1 lit. b GDPR
  • Art. 6 para. 1 lit. a GDPR (where consent is required, e.g. location permission on device)

2.4 Activity and event data

Processed data:

  • Event title, description, sport reference, time, location/coordinates
  • Participation status (pending/approved/rejected)
  • Event-related settings (e.g. approvals, capacities)

Purpose:

  • Organizing and participating in sports activities
  • Displaying suitable events and event communication

Legal basis:

  • Art. 6 para. 1 lit. b GDPR

2.5 Chat and communication data

Processed data:

  • Message content (text, and if applicable image/metadata)
  • Conversation and participant data
  • Delivery and read information (e.g. read_at)

Purpose:

  • Communication between users (direct and group chat)

Legal basis:

  • Art. 6 para. 1 lit. b GDPR

2.6 Moderation, security, and trust data

Processed data:

  • Reports, block lists, moderation status
  • Ratings/reliability and karma indicators
  • Technical security incidents

Purpose:

  • Abuse prevention
  • Enforcement of community rules
  • Protection of users and platform integrity

Legal basis:

  • Art. 6 para. 1 lit. f GDPR (legitimate interest in secure platform operation)
  • Art. 6 para. 1 lit. b GDPR (contractual provision of secure platform features)

2.7 Push notifications

Processed data:

  • Push token (FCM token)
  • Notification content (title, text, type, technical IDs)

Purpose:

  • Delivery of app notifications (e.g. new message, event update)

Legal basis:

  • Art. 6 para. 1 lit. a GDPR (consent in operating system for push)
  • Art. 6 para. 1 lit. b GDPR (notification feature as part of the service)

2.8 Analytics and usage data (Google Analytics for Firebase)

Processed data:

  • Event data on app usage (e.g. screen views, interaction events)
  • App instance/installation identifiers
  • Technical device and app metadata (e.g. operating system, app version)
  • Where applicable, derived usage/audience information in analytics reports

Specific event examples from the app:

  • search_performed
  • matching_feed_impression
  • activity_joined
  • activity_detail_viewed
  • Automatic screen tracking via analytics observer

Purpose:

  • Error analysis, product improvement, usage statistics

Legal basis:

  • Art. 6 para. 1 lit. a GDPR (consent)
  • Section 25 para. 1 TDDDG, where information is stored on or read from the end device

Important implementation note:

  • Analytics should only be activated after valid consent. Without a consent mechanism, there is a compliance risk.

2.8a Website analytics (Umami, self-hosted)

On our website movana.app we use Umami in a self-operated instance at analytics.movana.app.

Processed data:

  • Visited page URL and timestamp
  • Referrer information (origin page)
  • Technical browser/device information (e.g. browser type, operating system, device type)
  • Shortened or technically processed connection information (e.g. IP address in pseudonymized form)

Purpose:

  • Website reach measurement
  • Technical and content optimization of the website

Legal basis:

  • Art. 6 para. 1 lit. f GDPR (legitimate interest in statistical evaluation and secure website operation)
  • If, in a different technical configuration, information is stored on or read from the end device, this is done only on the basis of consent pursuant to Section 25 para. 1 TDDDG.

2.9 Device permissions and local storage

Depending on function and your selection, we use:

  • Location permission (e.g. for location selection and distance features)
  • Photo gallery/camera access (e.g. for profile and group images)
  • Local app storage values (e.g. UI hints, dialog status)

Legal basis:

  • Art. 6 para. 1 lit. a GDPR (consent via operating system, where required)
  • Art. 6 para. 1 lit. b GDPR (functionally necessary storage)
  • In Germany, additionally where applicable Section 25 TDDDG

2.10 Location collection, map display, and place search (including Google Maps/Komoot)

If you use the location function in the app, we distinguish between:

  1. Actively requested device location (GPS)
  • The app determines your current location only after your permission in the operating system.
  • Processed data: latitude/longitude (where applicable with high precision), derived place name.
  • Purpose: location suggestion, distance/radius features, event location selection.
  1. Place search via text input (Komoot Photon API)
  • When searching for places/addresses, your search terms are transmitted to photon.komoot.io.
  • Processed data: search text, technical connection data (e.g. IP address, header/user agent), response data with place suggestions (including coordinates and address components).
  • Purpose: provision of place suggestions for location/event selection.
  1. Map display (Google Maps)
  • For displaying a map in the app, resources are loaded from Google Maps.
  • Processed data: technical connection data (e.g. IP address, header/user agent), map/API requests, timestamp, and device-related metadata.
  • Purpose: provision of the map view in the app.
  1. Reverse geocoding of current location
  • For converting coordinates into readable place/address details, geocoding services of Google Maps and, where applicable, operating system providers can be used (e.g. Apple/Google, depending on end device).

