Privacy Policy

Last updated: 29 May 2026

1. Scope

This privacy policy applies to the website https://helioporeo.app and to the mobile app "Helioporeo" (iOS, Android). The controller responsible in both cases is the person named under "Controller".

2. Controller

The controller responsible for data processing on the website and in the app is:

Raphael Kirchner
Vorwerkstr. 11
20357 Hamburg
Germany
E-mail:

[Anti-Spam: JavaScript required]

The controller is the natural or legal person who, alone or jointly with others, decides on the purposes and means of processing personal data.

Legal basis: Art. 13(1)(a) GDPR

3. Privacy at a Glance (Website)

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the "Controller" section.

How do we collect your data?

Data is collected on the one hand by you providing it to us (e.g. when you contact us by e-mail). Other data is collected automatically when you visit the website by our IT systems — essentially technical data such as browser type, operating system or time of page access.

What do we use your data for?

The data is used exclusively for the error-free provision of the website. Your usage behaviour is not analysed.

What rights do you have regarding your data?

A detailed list of your rights and our contact details for exercising them can be found below in the section "Your Rights (GDPR)".

4. Hosting (Strato)

We host the content of our website with an external provider:

Strato AG
Otto-Ostrowski-Straße 7, 10249 Berlin, Germany
Data processor (data processing agreement in place)
Privacy policy

Purpose: Stable, performant and secure delivery of the website.

Data processed:

  • IP address
  • Browser type and version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable hosting); where consent was obtained, additionally Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.

5. Server Log Files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us.

Purpose: Technically error-free display and optimisation of the website; defence against attacks.

Data processed:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request
  • IP address

Note: This data is not merged with other data sources.

Legal basis: Art. 6(1)(f) GDPR

6. Cookies

This website uses only essential cookies. No tracking, advertising or analytics cookies are used. The following overview lists the cookies in use.

COOKIE_CONSENT

Purpose: Stores that the cookie notice has been displayed or confirmed, so that it is not shown again on every visit.

Storage duration: 1 year

Legal basis: Art. 6(1)(f) GDPR; § 25(2) TDDDG.

SESSION_ID

Purpose: Unique session ID for server-side functions, in particular persistence of the language setting during a session.

Storage duration: Session (deleted when the browser is closed)

Legal basis: Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR; § 25(2) TDDDG.

On the first visit to the website, a notice about the essential cookies in use may be displayed. Only cookies that are necessary for the functioning of the website are set. Consent for non-necessary cookies is not requested, as no tracking, advertising or analytics cookies are used. You can manage the use of cookies at any time via your browser settings or delete cookies that have been set.

Further details: /en/cookies.html

7. No Analytics, Tracking or Advertising Services

Neither the website nor the app uses analytics, tracking or advertising services such as Google Analytics, Firebase Analytics, Crashlytics, Amplitude, Mixpanel, AdMob, reCAPTCHA, or embedded YouTube or Vimeo players. Fonts are served locally.

Where third-party providers such as RevenueCat or Expo are mentioned in this privacy policy, their use is exclusively for functional purposes such as purchase management, support or software updates.

8. Data Processing in the "Helioporeo" App

The app works without a user account and without its own backend server. Personal data is generally stored only locally on your device. Transmission to third parties occurs exclusively in the cases described below.

8.1 Data Stored Locally on the Device

Purpose: App functionality without a server (home location, saved locations, groups, UI settings, slot size, premium cache).

Home location

  • Display name
  • Time zone
  • Latitude
  • Longitude
  • Country code

Saved additional locations and location groups

UI language, slot size, last opened group, premium flag

No transmission to third parties or to us.

Storage duration: Until the app is uninstalled or until reset via the app settings ("Reset to example content").

Legal basis: Art. 6(1)(b) GDPR (contract performance / provision of app functionality)

8.2 Location Access (GPS)

Purpose: One-time determination of the home location on first launch of the app.

Accuracy: Lowest accuracy (Location.Accuracy.Lowest); sufficient for determining the time zone.

Frequency: Once on first launch; thereafter only if you manually reset the home location.

Transmission: No sharing with third parties; coordinates are stored exclusively locally on your device.

If denied: The app remains usable if permission is denied; the home location can be selected manually from the offline location catalogue included in the app.

Withdrawal: You can withdraw consent at any time via your operating system's location settings.

Legal basis: Art. 6(1)(a) GDPR (consent granted via the location request of your operating system)

8.3 Location Search (Offline, GeoNames)

The location search in the app uses an SQLite database embedded in the app, based on the freely available GeoNames dataset (cities5000, licence CC BY 4.0). No online geocoding request takes place; your search queries do not leave your device.

8.4 In-App Purchases and Purchase Management (RevenueCat)

RevenueCat, Inc.
535 Mission St, 14th Floor, San Francisco, CA 94105, USA
Privacy policy
Third-country transfer to the USA; safeguarded by standard contractual clauses pursuant to Art. 46(2)(c) GDPR.

Purpose: Management and verification of the premium unlock (e.g. creating additional location groups) and mapping of purchase and restore processes in the app stores.

Data processed:

  • Anonymous RevenueCat AppUserID (no real name, no e-mail)
  • Purchase, restore and entitlement events from the App Store or Play Store
  • Premium entitlement status ("pro" yes/no)
  • Technical SDK data (e.g. device and OS version, app version, IP address at time of connection)

We do not receive payment data (credit card number, bank details) or real names. Billing is handled exclusively by the respective app store.

Legal basis: Art. 6(1)(b) GDPR (contract performance for the premium purchase); additionally Art. 6(1)(f) GDPR (legitimate interest in abuse prevention).

8.5 Support Contact from within the App (Customer Center)

In the app, you can send a support request (e.g. bug report) via the RevenueCat Customer Center from the app settings. You voluntarily provide an e-mail address and free text. A real name is not required; you may use any e-mail address, including a pseudonymous one.

RevenueCat, Inc.
535 Mission St, 14th Floor, San Francisco, CA 94105, USA
Privacy policy
Third-country transfer to the USA; safeguarded by standard contractual clauses pursuant to Art. 46(2)(c) GDPR.

Purpose: Responding to your request; error analysis.

Data processed:

  • The e-mail address voluntarily provided by you
  • The free text of your request
  • Accompanying metadata from RevenueCat (e.g. anonymous AppUserID, app/device version)

The request is delivered to our support address

[Anti-Spam: JavaScript required]
via RevenueCat's infrastructure.

Storage duration: We store your request and responses for as long as necessary to process and document the matter. Support requests are deleted regularly, no later than 24 months after the request is closed, unless statutory retention obligations or legitimate reasons for longer storage exist.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in processing user requests) or Art. 6(1)(b) GDPR where the request is related to contract performance.

8.6 App Stores and Payment Processing

The app is distributed via the following app stores. The privacy policies of the respective store apply to installation and purchase. We receive from the stores only the information required for contract processing — generally aggregated or pseudonymised — via RevenueCat (see above).

Apple App Store

Controller: Apple Distribution International Ltd., Hollyhill Industrial Estate, Cork, Ireland

Privacy policy

Google Play Store

Controller: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy policy

Legal basis: Art. 6(1)(b) GDPR

8.7 Software Updates (Expo / EAS Update)

650 Industries, Inc. (Expo)
Endpoint: https://u.expo.dev/dd6d10f2-b301-4da1-98d5-e9ef05d0a873
Privacy policy
Third-country transfer to the USA; safeguarded where required by standard contractual clauses and/or other appropriate safeguards pursuant to Art. 44 et seq. GDPR.

Purpose: Delivery of JavaScript and asset updates without a new store build (so-called over-the-air update). Used for maintenance and rapid bug fixes.

Data processed:

  • Platform (iOS/Android)
  • App version, runtime version, last loaded update ID
  • IP address (technically during the HTTP request)

The connection is established directly from the app to the update server. The technical data incurred in this process is used exclusively for the provision and verification of updates.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintainability and bug fixing)

8.8 Overview of App Permissions Requested

Location (foreground)

Reason: One-time determination of the home location on first launch (see section 8.2).

Optional

9. Your Rights (GDPR)

You have the following rights with regard to personal data concerning you at any time:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent given (Art. 7(3) GDPR) — the lawfulness of processing carried out before withdrawal remains unaffected
  • Right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR)

Please direct requests to exercise your rights to:

[Anti-Spam: JavaScript required]
.

The competent supervisory authority at the controller's place of business is: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (https://datenschutz-hamburg.de/).

10. Storage Duration

Unless a more specific storage duration is stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or withdraw your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing it (e.g. tax or commercial law retention periods); in the latter case, deletion will occur once those reasons no longer apply.

11. General Notes on the Legal Bases for Data Processing

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, where special categories of data within the meaning of Art. 9(1) GDPR are processed. In the event of express consent to the transfer of personal data to third countries, data processing also takes place on the basis of Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access to information on your end device, data processing additionally takes place on the basis of § 25(1) TDDDG. Consent can be withdrawn at any time. Where your data is required for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data where this is required for the fulfilment of a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also take place on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. Information on the applicable legal basis in each individual case is provided in the preceding sections of this privacy policy.

12. SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognise an encrypted connection by the fact that the address bar of the browser changes from "http://" to "https://" and by the padlock symbol in your browser bar. When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

13. Objection to Advertising Emails

The use of contact details published as part of the imprint obligation for the purpose of sending unsolicited advertising and informational materials is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, e.g. via spam emails.

14. Children

Our website and app are not specifically directed at children under the age of 16. We do not knowingly collect personal data from children under the age of 16. If we become aware that a child has transmitted personal data to us without the consent of a parent or guardian, we will delete this data without delay.

15. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to reflect changes to our services (e.g. new providers). The version in force at the time of your visit is always the applicable one. The date of the last amendment can be found at the beginning of this policy.