Parroo
EN DE FR

Privacy

Privacy Policy

Effective: March 2026 | Version: 1.1.1
Scope:
Parroo App (iOS & Android) and the accompanying website at www.parroo.app.
This Privacy Policy applies to the use of our mobile application “Parroo” and to visits to our website, unless otherwise stated.

1. Purpose of this Privacy Policy

This Privacy Policy explains which personal data we process when you use our mobile app “Parroo” and for what purposes. It also informs you about your rights as a data subject under the General Data Protection Regulation (GDPR).

2. Controller

Lucky Parrot UG (haftungsbeschränkt)
Kaiser-Joseph-Str. 254
79098 Freiburg im Breisgau
Germany
Registered with: Local Court of Freiburg im Breisgau
Registration number: HRB 733417
Managing Director: Stefanos Parussis
Email: info@parroo.app

The controller within the meaning of the GDPR and other data protection laws is Lucky Parrot UG (haftungsbeschränkt).
For any data protection inquiries, you may contact us at info@parroo.app.

3. General Information on Data Processing

We process personal data only in accordance with applicable data protection laws, in particular the GDPR, the German Federal Data Protection Act (BDSG), and the Telecommunications-Telemedia Data Protection Act (TTDSG).
Personal data means any information relating to an identified or identifiable natural person (Article 4(1) GDPR).
Data is processed only for specified purposes, in accordance with the principles of data minimisation and purpose limitation, and only for as long as necessary to fulfil those purposes.
Our systems are protected by appropriate technical and organisational measures (e.g., TLS encryption, access controls).

Categories of recipients: IT service providers (hosting, debugging), payment and billing processors, and platform operators (Apple, Google).

No personal data is shared or used for advertising or analytics purposes (e.g., Google Analytics, Firebase, Facebook SDK, etc.).
Our app does not contain any tracking or analytics SDKs.

Notice under Section 25 TTDSG

Access to information stored on your device (e.g., location services, local storage, app identifiers) takes place only when technically necessary for providing the app’s features or where you have explicitly consented (Section 25(2) TTDSG).
Consent to location access is obtained through your operating system’s standard permission dialogue. No other technically unnecessary access occurs, and therefore no separate consent management tool is required.
“Technically necessary” access refers to those functions essential to the operation of requested app features (e.g., location display, map loading). No storage or reading of information for analytics or marketing purposes takes place.
Under Section 2(2)(7) TTDSG, the law applies to mobile applications (“apps”). Our app meets the TTDSG’s privacy and device integrity requirements.

4. Collection and Processing of Personal Data

General

Use of the app is generally possible without registration or entering personal data.
Where personal data is processed, this occurs only for the purposes stated in this Policy.
As noted under Section 25 TTDSG, device information is accessed only where technically necessary or where you have explicitly consented.
Crash and error analyses are carried out solely to ensure the app’s stability and security.
You may withdraw your consent at any time with future effect, e.g., by disabling location access in your device settings.

Location Data

If you consent to location access, we process your current location to display map content and nearby points of interest.
Consent is requested via your device’s system permissions. Without consent, no location data is processed.
Location data is used only during the current session, not stored permanently, and not combined with other data.
The map component (Google Maps) loads only after you explicitly consent through your system’s permission prompt. Without consent, no connection to Google is established.
You may withdraw your consent at any time in the app or through your device settings. Upon withdrawal, no further location data is processed, and previously collected data are not stored.
Legal basis: Article 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG (consent).

Device Information and Usage Data

We automatically collect technical data required for the app’s functionality, stability, and security, such as:

  • IP address (where technically necessary, anonymised),
  • Device ID, operating system version, app version,
  • Timestamps and error messages.

Processing is pseudonymised and not linked to identifiable users. Temporary IP processing is technically required for app provision (Article 6(1)(f) GDPR — legitimate interest in technical operation).
A randomly generated technical identifier is used solely for error analysis and cannot identify you personally.
Statistical evaluations are made only in aggregate, non-personal form (e.g., crash counts per app version).

Legal basis: Article 6(1)(f) GDPR.
Our legitimate interest lies in maintaining stability, security, and improvement of the app.
Your interests do not override ours since no personal usage profiles are created and data is processed pseudonymously.

