Privacy Policy

Effective: Nov 5, 2025 · Version: v1.1

Controller

Micha Helbig, Zuckerbergweg 50, 38124 Braunschweig, Germany
Email: info@graffiti-world.com
You can send any privacy inquiries to this address.

Summary

Graffiti World is a location-based app for creating and viewing geo‑anchored graffiti on a world map.

Data categories

• Authentication & account data (required to paint and sign in): username, email address, optional avatar; password stored as a secure hash; when using third‑party providers (e.g., Google, Facebook), the identifiers transmitted by those providers.
• Camera access (optional): used only to take and upload an optional profile photo (avatar); granting permission is optional. You may instead upload an existing image and can revoke the permission at any time in your device settings.
• Location data (only with consent): display your position, link your graffiti to places, suggest nearby graffiti and friends.
• User content (UGC): graffiti including position, timestamps, visibility.
• Usage/technical data: interactions, IP address, device/OS, app version, server logs.

Purposes & legal bases

• App, accounts, community – Art. 6(1)(b) GDPR
• Location features – Art. 6(1)(a) GDPR (consent; revocable). We use your location to show graffiti near you and to suggest friends nearby, if you have enabled this. You can disable access to your location at any time via your device’s system settings. After disabling, the app receives no further location data and no further processing or transfer of such data occurs.
• Security/abuse prevention (logs) – Art. 6(1)(f) GDPR
• Analytics & app improvement (Firebase Analytics) – Art. 6(1)(f) GDPR (legitimate interest)
• Legal obligations – Art. 6(1)(c) GDPR

Authentication

We use Google Firebase Authentication for sign‑in. You can sign in using email/password or via third‑party providers such as Google or Facebook.

At a minimum, the following data is processed: email address or third‑party identifier, time of sign‑in, and possibly a user UID. This processing serves to securely identify your account and to associate your content such as graffiti.

Maps (OpenStreetMap)

In‑app attribution: © OpenStreetMap contributors. Details: openstreetmap.org/copyright. When loading tiles, IP address, user agent, and timestamps may be processed by the tile server.

Recipients

• Hosting: self‑managed V‑server at Hetzner (EU/DE)
• Map provider: OpenStreetMap / tile server
• Analytics: Google Firebase Analytics
• Authentication: Google Firebase Authentication
• Internal: admin/moderation (e.g., for handling reports)

Retention

• Account & content: until deleted or as required.
• Location data: automatically deleted after 30 days. The last known location remains stored to show nearby graffiti and suggest friends.
• Logs: about 30 days (longer if needed for incident clarification).
• Consents: until withdrawn (withdrawals are logged).

Delete account

In the app via “Delete account”. Your user account is permanently (hard) deleted — all personal account data is removed. Your content (e.g., graffiti) is initially marked as “soft deleted”: image, location, and user linkage are removed or anonymized; internal reference IDs may remain for system integrity but contain no personal information.

Your rights

Access, rectification, erasure, restriction, portability, objection (Art. 15–21 GDPR); withdrawal of consent at any time; right to lodge a complaint with a supervisory authority.

Minors

Not intended for children under 16. Where consent is the legal basis, parental consent may be required.

Security

Transport encryption, server hardening, access restrictions; full security cannot be technically guaranteed.

Analytics (Firebase)

The app uses Google Firebase Analytics, provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Firebase Analytics collects anonymized event data to understand and improve app usage.

No individual user profiles with personal information are created, and no names or email addresses are linked with Firebase Analytics. Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in improving app functionality. In some cases, data may be transferred to the United States; Google is certified under the EU‑U.S. Data Privacy Framework. Certification details: www.dataprivacyframework.gov/s/participant-search (search term: Google LLC).

In the app settings, you will find an option “Disable analytics”. When enabled, collection via Firebase Analytics is disabled.