Privacy Policy
Effective: February 1, 2026 · Last updated: February 2026
1. Data Controller
The data controller responsible for processing your personal data is:
Wilke Bakker
Im Sionstal 13
50678 Köln
Germany
Privacy inquiries: privacy@gearbuddy.pro
General support: support@gearbuddy.pro
2. What Data We Collect
2.1 Account Data
- User ID (generated internally)
- Username
- Email address
2.2 Profile Data
- Profile emoji and color selection
- Subscription plan
2.3 Gear Data
- Item name, brand, model, category
- Quantity, serial number
- Purchase date and purchase price
2.4 Rental Data
- Renter name, email address, phone number
- Rental dates, pricing, and deposit amounts
2.5 Shoot Data
- Gig date, location, status
- Packing list (references to gear items)
2.6 Voice AI Data
- Voice transcripts are processed temporarily in memory
- Automatically deleted after each session (maximum 15 minutes)
- No voice data is stored permanently
2.7 Analytics Data
- Screen views and feature usage events (anonymized)
- Retained on a 12-month rolling basis, then automatically deleted
3. Authentication
GearBuddy supports the following sign-in methods, all managed through AWS Cognito:
- Apple Sign-In — Uses Apple's OAuth flow. We receive only the data you authorize Apple to share.
- Google Sign-In — Uses Google's OAuth flow via AWS Cognito.
- Email and Password — Passwords are hashed using bcrypt with 12 rounds before storage.
4. How We Use Your Data
| Purpose | Legal Basis | Details |
|---|
| Core app features | Contract (Art. 6(1)(b)) | Necessary to provide the service |
| Voice AI processing | Contract (Art. 6(1)(b)) | Feature you actively invoke; data is session-scoped |
| Product analytics | Legitimate Interest (Art. 6(1)(f)) | Anonymized usage data to improve the product |
| Marketing emails | Consent (Art. 6(1)(a)) | Separate opt-in during onboarding |
5. Data Processors
| Service | Data Processed | Region | Purpose |
|---|
| AWS EC2 / PostgreSQL | All user data | eu-north-1 (Stockholm) | Backend & Database |
| AWS Cognito | OAuth tokens | eu-north-1 (Stockholm) | Authentication |
| PostHog | Anonymized analytics | EU | Product analytics |
| OpenAI | Voice transcripts (session only) | US | Voice AI |
| Cloudflare Workers | Audio passthrough | Global | API proxy |
| RevenueCat | User ID, subscription status, transactions | US | Subscription management |
6. Data Retention
| Data Type | Retention Period |
|---|
| Account and gear data | Until account deletion + 14-day grace period |
| Analytics events | 12-month rolling window |
| Voice AI transcripts | Deleted after session (max. 15 minutes) |
7. Your Rights Under GDPR
- Access (Art. 15) — Request a complete export of your data in JSON format.
- Rectification (Art. 16) — Update your data directly within the app.
- Erasure (Art. 17) — Delete your account from Settings. 14-day grace period, then permanent deletion.
- Data Portability (Art. 20) — Export your data in structured JSON format.
- Object (Art. 21) — Toggle off analytics in Settings. Opt out of retargeting via email.
- Withdraw Consent (Art. 7(3)) — Withdraw at any time through app settings.
- Lodge a Complaint — Contact your state data protection authority.
8. Security Measures
- All data in transit encrypted via HTTPS/TLS
- JWT tokens (HS256) for API authentication
- Passwords hashed with bcrypt (12 rounds)
- Authentication tokens stored in iOS Keychain (hardware-encrypted)
9. Children's Privacy
GearBuddy is not intended for use by anyone under 16. We do not knowingly collect personal data from children.
10. Changes to This Policy
For material changes, we will notify you via an in-app notification before the changes take effect.
Questions? Contact us at privacy@gearbuddy.pro