PRIVACY POLICY
Global Data Protection and Privacy Notice
Effective Date: May 2026
Service operated by: DigitalFreedom — a brand of Berger & Rosenstock GbR
Data Controller (legal entity):
Berger & Rosenstock GbR (trading as DigitalFreedom)
Dieselstr. 22e
61231 Bad Nauheim
Germany
Authorized Representatives: Marcel R. G. Berger, Jasmin Rosenstock
VAT-ID: DE455096022
Contact (general): hello@digitalfreedom.co.za
Contact (data protection): data-protection@digitalfreedom.co.za
Website: https://digitalfreedom.co.za
1. INTRODUCTION
This Privacy Policy explains how DigitalFreedom (a brand of Berger & Rosenstock GbR, collectively "we", "us", "our") collects, uses, stores, and protects your personal data when you use our applications, software, websites, and related services ("the Services").
1.1 Global scope
Our applications are distributed via the Apple App Store and the Google Play Store and are therefore made available in every country and territory those platforms serve. This Privacy Policy applies globally to all users of the Services, regardless of the country in which the Service is downloaded, accessed or used.
1.2 GDPR as the global baseline
We adopt the European Union General Data Protection Regulation (GDPR) and related EU data-protection law as the strictest baseline and apply it as a global floor — every user, in every country, benefits from at least the GDPR-level protections set out in this Policy. We additionally respect and comply with any applicable local data-protection law of the user's jurisdiction, and where that local law is more protective for the user, the more protective standard applies.
We are committed to protecting your privacy and complying with applicable data-protection laws, including but not limited to:
- EU General Data Protection Regulation (GDPR) — applied as the global baseline
- German Federal Data Protection Act (BDSG)
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
- Swiss Federal Act on Data Protection (FADP)
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) and other US state privacy laws
- Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australian Privacy Act 1988
- Brazilian General Data Protection Law (LGPD)
- Japanese Act on the Protection of Personal Information (APPI)
- South Korean Personal Information Protection Act (PIPA)
- Indian Digital Personal Data Protection Act (DPDP Act) and IT Act
- South African Protection of Personal Information Act (POPIA)
- All other applicable national data-protection regimes in jurisdictions in which the Services are made available via the Apple App Store or Google Play Store
2. DATA CONTROLLER
The Services are offered under the DigitalFreedom brand. The legal entity responsible for processing your personal data (the "data controller" under Art. 4(7) GDPR) is:
Berger & Rosenstock GbR (trading as DigitalFreedom)
Dieselstr. 22e
61231 Bad Nauheim
Germany
Authorized Representatives: Marcel R. G. Berger, Jasmin Rosenstock
VAT-ID: DE455096022
For data protection inquiries (GDPR Art. 13/14, access, rectification, erasure, portability, objection requests):
Email: data-protection@digitalfreedom.co.za
For general inquiries:
Email: hello@digitalfreedom.co.za
Website: https://digitalfreedom.co.za
3. DATA WE COLLECT
3.1 Data You Provide
- Account information (name, email address, username)
- Communication data (support requests, feedback)
- Payment information (processed via third-party payment providers)
- User-generated content
3.2 Data Collected Automatically
- Device information (device type, operating system, version)
- Usage data (features used, interaction patterns)
- Log data (IP address, access times, error logs)
- Analytics data (aggregated usage statistics)
3.3 Data from Third Parties
- Authentication data from social login providers (if applicable)
- Platform-specific data from app stores (Apple, Google)
3.4 Sensor, Device and Biometric Data
Where the app uses sensors or biometrics on your device:
- Biometric authentication (Face ID / Touch ID / Android BiometricPrompt): the biometric template never leaves your device. The app only receives a yes/no result from the operating system.
- Camera, microphone, location, photos, contacts, calendar, motion, health: accessed only when you actively use the feature that needs them. Each access is prompted by the OS with our usage-description text explaining why.
- Health & Fitness data (HealthKit / Health Connect): processed only for the specific feature you use; not shared with third parties for advertising; not used to train AI models.
- App Tracking Transparency (iOS) / AAID controls (Android): by default, DigitalFreedom apps do not track you across other companies' apps and websites. We do not present the ATT prompt unless a specific feature requires it; if a future feature does, you can decline without losing access to the rest of the app.
