Privacy policy
Version: 11 June 2025
Contents
- Controller
- Data-Protection Officer
- Definitions
- Purposes & Legal Bases
- Hosting & Content Delivery
- Server Log Files
- Cookies & Consent Management
- Web-Analytics & Marketing Tools
- International Data Transfers
- Storage Periods
- Recipients / Categories of Recipients
- Data-Subject Rights
- Withdrawal of Consent
- Security
- Child-Protection Notice
- Changes to This Policy
1. Controller
a2zebra GmbH
Bouchéstraße 12, Halle 20
12435 Berlin – Germany
Commercial Register: HRB 248729 B, Local Court Berlin-Charlottenburg
E-mail: privacy@a2zebra.de
2. Data-Protection Officer
No DPO is appointed because we employ fewer than 20 persons (Art. 37 GDPR not applicable). All privacy enquiries: privacy@a2zebra.de.
3. Definitions
The definitions of Art. 4 GDPR apply (e.g., “personal data”, “processing”, “controller”).
4. Purposes and Legal Bases of Processing
Data-Processing Agreements (Art. 28 GDPR) are in place with all named service providers.
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Website access (hosting) | IP address, timestamp, user agent | Art. 6(1)(f) GDPR — legitimate interest (technical operation) |
| Web analytics (Google Analytics 4) | Pseudonymised usage & interaction data | Art. 6(1)(a) GDPR — consent |
| Conversion tracking & remarketing (Meta Pixel, Google Ads, Google Tag Manager, Pinterest Tag, TikTok Pixel) | Cookie/pixel IDs, events, pseudonymised profiles | Art. 6(1)(a) GDPR — consent |
| Shop processing via Shopify | Order, payment, shipping & contract data | Art. 6(1)(b) GDPR — contract; Art. 6(1)(c) — legal retention duties |
| Newsletter | E-mail address, optional name & preferences | Art. 6(1)(a) GDPR — consent |
(Shopify, Google, Meta, TikTok, Pinterest as relevant processors/controllers under applicable arrangements.)
5. Hosting and Content Delivery
Hosted by Shopify International Ltd., Victoria Buildings, 2 Haddington Road, Dublin 4, Ireland. Legal basis: Art. 6(1)(f) GDPR in conjunction with an Art. 28 processing contract.
6. Server Log Files
Collected on each page view: IP address, date/time, requested resource, referrer, browser information. Retention: max. 14 days; no merge with other data. Legitimate interests: technical security & abuse investigation.
7. Cookies & Consent Management
On first visit a cookie banner requests and logs your consent (Art. 6(1)(a) GDPR / § 25 TTDSG). Essential cookies are set under § 25(2) TTDSG. Preferences can be changed anytime via the consent centre.
8. Web-Analytics & Marketing Tools
- Google Analytics 4 — IP anonymisation; US processing under SCC; retention 14 months; opt-out via browser add-on.
- Meta Pixel — conversion measurement & Custom Audiences; opt-out in Facebook ad settings.
- Google Tag Manager & Google Ads — conversion & remarketing.
- TikTok Pixel — advertising & analytics.
- Pinterest Tag — campaign analytics.
- Shopify Analytics — functional & statistical cookies for shop features.
All non-essential tools operate only with your consent.
9. International Data Transfers
Data may be sent to parent companies in the USA (Google, Meta, TikTok, Pinterest) or Canada (Shopify). Safeguards include Standard Contractual Clauses (Art. 46 GDPR) for the USA, an adequacy decision for Canada, and additional measures (pseudonymisation, encryption).
10. Storage Periods
| Data Type | Period | Basis |
|---|---|---|
| Contract & invoice data | 6 / 10 years | § 147 AO / § 257 HGB |
| Marketing cookies | Until withdrawal / 13 months | Art. 6(1)(a) GDPR |
| Server log files | 14 days | Art. 6(1)(f) GDPR |
11. Recipients / Categories of Recipients
- Hosting & IT (Shopify)
- Payment providers (e.g., Stripe, PayPal)
- Analytics & marketing partners (Google, Meta, TikTok, Pinterest)
All recipients are bound by Art. 28 GDPR contracts.
12. Data-Subject Rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). Supervisory authority: Berlin Commissioner for Data Protection and Freedom of Information (datenschutz-berlin.de).
13. Withdrawal of Consent
You may withdraw consent at any time with future effect, e.g., in the cookie centre or via privacy@a2zebra.de.
14. Security
We use TLS encryption (HTTPS) and appropriate technical and organisational measures as per Art. 32 GDPR.
15. Child-Protection Notice
Our product targets pre-school children, but this website is for adult guardians only. Persons under 16 must not transmit personal data without parental consent.
16. Changes to This Policy
We update this policy when technical or legal changes occur. The current version is always available at tuktoro.com/en/policies/privacy-policy.
TukToro by a2zebra GmbH · Bouchéstraße 12, Halle 20 · 12435 Berlin · www.tuktoro.com
Mobile-App Privacy Policy “TukToro”
Version: 11 June 2025
Contents
- Controller
- Scope
- Definitions
- Individual Processing Activities
- Legal Basis Overview
- Cookies / SDK IDs & Consent
- Non-EU/EEA Recipients
- Storage & Deletion
- Your Rights
- Technical & Organisational Measures
- Child Protection
- Automated Decisions
- Data Provision Obligation
- Changes to this Policy
1. Controller
a2zebra GmbH (TukToro)
Bouchéstraße 12, Halle 20
12435 Berlin, Germany
E-mail: info@a2zebra.de
Data Protection Officer (DPO): No DPO appointed (< 20 employees; Art. 37 GDPR not applicable). All enquiries: privacy@a2zebra.de.
2. Scope
This notice explains how we process personal data when you use our iOS or Android app “TukToro”. It does not cover our website or web-shop (see separate policy at tuktoro.com/policies/privacy-policy).
3. Definitions
Terms follow Art. 4 GDPR (“personal data”, “processing”, “data subject”, etc.).
4. Individual Processing Activities
A separate Data Processing Agreement (Art. 28 GDPR) exists with every service listed.
| No. | Purpose / Activity | Services | Data | Legal Basis | Recipient / Third Country | Retention |
|---|---|---|---|---|---|---|
| 5.1 | App hosting & DB | Google Firebase (Firestore, Realtime DB, Cloud Storage) | User ID, auth token, e-mail, profile data, device & Bluetooth data, usage logs | Contract (Art. 6(1)(b)); consent (Bluetooth); legitimate interest (stability, abuse) | Google LLC, USA — EU-US DPF (certified) or SCC | 24 months after last login |
| 5.2 | Push notifications | Firebase Cloud Messaging (Android), Apple APNS (iOS) | Device token, user ID, language | Contract (Art. 6(1)(b), § 25(2) TTDSG) | Google LLC / Apple Inc., USA — SCC/DPF | Until push opt-out |
| 5.3 | Authentication / SSO | Sign in with Google / Apple | Name (opt.), e-mail, SSO token, user ID | Contract (Art. 6(1)(b), § 25(2) TTDSG) | Google LLC / Apple Inc., USA — SCC/DPF | 24 months after last login |
| 5.4 | Learning-progress analytics | Amplitude; Google Analytics for Firebase | Shortened IP, device & usage data, events, user ID | Legitimate interest (Art. 6(1)(f)) — ensure correct functionality | Amplitude Inc. / Google LLC, USA — SCC/DPF | 24 months (Amplitude) / 14 months (GA) |
| 5.5 | Crash & performance | Firebase Crashlytics | Device ID, app version, crash logs | Legitimate interest (Art. 6(1)(f)) | Google LLC, USA — SCC/DPF | 90 days |
| 5.6 | Support & communications | Xentral Helpdesk; Google Workspace | E-mail, name, ticket content | Contract (Art. 6(1)(b)) / Legitimate interest (f) | Xentral GmbH (EU); Google LLC (USA) — SCC/DPF | Ticket close + 6 months |
Note on third-country transfers: For recipients in the USA, we base the data transfer on the adequacy decision on the EU-US Data Privacy Framework (if certified) or on standard contractual clauses (Art. 46(2)(c) GDPR). Additional protective measures such as end-to-end TLS, pseudonymisation and strict rights management are implemented.
5. Legal Basis Overview
| Art. 6 GDPR | Description | Examples |
|---|---|---|
| (a) Consent | Voluntary, revocable | Bluetooth, push notifications |
| (b) Contract | Provide app services | User account, support |
| (f) Legitimate interest | Balanced against your interests | Crash logs, fraud prevention |
| (c) Legal obligation | Statutory retention (HGB/AO) | Invoices, bookkeeping |
Revocation and objection options can be found under point 9.
6. Cookies / SDK IDs & Consent
The app does not use classic HTTP cookies, but comparable technologies (e.g., mobile SDK identifiers). On first start, we offer an opt-in function where you can consent to processing per this policy. Your decision is documented in the database. To revoke consent, contact privacy@a2zebra.de.
7. Non-EU/EEA Recipients
Data is only transferred to third countries without an adequacy decision if Standard Contractual Clauses (SCC) are concluded and additional technical protection measures (end-to-end encryption, pseudonymisation, role-based access) are implemented.
8. Storage & Deletion
Personal data is deleted or anonymised as soon as the processing purpose no longer applies and there are no statutory retention periods to the contrary. Specific time limits are listed in section 4.
9. Your Rights
- Information (Art. 15 GDPR)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction (Art. 18)
- Data portability (Art. 20)
- Objection to processing based on Art. 6(1)(f) GDPR (Art. 21)
- Withdrawal of consent (Art. 7(3))
- Complaint to a data protection supervisory authority (Art. 77) — e.g., Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin.
Assert your rights via privacy@a2zebra.de.
10. Technical & Organisational Measures
- End-to-end TLS (TLS 1.3) between app and backend
- AES-256 encryption of data at rest (Firebase, cloud storage)
- Two-factor authentication & role-based authorization concept
- Regular penetration tests and vulnerability scans
- Redundant backups, disaster recovery plans
- Logging & monitoring (SIEM) with 30-day retention
11. Child Protection
The app is also aimed at children under the age of 16. In accordance with Art. 8 GDPR, we only process personal data of children under 16 with parental consent. By accepting this policy, you confirm custody and consent to processing as described. Parents may withdraw consent at any time (see section 10); we will then delete or anonymise the child’s data immediately.
12. Automated Decisions
No automated decision-making within the meaning of Art. 22 GDPR.
13. Data Provision Obligation
Basic & contract data (e-mail, auth token) are required to use the app. Non-essential data (e.g., push notifications) are voluntary.
14. Changes to this Policy
We will adapt this policy when app functionality changes, new service providers are integrated, or legal requirements make this necessary. The current version is available on our website.
© 2025 a2zebra GmbH (TukToro) — All rights reserved. · www.tuktoro.com