Privacy Policy (Datenschutzerklärung)
Effective Date: 3 March 2026
Version: 2.0
Language: English (German translation available upon request)
1. Introduction
Kommit (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz — “BDSG”), the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz — “TTDSG”), and all other applicable data protection laws.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Kommit mobile application and related services (collectively, the “Service”). It applies to all users — whether you access the Service as an individual (B2C) or through your employer’s corporate wellness programme (B2B).
We encourage you to read this Privacy Policy carefully. If you have questions, please contact us using the details in Section 14.
2. Data Controller
Company: Kommit GmbH
Registered Address: [Registered Address, City, Postcode, Germany]
Commercial Register: [Amtsgericht / HRB Number]
Managing Director(s): [Name(s)]
Email: privacy@kommit.app
Website: https://kommit.app
Data Protection Officer (Datenschutzbeauftragte/r):
Email: dpo@kommit.app
Postal: Kommit GmbH — Data Protection Officer, [Address]
3. Legal Bases for Processing
We process your personal data on the following legal bases under GDPR:
| Legal Basis | GDPR Article | When We Rely on It |
|---|---|---|
| Performance of a Contract | Art. 6(1)(b) | Account creation, service delivery, activity tracking, Koins economy, challenge/event participation |
| Your Consent | Art. 6(1)(a) | Marketing communications, optional data sharing, connecting third-party health apps |
| Explicit Consent (Special Categories) | Art. 9(2)(a) | Health data (exercise metrics, biometrics from Apple Health / Google Fit) |
| Legitimate Interests | Art. 6(1)(f) | Service improvement, security, fraud prevention, analytics (anonymised/pseudonymised) |
| Legal Obligation | Art. 6(1)(c) | Tax records, regulatory compliance, responding to lawful requests from authorities |
B2B Context — Employee Data: Where your employer provides Kommit as a corporate wellness benefit, we process your data on the basis of contractual necessity (Art. 6(1)(b)) and, where applicable, Section 26 BDSG (processing of employee data for the purposes of the employment relationship). Your employer acts as an independent data controller for its own HR data; we are a separate data controller for data processed within the Kommit Service.
Your employer never receives your individual health data, activity details, or Koins balance. Employers may only receive anonymised, aggregated participation statistics (e.g., “72% of enrolled employees participated this month”).
4. Data We Collect
4.1 Personal Data (provided by you or your employer)
- First name, last name
- Email address
- Profile photo (optional)
- Job title, department, company name (in B2B context)
- Account preferences and settings
4.2 Health & Biometric Data (Special Category — Art. 9 GDPR)
- Steps, distance walked/run, calories burned, active exercise minutes (from Apple Health, Google Fit, or manual entry)
- Age, height, weight, BMI (if provided in your profile)
Important: We only collect health data with your explicit, informed, freely-given consent (Art. 9(2)(a) GDPR). You can grant or withdraw this consent at any time in Settings → Data Consents. Withdrawal does not affect the lawfulness of prior processing.
4.3 Activity & Challenge Data
- Manually logged activities (type, duration, metrics)
- Challenge and event participation, scores, rankings
- Koins earned, spent, and transaction history
4.4 Device & Technical Data
- Device type, operating system version
- App version, crash reports (via Sentry — see Section 7)
- IP address (anonymised after 30 days)
- Authentication tokens (securely hashed)
4.5 Data We Do NOT Collect
- Precise GPS location (we do not track your real-time location)
- Contacts, photos, or files from your device (beyond profile photo you provide)
- Heart rate, blood pressure, sleep data, or medical records
- Biometric identifiers (fingerprint, face geometry)
5. How We Use Your Data
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account creation and authentication | Personal data, email | Contract (Art. 6(1)(b)) |
| Activity tracking and daily health summaries | Activity data, health data | Contract + Explicit consent (Art. 9(2)(a)) |
| Challenges, events, and leaderboards | Activity data, user profile | Contract (Art. 6(1)(b)) |
| Koins economy (earning, spending, history) | Activity data, transaction data | Contract (Art. 6(1)(b)) |
| Corporate wellness programme reporting (anonymised only) | Aggregated participation data | Legitimate interest (Art. 6(1)(f)) |
| Service improvement and bug fixing | Technical data, crash reports | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Technical data, IP address | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Email, name | Consent (Art. 6(1)(a)) |
| Legal compliance | As required by law | Legal obligation (Art. 6(1)(c)) |
6. Data Retention
| Data Category | Retention Period | After Expiry |
|---|---|---|
| Account & profile data | Duration of account + 30 days after deletion | Securely deleted |
| Activity & challenge data | Duration of account | Deleted with account |
| Health data | Duration of account, or until consent is withdrawn | Deleted within 30 days of withdrawal |
| Koins transaction ledger | Duration of account + 6 months (audit trail) | Anonymised or deleted |
| Consent audit log | 6 years (to demonstrate GDPR compliance; Art. 5(2), Art. 7(1)) | Anonymised or deleted |
| Technical / crash data | 90 days | Automatically purged |
| Marketing consent records | Until consent withdrawn + 3 years (proof of consent) | Deleted |
| Tax-relevant records (if applicable) | 10 years per §147 AO (German Fiscal Code) | Deleted |
After the retention period ends, data is either securely deleted (cryptographic erasure where possible) or irreversibly anonymised.