Retention: Data are anonymised or deleted within 90 days unless statutory retention obligations apply.

Crash and Error Reports (Sentry)

We use Sentry, operated by Functional Software Inc., 45 Fremont Street, San Francisco, CA 94105, USA, to identify and analyse technical errors.
Processing takes place in the EU region (Frankfurt am Main). IP addresses are automatically anonymised, and no personally identifiable data are stored.
Where technically possible, anonymisation occurs before transmission.

Processed data:

  • Device type, OS version, app version
  • Timestamps and error messages
  • Technical ID (pseudonymised)
  • IP address (short-term, automatically anonymised)

We have entered into a Data Processing Agreement (DPA) under Article 28 GDPR.
Some administrative data processing may occur in the USA. Such transfers are based on the EU Standard Contractual Clauses (SCCs) (Module 2, Commission Decision (EU) 2021/914) and, where applicable, the EU–U.S. Data Privacy Framework.
Despite these safeguards, an isolated risk of unlawful access by U.S. authorities cannot be entirely excluded.
A copy of the SCCs can be requested via info@parroo.app.

Legal basis: Article 6(1)(f) GDPR (legitimate interest in error analysis and stability).
Further information: https://sentry.io/privacy

Map Display (Google Maps API)

Our app uses Google Maps to display map content.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When you use the map function, a connection to Google’s servers is established. Google may process personal data (e.g., IP address, location data) and may transfer it to the USA.
Google acts as an independent controller under the GDPR; there is no joint controllership under Article 26 GDPR.

International transfers are governed by Google’s incorporation of the EU Standard Contractual Clauses (SCCs) in its Data Protection Terms.
For users in the EEA, UK, and Switzerland, Google assumes all SCC obligations.
Despite contractual and technical safeguards, a residual risk of access by foreign authorities cannot be fully excluded.
A copy of the SCCs can be requested via info@parroo.app.

Legal basis: Article 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG (consent).

The map component only loads after you have granted location access through your device settings. Separate consent for data transfers to Google is not required, as the map display does not use tracking cookies. Should we implement an expanded consent management system in the future, this Policy will be updated accordingly.

Google’s Privacy Information:

In-App Purchases (RevenueCat)

We use RevenueCat, 300 California St, San Francisco, CA 94104, USA, to manage and verify in-app purchases.
RevenueCat processes pseudonymised transaction data (e.g., purchase receipt ID, product ID, timestamp, status) to manage entitlements.
We do not receive any payment details (e.g., credit card or bank data).

RevenueCat acts as our processor under Article 28 GDPR.
Where RevenueCat exchanges licence and payment data with Apple or Google, this occurs under its own responsibility (Article 4(7) GDPR).
Transfers to the USA are based on the EU Standard Contractual Clauses (Module 2, Decision (EU) 2021/914) and, where applicable, the EU–U.S. Data Privacy Framework.
Despite safeguards, an isolated risk of unauthorised access by U.S. authorities cannot be fully excluded.
Copies of the SCCs can be requested at info@parroo.app.

Retention: Transaction and entitlement data are stored for as long as your entitlement remains active or as required by law. Data are deleted or anonymised thereafter.

Legal bases: Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in fraud prevention).
Privacy information: https://www.revenuecat.com/privacy

Hosting and Database (Supabase)

Data is hosted by Supabase Inc. in EU data centres (Frankfurt am Main).
Supabase processes connection metadata (e.g., IP address, timestamp) solely for system security as our processor (Article 28 GDPR). No content analysis occurs.
Supabase uses sub-processors both within and outside the EEA (e.g., AWS EMEA SARL).
A current list is available at https://supabase.com/subprocessors.
Logs are retained for up to 30 days, then deleted or anonymised.
International transfers are based on SCCs (Module 2, Decision (EU) 2021/914).
Despite safeguards, an isolated risk of access by U.S. authorities cannot be excluded.
Privacy information: https://supabase.com/privacy

App Store Distribution (Apple / Google)

When downloading the app via the App Store or Google Play Store, personal data (e.g., Apple ID, payment information) are processed by the respective platform operator under their own responsibility.
We have no control over such processing.