3.5 Data NOT Collected
Unless explicitly disclosed for a specific feature in the per-app addendum, we do not collect:
- precise location in the background
- contacts / address book
- SMS / email contents from your device
- browsing history outside the app
- behavioural-advertising identifiers
- payment-card data (Apple and Google are merchants of record for in-app purchases)
4. LEGAL BASIS FOR PROCESSING (GDPR)
We process your personal data based on the following legal grounds:
| Legal Basis | Purpose |
|---|---|
| Contract performance (Art. 6(1)(b) GDPR) | Providing the Services, account management |
| Legitimate interests (Art. 6(1)(f) GDPR) | Security, fraud prevention, service improvement |
| Consent (Art. 6(1)(a) GDPR) | Marketing communications, optional analytics |
| Legal obligation (Art. 6(1)(c) GDPR) | Tax records, regulatory compliance |
5. HOW WE USE YOUR DATA
We use your personal data to:
- Provide, operate, and maintain the Services
- Process transactions and manage subscriptions
- Communicate with you (support, updates, notices)
- Improve and personalize the Services
- Ensure security and prevent fraud
- Comply with legal obligations
- Conduct analytics (where permitted or consented)
6. DATA SHARING AND DISCLOSURE
We may share your data with:
6.1 Service Providers
Third-party providers who assist in operating the Services, including:
- Cloud hosting providers
- Payment processors
- Analytics providers
- Customer support tools
6.1.1 Named Sub-processors
The following sub-processors are currently engaged for processing your personal data:
| Processor | Role | Location |
|---|---|---|
| Civo Ltd. | Cloud infrastructure (Kubernetes, virtual machines, object storage, DNS) — primary infrastructure provider; workloads distributed across both regions | Frankfurt am Main, Germany (fra1) and London, United Kingdom (lon1) |
| Migadu Mail AG | Email hosting (inbound/outbound mail for support and contact addresses) | Switzerland |
| Google Ireland Limited (Google Cloud / Workspace) | Ancillary Google Cloud Platform / Workspace services consumed by applications and tooling | EEA data-centre regions (with onward transfer to other Google entities under EU SCCs / UK Addendum) |
| OpenAI Ireland Ltd. | OpenAI API Services (model inference, embeddings) for AI-assisted application features | Ireland (with onward transfer to OpenAI OpCo, LLC in the United States under EU SCCs / UK Addendum) |
| RevenueCat, Inc. | Subscription and in-app-purchase management (receipt validation, entitlement state) for Flutter apps | United States (governed by RevenueCat's published DPA framework / EU SCCs) |
| UAB "MailerLite" | Opt-in newsletter / email-marketing platform — only for users who actively subscribe (double opt-in) | Lithuania (EU/EEA) |
Workloads on Civo are distributed across the fra1 and lon1 regions for redundancy and migration purposes. The list of sub-processors may change; the current list is maintained in our internal sub-processor register and is available on request via the data protection contact below.
6.1.2 Platform and Distribution Channels
The following parties act as independent controllers (and, where applicable, merchant of record) for processing carried out in connection with platform distribution, payment, and platform-level services — not as our processors under Art. 28 GDPR. They are disclosed here for transparency:
| Party | Role | Location |
|---|---|---|
| Apple Distribution International Ltd. | App Store / TestFlight distribution, In-App Purchase / StoreKit (merchant of record for paid transactions and subscriptions on Apple platforms), Apple Push Notification service (APNs), optional Sign in with Apple | Ireland (with intra-group processing by Apple Inc. in the United States under Apple's internal safeguards / SCCs) |
For data processed by Apple under its own controllership (Apple ID, payment details, App Store analytics, APNs delivery), Apple's own Privacy Policy applies: https://www.apple.com/legal/privacy/.
6.2 Legal Requirements
We may disclose data when required by law, legal process, or government request.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred.
6.4 No Sale of Personal Data
We do not sell your personal data to third parties.
7. INTERNATIONAL DATA TRANSFERS
Your data may be transferred to and processed in countries outside your country of residence.
