
Privacy Policy for the iOS App "HYBBIT"

Last updated: August 17, 2025

Quick Overview

  • No account, no cloud sync – Processing locally on your device.
  • Features: Habits, reminders (local), local statistics, categories, export/import (JSON), Pro subscription via Apple (StoreKit).
  • Notifications: only local notifications (iOS consent), no remote pushes.
  • No tracking/no IDFA/no advertising.
  • Optional diagnostics: Crash reports with Firebase Crashlytics only on opt-in.

(Apple requires App Privacy declarations; possibly Privacy Manifest/Required Reason APIs in the app. These developer obligations concern publication, not your rights.)

1. Data Controller

Arnold Schreiner
Wümmering 28
21629 Neu Wulmstorf
Germany
Email: contact@hybbit.com

No data protection officer is appointed as it is not legally required.

Right to complain: You can complain to a data protection supervisory authority (e.g., at your place of residence). Legal basis of information obligations: Art. 13 GDPR.

2. Scope

This declaration applies to the iOS app "HYBBIT" (App Store ID: 6749539405). The website has its own privacy policy at: https://www.hybbit.com/privacy.

3. Processing in Detail

3.1 App Operation (without account)

Purpose: Providing app functions locally.

Data types: Habits (title, description, category), goals/frequencies, reminder plans, history/completions, streaks, sorting/display settings, language/theme.

Storage location: iOS app container (UserDefaults/CoreData/files) on your device.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance).

3.2 Local Notifications

Purpose: Reminder of habits.

Data types: Schedules, title/body of local notifications; app badge.

Recipients: no external recipients (delivery is done locally by iOS).

Legal basis: Art. 6 para. 1 lit. a GDPR (consent via iOS prompt; revocable in iOS settings).

3.3 In-App Purchases (StoreKit)

Purpose: Management of Pro subscription.

Data types: Product IDs, transaction status, receipts/entitlements (system-side).

Recipients/Role: Apple as independent controller (payment processing).

Legal basis: Art. 6 para. 1 lit. b GDPR.

3.4 On-Device Usage Values (Review Timing)

Purpose: appropriate timing for review requests.

Data types: purely local counters (app starts, habit completions, streaks, successful days).

Recipients: none.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest; data does not leave the device).

3.5 Crash Reports (optional – Firebase Crashlytics)

Purpose: Error diagnosis/stability.

Data types: Crash stack traces, technical device data (e.g., device model, iOS version, app version), Crashlytics Installation UUID/Firebase Installation ID. We do not set our own user ID.

Recipients/Role: Google LLC (Firebase Crashlytics) as data processor (DPA/Firebase Data Processing Terms).

Legal basis: Art. 6 para. 1 lit. a GDPR (consent via in-app switch; revocable at any time).

Storage duration at provider: 90 days.

3.6 Data Export/Import

Purpose: Portability/backup at your request.

Data types: JSON (habits, categories, reminders, history, settings).

Recipients: only controlled by you (iOS share sheet); no automatic upload.

Legal basis: Art. 6 para. 1 lit. b GDPR.

4. Device Access (TDDDG § 25)

We use only the local storage/identifiers necessary for core functions; no tracking, no IDFA, no fingerprinting. Non-essential access would require consent; for us this is relevant only to the Crashlytics opt-in, which you can control separately in the app. (Since May 14, 2024, the TDDDG with § 25 applies in Germany; in 2025, the Consent Services Regulation also came into force.)

5. Recipients and Service Providers (SDKs)

Firebase Crashlytics (Google LLC, USA) – Data Processor

Purpose: Crash reports (only with consent).

Legal framework for transfer: EU-US Data Privacy Framework (DPF) (Google certified) and/or EU Standard Contractual Clauses (SCC) according to Firebase DPA. Storage duration: 90 days. Revocation: anytime in-app.

Apple (StoreKit, UserNotifications) – Independent Controller

Payment processing/receipts and local notifications are done system-side. (Apple may provide crash reports in App Store Connect if you have consented to sharing with developers at the system level.)

6. Transfer to Third Countries

With activated crash reporting, a transfer to the USA to Google/Firebase may occur. Legal basis: EU-US DPF (certification) and/or SCC according to Firebase DPA.

7. Storage Duration and Deletion

  • App content/settings: until active deletion in the app ("Delete all data") or uninstallation.
  • Export files: created locally in temporary directory; further storage/sharing only by you.
  • Crash data: 90 days at the provider.

8. Obligation to Provide

There is no legal obligation to provide data. Without certain local data (e.g., habit definitions), individual functions cannot be used. Consent (notifications, crash reports) is voluntary.

9. Your Rights (GDPR)

You have rights to access, rectification, erasure, restriction, data portability, objection, and revocation of given consent with effect for the future (Art. 15–21, Art. 7 para. 3 GDPR).

Contact: contact@hybbit.com.

10. Security (Technical and Organizational Measures)

TLS-protected connections to Firebase (only with crash opt-in), on-device storage in iOS app container, iOS device encryption, role-based access control (least privilege), regular updates/patches, incident management including 72-hour notification obligation.

11. Minors

The app is not specifically targeted at children; no special processing of children's data.

12. Automated Decisions/Profiling

No automated decisions with legal effect. Review timing is based on purely local counters without personal reference.

13. Changes to this Privacy Policy

We update this declaration when functions/laws change. The current version is linked in the app. Archive of previous versions: https://www.hybbit.com/app-privacy-en.

14. Contact

Data Controller: Arnold Schreiner • Email: contact@hybbit.com • Address: Wümmering 28, 21629 Neu Wulmstorf

Privacy URL: https://www.hybbit.com/app-privacy-en

© Arnold Schreiner