Privacy Policy

Last updated: 2026-04-01

The following Privacy Policy applies to the use of the rondre mobile application ("App") for iOS and Android, as well as our website rondre.com and any related subdomains (collectively, the "Service"). It explains how we collect, use, store, and protect your personal data, and what rights you have with respect to your data.

If you have any questions about this Privacy Policy, please contact us at any time using the details provided in Section II below.

I. General Information

We, rondre (Inh. Andreas Krause, Zechenstr. 5, 51103 Cologne, Germany; hereinafter referred to as "rondre", "we", "us", or "our"), take the protection of your personal data very seriously and strictly comply with applicable data protection laws, in particular the EU General Data Protection Regulation (GDPR).

This Privacy Policy explains what personal data we collect when you use our Service, why we collect it, how we use and store it, with whom we share it, and how you can exercise your rights as a data subject at any time.

In accordance with the GDPR, you have various rights with respect to your personal data, including — under certain conditions — the right to object to particular types of data processing. Where such a right to object exists, it is clearly indicated in the relevant section of this Privacy Policy.

II. Name and Contact Details of the Controller

The controller responsible for data processing within the meaning of the GDPR is:

rondre
Inh. Andreas Krause
Zechenstr. 5
51103 Cologne, Germany
Tel: +49 (0)221 80090637
Email: help@rondre.com

For all data protection enquiries, please contact us at the address above, subject line: "Data Protection".

III. Purposes of Data Processing, Legal Basis, and Recipients

1. Visiting our Website (rondre.com)

When you visit rondre.com, our web server automatically collects and stores information in server log files that your browser transmits. This includes:

• Browser type and version
• Operating system
• Referrer URL (previously visited page)
• Accessed pages and URLs
• IP address of the accessing device
• Date and time of the server request

This data is not combined with other data sources and is used solely to ensure the technical operation, security, and stability of our website. No conclusions about your identity can be drawn from this data, and we make no attempt to draw any. Log data is stored for a maximum of 7 days and then automatically deleted or anonymized.

The legal basis for this processing is Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the proper, stable, and secure operation of our website.

Our website is hosted on servers operated by Strato AG, Pascalstraße 10, 10587 Berlin, Germany, which acts as a data processor on our behalf pursuant to Art. 28 GDPR. All servers are located in Germany. No data is transferred to third countries.

⚠ Right to object: Where processing is based on Art. 6(1)(f) GDPR, you have the right to object at any time on grounds relating to your particular situation (Art. 21 GDPR).

2. Contact (Email and In-App Contact Form)

If you contact us by email (e.g. at help@rondre.com) or via the in-app Contact form, the personal data you provide — such as your email address, the content of your message, and any optional file attachment (PDF or image) — will be stored and used solely to handle your enquiry.

When you use the in-app Contact form, your email address (pre-filled from your account if available) and message are required. You may optionally attach a file (PDF or image). The attachment is transmitted to us via our email infrastructure (Strato AG, Germany) and is not stored on our servers; it is only included in the email we receive.

We may retain your contact data in an internal request management tool. We review retention necessity every two years; statutory archiving obligations may require longer retention.

The legal basis is Art. 6(1)(f) GDPR (our legitimate interest in properly handling your enquiry) and, where applicable, Art. 6(1)(a) GDPR (your consent). You may withdraw consent at any time with effect for the future by contacting us at the details in Section II.

3. Use of the rondre App

When you download and use the rondre App, the following personal and usage data are collected and processed on our servers. Our servers are operated by Strato AG, Germany, acting as a data processor pursuant to Art. 28 GDPR.

3.1 Account Identifier (Device ID)

When you first open the rondre App, a unique 25-character identifier ("Profile ID") is automatically generated on your device and stored locally. This identifier is transmitted to our servers with every API request and serves as your account ID. It is generated from a timestamp and random characters and contains no personally identifiable information by itself.

We also record the date your account was created (account_created_at) and the date of your most recent app launch (account_last_login) to operate your account and detect inactive accounts eligible for deletion (see Section 3.6).

The legal basis is Art. 6(1)(b) GDPR — processing is necessary to provide you with the Service.

We additionally declare the collection of your device identifier in our App's Privacy Manifest (PrivacyInfo.xcprivacy) in accordance with Apple's requirements, categorized as "App Functionality" and not used for tracking.

