Privacy Policy #

The protection and security of your personal data is important to us. This privacy policy explains how we process your data when you use our Reunicorn app, what rights you have in this regard, and how you can exercise these rights.

1. Controller and contact details #

The entity responsible for data processing on our app is:
WTF Kooperative eG
Forsmannstr. 14 b
22303 Hamburg

2. Processing in Connection With Our App #

Reunicorn is a decentralized and end-to-end encrypted application. This means that your personal data is not stored on central servers, but exclusively locally on your device and encrypted for contacts and, if applicable, other persons within the network.

We only process data when it is technically necessary.

2.1 Provision of the App #

Purposes: In order for you to use the app’s features, the data is transmitted in encrypted form via the Veilid peer-to-peer network. This ensures particularly data protection-friendly operation without a central server.
To ensure that information shared with your contacts is available even when the sender and recipient are not online at the same time, this encrypted data may be temporarily stored on the devices of other people participating in the Veilid network. We do not have access to this data at any time.

Categories of Data: Profile and location data, if you actively share it, is stored in encrypted form on the network. In addition, technically necessary metadata is processed.

Recipients:

• People participating in the Veilid network
• Operators of DNS servers that support initial peering

Legal Basis: Art. 6 (1) (b) GDPR (contract or pre-contractual measures).

Storage Period: The data is stored locally on your device until you delete it and decentralized in the Veilid network.

2.2 Using the App #

Purposes: Certain information is automatically processed as soon as the app is used. When you download the app, certain necessary information is transmitted to the app store you have selected.

Categories of Data: In particular, your username, email address, customer number, time of download, payment information, and individual device identification number may be processed. This data is processed exclusively by the respective app store and is beyond our control.

Recipients:

• Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Privacy policy: https://www.apple.com/de/legal/privacy/de-ww/
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy?hl=de&gl=de.
• The Commons Conservancy, Science Park 400, 1098 XH, Amsterdam, The Netherlands. Privacy policy: https://f-droid.org/de/2024/03/08/privacy-design-of-fdroid.org-webservers.html.

Legal Basis: Art. 6(1)(b) GDPR (contract or pre-contractual measures).

Storage Period: We do not store any personal data.

2.3 Location Sharing, Map Functions, and Geocoding #

Purposes: We use the services of MapTiler AG for the map and address function. Location data is only shared with your contacts if you activate this feature.

Categories of Data: Current or planned locations, technical usage data when accessing maps and searching for addresses.

Recipients:

• MapTiler AG, Switzerland. Zugerstrasse 22, 6314 Unterägeri, Switzerland. Privacy policy: https://www.maptiler.com/privacy-policy/.

Legal Basis: Art. 6 para. 1 lit. b GDPR (contract or pre-contractual measures).

Storage Period: We do not store any personal data.

2.4 Push Notifications #

Purposes: You can optionally receive push notifications. In order to use push notifications, a consistent token is generated after consent is given, which is transmitted to the WTF server without disclosing your IP address or other user details and is used to send push notifications to your device.

Categories of Data:

• The token identifying the device.

Recipients:

• Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork Ireland. Privacy policy: https://www.apple.com/de/legal/privacy/de-ww/
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy?hl=de&gl=de.

Legal Basis: Consent (Art. 6 (1) (a) GDPR)

Storage Period: We do not store any personal data.

2.5 In-App Purchases #

Purposes: Payment processing may be carried out via app store operators in order to activate additional functions.

Categories of Data: Transaction and payment data, without us having access to payment details.

Recipients:

• Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork Ireland. Privacy policy: https://www.apple.com/de/legal/privacy/de-ww/
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy?hl=de&gl=de.

Legal Basis: Art. 6 para. 1 lit. b GDPR.

Storage Period: We do not store any personal data.

2.6 App Permissions #

Purposes: In order to provide its functions, the app requires access to certain data. Some of this data is necessary for the use of the app, while other data is optional. Access is required for the following Purposes:

• Internet access: This is required to enable you to connect with other participants.
• Camera access (optional): This enables QR codes to be scanned.
• Location access (optional): This is required if the current location is to be shared with a contact.
• Background location access (optional): This is required if the current location is to be shared over a period of time.
• Contact access (optional): This is required to update contacts from the phone book in the app. The contact data is stored locally in the app.
• Storage (optional): Images can be uploaded from your device as profile pictures in the app and shared with contacts there.
• Calendar access (optional): Calendar entries can be loaded into the app to share them as temporary locations with contacts. Temporary locations can be entered from the app into the calendar on your device as appointments.

Categories of Data: The permissions set are stored locally on your device. You can change them at any time in your device settings.

Legal Basis: The legal basis here is Section 25 (2) No. 2 TDDDG. Device access is access that is necessary for the provision of the respective function.

Storage Period: We do not store any personal data.

2.7 Contact #

Purposes: When you contact us by email, the information you provide us with is processed to the extent necessary to respond to the inquiry and any requested measures.