This Privacy Policy applies only to the “Parroo” mobile app.
Apple and Google are solely responsible for data processing related to their stores.

App Permissions

The following system permissions are required for app functionality:

  • Location access (to show nearby places)
  • Internet access (to load maps and content)

Permissions can be revoked or restricted in your device settings at any time.
The app can be used without location access, although some features will be unavailable.

Communication by Email

If you contact us by email, we process your data (e.g., name, email address, message) solely to respond to your inquiry.
Please note that unencrypted email communication may involve security risks. Alternatively, you may contact us by post.
Legal basis: Article 6(1)(b) GDPR (contract performance / pre-contractual steps) or Article 6(1)(f) GDPR (legitimate interest in communication).
Emails are deleted after your inquiry is resolved, or after six months at the latest, unless retention obligations apply.

Cookies and Tracking

Our app does not use cookies or comparable technologies beyond what is technically necessary.
No tracking or analytics SDKs are used, no cross-device tracking or profiling takes place, and no automated decision-making including profiling (Article 22 GDPR) is performed.

PurposeCategories of DataLegal Basis
Displaying locationLocation dataArticle 6(1)(a) GDPR; Section 25(1) TTDSG (consent)
Map display (Google Maps)IP address, location dataArticle 6(1)(a) GDPR; Section 25(1) TTDSG (consent)
In-app purchasesTransaction dataArticle 6(1)(b) GDPR (contract performance)
Error analysis / stabilityDevice and usage dataArticle 6(1)(f) GDPR (legitimate interests)
Email communicationCommunication dataArticle 6(1)(b) and (f) GDPR
Legal obligations (e.g., tax and accounting retention)Transaction / billing dataArticle 6(1)(c) GDPR; Section 147 AO; Section 257 HGB
App Store downloads (Apple / Google)Account and payment dataArticle 6(1)(b) GDPR

Where no specific legal basis is listed, data is processed under Article 6(1)(f) GDPR, based on our legitimate interest in ensuring a stable, secure, and functional app.
We do not process any special categories of personal data (Article 9 GDPR).

6. Data Sharing and Processors

We share personal data only when necessary to provide our services or when legally required.

Service ProviderPurposePrivacy Policy
SupabaseHosting & database services (EU, Frankfurt)https://supabase.com/privacy
RevenueCatManagement of in-app purchaseshttps://www.revenuecat.com/privacy
SentryCrash and error reporting (EU region, Frankfurt)https://sentry.io/privacy
Google Maps APIMap displayhttps://policies.google.com/privacy

All processors are carefully selected and contractually bound under Article 28 GDPR.
Transfers of personal data to countries outside the EU/EEA (in particular the USA) occur only in connection with Sentry, RevenueCat, and Google LLC.
Such transfers rely on: • the EU Standard Contractual Clauses (SCCs) (Module 2, Controller → Processor, Decision (EU) 2021/914), and
• where applicable, the EU–U.S. Data Privacy Framework (adequacy decision under Article 45 GDPR).
Despite these safeguards, a residual risk of unlawful access by U.S. authorities cannot be fully excluded.
Copies of the SCCs can be requested by emailing info@parroo.app.

7. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected or as required by law.
When the purpose no longer applies, or retention periods expire, data is deleted or anonymised in accordance with Article 17 GDPR.
Retention periods are regularly reviewed.

Typical retention periods: • Supabase: security logs — up to 30 days
• Sentry: error/crash reports — up to 90 days
• RevenueCat: transaction and entitlement data — for the duration of the entitlement and as required under tax and commercial law (6–10 years)

Accounting and payment data are retained for 10 years to comply with statutory retention obligations (Article 6(1)(c) GDPR in conjunction with Section 147 AO and Section 257 HGB).
Backups are encrypted and overwritten or anonymised after a maximum of 180 days.

8. Technical and Organisational Security Measures

We implement technical and organisational measures consistent with Article 32 GDPR to protect personal data from loss, misuse, and unauthorised access.
These include encryption, access controls, logging, and regular security assessments.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data: • Access (Article 15 GDPR)
• Rectification of inaccurate data (Article 16 GDPR)
• Erasure (“Right to be Forgotten”, Article 17 GDPR)
• Restriction of processing (Article 18 GDPR)
• Data portability (Article 20 GDPR)
• Objection to processing based on legitimate interests (Article 21 GDPR)
• Withdrawal of consent (Article 7(3) GDPR)

Right to Object under Article 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6(1)(f) GDPR.

