Privacy Policy
1. Who we are
Data controller: Jan Lunge, sole proprietor (Heaper), Schloßstrasse 8a, 9273 Düssin.
Contact: support@heaper.de
Legal/DSAR requests: legal@heaper.de
2. What this policy covers
This notice explains how we collect, use, share and protect personal data when you use: • Heaper apps for iOS, iPadOS, Android, macOS, Windows & Linux (the "Apps"); • heaper.app and associated sub-domains (the "Website"); and • our optional cloud-sync platform (the "Server"). • the selfhosted sync backend (the "selfhosted Server"). • support interactions (e-mail, chat).
3. Data we collect
| Category (Apple label / Google data-type) | Examples | Purpose | Linked to you? |
|---|---|---|---|
| Account Data | Email, display name, authentication token, subscription status | Create and secure your account, billing | ✔ |
| Files & notes content | The documents, images, audio, tags and metadata you store | Core functionality (storage, sync, search, thumbnails) | ✔ |
| Device & connection data | Device model, OS version, language, timezone, IP | Diagnostics, fraud prevention | ✖ (aggregated) |
| Usage Data | Feature interactions, timestamps, change history | Sync, conflict resolution, product analytics | ✔ (pseudonymous UID) |
| Crash & error logs | Stack traces, error messages, App build ID | Improve stability | ✔ (may contain device ID) |
| Payment data | Processed by Apple, Google or Stripe; we receive transaction confirmation only | Fulfil subscription | ✔ (reference only) |
| Support communications | E-mail messages, feedback, bug reports | Customer support | ✔ |
| Cookies & local storage | No Cookies, Session tokens (access & refresh), local app preferences, sqlite based local cache for users data | Website functionality, security | ✔ |
We do not collect precise GPS location, contact lists, advertising IDs, health data or biometrics.
4. How we use the data
Legal bases under GDPR Art. 6 are shown in ( ).
- Provide and sync your content (performance of contract).
- Generate thumbnails, full-text and tag search indexes on the Server: we have read access to your data for processing, serving, indexing, and search functionality (legitimate interest).
- Maintain offline functionality – all content is stored locally; sync is opt-in.
- Diagnostics & crash reports to keep the Apps reliable (legitimate interest).
- Security: audit logs detect abuse and recover from accidental deletions (legitimate interest / vital interest).
- Billing & compliance (legal obligation).
- Marketing communications where you have consented (consent - GDPR Art. 6(1)(a)).
- Cookies: strictly necessary cookies (legitimate interest); optional analytics cookies (consent).
We never sell personal data or use it for third-party advertising.
5. Sharing & processors
We share data only with service providers bound by data-processing agreements:
| Processor | Role | Region | Safeguards |
|---|---|---|---|
| Cloud hosting providers (Infomaniak) | Servers, encrypted object storage | EU | SCCs / ISO 27001:2022 |
| Analytics services (Insighthub, Umami) | Crash & error logging | US & EU | SCCs + IP anonymisation |
| Apple / Google / Stripe | Payments | Various | Their own compliance |
| Push notification providers (FCM, APNs) | Message delivery | US | SCCs |
| Email service (SendGrid) | Transactional emails | US | SCCs |
Sub-processor list last updated: 2025-07-13. We will notify users 14 days before onboarding new processors.
6. International transfers
Where data leaves the EEA, we rely on Standard Contractual Clauses and EU-US Data Privacy Framework (where applicable) with additional security measures.
7. Your rights
Under GDPR (& UK GDPR/DSA/CCPA where applicable) you may: • Access or export your data ("Data Portability" – ZIP/JSON). • Correct or delete notes & files. Deletion cascades to server backups within 30 days. • Object to processing or request restriction. • Withdraw consent for marketing/analytics (does not affect contract-based processing). • Lodge a complaint with your supervisory authority.
To exercise these rights, e-mail privacy@heaper.de; we'll respond within 30 days.
Competent supervisory authority: Der Landesdatenschutzbeauftragte Mecklenburg-Vorpommern.
8. Security measures
• TLS 1.3 in transit; AES-256 at rest. • Email authentication codes with short livetime. • Sessions with short lived access tokens and longer-lived revokable refresh tokens. • Decentral authentication with EDDSA public and private key challenges. • Application has access to user data for operational purposes (serving, indexing, search, thumbnails). • the users files and data are replicated to their device allowing offline use even when the server is not reachable.
9. Data retention
| Data set | Retention rule |
|---|---|
| Account Data & subscription data | While account is active + 6 years for tax |
| Notes & files | Until you delete them or 12 months after account closure |
| Crash logs | 90 days rolling window |
| Server change logs | 30 days to resolve sync conflicts |
| Support communications | 3 years after resolution |
| Marketing consent records | 3 years after withdrawal |
10. Automated decision-making
We do not use automated decision-making or profiling that produces legal effects concerning you.
11. Children
Heaper is not intended for children under 16 in the EEA (13 elsewhere). We do not knowingly collect their data.
12. Changes
We will post any changes here and in the Apps' "About → Privacy" screen 14 days before they take effect. For material changes we will request consent via in-app prompt.
13. Contact
Privacy queries: privacy@heaper.de
Legal/DSAR requests: legal@heaper.de
Data-protection officer (EU): Jan Lunge, Schloßstrasse 8a, 9273 Düssin
There is a right to complain to a supervisory authority. All consents that have been given on the basis of GDPR Art. 6 No. 1 letter a or GDPR Article 9 No. 2 letter a can be revoked.
Crafted with care by Jan Lunge
Independent software for independent minds