Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how Peter Schmidt, an individual developer based in Germany ("Developer", "we", "us", "our"), collects, uses, shares, and protects your personal data when you use the Numbio mobile application ("App") and the Numbio website at numbio.com ("Website").

We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Policy applies to both the App and the Website. By using the App or Website, you acknowledge that you have read and understood this Policy. This Policy is an integral part of our Terms of Use.

2. Information We Collect

2.1 Information You Provide

• Account registration data. When you create an account, we collect your email address and password (stored as a cryptographic hash, never in plaintext). If you sign in with Apple or Google, we receive the name and email address you choose to share, along with authentication tokens.

• Age. We collect your age to personalize content difficulty and categorize your age group.

• Training preferences. Your training intent (e.g., why you practice math) and daily training goal.

• Custom training configurations. If you use the AI Coach to generate custom trainings, we store the resulting configurations (exercise types, settings, names).

2.2 Information Generated Through Use

• Practice activity data. Session logs including activity type, start and end time, duration, score, exercise count, correct answers, and XP earned.

• Progress data. XP totals, streaks (current, longest, goal, last active date), high scores, total activities completed, total time practiced, operation-level statistics (accuracy and response times per arithmetic operation), and game-specific counts.

• Daily summaries. Aggregated daily statistics including activity count, practice time, XP earned, exercises completed, and per-operation breakdowns.

• Content interaction states. Whether you have favorited, read, or liked/disliked math tips and articles.

• Challenge progress. Your progress in the 60-day challenge feature.

2.3 Device & Technical Information

• Identifier for Vendor (IDFV). A device identifier unique to apps from our developer account. This is not the Identifier for Advertisers (IDFA) — we do not collect or use the IDFA and do not participate in Apple's App Tracking Transparency framework.

• Device model and OS version. For example, "iPhone16,1" and "iOS 19.0".

• App version and build environment. Whether you are using a production, TestFlight, or debug build.

• Crash reports and error logs. Automatic crash reports collected via Firebase Crashlytics, including stack traces, error descriptions, device information, and limited custom context (e.g., error type).

2.4 Information Processed On-Device Only

The following data is processed locally on your device and is never transmitted to our servers:

• Local preferences. Settings such as sound effects, haptic feedback, appearance, and trainer configurations are stored locally using UserDefaults and are never transmitted.

• Notifications. All notifications are scheduled and delivered locally on your device. No notification data is sent to our servers.

• Debug logs. Diagnostic logs are written to the system console using Apple's OSLog framework and are not transmitted to our servers.

3. How We Use Your Information

Performance of contract (Art. 6(1)(b)) — We process data that is necessary to deliver the service you signed up for:

• Core app functionality (exercises, scoring, progress tracking) — using your account data, progress data, and activity logs.

• Content personalization — using your age and performance statistics to adjust difficulty.

• Cross-device sync — storing all user data in Cloud Firestore so your progress stays in sync.

• Subscription processing — using your Firebase UID, email, and IDFV.

• AI Coach analysis — using exercise attempts, accuracy, response times, and performance statistics to generate personalized tips.

Legitimate interest (Art. 6(1)(f)) — We process data where we have a legitimate business interest that does not override your rights:

• Analytics and app improvement — using usage events, IDFV, and device information.

• Crash reporting and bug fixes — using crash reports, error context, and device information.

• Performance monitoring — using app performance metrics and device information.

• Security and fraud prevention — using account activity and device identifiers.

• Ads attribution measurement — using anonymized attribution data to measure advertising effectiveness. You can opt out in the App's privacy settings.

You have the right to object to processing based on legitimate interest (see Section 8).

Consent (Art. 6(1)(a)) — We only process the following data with your explicit consent:

• Game Center leaderboards — sharing scores and achievements when you opt in via Game Center.

• Consumption data sharing with Apple — sharing data about your usage and consumption of purchased content with Apple to help resolve refund requests (see Section 4).

You can withdraw consent at any time by disabling the relevant feature. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

4. Information Sharing & Third Parties

We do not sell, rent, or trade your personal data. We never have and never will.

We share data with the following third-party service providers solely to operate and improve the App. All third-party service providers process data under data processing agreements (DPAs) that comply with applicable data protection laws.

• Cloud infrastructure and backend services (Google LLC — Privacy Policy): Authentication, data storage and sync, analytics, crash reporting, performance monitoring, remote configuration, and AI-powered features.

• Subscription management (RevenueCat, Inc. — Privacy Policy): Account identifiers, contact information, device identifiers, and attribution data.

• Ads attribution (Meta Platforms, Inc. — Privacy Policy): Anonymized attribution data.

• Leaderboards (Apple Inc. — Privacy Policy): Scores and achievements via Game Center.

• Refund processing (Apple Inc. — Privacy Policy): When you request a refund through Apple, we may share data regarding your usage and consumption of purchased content with Apple. This information may include details about how you have accessed and interacted with the purchased content. This data is shared solely to help Apple make informed decisions regarding refund requests, in compliance with Apple's policies and only as necessary to process such requests.

• Website hosting (Framer B.V. — Privacy Policy): IP addresses, browser/device data, and access logs for the purpose of serving and securing the Website. For website analytics, aggregated, cookie-less usage statistics (page views, referrers, approximate region) are collected via Framer Analytics. No cookies or cross-site identifiers are used.

