Privacy Policy
This Privacy Policy applies to the website sightsnap.de and the mobile app SightSnap (together, the "Service"). It informs you about which personal data we collect, how we use it, how long we store it and which rights you have.
This Privacy Policy is a translation of the German original for the convenience of English-speaking users. In case of any discrepancy, the German version shall prevail.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:
Dr. Steffen Klarmann
Burgmagerbein 28
86657 Bissingen
Germany
Email: kontakt@sightsnap.de
2. General Information on Data Processing
2.1 Scope of Processing
We generally process personal data of our users only to the extent necessary to provide a functional website and app and their content and services. Processing occurs only with consent or where permitted by law.
2.2 Legal Bases
- Art. 6 (1) (a) GDPR – consent (e.g. analytics, location access)
- Art. 6 (1) (b) GDPR – performance of a contract (e.g. account creation)
- Art. 6 (1) (f) GDPR – legitimate interest (e.g. server logs for security)
- § 25 (1) TDDDG – consent for storing and reading information on end devices (cookies)
2.3 Data Deletion and Storage Duration
Personal data is deleted as soon as the purpose of storage ceases to exist or a legally prescribed retention period expires. Specific periods can be found in the respective sections below.
3. Provision of the Website (Server Logs)
When our website is accessed, information is automatically captured by our hosting provider (ALL-INKL.COM) and stored in server log files.
Captured:
- IP address (stored truncated)
- date and time of access
- URL accessed and HTTP status code
- amount of data transferred
- browser type, browser version, operating system
- referrer URL
Purpose: ensuring smooth operation, protection against attacks.
Legal basis: Art. 6 (1) (f) GDPR.
Storage duration: generally 7 days, at most 30 days for security analysis.
4. Hosting
The website is hosted by ALL-INKL.COM – Neue Medien Münnich (Hauptstraße 68, 02742 Friedersdorf, Germany). Technically necessary connection data is processed (see server logs). A data processing agreement under Art. 28 GDPR is in place with the provider.
The app's backend (api.sightsnap.de) is also hosted at ALL-INKL.COM in Germany. Data transmission between app and server is encrypted (HTTPS/TLS).
5. Cookies and Comparable Technologies
We use cookies and comparable technologies (e.g. Local Storage) to ensure the functionality of the website and – with your consent – to evaluate use in pseudonymous form.
5.1 Technically Necessary Storage
We store your cookie decision in your browser's Local Storage (key: sightsnap_cookie_consent). Without this storage we would need to ask for your consent again on every visit.
Legal basis: § 25 (2) no. 2 TDDDG (technically required).
Storage duration: until revocation by you.
5.2 Cookies Subject to Consent (Google Analytics)
Cookies and identifiers from Google Analytics are only set if you expressly click "Accept all" in the cookie banner. You can revoke your consent at any time via the "Cookie settings" link in the footer.
5.3 Overview of Cookies and Storage Objects Used
| Name | Provider | Purpose | Storage Duration | Legal Basis |
|---|---|---|---|---|
| sightsnap_cookie_consent | SightSnap (Local Storage) | stores your cookie decision | until revocation | § 25 (2) no. 2 TDDDG |
| _ga | Google Ireland Ltd. | user differentiation (Client ID) | up to 24 months | Art. 6 (1) (a) GDPR, § 25 (1) TDDDG |
| _ga_70T1QMG6KV | Google Ireland Ltd. | session state for GA4 property | up to 24 months | Art. 6 (1) (a) GDPR, § 25 (1) TDDDG |
6. Web Analysis with Google Analytics 4 (Website Only)
On this website we use Google Analytics 4, a web analytics service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, USA). Google Analytics allows us to analyse user behaviour on our website in pseudonymous form and to improve our offering.
6.1 Processed Data
- truncated IP address (IP truncation is performed by GA4 automatically before storage)
- device information (device type, operating system, browser, screen resolution)
- geographic origin (country/city, derived from the truncated IP)
- referrer URL
- interactions with the website (page views, clicks, dwell time, scroll depth)
- pseudonymous Client ID (cookie)
6.2 Purpose
Statistical analysis of website usage, reach measurement, improvement of the offering.
6.3 Legal Basis
Consent according to Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time with effect for the future.
