PRIVACY POLICY
1. Controller responsible for data processing (hereinafter: “we”)
Point Zero GmbH
Speditionstr. 15A
40221 Düsseldorf, Germany
Phone: +49 162 7555786
E-mail: office@pointzero.tech
Further details about us can be found in our legal notice.
2. Personal data, purposes of processing and legal bases
In our app, in addition to the option of using the app as a guest, you can create a customer account. For this purpose, you must provide personal data; please see Section 5 of this Privacy Policy.
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific factors expressing the identity of that natural person.
The purpose of data processing is the operation of this app for you as a registered user.
In our app, personal data is collected only if this is
for the use of the app and the provision of essential functions (legal basis: Art. 6(1) sentence 1 lit. b GDPR – performance of a contract),
for the safeguarding of our legitimate interest in improving the user experience as well as maintaining the security of use (legal basis: Art. 6(1) sentence 1 lit. f GDPR),
for the use of the services offered in the app as well as pre-contractual measures (legal basis: Art. 6(1) sentence 1 lit. b GDPR),
for concluding a contract and for contract performance (legal basis: Art. 6(1) sentence 1 lit. b GDPR).
Further details on data processing can be found below under the relevant headings:
3. Access data / server log files
When using our app, the servers automatically store server log files. The information includes:
IP address (usually truncated or only in pseudonymised form, insofar as technically possible)
User ID (UID) (This is generated by Firebase Authentication when you use our app; when logging in via a Google/Apple account, the login is carried out via the respective identity provider, but the UID is assigned by Firebase.)
Time of login in the app
This data is not merged with other data sources. Pursuant to Art. 6(1) sentence 1 lit. f GDPR, the information is used exclusively for analysis and maintaining the technical operation of the servers and the network. In addition, the user ID is required in order to be able to exclude a user from further or renewed access to the app in the event of a breach of our terms of use and a subsequent suspension by us in accordance with the terms of use.
4. Contact by e-mail
If you send us enquiries by e-mail, the information you provide in the e-mail, including the contact details you provide there, will be stored by us for the purpose of processing the request and in case of follow-up questions pursuant to Art. 6(1) sentence 1 lit. b GDPR. We will never pass on this data without your consent. We will treat the personal data you provide voluntarily as strictly confidential. We store and use personal data voluntarily provided by you insofar as it is necessary for further correspondence with you.
5. User account
As a user, in addition to guest use, you can register a user account with us to use the app.
Mandatory information for registration is the user’s e-mail address and a password. When registering/logging in, an individual user ID (UID) is generated by Firebase Authentication. If you log in via a Google/Apple account, the login is performed via the respective identity provider; however, the UID is assigned by Firebase. The data processing is based on the necessity for contract performance pursuant to Art. 6(1) sentence 1 lit. b GDPR.
Please also note our Terms of Service.
6. In-app purchases / subscriptions
Our app offers the option to take out paid subscriptions. When purchases are made within the app, the order numbers are assigned to the user account and stored by us for the purpose of providing the purchased content and proper performance of the contract. Data processing is based on the necessity for contract performance pursuant to Art. 6(1) sentence 1 lit. b GDPR.
Please also note our Terms of Service.
7. Training and profile data (Firestore / Cloud Firestore)
In the app, we process training and profile data in order to provide the core functions of the app (e.g. carrying out training, streaks, statistics, badges, synchronisation between devices).
