Privacy Policy
Contents
1. Who Is Responsible for Your Data
2. What Data We Collect and Why
3. Data We Do NOT Collect
4. Who We Share Your Data With
5. Legitimate Interests Assessment
6. Your Rights
7. Data Security
8. Children's Privacy
9. Cookies and Tracking
10. Account Deletion
11. Changes to This Policy
12. Contact

1. Who Is Responsible for Your Data (Controller)
The data controller for ShowUp is:
Bogdan Nichovski
Engerstr. 78
32257 Bünde, Germany
Email: privacy@showup.gg
We do not have a Data Protection Officer (DPO) — we are not required to appoint one at our current scale under Art. 37 GDPR.
2. What Data We Collect and Why
2.1 Account Data
Data: Email address, display name, profile photo (optional), date of birth (age verification)
Purpose: Account creation and authentication
Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
Retention: Until account deletion + 30 days
2.2 Authentication Data
Data: Firebase Auth UID, login timestamps, authentication tokens
Purpose: Secure login and session management
Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
Processor: Google Firebase — Google Cloud DPA
Retention: Until account deletion + 30 days
2.3 Commitment and Activity Data
Data: Groups you join, goals you set, daily check-ins, commitment amounts, settlement history
Purpose: Operating the core ShowUp service — tracking commitments and calculating settlements
Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
Retention: Until account deletion + 30 days (anonymized aggregate statistics may be retained)
2.4 Payment Data (when real-money features are active)
Data: Partial card number (last 4 digits), billing country, Stripe customer ID, transaction history
Purpose: Processing commitment settlements and platform fee collection
Legal basis: Performance of contract (Art. 6(1)(b) GDPR); Legal obligation for financial records (Art. 6(1)(c) GDPR)
Processor: Stripe — Stripe DPA
Retention: Transaction records: 10 years (required by § 147 AO / § 257 HGB). We do not store full card numbers.
2.5 App Usage Data / Analytics
Data: Feature usage, screen views, crash reports, device type, OS version
Purpose: Improving the app and fixing bugs
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Retention: 14 months
2.6 Communications
Data: Emails and messages you send to our support address
Purpose: Responding to your inquiries
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Retention: 3 years
3. Data We Do NOT Collect
- We do not collect precise geolocation data
- We do not access your contacts, camera, or microphone without your explicit permission
- We do not sell your data to third parties
- We do not use your data for automated decision-making or profiling that produces legal effects
4. Who We Share Your Data With
We share data only as necessary to operate the service:
| Recipient | Purpose | Location | Safeguard |
|---|---|---|---|
| Google Firebase | Authentication, database, analytics | USA (EU servers available) | SCCs + DPA |
| Stripe | Payment processing, identity verification | EU (Stripe Payments Europe Ltd.) | DPA + SCCs |
| RevenueCat | Subscription management | USA | DPA + SCCs |
| Apple / Google | App distribution | USA | App Store / Play Store T&Cs |
We do not transfer data outside the EU/EEA without appropriate safeguards (Standard Contractual Clauses or adequacy decision).
5. Legitimate Interests Assessment
App Analytics
Our interest: Understanding how the app is used to improve it and fix issues.
User impact: Low — data is anonymized/aggregated, no sensitive categories processed.
Conclusion: Our interest outweighs the minimal privacy impact. Users can opt out in app settings.
6. Your Rights
Under GDPR, you have the following rights. To exercise them, contact: privacy@showup.gg
- Access (Art. 15): Request a copy of all data we hold about you
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Request deletion — we will delete within 30 days, subject to legal retention obligations
- Restriction (Art. 18): Restrict processing in certain circumstances
- Portability (Art. 20): Receive your data in a machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interests
- Withdraw Consent (Art. 7(3)): Where processing is consent-based, withdraw at any time
Response time: We respond within 30 days. Complex requests may take up to 3 months — we'll inform you if so.
Right to complain: You may lodge a complaint with your supervisory authority. For NRW, Germany: Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW).
7. Data Security
- All data in transit is encrypted using TLS 1.2+
- Payment data is handled exclusively by Stripe under PCI DSS Level 1 certification
- Firebase data is encrypted at rest
- Access to production data is limited to authorized personnel only
- We conduct periodic security reviews
8. Children's Privacy
ShowUp is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we discover a user is under 18, we will immediately delete their account and associated data.
9. Cookies and Tracking (showup.gg)
The ShowUp website (showup.gg) may use cookies. We will ask for your consent before placing non-essential cookies.
- Essential cookies: Required for the site to function — no consent required
- Analytics cookies: Used to understand website traffic — require consent
The ShowUp mobile app does not use browser cookies.
10. Account Deletion
You can delete your ShowUp account at any time via Settings → Account → Delete Account.
Upon deletion:
- Your profile, check-in history, and group data will be deleted within 30 days
- Payment transaction records are retained for 10 years as required by law (§ 147 AO)
- Anonymized, non-identifiable aggregate statistics may be retained
11. Changes to This Policy
We will notify you of material changes to this policy via email or in-app notification at least 14 days before they take effect. The date at the top of this document shows when it was last updated.
12. Contact
Bogdan Nichovski
Engerstr. 78
32257 Bünde, Germany
Email: privacy@showup.gg