6.4 Storage Duration
At Google: max. 14 months from last activity (GA4 default setting). Cookies in your browser: up to 24 months.
6.5 Third-Country Transfer
Transfer to the USA (Google LLC) cannot be excluded. Google is certified under the EU-US Data Privacy Framework. If personal data is transferred to third countries outside the scope of the EU-US Data Privacy Framework, Google has committed to comply with EU Standard Contractual Clauses.
6.6 Revocation of Consent
You can revoke your consent at any time with effect for the future by using the "Cookie settings" link in the footer of this website and deactivating Google Analytics.
6.7 Non-Activated Functions
In our GA4 property, the following functions are not activated: Google Signals, advertising functions / remarketing, demographic reports and interest categories, link with Google Ads. There is therefore no processing for advertising purposes or for cross-device tracking.
7. Data Processing in the SightSnap App
The following sections additionally apply to the mobile SightSnap app (iOS / Android).
7.1 Authentication (Firebase Authentication)
For login and management of your user account we use Firebase Authentication, a service of Google Ireland Limited.
Processed data: email address, encrypted password, unique user ID (UID), login times, device information. When logging in via "Sign in with Apple" or "Google Sign-In", additionally the identity information provided by the respective provider.
Purpose: account creation, login, security.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
Storage duration: until deletion of your account.
Privacy Firebase: https://firebase.google.com/support/privacy
7.2 Protection Against Abuse (Firebase App Check)
We use Firebase App Check (Apple App Attest on iOS, Google Play Integrity on Android) to ensure that requests to our servers only originate from genuine, unmanipulated installations of our app.
Processed data: anonymous device / app attestation tokens (no personal data in clear text).
Purpose: protection against abuse, bot requests and manipulated app versions.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the security of our service).
7.3 Location Data (Core Functional Principle)
Location data is the core functional principle of SightSnap: the app detects based on your GPS position whether you are within the radius of a point of interest and unlocks the corresponding card for manual confirmation.
Three types of location processing:
(a) Live location during app use
While you have the app open, we process your current GPS position to show you nearby cards (Local Snaps) and to check whether you are within the collecting radius (approx. 500 metres) of a point of interest.
- Processed data: current GPS coordinates (latitude and longitude)
- Purpose: displaying nearby points of interest, unlocking collectible cards
- Legal basis: Art. 6 (1) (a) GDPR (consent via system dialog) and Art. 6 (1) (b) GDPR (necessary for the performance of the contract)
- Storage duration: the live location is processed exclusively while the app is in use and not stored permanently
(b) Background location during active "Live Snap" session
If you start the optional "Live Snap" function, the app processes your position even when the app is not in the foreground. While Live Snap is active, a visible indicator is permanently shown in the system status bar. The app uses geofencing to notify you as soon as you approach a point of interest.
- Processed data: current GPS coordinates
- Purpose: location-based notification when approaching a point of interest
- Legal basis: Art. 6 (1) (a) GDPR (explicit consent – background location must be expressly enabled by the user and confirmed via the system dialog with "Always allow")
- Storage duration: no permanent storage; processing only during the active Live Snap session
- Revocation: you can end Live Snap at any time in the app and revoke the "Always allow" permission in the system settings of your device
(c) Location when collecting a card or creating a check-in
When you collect a card or create a check-in (see 7.5), we store the approximate location and time alongside the card/check-in.
- Processed data: approximate GPS coordinates and timestamp of the collecting / check-in process, linked to your user ID and the collected card
- Purpose: displaying the collection in your gallery, personal collection history, challenge evaluation, protection against manipulation (e.g. GPS spoofing), display within "Follow Me"
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract)
- Storage duration: until deletion of the respective card/check-in or your account
Important note on movement profiles:
The collection history can allow conclusions about places visited and times. This data is not used for advertising purposes or for profiling outside the app. You can delete individual collected cards or your entire collection at any time.
Revocation:
You can revoke location access at any time via the system settings of your device. Please note that the app cannot be used in its core function (collecting cards) without location access.
7.4 Collected Cards and Progress
Processed data: IDs of the collected cards, time of collection, approximate GPS position at the time of collection (see 7.3 c), completed challenges, unlocked tours and benefits – linked to your user ID.
Purpose: providing the collecting function, cross-device synchronisation, personal collection history, triggering benefits.