Legal basis:

  • Art. 6 para. 1 lit. a GDPR (location permission on device)
  • Art. 6 para. 1 lit. b GDPR (provision of the requested app function)
  • Art. 6 para. 1 lit. f GDPR (stable and user-friendly place search)

2.11 Data sources where data is not collected directly from you (Art. 14 GDPR)

We receive certain data not directly from you but from other users, especially when:

  • you are reported by other users
  • you are blocked by another user
  • you are included by another user in social/interactive features (e.g. follow requests, group/invitation features)

Affected data categories:

  • User IDs of the involved persons
  • Report reason, free-text details, status and processing notes
  • Relationship and interaction data (e.g. blocked, invited, requested)

Purposes and legal basis:

  • Abuse prevention and moderation (Art. 6 para. 1 lit. f GDPR)
  • Provision of secure community features (Art. 6 para. 1 lit. b GDPR)

3. Recipients and processors

We use technical service providers that process data on our behalf or are integrated as independent controllers.

3.1 Specific recipients (current status)

  1. Hosting provider for self-hosted infrastructure
  • Provider: dashserv.io / Felix Gassan (Realtox Media), Talweg 4s, 21149 Hamburg, Germany
  • Purpose: server and hosting operations for app backend (self-hosted Supabase stack)
  • Categories: account data, profile/event/chat/moderation data, technical operations data
  • Server location according to provider: Germany
  1. Supabase (self-hosted software stack)
  • Role: open-source system operated by us for database, authentication, realtime, and storage
  • Note: in self-hosted operation, Supabase is regularly not an additional external recipient; the primary recipient is the selected hosting provider
  • Only if individual managed components are used:
  • Provider: Supabase Pte. Ltd., 65 Chulia Street, #46-01 OCBC Centre, Singapore 049513
  1. Google Firebase Cloud Messaging (FCM)
  • Provider:
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Where applicable Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Purpose: push notifications
  • Categories: push token, delivery metadata, notification content
  1. Google Analytics for Firebase
  • Provider:
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Where applicable Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Purpose: usage analytics and product optimization
  • Categories: see section 2.8
  1. Umami Analytics (website, self-hosted)
  • Operator: Robin Brockhaus (own instance at analytics.movana.app)
  • Purpose: website reach analytics and optimization
  • Categories: see section 2.8a
  1. Map/geoservices
  • OpenStreetMap Foundation (OSMF), St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom (tile infrastructure)
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and, where applicable, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google Maps Platform: map display/geocoding)
  • Komoot GmbH (Photon API via photon.komoot.io) for place search/geocoding via search input
  • Where applicable geocoding services of operating system providers (e.g. Apple/Google), if used by device features

Where required, data processing agreements are concluded with service providers.

3.2 Recipients within the app (visibility)

Depending on privacy settings and function, other logged-in users can in particular see the following data:

  • Profile information (e.g. name/username, profile image, description, sport reference, city)
  • Event information created by you
  • Interaction data where functionally required (e.g. participation/follow status)

In particular, private profile data (e.g. phone number, exact location from private tables) is not intended for other users, unless actively shared by you in content.

3.3 Service-specific documentation

  • dashserv imprint: https://dashserv.io/legal/impressum
  • dashserv privacy: https://dashserv.io/legal/datenschutz
  • Firebase Analytics: https://firebase.google.com/docs/analytics
  • Firebase Analytics Data Collection: https://firebase.google.com/docs/analytics/configure-data-collection
  • Umami: https://umami.is/
  • Umami Docs: https://umami.is/docs
  • Google Maps Platform Terms: https://cloud.google.com/maps-platform/terms
  • Google Privacy Policy: https://policies.google.com/privacy
  • Komoot Photon API: https://photon.komoot.io/
  • Komoot privacy: https://www.komoot.com/de-de/privacy
  • Supabase Data Processing Addendum (only for managed Supabase components): https://supabase.com/legal/dpa
  • Supabase Terms (only for managed Supabase components): https://supabase.com/terms

