Menu

Privacy Policy – Defapp

Last updated: February 22, 2026

1. Controller

The controller responsible for data processing in the mobile app “Defapp” is:

Jens Remer
Albrechtstr. 15b
12099 Berlin
Germany
Email: mail@defapp.de
Legal notice: https://www.defapp.de/impressum

If you have any questions about data protection, you can contact us at any time.

2. What is Defapp?

Defapp is a mobile application intended to help you gain time, attract attention, or quickly inform potential helpers in potentially dangerous situations.

Depending on the installed app version and the features you activate, you may:

  • Use local alarm functions on your own device
  • Send emergency alerts directly to trusted devices (device-to-device)
  • Send or receive alerts from people nearby (“Nearby”)
  • Send alerts to defined public areas (Public Areas)
  • Record a short evidence video in defense mode

Defapp works without traditional user accounts.
You are not required to provide your name, email address, or phone number.

Instead, pseudonymous technical identifiers are used.

3. Not an Official Emergency Service

Defapp is not an official emergency service and does not replace emergency numbers.

We cannot guarantee that an alert will be received, delivered, or acted upon.

In life-threatening situations, you must immediately contact the official emergency services in your country.

4. What Data We Process

We only process data that is technically necessary to provide the features you choose and to protect the system against misuse.

4.1 Pseudonymous Identifiers and Push Functionality

These data are processed only if you activate features that require push notifications (for example device-to-device alerts, Nearby, or Public Areas).

If you use only local alarm functions, no push registration takes place.

When you activate a push-based feature:

  • An anonymous Firebase UID is assigned to your device
  • An internal app device identifier is stored
  • A push token (FCM/APNs) is registered

These identifiers do not contain personal information such as your name or email address. They are used solely for technical message delivery and system security.

Legal basis:
Article 6(1)(b) GDPR (provision of the selected service) and Article 6(1)(f) GDPR (legitimate interest in system security and abuse prevention).

4.2 Location Data

Location data are processed only if you actively grant permission.

Nearby Reception

If you activate Nearby reception (“Option: Receive push notifications → From Defapp users nearby”), your current location is converted locally on your device into an H3 grid cell (approximately 600 meters in diameter).

Only this grid cell identifier is transmitted to our servers – not your exact GPS position.

We do not:

  • store location history
  • create movement profiles
  • permanently store precise GPS coordinates on our servers

Only your currently active grid cell is stored while Nearby is enabled.

The legal basis is your consent pursuant to Article 6(1)(a) GDPR.

You can deactivate Nearby reception at any time in the app settings.

4.3 Exact Location in an Alert (Optional)

When sending an alert, you can optionally activate the function “Add current location.”

Only if you actively select this option will your exact GPS position be included in the alert.

This precise location:

  • is not permanently stored on our servers
  • is not analyzed
  • is not aggregated
  • is not used for profiling

It is processed solely for the technical purpose of immediate transmission to authorized recipients via push notification.

Legal basis:
Article 6(1)(b) GDPR and, for Nearby, additionally your consent under Article 6(1)(a) GDPR.

You decide each time whether to include your exact position.

4.4 Defense Mode and 5-Second Evidence Video

Defapp offers an optional defense mode.
When you actively trigger this mode, your device can automatically record a short video (approximately 5 seconds).

4.4.1 Important Principles

  • Recording only occurs after you actively trigger the mode.
  • There is no hidden or continuous background recording.
  • There is no permanent surveillance function.

4.4.2 Local Processing Only

The video is created and stored exclusively on your device.

We do not:

  • store the video on our servers
  • upload it to our systems
  • analyze it
  • perform facial recognition
  • conduct biometric identification

4.4.3 Possible Content

The video may capture other individuals, for example a person posing a threat.

Such footage may contain personal data of third parties.

The feature is intended solely for emergency or defense situations.

4.4.4 Optional SMS Transmission

You may choose to send the video using your device’s built-in SMS/MMS application.

In that case:

  • The transmission occurs via your mobile carrier.
  • We do not receive a copy of the video.
  • We do not store or access the transmitted content.

The processing of phone numbers and message delivery is governed by your mobile carrier agreement.

Legal basis:
Article 6(1)(b) GDPR (provision of the feature) and Article 6(1)(f) GDPR (legitimate interest in personal safety and evidence preservation).
In actual emergency situations, Article 6(1)(d) GDPR (protection of vital interests) may also apply.

4.5 Public Areas and Administrators

Public Areas are created by an “Owner.”

The Owner may appoint administrators. Administrators have the same management rights as the Owner, including the ability to delete a Public Area.

This ensures that areas can be removed even if the original device is lost.

When scanning a QR code, only technical identifiers (such as areaId or join tokens) are processed.

Legal basis:
Article 6(1)(b) GDPR and Article 6(1)(f) GDPR.

4.6 Abuse Prevention

To protect the system from spam or misuse, we apply technical safeguards such as rate limits and validation mechanisms.

In certain cases, alerts may not be forwarded automatically if abuse patterns are detected.

These measures are solely intended to ensure system security and stability.

If you believe a restriction was applied in error, you can contact us.

Legal basis:
Article 6(1)(f) GDPR.

5. Service Providers

For technical operation, we use services including:

  • Firebase Authentication
  • Firebase Firestore
  • Firebase Cloud Functions
  • Firebase Cloud Messaging
  • Firebase App Check
  • Apple Push Notification Service

These providers process data on our behalf under Article 28 GDPR.

6. International Data Transfers

Although our backend systems are restricted to EU regions, push notification services may involve processing by Google LLC or Apple Inc. in the United States.

Where personal data are transferred to third countries, appropriate safeguards are applied in accordance with Article 46 GDPR, including EU Standard Contractual Clauses and, where applicable, certifications under the EU–US Data Privacy Framework.

7. Data Retention

We store personal data only as long as technically necessary.

  • Push tokens: until invalid or deleted
  • Nearby grid cells: only current status
  • Public Area data: while active
  • Security and rate-limit data: generally up to 30 days
  • Exact GPS data: no permanent storage
  • Evidence videos: never stored on our servers

Backups are regularly overwritten.

8. App Store Providers (Apple App Store / Google Play)

Defapp is distributed via third-party platforms, in particular the Apple App Store and Google Play Store.

When downloading, installing, updating the app, or making in-app purchases, personal data may be processed by the respective platform provider (e.g., Apple Inc. or Google LLC).

This processing is carried out independently by the respective provider and is subject to their own privacy policies. We have no control over this data processing.

For more information, please refer to:

Apple: https://www.apple.com/legal/privacy/
Google: https://policies.google.com/privacy

9. Your Rights

Under the GDPR, you have the right to:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • Objection
  • Withdraw consent

Since Defapp operates without personal account data, you may need to provide your app UID to allow us to identify your records.

You also have the right to lodge a complaint with a supervisory authority.

10. Minors

Defapp is generally intended for users aged 16 and older.

If you are younger than 16, you should only use the app with the consent of your legal guardians.

11. Changes to This Policy

We may update this Privacy Policy if features or legal requirements change. The current version is available within the app and on our website.