We may also share your information in the following circumstances:

• Legal obligations. When required by law, regulation, legal process, or governmental request.

• Protection of rights. To enforce our Terms of Use, protect our rights, privacy, safety, or property, or that of our users or the public.

• Business transfers. In connection with a merger, acquisition, reorganization, or sale of assets, in which case your data would remain subject to this Policy.

• Aggregated or anonymized data. We may share data that has been aggregated or anonymized so that it can no longer identify you, for research, analytics, or business purposes.

5. AI-Powered Features

5.1 AI Coach

The AI Coach is powered by Google AI (Gemini) via Firebase AI Logic. It analyzes your practice data to provide personalized math tips, identify areas for improvement, and generate custom training plans.

5.2 Data Sent to Google AI

When the AI Coach is used, the following data is sent to Google's servers for processing:

• Exercise attempts and results

• Response times

• Accuracy rates

• Performance statistics and trends

5.3 Data NOT Sent to Google AI

The following data is never sent to Google AI:

• Your name, email address, or other personal identifiers

• Audio recordings or handwriting images

• Device identifiers

5.4 Google's Use of Your Data

Under Firebase AI Logic terms, Google does not use data submitted through Firebase AI Logic to train its AI models. The data is processed solely to generate responses to your requests.

5.5 Availability

The AI Coach feature may be enabled or disabled via remote configuration. When disabled, the App falls back to rule-based performance analysis that operates entirely within the App.

For more information, see Google's AI terms.

6. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside of the European Economic Area (EEA), including the United States, where our service providers (e.g. Google, RevenueCat, Meta) operate servers.

These transfers are protected by appropriate safeguards maintained by our service providers, including the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

We only retain personal data for as long as necessary to fulfill the purposes described in this Policy or to comply with legal obligations. Your account data and progress are retained until you delete your account. Analytics and crash data are retained for limited periods as determined by our service providers' default retention policies. Anonymized and aggregated data that can no longer identify you may be retained indefinitely.

Third-party service providers retain data according to their own retention policies, linked in Section 4.

We reserve the right to delete accounts and associated data after an extended period of inactivity.

8. Your Rights

8.1 GDPR Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the GDPR:

• Right of access (Art. 15) — Request a copy of the personal data we hold about you.

• Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.

• Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").

• Right to restriction of processing (Art. 18) — Request that we limit how we use your data.

• Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.

• Right to object (Art. 21) — Object to processing based on legitimate interest, including analytics and ads attribution.

• Right to withdraw consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

• Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority (see Section 13).

How to exercise your rights: Send an email to hello@numbio.com. To protect your privacy, we may take steps to verify your identity before processing your request. We will respond within one month. If your request is complex, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it.

We are not required to appoint a Data Protection Officer under Article 37 GDPR.

8.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know — You can request information about the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it.

• Right to delete — You can request deletion of your personal information.

• Right to opt-out of sale — We do not sell your personal information. Because we do not sell personal information, there is no need to opt out.

• Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.

How to exercise your rights: Send an email to hello@numbio.com.

8.3 Account Deletion

You can delete your account at any time using the account deletion feature within the App.

Account deletion is permanent and irreversible. Upon deletion:

• All personal data associated with your account is removed from our Firestore database promptly.

• Your progress, statistics, custom trainings, and all other user data are permanently lost.

• Anonymized and aggregated analytics data (which cannot identify you) may be retained.

Important: Deleting your account does not automatically cancel your subscription. You must manage and cancel your subscription through the App Store. See Section 17 of our Terms of Use for details.

9. Children's Privacy

Numbio is a general-audience application. Account creation and use of the App's online features (including AI Coach, cloud sync, and leaderboards) are intended for individuals aged 16 or older.

If a parent or legal guardian wishes to allow a younger person to use the App, the parent or guardian must create and manage the account on the child's behalf. By doing so, the parent or guardian accepts this Privacy Policy and confirms that they have the legal authority to provide consent for data processing on the child's behalf. If a parent creates an account on behalf of a child, the data described in Section 2 is collected under the parent's account and with the parent's consent.

We do not knowingly collect personal information directly from children. If we learn that personal data has been collected from a child without appropriate parental involvement, we will take steps to delete that information promptly.

If you believe a child has provided us with personal data without parental involvement, please contact us at hello@numbio.com.

10. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it, including:

• Encryption in transit. All data transmitted between the App and our servers is encrypted using TLS (Transport Layer Security).

• Data isolation. Firebase security rules enforce per-user data isolation, ensuring that users can only access their own data.

• Credential security. Firebase Authentication handles credential security. Passwords are cryptographically hashed and never stored in plaintext.

• Access controls. Access to user data is restricted to authorized services and is limited to what is necessary for the service to function.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or by email.

Your continued use of the App after any changes to this Policy constitutes your acceptance of the updated Policy. Where changes affect processing based on your consent, we will seek renewed consent where required by applicable law. If you do not agree to the changes, you should stop using the App and delete your account.

The "Last updated" date at the top of this Policy indicates when it was last revised.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Peter Schmidt
c/o Postflex #8507
Emsdettener Str. 10
48268 Greven
Germany

Email: hello@numbio.com