3.2 Email Address (optional)

You may voluntarily link an email address to your account for the sole purpose of account recovery (i.e. restoring access to your data on a new device). Providing an email address is entirely optional and not required to use any core feature of rondre.

When you provide your email address, we send a 6-digit verification code to that address via our email service provider (Strato AG SMTP servers, Germany). The verification code is stored temporarily in our database and deleted immediately after successful verification. We store your email address and verification status (account_email, account_email_verified) on our servers.

You may remove your linked email address at any time within the App, as long as it has not yet been verified. After verification, you may contact us at help@rondre.com to request removal.

The legal basis is Art. 6(1)(a) GDPR (your explicit, voluntary consent). You may withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We declare the collection of email addresses in our App's Privacy Manifest (PrivacyInfo.xcprivacy), categorized as "App Functionality" and not used for tracking.

3.3 Financial Data (Transactions and Categories)

The core functionality of rondre is to record and organize your personal financial data. When you use the App, the following data is collected and stored on our servers:

• Transaction name, amount, and date
• Category name, search keywords ("needles"), time period setting, and optional monthly budget
• Book name and associated settings

This data is associated with your account via your Profile ID. It is used solely to provide the App's finance tracking features and is never used for advertising, profiling, or any purpose other than operating the Service.

We declare the collection of financial information in our App's Privacy Manifest (PrivacyInfo.xcprivacy), categorized as "App Functionality" and not used for tracking.

The legal basis is Art. 6(1)(b) GDPR — processing is necessary to perform the contract (i.e. to provide you with the Service's core features).

Your financial data is stored for as long as your account and the corresponding book exist. You may delete individual transactions or categories within the App at any time. Deleting a book permanently removes all associated transactions, categories, and uploads from our servers.

3.4 Uploaded Files (CSV and PDF)

If you choose to upload a CSV file or a PDF bank statement, the file is transmitted to our servers over an encrypted HTTPS connection and stored temporarily for processing. Uploaded files are associated with your account and stored in a secure directory on our servers (operated by Strato AG, Germany). File metadata (type, filename, upload date, processing status, error reason) is stored in our database.

Uploaded files may contain sensitive financial data. We process them solely for the purpose of automatically importing transactions into your account. Files that have been successfully processed may be removed from our servers periodically; we do not retain them for any other purpose.

The legal basis is Art. 6(1)(b) GDPR — processing is necessary to provide the file import feature you have chosen to use.

3.5 API Access Logs and Security

All communication between the App and our servers occurs over HTTPS (TLS encryption). Every API request is additionally signed with HMAC-SHA256 to prevent unauthorized access. Our servers (Strato AG, Germany) may log standard server-side access data (e.g. IP address, timestamp, request type) for the purposes of security, abuse prevention, and system integrity.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and lawful operation of our systems, prevention of unauthorized access, and protection of our users' data.

Access log data is retained only as long as necessary for the stated security purposes and is deleted or anonymized within 7 days thereafter.

⚠ Right to object: Where processing is based on Art. 6(1)(f) GDPR, you have the right to object at any time on grounds relating to your particular situation (Art. 21 GDPR). However, where log data is strictly necessary for the security and lawful operation of the Service, an objection may not be fully implementable.

3.6 Inactive Account Deletion

We reserve the right to delete free accounts that have shown no app activity (no API calls) for at least six consecutive months. We record account_last_login for this purpose. The legal basis is Art. 6(1)(f) GDPR — our legitimate interest in maintaining a clean and secure database, and Art. 6(1)(b) GDPR — as outlined in our Terms of Use.

3.7 Profile Name and Profile Image

You may optionally set a display name and upload a profile image within the App. Both are entirely voluntary and not required to use any feature of rondre.

• Profile name: A text name of up to 25 characters, stored in our database (account_name).
• Profile image: An image file uploaded by you, which is processed server-side (resized to a maximum of 400×400 pixels and converted to JPEG format) and stored on our servers (operated by Strato AG, Germany) at a path linked to your account (assets/users/YYYY-MM-DD/PROFILEID.jpg).

If you have set a profile name or profile image, these are displayed alongside transactions you create to the other members of any shared book you belong to. They are not publicly accessible beyond your shared books.

You may delete your profile name and profile image at any time within the App. Deletion removes the data from our servers immediately.

