
Privacy Policy

Effective: March 2, 2026 · Last updated: March 15, 2026

1. Data Controller

The controller responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:

GearBuddy

c/o GAM

Pappelallee 64

10437 Berlin

Germany

For privacy-related inquiries, please contact us at privacy@gearbuddy.pro. For general support, contact support@gearbuddy.pro.

2. Data We Collect

We collect and process the following categories of personal data in connection with your use of the Service:

2.1 Account Data

When you create an account, we generate a unique internal user identifier and collect your display name and email address. Your display name is the name you choose to be shown within the app and is visible to other users for collaboration purposes (e.g., crew sharing). If you sign in via Apple or Google, we receive only the data you authorize those providers to share. A verification email is sent to your address via our transactional email provider (Resend).

2.2 Profile Data

You may personalize your profile by selecting an emoji and color. Your display name, emoji, and color are visible to other authenticated users and can be found via the in-app search function (minimum 3 characters required). This data is stored to identify you within collaborative features such as crew sharing.

2.3 Gear Data

Information you enter about your equipment, including item name, brand, model, category, quantity, serial number, purchase date, and purchase price.

2.4 Rental Data

When you create a rental, we collect the renter's name, email address, and phone number, as well as rental dates, pricing, and deposit amounts. You are responsible for ensuring you have a lawful basis to provide third-party contact information to us.

2.5 Shoot Data

Shoot details you create within the app, including dates, locations, status, and associated packing lists that reference your gear items.

2.6 AI Interaction Data

If you use AI-powered features, the content of your voice or text input is transmitted to third-party AI providers for processing. Voice input is transcribed using speech-to-text services. We do not store AI conversation history beyond the duration of your active session, and we do not use your AI interactions to train third-party models.

2.7 Analytics Data

We collect pseudonymized usage data, including screen views and feature usage events, using an internal identifier that is not linked to your name or email address. Analytics data is retained on a 12-month rolling basis and automatically deleted thereafter.

3. Authentication

GearBuddy supports the following sign-in methods, all managed through Supabase Auth:

  • Apple Sign-In — Uses Apple's OAuth flow. We receive only the data you explicitly authorize Apple to share (typically your name and email, or a private relay address).
  • Google Sign-In — Uses Google's OAuth flow via Supabase Auth. We receive your name and email address as authorized by Google.
  • Email and Password — Your password is salted and hashed using bcrypt with a work factor of 12 before storage. We never store plaintext passwords.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

Purpose | Legal Basis | Details
Providing and operating the Service | Performance of contract (Art. 6(1)(b)) | Processing is necessary to deliver the features you signed up for, including gear management, rentals, shoots, and collaboration.
AI-powered features | Performance of contract (Art. 6(1)(b)) | When you use AI features, processing your input is necessary to deliver the requested functionality.
Product analytics | Legitimate interest (Art. 6(1)(f)) | Pseudonymized usage data helps us understand how the app is used and identify areas for improvement. You may object to this processing at any time by contacting us at privacy@gearbuddy.pro.
Push notifications | Consent (Art. 6(1)(a)) | Sent only if you grant notification permission on your device. You may revoke consent at any time through your device settings or in-app notification preferences.
Marketing communications | Consent (Art. 6(1)(a)) | Sent only with your explicit opt-in during onboarding. You may withdraw consent at any time in Settings.

5. Data Processors and Third-Party Services

We engage the following third-party service providers to process data on our behalf. Each processor is bound by a data processing agreement in compliance with Art. 28 GDPR:

Service | Data Processed | Hosting Region | Purpose
Supabase | All user data, authentication tokens | EU West (Ireland) | Database, authentication, real-time synchronization, push notification delivery
Amazon Web Services (AWS) | AI requests (voice/text input) | EU North (Stockholm) | Cloud hosting for AI backend services
OpenAI | Voice transcriptions, text prompts | United States | AI language model processing and speech-to-text transcription
PostHog | Pseudonymized analytics events | EU | Product analytics and usage insights
Resend | Email address | United States | Transactional, verification, and marketing confirmation email delivery
Loops | Email address, subscription status | United States | Marketing email campaigns and onboarding sequences
Stripe | Payment and subscription data | United States | Payment processing and subscription billing

6. International Data Transfers

Your core data (account, gear, rentals, shoots) is stored exclusively within the European Union. However, certain processing activities require the transfer of data to service providers located outside the EU/EEA:

  • OpenAI (United States) — When you use AI features, your voice or text input is transmitted to OpenAI for processing. This transfer is conducted on the basis of the EU-U.S. Data Privacy Framework, under which OpenAI is a certified participant, and is further supported by Standard Contractual Clauses (SCCs) as adopted by the European Commission.
  • Resend (United States) — Your email address is transmitted to Resend for the purpose of delivering verification, transactional, and marketing confirmation emails. This transfer is conducted on the basis of Standard Contractual Clauses (SCCs).
  • Loops (United States) — Your email address and subscription status are transmitted to Loops for the purpose of delivering marketing email campaigns and onboarding sequences. This transfer is conducted on the basis of Standard Contractual Clauses (SCCs). You may unsubscribe at any time via the link in every email or through the app settings.
  • Stripe (United States) — Payment and subscription data is transmitted to Stripe for payment processing and billing management. This transfer is conducted on the basis of the EU-U.S. Data Privacy Framework, under which Stripe is a certified participant, and is further supported by Standard Contractual Clauses (SCCs).

We do not transfer personal data to any country outside the EU/EEA unless an adequate level of protection is ensured through one of the mechanisms described above or another safeguard recognized under Chapter V of the GDPR.

7. Data Retention

We retain your personal data only for as long as is necessary for the purposes described in this Policy, or as required by applicable law:

Data Type | Retention Period
Account, gear, rental, and shoot data | Retained for the lifetime of your account. Upon account deletion, you may choose a 14-day grace period (during which you may reactivate your account) or immediate permanent deletion. In both cases, all data is permanently and irreversibly deleted.
AI interaction data | Not persisted beyond the active session. No conversation history is stored.
Analytics events | 12-month rolling window; automatically deleted after 12 months.
Subscription records | Retained for the duration of your account for billing reconciliation and audit purposes.

8. Your Rights Under the GDPR

As a data subject under the GDPR, you are entitled to the following rights. To exercise any of these rights, please contact us at privacy@gearbuddy.pro. We will respond to your request within 30 days.

  • Right of access (Art. 15) — You may request a complete copy of your personal data by contacting us at privacy@gearbuddy.pro. Please include your account ID, which you can find under Settings > Legal in the app.
  • Right to rectification (Art. 16) — You may correct inaccurate or incomplete personal data at any time through the app.
  • Right to erasure (Art. 17) — You may delete your account from Settings, with the option to keep your data for 14 days or delete everything immediately. All associated data is permanently and irreversibly deleted.
  • Right to data portability (Art. 20) — You may request your data in a structured, commonly used, machine-readable format by contacting us at privacy@gearbuddy.pro.
  • Right to object (Art. 21) — You may object to processing based on legitimate interest (e.g., analytics) by contacting us at privacy@gearbuddy.pro. Upon receiving your request, we will cease processing the relevant data without undue delay.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent (e.g., marketing emails, push notifications), you may withdraw consent at any time through the app settings or by contacting us. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint (Art. 77) — You have the right to lodge a complaint with a data protection supervisory authority. If you are located in the EU, you may contact the authority in your country of residence. Our competent authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)

Postfach 20 04 44, 40102 Düsseldorf

Kavalleriestraße 2–4, 40213 Düsseldorf

Phone: +49 211 38424-0

Email: poststelle@ldi.nrw.de

Web: www.ldi.nrw.de

9. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to: encryption of all data in transit using HTTPS/TLS; authentication via signed JSON Web Tokens (JWT); password hashing with bcrypt using a work factor of 12; storage of authentication tokens in the iOS Keychain, which provides hardware-level encryption; and row-level security (RLS) policies on all database tables ensuring users can only access their own data.

While we strive to protect your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.

10. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects concerning you within the meaning of Art. 22 GDPR. AI features within the Service are used solely to assist you with gear management tasks at your explicit request and do not make autonomous decisions on your behalf.

11. Children's Privacy

The Service is not directed at, and we do not knowingly collect personal data from, individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a person under 16, we will take steps to delete such data promptly. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@gearbuddy.pro.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes, we will notify you via email or in-app notification at least 30 days before the revised policy takes effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy. We encourage you to review this page periodically.


Questions about your data? Contact us at privacy@gearbuddy.pro