Legal basis: Art. 6 (1) (b) GDPR.
Storage duration: until deletion of the respective card or your account.
7.5 Community and Social Functions (Follow Me, Check-Ins, Notes)
The app contains optional community functions with which you can make content visible to other users.
(a) Public notes and ratings
You can leave a public note and a rating for each collected card. These are visible to other users.
- Processed data: note text, rating (stars), timestamp, linked to your user ID
- Legal basis: Art. 6 (1) (a) GDPR (consent through active publishing)
- Storage duration: until you delete the content yourself, delete your account or the content is removed after a report
(b) Profile picture and profile name
You can optionally set a profile picture and a profile name, which are visible to other community users.
- Processed data: profile picture (file), profile name, linked to your user ID
- Storage location: on our server (api.sightsnap.de) at ALL-INKL.COM, Germany
- Legal basis: Art. 6 (1) (a) GDPR (voluntary)
- Storage duration: until deletion by you or upon account deletion
(c) Follow Me (trip sharing)
"Follow Me" is an optional function that must be expressly activated per trip plan. When activated, selected community friends can see which cards you collect during the trip period, including location and time. You decide whether the content is visible to all or only selected friends.
- Processed data: collection activity (card, location, time), optional trip photos and check-ins (see d and e)
- Visibility: exclusively during the trip period; no longer visible to other users after the trip ends
- Legal basis: Art. 6 (1) (a) GDPR (express activation per trip)
- Storage duration: until you delete the trip or your account
(d) Trip photos
During an active Follow Me trip, you can upload photos. By default these are private. You must explicitly release them for viewing by your Follow Me friends.
- Processed data: image file, timestamp, link to a collected card
- Storage location: on our server (api.sightsnap.de) at ALL-INKL.COM, Germany
- Legal basis: Art. 6 (1) (a) GDPR (consent through active upload and, where applicable, release)
- Storage duration: until you delete the photo yourself, delete your account or the photo is removed after a report
(e) Check-ins
Per collected card, you can optionally create a check-in containing the location, a timestamp, an optional note and an optional photo. Check-ins are visible to selected friends within Follow Me.
- Processed data: location, timestamp, optional note text, optional photo file
- Legal basis: Art. 6 (1) (a) GDPR (consent)
- Storage duration: as under (d) or (c)
(f) Reporting and blocking
You can report any publicly visible content of another user (notes, trip photos, check-in photos). When reporting, we process the reason for the report, an optional free-text description as well as the link to the reported content and to the reported user. You can also block other users.
- Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in protecting the community and statutory moderation obligations)
- Storage duration: reports are stored until processed and, where applicable, beyond for documentation purposes (usually up to 6 months)
7.6 Usage Statistics in the App (Firebase Analytics)
The app uses Firebase Analytics of Google Ireland Limited to collect anonymous usage statistics (e.g. which screens are accessed, technical device information). These help us to detect errors and improve the app.
- Processed data: pseudonymous app instance ID, screen views, device/OS information, app version, country (derived from IP)
- Purpose: function analysis, error diagnosis, improvement of the app
- Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in technical improvement of the app)
- Advertising/Tracking deactivated: we do not use any link with Google Ads, no advertising IDs (IDFA/AAID) and no cross-app tracking functions
- Third-country transfer: transfer to the USA (Google LLC) cannot be excluded; Google is certified under the EU-US Data Privacy Framework
- Privacy Firebase: https://firebase.google.com/support/privacy
7.7 Crash Reports (Firebase Crashlytics)
The app uses Firebase Crashlytics to capture crash reports.
- Processed data: stack trace, app version, device/OS information, crash timestamp; no personal content from within the app
- Purpose: detection and resolution of program errors
- Legal basis: Art. 6 (1) (f) GDPR
7.8 Push Notifications (Firebase Cloud Messaging)
The app may send you push notifications (e.g. about nearby cards, Live Snap hits, community activity). For this we use Firebase Cloud Messaging.
- Processed data: device token (pseudonymous identifier), associated user ID
- Legal basis: Art. 6 (1) (a) GDPR (consent via system dialog upon first notification)
- Revocation: you can deactivate push notifications at any time in your device's system settings
8. External Map and Geocoding Services
The app loads map tiles and performs address searches via external services. When these services are called, your IP address is necessarily transmitted to the respective provider.
