Privacy Policy

Last updated: March 15, 2026

Welcome to STRLL (www.strll.app). We take the protection of your personal data seriously. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.

STRLL is operated by Alexander Alber (Einzelunternehmer), Toemlingerstr. 21, 81375 Muenchen, Germany (“we”, “us”, “our”).

1. Data Controller

The data controller responsible for your personal data is:

Alexander Alber
Toemlingerstr. 21
81375 Muenchen, Germany
Email: info@strll.app

2. What Data We Collect

2.1 Account Data

When you create an account, we collect:

• Your email address (for authentication)
• A display name (optional)

2.2 Location Data

STRLL uses your device's location services for the following purposes:

• Precise location: Used to verify your proximity to mission locations and determine when you have arrived at a mission site. This is essential for the app's core mission-based exploration functionality.
• Background location: If you enable geofencing notifications, the app uses background location to notify you when you are near a mission site. This data is processed locally on your device and is not transmitted to our servers.
• Heading/compass data: Used to display a direction arrow guiding you to mission locations while in navigation mode.

Important: Location data is processed locally on your device. We do not store your location history on our servers. You can disable location services at any time through your device settings.

2.3 Usage & Progress Data

As you use the app, we store:

• Mission completion status
• Points earned and badges unlocked
• Cities visited and progress per city
• Bucket list entries

2.4 Local Data (SwiftData)

STRLL stores the following data locally on your device using Apple's SwiftData framework:

• Mission data and city information (cached from bundled content)
• Your exploration progress and completion state
• Badge and achievement data
• User preferences (budget, dietary options, display name)

This data remains on your device and is not automatically transmitted to external servers.

2.5 Data We Do Not Collect

We want to be transparent about what we do not collect:

• We do not use any third-party analytics or tracking services
• We do not collect or store your location history on our servers
• We do not collect or store payment information (handled entirely by Apple)
• We do not use advertising SDKs or share data with advertisers
• We do not sell, rent, or trade your personal data

3. How We Use Your Data

We use your personal data for the following purposes:

• Providing the service: Enabling mission-based exploration, tracking your progress, and calculating points and badges
• Location verification: Confirming your proximity to mission locations to unlock mission content (processed locally on device)
• Geofencing notifications: Sending local notifications when you are near a mission site (processed locally, only if enabled)
• Account sync: Syncing your progress across devices if you create an account
• Notifications: Sending mission reminders and exploration prompts (only if you grant permission)

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): Processing is necessary to provide the app's exploration and mission-tracking services
• Consent (Art. 6(1)(a) GDPR): For location access, push notifications, and background location services. You can withdraw consent at any time through your device settings
• Legitimate interest (Art. 6(1)(f) GDPR): For service improvement and security

5. Data Storage & Security

Your progress data may be stored using Supabase, a secure backend-as-a-service platform, if you create an account. Supabase stores data on servers located in the European Union.

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest
• Row-level security policies ensuring users can only access their own data
• Secure authentication mechanisms
• Local-first data architecture — most data stays on your device

6. Data Sharing & Subprocessors

We do not sell, rent, or trade your personal data. We share data only with the following subprocessors, strictly for operating the app:

• Supabase (Supabase Inc.): Backend infrastructure, database hosting, and authentication (if you create an account). Data is stored on servers in the European Union
• Apple (Apple Inc.): Authentication, payment processing via the App Store, push notifications via Apple Push Notification service (APNs), and location services on device

We do not share your data with any other third parties, advertisers, or analytics providers.

7. Data Retention

We retain your personal data for as long as your account is active. Specifically:

• Account data: Retained until you request account deletion
• Progress data: Retained for the duration of your account
• Local data: Stored on your device until you delete the app

When you delete your account, all your data on our servers is permanently removed within 30 days, except where retention is required by law.

8. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

• Right of access (Art. 15 GDPR): You can request a copy of your personal data at any time
• Right to rectification (Art. 16 GDPR): You can request correction of inaccurate data
• Right to erasure (Art. 17 GDPR): You can request deletion of your personal data
• Right to restriction of processing (Art. 18 GDPR): You can request that we limit how we use your data
• Right to data portability (Art. 20 GDPR): You can request your data in a structured, machine-readable format
• Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, please contact us at info@strll.app. We will respond to your request within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

9. Children's Privacy

STRLL is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us immediately at info@strll.app.

10. Push Notifications

STRLL may send push notifications for mission reminders and geofencing alerts when you are near a mission site. You can enable or disable notifications at any time through your device settings. We use Apple Push Notification service (APNs) to deliver these notifications.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the “Last updated” date at the top of this page
• Notify you through the app where appropriate

12. Contact

If you have any questions about this Privacy Policy or your personal data, please contact us:

Alexander Alber (Einzelunternehmer)
Toemlingerstr. 21
81375 Muenchen, Germany
Email: info@strll.app
Website: www.strll.app