The legal basis for processing your profile name and profile image is Art. 6(1)(a) GDPR — you provide this data voluntarily. You may withdraw your consent at any time by deleting your profile name or image within the App. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

3.8 Bank Support Requests

Within the Bank Statement upload screen, you may submit a bank support request via the "Bank not supported?" option. When you do so, the following data is collected:

• Your email address (required, for us to respond to your request)
• A message describing your bank (required)
• A PDF bank statement from the bank in question (required)

The submitted PDF bank statement may contain sensitive financial data (e.g. transaction history, account number, IBAN, your full name). We process this file solely to evaluate whether support for the submitted bank can be implemented in a future version of rondre. The PDF is transmitted directly via our email infrastructure (Strato AG, Germany) as an attachment and is not stored on our servers. Your email address and message are transmitted and stored via our email infrastructure (Strato AG, Germany) and are subject to the same retention review as other contact data (see Section III.2).

We will not use any data submitted through bank support requests for any purpose other than evaluating bank compatibility. Financial data contained in the PDF will not be extracted, processed, or stored beyond what is technically necessary for that evaluation.

The legal basis is Art. 6(1)(a) GDPR — you provide this data voluntarily by explicitly choosing to submit the request. You may contact us at help@rondre.com at any time to request early deletion of a submitted file.

4. Shared Books

rondre allows you to share a book with other users using a Share ID and Share Password. When you share a book or join a shared book, all members of that book can view and modify its contents (transactions, categories). The data processing described in Sections 3.3, 3.4, and 3.7 applies equally to shared book data. You are responsible for deciding with whom you share your book credentials.

If you have set a profile name or profile image, these will be visible to all members of any shared book you create transactions in. Please be aware of this before setting profile information.

When a book is deleted, all associated data is permanently removed from our servers and from all members' accounts. The legal basis for this processing is Art. 6(1)(b) GDPR.

5. rondre+ Subscription (In-App Purchase)

rondre offers an optional premium subscription ("rondre+") purchasable through the Apple App Store (iOS) and Google Play Store (Android). We do not directly process any payment data. All payment processing, billing, and subscription management are handled exclusively by Apple Inc. or Google LLC through their respective platforms.

We receive a confirmation of your subscription status from the respective platform (active, cancelled, expired, etc.) and store a premium status flag (account_premium) in our database to enable premium features in the App. We do not receive your payment card details, billing address, or other payment information.

We use RevenueCat, Inc. (USA) as a subscription management service to validate and manage subscription entitlements on our behalf. RevenueCat receives your device identifier and purchase receipts from Apple or Google to determine and track your subscription status. RevenueCat acts as a data processor on our behalf (see Section VI.1). Data is transferred to the United States under Standard Contractual Clauses (see Section VI.4).

For Apple's data processing in connection with App Store purchases, please refer to Apple's Privacy Policy. For Google's data processing in connection with Google Play purchases, please refer to Google's Privacy Policy.

The legal basis for storing your subscription status is Art. 6(1)(b) GDPR — processing is necessary to provide the rondre+ features you have subscribed to.

6. App Tracking Transparency (ATT)

On iOS, rondre requests the App Tracking Transparency (ATT) permission as required by Apple's App Tracking Transparency framework. We want to be clear: rondre does not track you across apps or websites owned by other companies, and we do not use your data for advertising or cross-app tracking of any kind. We do not share your data with advertising networks or data brokers. The App functions identically regardless of your ATT choice.

This is confirmed in our App's Privacy Manifest (PrivacyInfo.xcprivacy), where NSPrivacyTracking is set to false. All data categories declared in the manifest are categorized exclusively as "App Functionality".

IV. Cookies

The rondre App does not use cookies. As a native mobile application, it communicates with our servers through HTTPS API calls with request signing (HMAC-SHA256) and does not rely on any cookie-based mechanisms.

Our website rondre.com does not currently use cookies for analytics, marketing, or advertising purposes. Standard server log files may be maintained for security and operational purposes as described in Section III.1. If we introduce cookies in the future, this Privacy Policy will be updated accordingly.