Categories of Data: Identifying data (e.g., names), contact data (e.g., email), content data (e.g., entries in online forms).

Recipients:

• Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen

Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 (1) (b) GDPR) or legitimate interest in effectively responding to inquiries (Art. 6 (1) (f) GDPR).

Storage Period: Contract fulfillment and pre-contractual inquiries (Art. 6 (1) (b) GDPR) or legitimate interest in effectively responding to inquiries (Art. 6 (1) (f) GDPR).

3. Profiles on Social Networks #

We have profiles on social networks. Our social media profiles complement our website and offer you the opportunity to interact with us. As soon as you access our social media profiles on social networks, the terms and conditions and data processing guidelines of the respective operators apply. The data collected about you when using the services is processed by the networks and, if necessary, also transferred to countries outside the European Union where there is no adequate level of protection for the processing of personal data. We have no influence on data processing in social networks, as we are users of the network just like you. Information on this and on which data is processed by the social networks and for what purposes the data is used can be found in the privacy policy of the respective network listed below. We use the following social networks:

3.1 Mastodon #

Our page is available at: https://floss.social/@reunicorn.
Our instance is operated by floss.social.
The privacy policy of the instance is available at: https://floss.social/privacy-policy

Purposes: We process personal data as a controller when you send us inquiries via social media profiles. We process this data in order to respond to your inquiries.

Legal Basis: The processing is based on our legitimate interest (Art. 6 (1) (f) GDPR). The interest lies in the respective purpose.

Storage Period: We do not store any personal data outside the network.

4. General Information about Recipients #

When we process your data, it may be necessary to transfer or disclose your data to other recipients. In the sections on processing above, we name the specific recipients as far as we can. If recipients are located in a country outside the EU, we indicate this separately under the individual points listed above. Unless we expressly refer to an adequacy decision, no adequacy decision exists for the respective recipient country. In these cases, we will agree on appropriate safeguards in the form of standard contractual clauses to ensure an adequate level of data protection (unless other appropriate safeguards, such as binding corporate rules, are in place). You can access the current versions of the standard contractual clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
In addition to these specific recipients, data may also be transferred to other categories of recipients. These may be internal recipients, i.e., persons within our company, but also external recipients. Possible recipients may include, in particular:

• Our employees who are responsible for processing and storing the data and whose employment relationship with us is governed by a confidentiality obligation.
• Service providers who act as processors bound by our instructions. These are primarily technical service providers whose services we use when we cannot provide certain services ourselves or when it is not reasonable for us to do so.

5. General Information on the Storage Period #

You can delete your locally stored data at any time via the app or the settings in your operating system. Due to the decentralized design, we cannot guarantee the deletion of your data on your contacts’ devices.

6. Automated Decision-Making and Obligation to Provide Data #

We do not use automated decision-making that has a legal effect on you or similarly significantly affects you.

7. Data Subjects Rights #

You have the following rights, provided that the legal requirements are met. To exercise these rights, you can contact us at the address you are familiar with.

• Art. 15 GDPR – Right of Access:
  You have the right to obtain from us confirmation as to whether personal data concerning you is being processed, and, where that is the case, access the personal data and the circumstances surrounding the processing.
• Art. 16 GDPR – Right to Rectification:
  You have the right to request that we correct inaccurate personal data concerning you without delay. Taking into account the purposes of the processing, you also have the right to request that incomplete personal data be completed, including by means of a supplementary statement.
• Art. 17 GDPR – Right to Erasure:
  You have the right to request that we erase personal data concerning you without undue delay.
• Art. 18 GDPR – Right to Restriction of Processing:
  You have the right to request that we restrict processing.
• Art. 20 GDPR – Right to Data Portability:
  In the event of processing based on consent or for the performance of a contract, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance from us or to have the data transmitted directly to the other controller, where technically feasible.
• Art. 77 GDPR in conjunction with § 19 BDSG – Right to Lodge a Complaint with a Supervisory Authority:
  You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes applicable law.

8. In particular, Right to Object and Withdrawal of Consent #

• Art. 21 GDPR – Right to Object:
  You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is necessary for the purposes of our legitimate interests or for the performance of a task carried out in the public interest or in the exercise of official authority.
  If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
  If we process your personal data for direct marketing purposes, you have the right to object to the processing at any time. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
  You can raise your objection at any time with future effect via one of the contact addresses known to you.
• Withdrawal of Consent: You can revoke your consent at any time with future effect via one of the contact addresses known to you.

9. Obligation to Provide Data #

You have no contractual or legal obligation to provide us with personal data. However, without the data you provide, we are unable to offer you our services.

10. No Cookies #

The app does not use cookies or similar tracking mechanisms.

11. Comments or Questions #

We take every conceivable precaution to protect and secure your data. We welcome your questions and comments about data protection. If you have any questions about the collection, processing, or use of your personal data, or if you wish to request information, correction, blocking, or deletion of data, or withdraw consent you have given, please contact us using the contact details provided above.

December 2025