Which data do we process? Depending on how you use the app, the following data in particular may be processed and stored in the database:
Account data / user identifier: internal user ID (UID), if applicable e-mail (upon registration), login status (guest/registered)
Profile data: display name/username (if provided), avatar/profile picture reference (not the image itself; see the section “Firebase Storage”)
Training data: completed sessions (date/time), training type (e.g. push-ups/plank), training level/training day, set/rep counts, rest/duration values, total repetitions, personal records (e.g. max reps, longest plank), streak status including freezes, badges/progress
App-related settings: e.g. selected display options or training/coach settings (if available)
Purposes of processing: Processing is carried out for the following purposes:
Provision and execution of training functions
Saving progress, displaying statistics/histories and records
Synchronisation of data across devices/logins
Abuse/error prevention and ensuring proper app operation (where necessary)
Legal basis: Processing is necessary for fulfilling the user contract or providing the app functions you request and is therefore carried out on the basis of Art. 6(1) sentence 1 lit. b GDPR. To the extent we process data to ensure the security and stability of the app, this is carried out on the basis of Art. 6(1) sentence 1 lit. f GDPR (legitimate interest in secure and stable operation).
Recipients / service providers: For storage and processing, we use Google Firebase (Cloud Firestore), a service of Google LLC (details on the provider are set out in Section 8 “Firebase”). We have concluded a data processing agreement with Google pursuant to Art. 28 GDPR.
Storage location: Data is stored in the Firebase region selected by us: europe-west3 (Frankfurt).
Retention period / deletion: We generally store this data for as long as it is necessary for using the app. You can delete your user account (and thus the associated training/profile data) at any time. After account deletion, the corresponding data will be deleted or anonymised within the scope of technical possibilities and statutory retention obligations.
8. Firebase (Crashlytics, Analytics, Storage, App Check)
Our app uses Google Firebase. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use in particular the Firebase components Crashlytics, Analytics, Storage and App Check.
a) Firebase Crashlytics (error analysis)
Crashlytics is used for stability and error fixing. In particular, the following data may be processed:
User ID (UID) or an app-internal identifier, see Sections 2, 5 and 7
errors/crash information (e.g. crash stack traces)
time of the error
app version
device/system information (e.g. operating system version, device model)
where applicable, technical circumstances of the error (e.g. memory status at the time of the crash)
The legal basis is Art. 6(1) sentence 1 lit. f GDPR (legitimate interest in secure, stable and error-free operation of the app).
b) Firebase Analytics (usage analysis)
Firebase Analytics helps us understand and improve how the app is used (e.g. which functions are used how often). In particular, the following data may be processed:
session duration and frequency
first app open after installation
interactions within the app (e.g. use of certain functions)
app version and device/system information
where applicable, events in connection with in-app purchases (e.g. whether a purchase was initiated/completed; no payment data)
The legal basis is—if we use Analytics—your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR as well as § 25(1) TDDDG (access to information in the user’s end device). Consent can be revoked at any time (e.g. via the relevant settings in the app or the consent banner). Without consent, no evaluation via Firebase Analytics takes place.
c) Firebase Storage (profile pictures)
We use Firebase Storage to upload and store profile pictures. In doing so, the content you upload is transmitted to Google servers and stored there. Metadata such as file name, file size or upload time may be processed.
The legal basis is Art. 6(1) sentence 1 lit. b GDPR, as this is necessary to provide the profile picture function. You can change or delete an uploaded picture at any time.
d) Firebase App Check (protection against abuse)
We use Firebase App Check to protect our Firebase resources (e.g. database, storage and backend interfaces) against abuse, automated access and manipulation.
For Android devices, the Google Play Integrity API is used. Technical information about the app installation and the runtime environment is processed in order to verify that the app originates unmodified from the Google Play Store and is running on a trusted device. Based on this verification, a security token is generated and transmitted to Firebase.
In addition, for the use of the app in web/test mode we use reCAPTCHA (non-Enterprise) to prevent automated access and abusive connections. In doing so, technical connection data as well as reCAPTCHA-specific verification information may be processed.
Processing is carried out exclusively for the purposes of security, stability and abuse prevention. The legal basis is Art. 6(1) sentence 1 lit. f GDPR (legitimate interest in securing our IT systems and preventing abuse).
9. Push notifications (Firebase Cloud Messaging / FCM)
If you enable push notifications, we use Firebase Cloud Messaging (FCM), a service of Google LLC (for details on the provider, see Section 8 “Firebase”), to deliver notifications to your device (e.g. training reminders or information to maintain your streak). An FCM token is processed only if push notifications are enabled.
