Privacy Policy
Last updated: 25 April 2026
This Privacy Policy explains how Pintumo UG processes personal data when you use the Advent App applications for iOS and Android, or the website at advent-app.com (together: "the Service"). We process your data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable laws.
1. Controller
The controller responsible for data processing under Art. 4(7) GDPR is:
Pintumo UG (haftungsbeschränkt)
Max-Beer-Str. 27
10119 Berlin, Germany
Email: info@advent-app.com
We have not appointed a Data Protection Officer because we are not legally required to do so under Art. 37 GDPR. Please direct any data protection questions to the email above.
2. Categories of Data We Process
When you use the apps:
- Content you create: calendar titles, recipient names, the photos, videos, GIFs, YouTube links and text messages you place behind each door.
- Sender identifier: a random identifier (UUID) generated by the app, used to associate calendars with the sending device.
- Device and usage data: device model, operating-system version, language, app version, the time of events, and IP address when the app communicates with our servers.
- Purchase data: Apple transaction identifier and receipt (iOS) or Google Play purchase token (Android) when you purchase the ad-free option. We never see your payment method.
- Diagnostic data (iOS only): crash reports and stability metrics via Firebase Crashlytics.
- Advertising identifiers: on iOS only with your App Tracking Transparency consent (Apple IDFA); on Android the Google Advertising ID and App Set ID, unless you have opted out of personalised ads on your device.
- Push notification token (iOS): stored locally on your device. On Android, reminders are scheduled locally via AlarmManager.
When you visit the website:
- Server logs (IP address, user agent, request URL, time of request) on AWS CloudFront and S3 access logs, retained for up to 14 days.
- If you receive a calendar link and open it on the website, the calendar's server identifier is read from the URL so the matching content can be displayed.
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) |
|---|
| Providing the Service's core functions | Art. 6(1)(b) — performance of the contract |
| Storing and serving calendar content | Art. 6(1)(b) |
| Processing the ad-free in-app purchase | Art. 6(1)(b) |
| Showing rewarded ads (AdMob) to unlock doors | Art. 6(1)(f) — legitimate interest in funding a free service; for personalised ads, Art. 6(1)(a) — your consent |
| Crash and stability diagnostics (iOS) | Art. 6(1)(f) — legitimate interest in a stable product |
| Operating the website (logs, security) | Art. 6(1)(f) — legitimate interest in a secure service |
| Responding to support requests | Art. 6(1)(b) / (f) |
| Complying with legal obligations | Art. 6(1)(c) |
4. Recipients and Processors
- Amazon Web Services EMEA SARL (Luxembourg) — cloud storage (AWS S3) for the photos and videos you upload, and hosting for the website. Data is stored in the EU region.
- Apple Inc. — App distribution, in-app purchases, CloudKit synchronisation of calendar content between your iOS devices, push notifications.
- Google Ireland Ltd. — Google Play distribution and billing (Android), Google Mobile Ads (AdMob), Firebase Crashlytics (iOS), Google User Messaging Platform.
- Google LLC — YouTube Data API v3 when you search for or embed a YouTube video. Subject to the YouTube Terms of Service and Google's Privacy Policy.
- Giphy, Inc. — when you search for a GIF, your query is sent to Giphy. Subject to the Giphy Privacy Policy.
- Recipients of calendars you share: anyone who receives the link you send will be able to open the calendar content you created for them.
5. International Transfers
Some processors (Google LLC, Giphy) are established in the United States. Transfers take place under the European Commission's adequacy decision for the EU-US Data Privacy Framework (where the recipient is certified) or under Standard Contractual Clauses (Art. 46(2)(c) GDPR). Apple Inc. and Amazon Web Services EMEA SARL operate the data centres used for the Service inside the EU.
6. Retention
- Calendar content stays on our servers only as long as the sender keeps the calendar in the app. We do not delete it automatically. When the sender deletes a calendar from inside the app, the deletion propagates to our backend immediately.
- Crash diagnostics: up to 90 days.
- Purchase records: up to 10 years (German tax law, § 147 AO).
- YouTube API data is refreshed or deleted within 30 days.
- Server log files containing IP addresses: up to 14 days.
7. Your Rights
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16).
- Right to erasure (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object (Art. 21) — including direct marketing.
- Right to withdraw consent (Art. 7(3)) at any time without affecting prior lawful processing.
- Right to lodge a complaint with a supervisory authority (Art. 77). For Pintumo UG the competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
To exercise any of these rights, email info@advent-app.com. We respond within one month, extendable by two further months for complex requests as permitted by Art. 12(3) GDPR.
8. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects within the meaning of Art. 22 GDPR.
9. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without the consent of a parent or legal guardian, as required by Art. 8 GDPR and § 8 BDSG. If you are a parent or guardian and learn that your child has provided us with personal data, please contact us and we will delete it.
10. Security
We use industry-standard technical and organisational measures to protect your data, including TLS transport encryption, encrypted storage at rest on AWS and Apple infrastructure, and access controls. We will notify you and the supervisory authority of any personal data breach in accordance with Arts. 33 and 34 GDPR.
11. Changes
We may update this Privacy Policy to reflect changes in the Service or the law. The current version is always available at this URL and dated at the top. Material changes are announced in-app and on the website before they take effect.
12. Contact
For any question about this Privacy Policy: info@advent-app.com.