Specifically with regard to our named sub-processors:
- Civo
fra1(Frankfurt am Main, Germany) — within the EU, no transfer outside the EEA. - Civo
lon1(London, United Kingdom) — covered by the EU Commission adequacy decision for the UK pursuant to Art. 45 GDPR. - Migadu (Switzerland) — covered by the EU Commission adequacy decision for Switzerland pursuant to Art. 45 GDPR.
- Google Cloud / Workspace — primary processing in EEA data-centre regions. Onward transfers to Google entities outside the EEA (including the United States) are governed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum issued by the ICO, and supplementary technical measures (encryption in transit and at rest, key management). The contractual basis is Google's Cloud Data Processing Addendum (Customers).
- OpenAI Ireland Ltd. (Ireland) and OpenAI OpCo, LLC (United States) — Customer Data submitted to the OpenAI API is processed by OpenAI Ireland Ltd. in the EEA. Onward transfers to OpenAI OpCo, LLC in the United States are governed by the EU Standard Contractual Clauses (Module Two — Controller to Processor), the UK International Data Transfer Addendum, and intra-group safeguards. API Customer Data is retained for a maximum of 30 days and then deleted, unless retention is required by law. The contractual basis is the OpenAI Data Processing Addendum signed on 2025-08-02.
- RevenueCat, Inc. (United States) — subscription / in-app-purchase data is transferred to the United States. Transfers are covered by the EU Standard Contractual Clauses referenced in RevenueCat's publicly published DPA framework and supplementary technical measures (encryption in transit and at rest, pseudonymous App User IDs, no payment-card data — card data is processed by Apple / Google as merchants of record).
- MailerLite (UAB MailerLite, Lithuania) — primary processing is intra-EEA. Where MailerLite engages sub-processors outside the EEA (per its public sub-processor list), those transfers are covered by the EU Standard Contractual Clauses referenced in MailerLite's publicly published DPA framework.
- Apple (Apple Distribution International Ltd., Ireland; intra-group processing by Apple Inc., United States) — Apple acts as independent controller (and merchant of record for paid transactions). Intra-group transfers to Apple Inc. in the United States are governed by Apple's internal Binding Corporate Rules / SCCs as disclosed in the Apple Privacy Policy.
For any transfers not covered by an adequacy decision:
- We rely on EU Standard Contractual Clauses (SCCs)
- We ensure adequate safeguards under GDPR Chapter V
- We assess the data protection laws of the recipient country (Transfer Impact Assessment)
For transfers from other jurisdictions, we comply with applicable cross-border transfer requirements.
8. DATA RETENTION
We retain personal data only as long as necessary for the purposes described in this Policy.
Criteria for retention periods:
- Duration of your account or use of the Services
- Legal obligations (e.g., tax retention periods under German law: up to 10 years)
- Legitimate interests (e.g., dispute resolution)
Upon expiration of the retention period, data is securely deleted or anonymized.
9. DATA SECURITY
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256 or equivalent)
- Access controls (RBAC, MFA for administrative access, principle of least privilege)
- Regular security assessments and sub-processor audits
- Audit logging restricted to authorised personnel
- Daily backups with off-site replicas
- Documented incident response per our internal Breach Response Plan (Art. 33/34 GDPR)
No system is completely secure. We cannot guarantee absolute data security.
9.1 Breach Notification to You
In the event of a personal data breach likely to result in a high risk to your rights and freedoms (Art. 34 GDPR), we will notify you without undue delay using the email address associated with your account, including:
- nature of the breach
- categories and approximate number of records concerned
- likely consequences
- measures taken or proposed to address the breach and mitigate adverse effects
- contact details for further information
If individual notification would involve disproportionate effort, we make a public communication on https://digitalfreedom.co.za/.