Which data is processed? For delivery, we process in particular:
a device-related push token (FCM token) assigned to your device or app installation,
technical delivery information (e.g. delivery time/error states),
where applicable, the information whether a notification was delivered/displayed (purely technical, insofar as provided by the operating system/FCM).
Depending on settings, the content of the notification may also contain data (e.g. training type/username), but is processed exclusively for the purpose of delivery.
Purpose of processing: Processing is carried out to deliver the notifications you request and to support app functions (e.g. reminders).
Legal basis and withdrawal: The legal basis is your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future by disabling push notifications in your device’s system settings or adjusting the relevant settings in the app (if available).
Retention period: The push token is stored as long as push notifications are enabled, or until you disable them in system settings, reset/uninstall the app, or we replace the token as part of technical updates. Technical delivery data is stored only as long as necessary for error analysis and secure operation.
10. Google AdMob
Our app uses Google AdMob to display advertisements. The provider is Google LLC (for details, see Section 8 “Firebase”).
Which data may be processed? Depending on your consent and the settings, AdMob may process in particular the following data:
your device’s advertising ID (Advertising ID) or comparable identifiers
IP address (usually truncated) and approximate location data derived from it
device and app information (e.g. device type, operating system, app version)
interactions with advertisements (e.g. impressions/clicks)
technical data for delivery, fraud prevention, reach measurement and frequency capping
Ads can be delivered personalised (interest-based) or non-personalised/contextual. Even for non-personalised ads, mobile identifiers or SDK information may be used, among other things, for frequency capping, security purposes and aggregated reporting.
Youth/children settings: We use AdMob settings to reduce the delivery of age-inappropriate ads (e.g. content filter “PG”). In addition, we mark requests for users in the EEA who are below the applicable digital age of consent accordingly, so that these users receive only contextual or restricted personalised ads.
Consent (CMP/UMP) and legal bases: Where legally required (in particular in the EEA/UK/CH), we obtain your consent via a Google-certified consent management solution (e.g. via the Google UMP SDK).
Personalised advertising: processing on the basis of your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR and § 25(1) TDDDG (access to information in the end device, e.g. advertising ID).
Non-personalised / restricted advertising: insofar as access to end-device information is also required for this, this likewise takes place only on the basis of your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR and § 25(1) TDDDG. If you do not give consent, we show—where technically available—only restricted/contextual ads.
Withdrawal: You may withdraw any consent given at any time with effect for the future or adjust your preferences via the privacy or consent settings within the App, insofar as technically available, or through your device settings (e.g. resetting or limiting the advertising ID).
Further information can be found in Google’s privacy information:
https://support.google.com/admob/answer/7676680 and
https://developers.google.com/admob/android/privacy/gdpr.
11. RevenueCat
For processing in-app purchases and subscriptions (“Pro features”), we use the service RevenueCat, provided by RevenueCat, Inc., 633 Taraval St. Suite 101, San Francisco, CA 94116, USA.
RevenueCat handles the technical management of subscriptions and purchases within our app and provides us with corresponding information (e.g. whether a valid subscription exists, which product variant was selected, term and renewal). In doing so, RevenueCat processes data such as: purchase and transaction information (e.g. purchase date, product ID, renewals, cancellations), anonymised device information (e.g. app installation ID, platform, operating system version) and your user ID, see Sections 2 and 5 of this Privacy Policy. Payment processing itself is carried out exclusively via the app store. We do not receive access from RevenueCat to sensitive payment data such as credit card numbers or bank details.
The legal basis for the use is Art. 6(1) lit. b GDPR (performance of a contract).