To exercise your rights, simply contact us at info@parroo.app.
We will respond within one month, as required by Article 12(3) GDPR.

Supervisory Authority
You may also lodge a complaint with a supervisory authority:
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg
Königstraße 10a, 70173 Stuttgart, Germany
https://www.baden-wuerttemberg.datenschutz.de/kontakt/

10. Source of Data

We receive personal data exclusively from the individuals concerned.
No additional data sources are used, and no automated decision-making or profiling takes place.

11. Data Protection Officer

No Data Protection Officer is currently appointed, as the legal requirements of Article 37(1) GDPR and Section 38 BDSG are not met (fewer than 20 employees regularly engaged in automated data processing).
If this changes, the DPO’s contact details will be published here.

12. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in the law or technical developments.
The current version is always available in the app and on our website.

13. Children and Minors

Our app is not directed at children under 16 years of age.
We do not knowingly process personal data of children without parental consent.
If we become aware of such processing, the data will be deleted immediately (Article 8 GDPR).

14. Additional Information for Users in the United States

This section applies only to individuals residing in the United States and supplements the information provided above.
We process only the categories of personal data listed in this Policy, including: • Device and technical data (e.g., device type, OS version, app version, crash reports)
• Approximate location data (only if you grant access)
• Transaction data (for in-app purchases via Apple, Google, or RevenueCat)

We do not collect names, contact details, or user profiles.
We do not sell or share personal data for advertising or marketing purposes.

Depending on your state of residence (e.g., California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon), you may have the following rights under applicable state privacy laws: • Access the personal data we hold about you
• Request deletion or correction of your data
• Obtain a copy of your data in a portable format
• Opt out of the sale or sharing of personal data (we do not engage in such activities)

To exercise your rights, contact privacy@parroo.app with the subject line “U.S. Privacy Request.”
We will review and respond to your request within 45 days, as required by law.
We do not process sensitive personal data as defined by U.S. state privacy laws and do not knowingly collect data from children under 16.

15. Additional Information for Users in the United Kingdom

This section applies to individuals residing in the United Kingdom and supplements the information provided above.

Applicable Law
For users in the UK, personal data is processed in accordance with the UK GDPR (General Data Protection Regulation (UK)) and the Data Protection Act 2018.
References in this Policy to the GDPR should be interpreted as references to the UK GDPR.

Controller
Lucky Parrot UG (haftungsbeschränkt)
Kaiser-Joseph-Str. 254
79098 Freiburg im Breisgau, Germany
Email: info@parroo.app

UK Representative (Article 27 UK GDPR)
Because our app is available in the United Kingdom, we may be required to appoint a local representative under Article 27 UK GDPR.
If such a representative is appointed, their contact details will be published here.
Currently, no representative has been designated, as the processing activities are limited, occasional, and low-risk.
Nevertheless, you can direct UK privacy inquiries to info@parroo.app (subject: “UK Privacy Request”).

Purposes and Legal Bases
The same purposes and legal bases apply under UK GDPR, including: • Consent (Article 6(1)(a) UK GDPR) for location and map functions
• Contract performance (Article 6(1)(b) UK GDPR) for in-app purchases
• Legitimate interests (Article 6(1)(f) UK GDPR) for stability and security

International Data Transfers
If personal data of UK users is transferred outside the UK (e.g., to the USA for Sentry, RevenueCat, or Google Maps), the transfer is based on: • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, and
• any applicable UK adequacy regulations issued by the Secretary of State.
Despite these safeguards, an isolated risk of unlawful access by foreign authorities cannot be entirely ruled out.

UK Data Subject Rights
UK users have the same rights as under the GDPR, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
Requests can be made to info@parroo.app (subject: “UK Privacy Request”).

Supervisory Authority (UK)
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Website: https://ico.org.uk

16. Summary

We process only the data that is technically necessary — such as location data for maps and device data for error analysis.
No user accounts, no tracking, no advertising.
Location data and crash reports are used only with your consent or when required to maintain app stability.