7. Data Sharing & Sub-Processors
We share personal data only when necessary and only with the following categories of recipients:
| Recipient | Purpose | Location | Safeguard |
|---|---|---|---|
| MongoDB Atlas (MongoDB, Inc.) | Database hosting | EU (Frankfurt, eu-central-1) | EU data residency, DPA |
| Amazon Web Services (AWS) | Cloud infrastructure, email delivery (SES) | EU (Frankfurt, eu-central-1) | EU data residency, DPA, ISO 27001 |
| Sentry (Functional Software, Inc.) | Error monitoring & crash reporting | EU (Frankfurt) | DPA, SCCs |
| Apple HealthKit | Health data sync (on-device only; data flows from your device to Kommit, not to Apple) | On-device | Apple’s privacy framework; health data is read on the device and is not transmitted to Apple |
| Your Employer (B2B only) | Aggregated, anonymised participation reports only | Employer’s jurisdiction | DPA with employer |
We do not sell your personal data. We do not share your data with advertisers, data brokers, or social media platforms.
International Transfers: All primary data processing occurs within the European Union (Frankfurt, Germany). If any sub-processor processes data outside the EEA, we ensure protection via:
- EU Commission Adequacy Decision (where applicable)
- Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR
- Supplementary technical measures (encryption in transit and at rest)
8. Your Rights Under GDPR
You have the following rights. To exercise any right, contact us at privacy@kommit.app or use the in-app features described below. We will respond within one month (extendable by two months for complex requests, per Art. 12(3) GDPR).
8.1 Right of Access (Art. 15)
Request a complete copy of all personal data we hold about you, including processing purposes, data categories, recipients, and retention periods. In-app: Settings → Data Consents shows your current consent status. For a full data export, email privacy@kommit.app.
8.2 Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data. In-app: Edit your profile directly in Settings → Edit Profile.
8.3 Right to Erasure — “Right to Be Forgotten” (Art. 17)
Request deletion of your personal data where: (a) it is no longer necessary, (b) you withdraw consent, (c) you object to processing, or (d) data was unlawfully processed. In-app: Settings → Deactivate Account. You may also email privacy@kommit.app for full erasure. Exceptions: We may retain data where legally required (e.g., tax records per §147 AO).
8.4 Right to Restriction of Processing (Art. 18)
Request that we limit processing of your data (e.g., while we verify accuracy or assess an objection). How: Email privacy@kommit.app.
8.5 Right to Data Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format (JSON), and transmit it to another controller. How: Email privacy@kommit.app.
8.6 Right to Object (Art. 21)
Object to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds. How: Email privacy@kommit.app, or unsubscribe from marketing emails at any time.
8.7 Right to Withdraw Consent (Art. 7(3))
Withdraw any consent at any time, without affecting the lawfulness of processing before withdrawal. In-app: Settings → Data Consents — toggle off any optional consent.
8.8 Right Not to Be Subject to Automated Decision-Making (Art. 22)
We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
9. Data Security
We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR:
Technical Measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication with short-lived JWT tokens
- API rate limiting and brute-force protection
- Regular security testing and dependency auditing
- Database access restricted by IP allowlist and role-based access controls
- Secrets managed via environment variables (not stored in code)
Organisational Measures:
- Access to personal data limited to authorised personnel on a need-to-know basis
- Data protection training for all team members
- Documented incident response procedure
- Data Processing Agreements (DPAs) with all sub-processors
- Regular review of processing activities
Breach Notification: In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours per Art. 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly per Art. 34 GDPR.
10. Children’s Privacy
Our Service is not directed at children under 16 years of age (the minimum age under Art. 8 GDPR as implemented in Germany). We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us immediately at privacy@kommit.app, and we will promptly delete such data.
11. Cookies & Tracking
The Kommit mobile application does not use cookies or web-based tracking technologies. We do not deploy advertising SDKs, analytics pixels, or cross-app tracking identifiers.
Technical data collected for crash reporting (Sentry) is limited to error diagnostics and does not include behavioural tracking.
12. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR or other data protection laws, you have the right to lodge a complaint with a supervisory authority, in particular:
- In the EU Member State of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR)
- In Germany: The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit — BfDI): https://www.bfdi.bund.de
- State-level authorities (Landesdatenschutzbeauftragte) depending on the federal state of our registered office
We encourage you to contact us first at privacy@kommit.app so we can address your concern directly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Effective Date” and version number at the top of this document
- Notify you via in-app notification and/or email
- Where required by law, obtain your renewed consent before applying changes that affect consent-based processing
The latest version of this Privacy Policy is always available in the app under Settings → Privacy Policy.
14. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Kommit GmbH
Email: privacy@kommit.app
Data Protection Officer: dpo@kommit.app
Postal: Kommit GmbH, [Registered Address, City, Postcode, Germany]
This Privacy Policy is provided in English. A German translation (Datenschutzerklärung) is available upon request at privacy@kommit.app. In case of discrepancies, the German version shall prevail for users in Germany.