Further information on RevenueCat’s data protection can be found at: https://www.revenuecat.com/privacy
12. Recipients of personal data
Depending on the use of the app, personal data is transmitted to the following recipients or categories of recipients:
a) Service providers for hosting/backend and app functions
For core app functions as well as hosting and data processing, we use the Google Firebase platform (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), in particular for Cloud Firestore, Firebase Authentication, Crashlytics, Analytics (if consented), Firebase Storage, Firebase Cloud Messaging (FCM) and App Check.
b) Advertising service providers
For the display of advertisements, we use Google AdMob (Google LLC). Details on data processing and consent can be found in Section 10.
c) Subscription and purchase management
For the technical management of in-app purchases and subscriptions, we use RevenueCat, Inc., 633 Taraval St. Suite 101, San Francisco, CA 94116, USA (for details, see Section 11).
d) App stores / platform providers
Payment processing for in-app purchases and subscriptions is carried out exclusively via the respective app store or platform provider (e.g. Google Play Store; if used, also Apple App Store). We do not receive access to sensitive payment data (e.g. credit card numbers or bank details).
e) Internal recipients
Access to personal data is granted only to those employees/persons who require it to fulfil the purposes stated (need-to-know principle).
Data processing on our behalf: With service providers who process personal data on our behalf, we conclude—where required—data processing agreements pursuant to Art. 28 GDPR.
Notice regarding transfers to third countries: When using service providers based in the USA (in particular Google LLC and RevenueCat, Inc.), personal data may be processed in the USA. Where required, such a transfer is based on appropriate safeguards (e.g. adequacy decision of the EU Commission, in particular the EU–US Data Privacy Framework, and/or Standard Contractual Clauses).
13. Storage duration
We delete your personal data without undue delay once the purpose has been achieved. Accordingly, we store data from e-mails until your request has been fully processed and resolved; thereafter, this information is usually deleted. In addition, your personal data is generally deleted as soon as you delete your user account (and—if applicable—the associated subscription has ended). You can delete the data stored in the user account at any time yourself.
In addition, it is reviewed annually whether deletion of the data stored by you is possible.
Access data and server log files are deleted after one week.
Please note that certain data is subject to commercial and tax retention obligations of at least six years (§ 257 HGB) or ten years (§ 147 AO).
You are not legally obliged to provide your personal data. However, providing it may be necessary for concluding a contract or for functions of the website. If you do not provide it, a contract or a function on the website may therefore not be offered.
There is no automated decision-making in the app; profiling does not take place.
The rights of data subjects arise in particular from Articles 15 to 23 and Article 77 GDPR as well as from §§ 32 to 37 of the German Federal Data Protection Act (BDSG new).
You have the following rights with regard to your personal data:
Right of access, Art. 15 GDPR
Right to rectification, Art. 16 GDPR
Right to erasure, Art. 17 GDPR
Right to restriction of processing, Art. 18 GDPR
Right to data portability, Art. 20 GDPR
If you have given consent to the processing of personal data, you have the right to withdraw your consent, Art. 7 GDPR, with effect for the future.
You also have the right to object to the processing of personal data, Art. 21 GDPR.
1. You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1) sentence 1 lit. f GDPR (processing based on a balancing of interests).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
2. In individual cases, we process personal data to carry out direct advertising. If this applies to you, you have the right to object at any time to the processing of data concerning you for the purpose of such advertising.
If you object to processing for direct advertising purposes, we will no longer process your personal data for these purposes.
The objection may be made informally and should preferably be addressed to us; see above under Section 1.
If you believe that the processing of personal data concerning you violates data protection law, you always have the right to lodge a complaint with the competent supervisory authority, see Art. 77 GDPR. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
A data protection officer has not been appointed. The contact details of the data protection officers in the federal states, the supervisory authorities for the non-public sector, broadcasting, churches, in Europe and abroad, as well as the Virtual Data Protection Office can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (Landesbeauftragte für Datenschutz Nordrhein-Westfalen), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.
Account Deletion
You can delete your user account and associated personal data at any time directly within the App (Settings > Account settings > Delete Account).
If you are unable to access the App, you may alternatively request account deletion via our website: