Privacy Policy for the Barande

1. Controller

Controller within the meaning of the General Data Protection Regulation (GDPR):

Samsoun Behaein
Grünhofer Weg 42
13581 Berlin
Germany

Email: connect@barande.app
Legal Notice: barande.app/legal/impressum

2. Hosting

a) Website Hosting (Vercel)

We host our website at Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When you visit our website, Vercel automatically collects so-called server log files (IP address, date/time, browser type, operating system, referrer URL).

The collection is based on Art. 6 Para. 1 lit. f GDPR. Data transfer to the USA is based on the standard contractual clauses of the EU Commission.

3. Backend Infrastructure (Supabase)

For the backend infrastructure, our PostgreSQL database, user authentication, and file storage, we use Supabase (Supabase, Inc., Sunnyvale, CA, USA). Data is processed on AWS servers. We have configured the storage location to data centers within the EU (Frankfurt).

a) Registration and User Account

Upon registration, we process your email address and an encrypted password. Legal basis: Art. 6 Para. 1 lit. b GDPR.

b) Database

Profile data, trips, bookings, and reviews are stored in our database. Legal basis: Art. 6 Para. 1 lit. b GDPR.

c) File Uploads (Storage)

Uploaded images (profile pictures, package photos) are stored in Supabase Storage. Legal basis: Art. 6 Para. 1 lit. b GDPR.

4. Cookies and Local Storage

Our website uses cookies for core functions:

• Supabase Session Cookies: For your login status (Art. 6 Para. 1 lit. b/f GDPR).
• Localization (NEXT_LOCALE): For your language setting.

Our mobile app uses secure device storage (Expo SecureStore) instead of cookies to store authentication tokens.

We do not use tracking or marketing cookies that require consent by default.

5. Contact and Forms

When you contact us via email or a form, your details are stored for processing. Legal basis: Art. 6 Para. 1 lit. b or f GDPR.

6. Third-Party Logins (Social Sign-In)

a) Google Sign-In

We offer login via Google (Google Ireland Limited, Dublin, Ireland). We receive your email address and basic profile information. Legal basis: Art. 6 Para. 1 lit. a and b GDPR.

b) Apple Sign-In [NEW]

We offer login via Apple (Apple Inc., Cupertino, CA, USA). Depending on your choice, we receive your email address (potentially a relay address generated by Apple) and your name. Legal basis: Art. 6 Para. 1 lit. a and b GDPR.

7. Analysis and Error Monitoring [NEW]

a) PostHog (Product Analysis)

We use PostHog (PostHog, Inc., San Francisco, CA, USA) to analyze the use of our app. PostHog collects pseudonymized usage data such as screens viewed, click events, and device information. If you are logged into the app, your user ID is transmitted to PostHog to better understand usage patterns.

PostHog processes data on servers in the EU or the USA. The legal basis is our legitimate interest in improving our services (Art. 6 Para. 1 lit. f GDPR).

b) Sentry (Error and Crash Reporting)

To detect and fix technical errors, we use Sentry (Functional Software, Inc., San Francisco, CA, USA). In the event of an error, the following data is automatically transmitted to Sentry:

• Error message and stack trace
• Device type, operating system, and app version
• Your user ID (if logged in)

Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in the stability and error correction of our app). Data transfer to the USA is based on standard contractual clauses.

8. Map Service and Location Data [NEW]

a) Google Maps

We use the Google Maps API (Google Ireland Limited) to display maps and for location searches. Your search queries and potentially your IP address are transmitted to Google. Legal basis: Art. 6 Para. 1 lit. b and f GDPR.

b) Location Data

With your explicit permission (device authorization), we can access your device location to suggest the best meeting point. This data is not stored permanently. Legal basis: Art. 6 Para. 1 lit. a GDPR (consent).

9. Push Notifications [NEW]

If you activate push notifications, a device-specific token (push token) is transmitted to our server and stored in your user profile. This token allows us to send you notifications about bookings, messages, and status changes. You can deactivate push notifications at any time in the device settings. Legal basis: Art. 6 Para. 1 lit. a and b GDPR.

10. Device Information [NEW]

Our app collects basic device information (e.g., device model, operating system version, language and region settings) for technical optimization and error analysis. This data is not linked to your name. Legal basis: Art. 6 Para. 1 lit. f GDPR.

11. Google Fonts (Locally Hosted)

We use Google Fonts integrated locally. No connection to Google servers is established and no data is transmitted to Google.

12. Children and Minors [NEW]

Our platform is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has transmitted data to us, we will delete it immediately.

13. Your Rights as a Data Subject

You have the following rights at any time:

• Right to access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to withdraw consent (Art. 7 Para. 3 GDPR)
• Right to object (Art. 21 GDPR)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise these rights, please contact: connect@barande.app

14. Retention Period

We store your data only as long as necessary for the stated purposes or as required by legal retention periods. After the purpose has ceased to exist, the data is routinely deleted.

15. Overview of Third-Country Transfers [NEW]