8.1 Stadia Maps
For displaying maps in the app we use map tiles from Stadia Maps Inc. (USA).
- Processed data: IP address, requested map section (tile coordinates), technical headers (browser/app user agent)
- Purpose: displaying maps in the app
- Legal basis: Art. 6 (1) (b) GDPR (necessary for performance of a contract)
- Third-country transfer: USA; Stadia Maps processes data according to its own privacy policy
- Privacy Stadia Maps: https://stadiamaps.com/privacy/
8.2 OpenStreetMap and Nominatim
We use map data from OpenStreetMap and the address and place search service Nominatim (operated by the OpenStreetMap Foundation, United Kingdom).
- Processed data: IP address, search query (e.g. address or hotel name when searching for accommodation in Snap Plan), technical headers
- Purpose: address search, geocoding (conversion of addresses into coordinates)
- Legal basis: Art. 6 (1) (b) GDPR (necessary for performance of a contract)
- Privacy OpenStreetMap Foundation: https://wiki.osmfoundation.org/wiki/Privacy_Policy
9. Affiliate Partners
The app contains so-called affiliate links at various points to the following partners:
- GetYourGuide Deutschland GmbH, Sonnenburger Straße 73, 10437 Berlin, Germany (guided tours and activities)
- Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands (accommodation)
- Airbnb Ireland UC, 8 Hanover Quay, Dublin 2, Ireland (accommodation)
What happens when you click an affiliate link?
- You leave the app and are redirected to the website of the respective partner (in the external browser).
- We transmit only a generic partner identifier (e.g. our affiliate ID and, if applicable, the ID of the offer clicked).
- We do not transmit any personal data (name, email, device ID, user ID) to the partners.
- As soon as you are at the partner, only their privacy policy applies.
- The partner may set its own cookies when visiting its website and process your IP address.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the economic viability of our service) and Art. 6 (1) (a) GDPR (consent through actively clicking the link marked as "partner link").
Privacy policies of the partners:
- GetYourGuide: https://www.getyourguide.com/c/privacypolicy
- Booking.com: https://www.booking.com/content/privacy.html
- Airbnb: https://www.airbnb.de/help/article/2855
10. Data Sharing
We do not transfer your personal data to third parties – except:
- Data processors with whom we have contracts under Art. 28 GDPR:
  - ALL-INKL.COM (hosting website and app backend)
  - Google Ireland Limited / Google LLC (Firebase Authentication, Firebase Cloud Messaging, Firebase Analytics, Firebase Crashlytics, Firebase App Check, Google Analytics)
- External services with their own responsibility whose use technically requires transmitting the IP address (Stadia Maps, OpenStreetMap/Nominatim – see § 8)
- Other users of the app to whom you yourself release content via the community functions (public notes, profile, Follow Me, check-ins) (see § 7.5)
There is no transfer for advertising purposes or for tracking purposes outside the app.
11. Your Rights as Data Subject
You have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR) – "right to be forgotten"
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR) – to processing based on legitimate interests
- Right to revoke consent (Art. 7 (3) GDPR) – revocation of given consents with effect for the future
- Right to lodge a complaint (Art. 77 GDPR) – with a supervisory authority
To exercise your rights please contact us informally at kontakt@sightsnap.de. We generally respond within one month.
11.1 Account and Data Deletion
You can delete your account and all data linked to it at any time:
- directly in the app via the settings
- alternatively via the web form at https://www.sightsnap.de/konto-loeschen
After deletion, all your personal data will be deleted or irrevocably anonymised, unless statutory retention obligations preclude this.
11.2 Competent Supervisory Authority
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de
12. Data Security
We use SSL/TLS encryption (HTTPS) throughout the entire website and for all communication between app and server. We take technical and organisational measures (TOMs) within the meaning of Art. 32 GDPR – including access protection at server and database level, encrypted data transmission and regular security updates – to protect your data against manipulation, loss or unauthorised access.
13. Currency and Changes to this Privacy Policy
This Privacy Policy is currently in force. Due to the further development of the service or changed legal requirements, it may become necessary to adapt this declaration. The current Privacy Policy can be accessed at any time at sightsnap.de/datenschutz.