Menu

Defapp Privacy Policy 

Last updated: February 22, 2026

1. Controller

Jens Remer
Albrechtstr. 15b
12099 Berlin, Germany
Email: mail@defapp.de
Legal Notice: http://www.defapp.de/impressum/

2. Subject Matter of this Privacy Policy

This Privacy Policy explains how we process personal data in the Defapp mobile app. Defapp is a mobile app that combines different sensors of the end device in order to attract attention and to offer a way to gain time in potentially dangerous situations (e.g., through alarm sounds, visual effects, etc.). 

In addition, Defapp – depending on the scope of functions and the selected setting – enables the optional triggering and forwarding of calls for help:

  • Optional Private / Device-to-Device: calls for help to known contacts (linked via QR code).
  • Optional to users in spatial proximity (Nearby).

Some of these functions may still be in a test, pilot, or implementation phase and may not be available in all versions of the app.

Defapp operates without traditional user accounts (no name, no email, no phone number required). Pseudonymous identifiers are used.

3. Not an Emergency Call App / Liability Notice

Defapp is not a governmental or official emergency call service and does not replace an emergency call.

It is not guaranteed that a call for help sent via Defapp will result in any response or assistance. In community mode, other users alone decide voluntarily and on their own responsibility whether and how they respond.

The availability of the app and the delivery of messages may be affected in particular by technical disruptions, network outages, server issues, or restrictions of third-party providers (e.g., push services).

Defapp assumes no liability for the absence, delay, or non-delivery of calls for help or notifications.

In acute or life-threatening dangerous situations, the official emergency number must be called immediately.

Defapp’s liability remains unaffected in cases of intent or gross negligence as well as in cases of injury to life, body, or health.

4. What Data Do We Process?

4.1 Pseudonymous Identification and Device Data

  • Firebase Anonymous User ID (UID)
  • deviceId (app-internal pseudonymous device identifier)
  • Push token (FCM/APNs) for the delivery of push notifications

Purposes: operation of the app, push delivery, abuse prevention, security.
Legal bases: Art. 6(1)(b) GDPR (provision of the app functions) and Art. 6(1)(f) GDPR (security/abuse prevention).

4.2 Location Data

Location data is processed only after active permission has been granted. 

Privacy by Design:

  • Conversion into an H3 grid cell (approx. 600 m diameter)
  • No permanent storage of exact coordinates
  • No location history
  • No movement profiles

Exact coordinates – if they are part of a call for help – are processed exclusively for immediate forwarding as part of the push process and are not stored on the server side.

Purposes: triggering/transmission of calls for help, orientation for recipients.
Legal bases: Art. 6(1)(a) GDPR (consent via location permissions/confirmations) and Art. 6(1)(b) GDPR (provision of the “call for help” function).

4.3 Height/Floor Hint (Optional, Estimate)

The app may process an estimated floor hint (e.g., “probably 1st floor”). This may be based on device sensors (e.g., barometer). This is an estimate, not an exact altitude measurement.

Purpose: better orientation in multi-story buildings.
Legal basis: Art. 6(1)(b) GDPR (provision of the function) and, where applicable, Art. 6(1)(a) GDPR (depending on the consent/opt-in implementation).

4.4 Data Relating to Calls for Help (Event Data)

Depending on the function, calls for help may contain technical/event-related information (e.g., time, type of call for help, rough Nearby grid cell, or floorHint). We avoid unnecessary personal content.

Purpose: delivery/display of the call for help.
Legal basis: Art. 6(1)(b) GDPR.

4.5 Technical Security and Abuse Prevention Data

To secure operation and prevent abuse, technical data may be generated, e.g.:

  • Rate-limit events, timestamps, app version, error codes
  • Validations to protect against automated requests (e.g., Firebase App Check)

Purposes: security, stability, abuse prevention, cost control.
Legal basis: Art. 6(1)(f) GDPR.

No Analytics/Tracking: We do not use user-related tracking or advertising/analytics tools in the app (e.g., no Facebook Pixel, no Google Analytics/Firebase Analytics).

4.6 Technical and Organizational Measures

We use exclusively:

  • TLS encryption
  • Pseudonymization
  • No GPS server persistence
  • Rate limiting
  • AppCheck / Device Attestation
  • Access restriction

Backend services are restricted to the eu.west3 (EU) region.

4.7 International Data Transfers

Although our backend region is restricted to EU data centers, processing by Google LLC or Apple Inc. may occur in connection with push notifications.

These companies have their headquarters in the United States.

To the extent that a transfer to a third country occurs, it is based on appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses).

4.8 Retention Period

Push tokens: as long as valid

  • Nearby cell: current status only
  • No location history

4.9 Rights of Data Subjects

  • Access
  • Erasure
  • Rectification
  • Restriction
  • Objection
  • Data portability
  • Complaint to a supervisory authority

5. Minors

The app is intended for persons aged 16 and older, but it is not necessarily restricted by the app store operators. Use by persons under 16 is recommended only with the consent of their legal guardians. 

 

6. Push Notifications

Defapp uses push notifications (FCM/APNs) to deliver calls for help. For this purpose, a push token of your device is stored and managed.

Important:

  • No exact coordinates are displayed in the preview of the push notification.
  • Exact coordinates (if they are part of the call for help) are forwarded only as push data to authorized recipients so that they can open the location after opening the notification (e.g., in Google Maps).

Legal basis: Art. 6(1)(b) GDPR (functionality). You grant permission for push notifications via the settings of your device.