10. YOUR RIGHTS
10.1 Rights under GDPR (EU/EEA/UK)
You have the right to:
- Access your personal data (Art. 15 GDPR)
- Rectify inaccurate data (Art. 16 GDPR)
- Erase your data ("right to be forgotten") (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent at any time (Art. 7(3) GDPR)
- Lodge a complaint with a supervisory authority
10.2 Rights under CCPA/CPRA (California)
California residents have the right to:
- Know what personal information is collected
- Request deletion of personal information
- Opt out of the sale or sharing of personal information
- Non-discrimination for exercising privacy rights
- Correct inaccurate personal information
- Limit the use of sensitive personal information
10.3 Rights under PIPEDA (Canada)
Canadian residents have the right to:
- Access their personal information
- Challenge the accuracy of their information
- Withdraw consent (subject to legal or contractual restrictions)
10.4 Rights under Australian Privacy Act
Australian residents have the right to:
- Access their personal information
- Request correction of inaccurate information
- Complain to the Office of the Australian Information Commissioner (OAIC)
10.5 Rights under LGPD (Brazil)
Brazilian residents have the right to:
- Confirmation of data processing
- Access to data
- Correction of incomplete or inaccurate data
- Anonymization, blocking, or deletion of unnecessary data
- Data portability
- Information about shared data
- Revocation of consent
11. CHILDREN'S PRIVACY
Our Services are not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction).
We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. COOKIES AND TRACKING
Our use of cookies and similar technologies is described in our separate Cookie Policy.
13. AUTOMATED DECISION-MAKING AND AI
13.1 Automated decisions with legal or similarly significant effect
We do not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, unless:
- You have given explicit consent
- It is necessary for contract performance
- It is authorized by applicable law
Where any such processing occurs, you have the right under Art. 22(3) GDPR to obtain human intervention, to express your point of view, and to contest the decision.
13.2 AI-assisted features
Where the Services include AI-assisted features (for example, content generation, summarisation, classification powered by third-party AI APIs such as OpenAI), the AI Transparency Notice describes:
- which features use AI
- which AI provider is engaged
- what data is sent to the AI
- retention at the AI provider (30 days for OpenAI API by default)
- your right to opt out
- AI-generated content labelling (Art. 50 EU AI Act, in force 2026-08-02)
13.3 Fair Use enforcement
The Fair Use Policy describes how operational telemetry is used to detect abuse and to apply throttling, rate-limiting, restriction or suspension where appropriate. Automated detection informs human review; no automated decision under the Fair Use Policy produces legal effects on you without human involvement, except where strictly necessary to mitigate an immediate threat.
13.4 Marketing communications
Marketing emails (via MailerLite) and marketing push notifications are sent only with your explicit, separate opt-in. You can withdraw consent at any time without affecting the rest of the Services.
13.5 Account deletion
You can delete your account and request erasure of your data at any time. See the Account Deletion Notice for the in-app, email and postal paths.
14. THIRD-PARTY LINKS AND SERVICES
The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties.
15. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time.
- Material changes will be communicated via the Services or by email
- Where a change to the processing requires your consent under applicable law, we will obtain that consent before the change applies to you; we do not rely on continued use alone as consent
- The "Effective Date" at the top reflects the latest revision
16. CONTACT
For privacy-related inquiries or to exercise your rights:
DigitalFreedom
A brand of Berger & Rosenstock GbR
Dieselstr. 22e
61231 Bad Nauheim
Germany
Data protection: data-protection@digitalfreedom.co.za
General inquiries: hello@digitalfreedom.co.za
Website: https://digitalfreedom.co.za
For EU residents, you may also contact the competent supervisory authority in your member state.
17. REGIONAL PROVISIONS
17.1 European Union / EEA
- Processing complies with GDPR requirements
- The lead supervisory authority is the competent German data protection authority
- Data Protection Impact Assessments (DPIAs) are conducted where required
17.2 United Kingdom
- Processing complies with UK GDPR and Data Protection Act 2018
- The supervisory authority is the Information Commissioner's Office (ICO)
17.3 United States
- Processing complies with applicable state privacy laws (CCPA/CPRA, VCDPA, CPA, etc.)
- "Do Not Track" signals are respected where technically feasible
17.4 Canada
- Processing complies with PIPEDA and applicable provincial privacy legislation
- The Office of the Privacy Commissioner of Canada may be contacted for complaints
17.5 Australia
- Processing complies with the Privacy Act 1988 and Australian Privacy Principles (APPs)
17.6 Brazil
- Processing complies with the Lei Geral de Proteção de Dados (LGPD)
- The Autoridade Nacional de Proteção de Dados (ANPD) is the competent authority
(c) 2025-2026 DigitalFreedom — Berger & Rosenstock GbR. All rights reserved.