4. Transfers to third countries

Where data is transferred to recipients outside the EU/EEA (e.g. by global cloud or push/analytics services), this is done only in compliance with GDPR requirements, in particular based on:

  • adequacy decisions (where available)
  • standard contractual clauses (SCCs) and additional safeguards

For Google/Firebase, processing in the USA cannot be excluded.
For integrated map/geosearch services (e.g. Google Maps Platform, Komoot Photon API, Apple/Google geocoding), processing outside the EU cannot be fully excluded depending on service configuration.
In self-hosted Umami operation at analytics.movana.app, processing is generally performed through hosting infrastructure controlled by us in Germany/EU.

In self-hosted operation with a German hoster, core processing of the app backend is generally carried out in Germany/EU; transfers to third countries may still arise through integrated third-party services (e.g. push, analytics, geocoding).

5. Storage period and deletion

The following retention rules currently apply:

  1. Account data (auth/account)
  • Storage: until account deletion
  1. Profile, event, participation, follow, and chat data
  • Storage: until content deletion by user or account deletion
  • Note: technical recovery data in backups may continue to exist for a limited period (see point 6)
  1. Moderation data (reports/block lists)
  • Storage: until moderation purpose ceases to apply and beyond that only where required for legal enforcement/abuse prevention
  • Rule: regular review of necessity
  1. Push token
  • Storage: until token change, logout, deactivation, or account deletion
  1. Local app data on end device
  • Storage: until app deletion, cache deletion, or reset by the user
  1. Server logs and backups (self-hosted operation)
  • specific periods:
  • log retention: according to necessity for operational security and error analysis
  • backup retention: according to necessity for failover and restoration
  1. Analytics data (Google/Firebase)
  • Storage: according to the settings in the used Firebase/Google Analytics project
  • specific retention:
  • according to the retention setting stored in the used Firebase/Google Analytics project
  1. Analytics data (website/Umami)
  • Storage: according to the retention period configured in the self-operated Umami instance
  • specific retention:
  • according to local retention configuration of the instance analytics.movana.app

6. Obligation to provide data

  1. Certain data is required for registration and contractual use (in particular e-mail address, login/session data, and necessary basic account management data).
  2. Without this mandatory data, a user account cannot be provided or maintained.
  3. Additional information (e.g. profile description, images, optional location/contact data) is generally voluntary, but may be required for individual functions.

7. Your rights

Under the GDPR you have, in particular, the following rights:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing based on Art. 6 para. 1 lit. f GDPR (Art. 21 GDPR)
  • Withdrawal of granted consent with effect for the future (Art. 7 para. 3 GDPR)

To exercise your rights, contact us at: info@movana.app.

7.1 Withdrawal and opt-out in practice

  1. Push notifications:
  • Withdrawal via operating system settings (iOS/Android) and additionally via app functions, where available.
  1. Location permissions:
  • Withdrawal at any time via operating system settings.
  1. Analytics consent:
  • Withdrawal should be possible through in-app consent management.
  • If no consent management has been implemented yet, there is an implementation need in this respect.
  1. Website analytics (Umami):
  • You can technically prevent tracking via browser/device settings (e.g. script blocker or disabled JavaScript).

8. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Competent supervisory authority:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestr. 2-4
40213 Dusseldorf
Germany
Phone: +49 211 38424-0
E-mail: poststelle@ldi.nrw.de
Web: https://www.ldi.nrw.de/

9. Automated decision-making and matching

Movana uses rule-based scoring and matching logic (e.g. for creating sport partner/event suggestions). There is no solely automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

10. Data security

We implement technical and organizational measures according to the state of the art to protect personal data against loss, misuse, and unauthorized access.

11. Account deletion

You can delete your account in the app settings. Assigned data is then removed or restricted according to technical and legal requirements, unless retention obligations or legitimate reasons prevent this.

Note on analytics data:

  • App-related analytics data may continue to exist in Google/Firebase systems according to their technical processes and configured retention periods.
  • Website-related Umami data is generally not directly account-related and is deleted according to local Umami retention settings.

12. Changes to this Privacy Policy

We may update this Privacy Policy if legal, technical, or product-related conditions change. The currently valid version published in the app or at movana.app/en/privacy-policy applies.