7. Device-to-Device Linking (Private Contacts)

Defapp makes it possible to link two devices directly with each other (“Device-to-Device”) by scanning a QR code of the recipient device.

When such a QR code is scanned, the following are processed:

  • the pseudonymous UID of the recipient device
  • as well as technical identifiers for push delivery

in order to be able to send future calls for help directly to this device.

The QR code does not contain plain-text data (e.g., name, email address, or phone number).

Only a pseudonymous assignment between two devices is created. This link can be deleted at any time within the app.

Location data is not stored permanently as part of the Device-to-Device link. If a call for help contains location information, the rules described above for forwarding location data apply.

Purposes: enabling direct calls for help between known devices.
Legal basis: Art. 6(1)(b) GDPR (provision of the app function).

8. Nearby (Community Function)

Defapp offers an optional “Nearby” function, which can be used to transmit calls for help to users in the nearby area.

8.1 Activation and Consent

Use of Nearby is voluntary and takes place exclusively after active activation by you.
Both sending and receiving Nearby calls for help require express consent within the app.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR.

You can deactivate Nearby at any time in the settings.

8.2 Processing of Location Data

If Nearby is activated, the app processes location information exclusively for the purpose of the technical delivery of calls for help in your area.

The following applies:

  • No exact GPS coordinates are permanently stored on our servers.
  • Instead, your location is converted locally on your device into a so-called H3 grid cell (hexagonal map tile).
  • Only the identifier of this grid cell (e.g., “Cell ID”) is transmitted to our servers.
  • This grid cell covers an area of approximately 600 meters in diameter.

Our servers therefore do not know your exact position, but only a roughly gridded area unit.

8.3 No Movement Profiles

  • There is no permanent location tracking.
  • No movement profiles are created.
  • No history of your previous locations is stored.
  • Only your currently active grid cells are stored as long as receiving Nearby is activated.

Your grid cell is updated exclusively:

  • when you trigger this manually,
  • when the app starts (if activated),
  • or during active app use subject to technical limitations.

8.4 Technical Limitations to Protect Your Data

To avoid unnecessary data transmission and to protect your privacy, the following safeguards apply:

  • Location updates occur only at certain time intervals.
  • For Nearby calls for help, the following applies: at most one send every 15 minutes and a maximum of 4 attempts within 24 hours.
  • Automatic updates when leaving or changing the current area occur only while the app is being used in the foreground and only up to a speed of 130 km/h.
  • When sending Nearby calls for help, the backend takes your defined availability times into account.

These measures serve both data protection and abuse prevention.

8.5 Exact Position in Calls for Help

If a call for help contains an exact position:

  • It is not permanently stored on our servers.
  • It is used exclusively for direct delivery as part of the push process.
  • The exact position is displayed only when you actively tap the notification (e.g., opening it in a map app).

8.6 Deactivation

You can deactivate Nearby at any time.
After deactivation, your grid cell assignment will no longer be updated.

9. Defapp Pro (In-App Purchase) via Apple App Store / Google Play

Certain functions (e.g., sending push notifications and future features) require the purchase of Defapp Pro (currently EUR 2.99 per year).

The purchase is made as an in-app purchase via:

  • Apple App Store (Apple)
  • Google Play (Google)

Payment processing notice: Payment processing and subscription management are carried out by Apple or Google. As a rule, we do not receive complete payment data (e.g., no credit card data). Depending on the platform, we may receive information about the subscription status (e.g., active/expired) or a transaction/order identifier in order to unlock access to Pro functions.

Purposes: provision of Pro functions, billing/status verification, abuse barrier, and cost control.
Legal bases: Art. 6(1)(b) GDPR (contract/service “Pro”) and Art. 6(1)(f) GDPR (abuse prevention/cost containment).

The privacy notices of the app store providers also apply:

  • Apple: https://www.apple.com/legal/privacy/
  • Google: https://policies.google.com/privacy

10. Recipients / Service Providers (Processors)

For technical operation, we use in particular services of Google/Firebase:

  • Firebase Authentication (Anonymous Auth)
  • Firebase Cloud Messaging (FCM)
  • Firebase Firestore (e.g., token registry, receiver configuration)
  • Firebase Cloud Functions (server logic, push fan-out)
  • Firebase App Check (protection against abuse)

Additionally: Apple Push Notification Service (APNs) for iOS.

Third-country transfer: Depending on the service, processing may also take place outside the EU/EEA. Where required, we base transfers on appropriate safeguards (e.g., EU Standard Contractual Clauses) and the data protection mechanisms provided by the providers.

11. Retention Period

We store data only for as long as necessary for the respective purpose:

  • Push tokens: as long as required for delivery; invalid tokens are deactivated.
  • Receiver data: as long as Nearby is activated or until users delete/deactivate it.
  • Security/rate-limit data: only as long as necessary for abuse prevention.

Exact location data is not stored permanently on the server side.

12. Your Rights

Under the GDPR, you have in particular the following rights:

  • Access (Art. 15), rectification (Art. 16), erasure (Art. 17)
  • Restriction (Art. 18), data portability (Art. 20)
  • Objection (Art. 21), withdrawal of consent (Art. 7(3))

Because Defapp operates without plain-text data, exercising your rights may require you to enable us to make an assignment (e.g., an identifier/UID displayed in the app, if available).

You may also lodge a complaint with a data protection supervisory authority.

13. Changes to this Privacy Policy

We adapt this Privacy Policy if functions or processing activities change. The current version is available in the app and/or on our website.