Privacy Policy

Introduction

This Privacy Policy explains how Lilia Technologies GmbH processes personal data in connection with our website, the LILIA app (Android, iOS, Web App) and general company operations.

It is structured to cover the website (#website), the app (#app) and company‑wide processing (#company). A direct link to the app section can be used for the Play Store listing.

Controller & Contact

Controller: Lilia Technologies GmbH, Kalmünzergasse 5, 93047 Regensburg, Germany.

Managing Director: Fabian Ben Boerschmann.

Register: Local Court of Regensburg, HRB 21328. VAT ID: DE451966932.

Contact for privacy inquiries: support@mylilia.de.

Data Protection Officer: not appointed (currently not required).

Supervisory authority: Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, Germany, poststelle@lda.bayern.de.

Scope & Audience

Applies to www.mylilia.de, www.mylilia.com and the LILIA app (Android, iOS, Web App).

Our services are intended primarily for adults and are not directed at children. Individuals under 16 should use the app only with parental consent.

Website Processing (#website)

Hosting: Namecheap, Inc., EU datacenter (Amsterdam, NL). Server: Apache 2.4.65, Linux, MariaDB 10.6.

Server logs: IP address, timestamp, referrer, browser, OS – purposes: security/operations (Art. 6(1)(f) GDPR). Retention: up to 30 days (provider‑dependent).

Contact forms/newsletter: currently not active; once introduced, this policy will be updated, including legal bases and retention.

Embedded services: Google Maps currently used only inside the app (login area) – see app section.

Cookies/TTDSG & Consent

We use a consent management platform (cookie banner) to obtain and record consent for cookies/similar technologies and related data processing (Art. 6(1)(c) GDPR in conjunction with § 25 TTDSG; for optional tracking Art. 6(1)(a) GDPR).

The specific tool will be named once implemented. Until then, non‑essential cookies/SDKs are activated only with consent.

Lifetimes of individual cookies/local‑storage entries are maintained in a separate cookie/SDK list.

App Processing (#app)

Platforms: Android (Google Play), iOS (Apple App Store), Web App.

Some functions are available without an account. For advanced features, registration is required (first/last name, address, email, date of birth/age, employer/company, training year). Legal basis: contract/performance (Art. 6(1)(b) GDPR).

Sign‑in options: Google, Apple, Facebook, or email/password. The respective provider shares the data necessary for authentication (Art. 6(1)(b) GDPR).

Payments: PayPal for in‑app payments; data processed include name, email, address, payment and transaction details (Art. 6(1)(b) GDPR).

Location data: for maps/navigation (“learning path”) the device location (GPS/Wi‑Fi/cell) may be processed. Only with consent/OS permission; may be transmitted to map providers (e.g., Google Maps) for display. Legal basis: consent (Art. 6(1)(a) GDPR).

Device identifiers & usage/diagnostic data: device ID, push token, crash reports, usage data (if analytics enabled). Purposes: provision, troubleshooting, optimization; depending on category based on contract (b) or legitimate interests (f), and for marketing/analytics on consent (a).

Push, crash reporting, analytics, A/B testing/remote config: currently planned/evaluated; activation may require prior consent. Purely functional remote configuration may rely on legitimate interests (f).

Advertising SDKs: not in use at present; any future use will require prior consent and transparent disclosure here.

Account & Data Deletion

Accounts can be deleted in the app under “Profile → Delete account” or via the web app (“My account”).

After confirmation, the account and associated personal data are deleted without undue delay, no later than within 30 days. Support: support@mylilia.de.

Residual data in backups are overwritten on schedule unless statutory retention obligations apply.

Legal Bases (Art. 6 GDPR)

Consent (Art. 6(1)(a)): e.g., optional location, marketing/analytics, push, A/B testing.

Contract/performance (Art. 6(1)(b)): registration/account, app usage, payment processing.

Legal obligation (Art. 6(1)(c)): statutory retention under tax/commercial laws.

Legitimate interests (Art. 6(1)(f)): IT security, fraud prevention, debugging, optimization, efficient communication.

Recipients & Processors

Hosting/backend: Hetzner Online GmbH (Germany/Finland).

Cloud storage/backups: Wasabi Technologies Inc. (USA/EU region where configured).

Payments: PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) and, where applicable, PayPal Inc. (USA).

Productivity/communications: Google Workspace (Google Ireland Ltd.).

SSO/push/crash/analytics/remote config (as used): Google/Firebase, Apple (APNs/Sign‑in with Apple), Meta (Facebook Login).

CRM/support/marketing (if used): Zoho Corporation B.V.

Processor agreements (DPAs) are in place with all processors. No disclosure to third parties for advertising purposes.

International Data Transfers

Where providers outside the EEA are used (in particular the USA), transfers rely on appropriate safeguards (notably EU Standard Contractual Clauses – “SCCs”) and, where necessary, additional measures.

See the provider list in this policy for details on recipients and transfer mechanisms.

Retention & Deletion

Server logs up to 30 days (provider‑dependent).

Account/contract data for the duration of the relationship; statutory retention up to 10 years (commercial/tax laws).

Usage/diagnostic data until the purpose ceases or consent is withdrawn/objected to; crash data kept briefly (technically required).

Backups overwritten on a rolling schedule (e.g., 30–90 days).

Security (TOMs)

Transport encryption (TLS), encryption at rest, role‑based access control (RBAC) and multi‑factor authentication for sensitive accounts.

Regular access reviews, staff training on privacy/security, logging/monitoring, and defined incident procedures (Art. 33/34 GDPR).

Device security/MDM and policies (passwords, BYOD, remote work) are in place or being enhanced.

Data Subject Rights

You have the right of access, rectification, erasure, restriction, data portability, and to object to processing based on Art. 6(1)(f) GDPR.

You may withdraw consent at any time with effect for the future.

Please contact support@mylilia.de. We respond without undue delay, at the latest within one month (extendable by up to two months for complex cases).

Right to Lodge a Complaint

You may lodge a complaint with a supervisory authority, in particular with the Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, Germany.

Changes & Effective Date

We will update this policy if our processing or the legal framework changes. Effective date: 2025-08-27.