V. Your Rights

1. Overview

In addition to the right to withdraw any consent you have given us, you are entitled — subject to the applicable legal requirements — to the following rights under the GDPR:

• Right of access (Art. 15 GDPR): You may request information about the personal data we hold about you, including the purposes of processing, categories of data, recipients, planned storage period, and the origin of your data.
• Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data or the completion of incomplete data.
• Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data, unless statutory or contractual retention obligations or other legal grounds require further storage. Within the App, you can delete your data at any time by deleting all your books.
• Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data in certain circumstances.
• Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a commonly used, machine-readable format, or to request its transfer to another controller.
• Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. As a rule, you may contact the supervisory authority at your habitual residence, place of work, or our registered office (Germany: Landesbeauftragte für Datenschutz und Informationsfreiheit NRW, ldi.nrw.de).

To exercise any of these rights, please contact us at help@rondre.com. We will respond within the statutory period (generally one month).

California Users (CCPA): We do not sell your personal information. You have the right to know what personal information we collect and the right to delete it (available within the App by deleting all books, or by contacting us).

2. Right to Object

Under the conditions of Art. 21(1) GDPR, you may object to data processing based on Art. 6(1)(f) GDPR (legitimate interest) on grounds relating to your particular situation. We are then obligated to cease that processing unless we can demonstrate compelling legitimate grounds which override your interests, or the processing is necessary for the establishment, exercise, or defense of legal claims. The right to object applies in particular to the processing described in Sections III.1, III.3.5, and III.3.7 of this Privacy Policy.

VI. Disclosure to Third Parties

We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertising networks, analytics providers, or data brokers. We only disclose data to the extent described below:

1. Data Processors (Art. 28 GDPR)

We use the following service providers who process personal data on our behalf under a data processing agreement (Art. 28 GDPR):

• Strato AG, Pascalstraße 10, 10587 Berlin, Germany — web hosting, database hosting, and email delivery (SMTP) for verification codes. All servers are located in Germany.
• RevenueCat, Inc., 633 Tasman Drive, San Jose, CA 95134, USA — subscription status validation and entitlement management for rondre+. RevenueCat processes device identifiers and purchase receipts received from Apple and Google on our behalf. Data is processed in the United States under Standard Contractual Clauses (Art. 46(2)(c) GDPR). For details, see RevenueCat's Privacy Policy.

These service providers have access to personal data only to the extent necessary to perform their tasks, are bound by contractual data protection obligations, and may not use the data for any other purpose.

2. Apple Inc. and Google LLC (App Store Distribution)

Our App is distributed via the Apple App Store and Google Play Store. Apple and Google may process certain technical data in connection with the download and use of the App under their respective privacy policies. We do not control this processing. Please refer to:

• Apple Privacy Policy
• Google Privacy Policy

3. Legal Obligations

We may disclose personal data if required by law, court order, or official governmental authority, or if necessary to protect our rights or the rights and safety of our users.

4. Transfers to Third Countries

Your personal data is primarily processed in Germany by Strato AG. However, the following transfers to third countries outside the EEA occur:

• RevenueCat, Inc. (USA): Device identifiers and purchase receipts are transferred to RevenueCat in the United States for subscription management purposes. This transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).
• Apple Inc. / Google LLC (USA): Where Apple or Google process data in the USA in connection with App Store distribution or in-app purchases, this occurs under their own privacy policies and, where applicable, subject to the EU–US Data Privacy Framework or Standard Contractual Clauses.

VII. Data Security

We take appropriate technical and organizational measures to protect your personal data against loss, theft, unauthorized access, disclosure, alteration, or destruction. In particular: all data transmission between the App and our servers uses HTTPS (TLS encryption); every API request is signed with HMAC-SHA256; access to our databases is restricted to authorized systems; and our servers are hosted in Germany by Strato AG in accordance with German and EU data protection standards. Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We encourage you to keep your Profile ID and any linked credentials confidential.

VIII. Children's Privacy

rondre is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information through the App, please contact us at help@rondre.com so we can delete it promptly. Although rondre is rated 4+ on the App Store, the Service is intended for use by adults and responsible for managing personal finances.

IX. Data Retention Summary

X. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will indicate any changes by updating the "Last updated" date at the top of this page. For material changes that significantly affect your rights or the way we process your data, we will notify you within the App where technically feasible. We encourage you to review this page periodically. Continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

XI. Contact

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have a data protection concern, please contact us:

rondre
Inh. Andreas Krause
Zechenstr. 5
51103 Cologne, Germany
Tel: +49 (0)221 80090637
Email: help@rondre.com