Supportive Stranger

IMPRESSUM

Angaben gemäß § 5 DDGDr. Yulia Rönsch
Kirchenstrasse 2
82194 Gröbenzell
DeutschlandKontakt
Telefon: +49 177 4901659
E-Mail: [email protected]Verantwortlich für den Inhalt nach § 18 Abs. 2 MStV
Dr. Yulia Rönsch
Kirchenstrasse 2
82194 GröbenzellVerbraucherstreitbeilegung/Universalschlichtungsstelle
Wir sind nicht bereit oder verpflichtet, an Streitbeilegungsverfahren vor einer Verbraucherschlichtungsstelle teilzunehmen.

Legal Notice

Information according to § 5 DDG
Dr. Yulia Rönsch
Kirchenstrasse 2
82194 Gröbenzell
GermanyContact
Phone: +49 177 4901659
Email: [email protected]Responsible for content according to § 18 Para. 2 MStV
Dr. Yulia Rönsch (Address as above)Dispute Resolution
We are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.

Datenschutzerklärung

1. Allgemeine Hinweise
Diese Datenschutzerklärung informiert Sie über die Verarbeitung personenbezogener Daten auf dieser Website. Diese Website dient rein informativen Zwecken („Link-Tree“) und verzichtet auf Analyse-Tools, Cookies oder Kontaktformulare.2. Verantwortliche Stelle
Verantwortlich für die Datenverarbeitung auf dieser Website ist:
Dr. Yulia Rönsch
Kirchenstrasse 2
82194 Gröbenzell
E-Mail: [email protected]3. Datenerfassung beim Besuch der Website
Beim Aufruf dieser Website werden durch den Hostinganbieter (Carrd Inc.) automatisch Informationen in sogenannten Server-Log-Files erhoben, die Ihr Browser automatisch übermittelt. Dies sind:- Browsertyp und Browserversion- Verwendetes Betriebssystem- Referrer URL (die zuvor besuchte Seite)- Hostname des zugreifenden Rechners- Uhrzeit der Serveranfrage- IP-AdresseDiese Daten sind technisch notwendig, um Ihnen die Website anzuzeigen und die Sicherheit der Server zu gewährleisten. Rechtsgrundlage ist Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse).4. Datenübertragung in die USA
Diese Website wird über Carrd Inc. (675 Ponce de Leon Ave NE, Atlanta, GA 30308, USA) gehostet. Dabei können Daten an Server in den USA übertragen werden. Carrd stellt den Schutz der Daten durch Standardvertragsklauseln (Standard Contractual Clauses) sicher, um das europäische Datenschutzniveau zu wahren.5. Cookies und Tracking
Diese Website verwendet keine Cookies und keine Analyse-Tools (wie Google Analytics). Es findet keine Auswertung Ihres Nutzerverhaltens statt.6. Ihre Rechte
Sie haben das Recht auf Auskunft, Berichtigung, Löschung oder Einschränkung der Verarbeitung Ihrer gespeicherten Daten. Bitte kontaktieren Sie mich dazu unter der oben genannten E-Mail-Adresse.

Privacy Policy

1. General Information
This privacy policy informs you about the processing of personal data on this website. This website serves purely as an information hub ("Link-Tree") and does not use any analytics tools, cookies, or contact forms.2. Data Controller
The controller responsible for data processing on this website is:
Dr. Yulia Rönsch
Kirchenstrasse 2
82194 Gröbenzell
Germany
Email: [email protected]3. Data Collection when Visiting the Website
When you access this website, the hosting provider (Carrd Inc.) automatically collects information in so-called server log files, which your browser automatically transmits. These include:
-Browser type and version
- Operating system used
- Referrer URL (the previously visited page)
- Hostname of the accessing computer
- Time of the server request
- IP addressThis data is technically necessary to display the website and ensure server security. The legal basis is Art. 6 Para. 1 lit. f GDPR (legitimate interest).4. Data Transfer to the USA
This website is hosted via Carrd Inc. (675 Ponce de Leon Ave NE, Atlanta, GA 30308, USA). As part of this, data may be transferred to servers in the USA. Carrd ensures data protection through Standard Contractual Clauses (SCCs) to maintain a level of data protection equivalent to European standards.5. Cookies and Tracking
This website uses no cookies and no analytics tools (such as Google Analytics). No evaluation of your user behavior takes place.6. Your Rights
You have the right to information, rectification, erasure, or restriction of the processing of your stored data. Please contact me at the email address provided above for any inquiries.

Privacy Policy Supportive Stranger application

Last Updated: May 4, 2026Provider / Data Controller:Dr. Yulia RönschKirchenstrasse 282194 Gröbenzell, GermanyEmail: [email protected]Phone: +49-177-4901659IntroductionThis Privacy Policy explains how we collect, use, and protect your personal data when you use the Supportive Stranger mobile application ("App"). It applies to all users worldwide.The App is built around a "privacy-by-design" approach. Your diary entries and saved journal entries are stored locally on your device and are not retained on our servers. AI processing of your entries happens on a stateless basis — providers process your text in real time and do not retain it afterwards. We do not use cookies, advertising trackers, or analytics. We do not maintain user accounts, and we do not know who you are by name.We do, however, process some pseudonymous data on our servers in order to operate the in-app purchase system: a hashed device identifier, your remaining reflection balance, and a transaction ID from Apple. This policy describes that processing honestly and in detail.1. Data ControllerThe data controller responsible for your personal data is:Dr. Yulia Rönsch, Kirchenstrasse 2, 82194 Gröbenzell, Germany.Email: [email protected] — Phone: +49-177-4901659.2. Categories of Data We Process2.1 Data that stays on your deviceThe following data is stored exclusively on your device and is not transmitted to or stored by us: diary entries that you write (maximum 100 words per entry); saved journal entries, including the AI-generated supportive text and AI-generated illustration that accompany each completed reflection (this applies regardless of whether you used the release flow "Dark thoughts" or the keep flow "Neutral notes" — the symbolic shatter ritual in the release flow is part of the user experience and does not delete the AI-generated content); local preferences and settings, including a flag indicating which character style (female or male figure) you selected during onboarding; and your device type, operating system version, and App version, which are used only by the App on your device for technical compatibility and are not transmitted to our backend.2.2 Data we receive on our serversWhen you use the App, our backend receives only the following:A hashed device identifier. When the App is first installed, it generates a random hex string ("device token") and stores it in local storage on your device. Before any request is sent to our backend, this token is hashed using SHA-256 and only the hash is transmitted. We use this hash to identify your device pseudonymously for the purpose of tracking your reflection balance. The hash cannot be reversed to reveal the original token.The text of a diary entry, only at the moment you request a reflection, and only for the purpose of forwarding it to the AI providers (see Section 4). We do not write the entry text to any persistent storage on our backend.The character style flag ("female" or "male"), passed alongside the diary entry so the AI providers can generate an illustration consistent with your choice.Reflection balance metadata: the number of reflections remaining for your device hash and the expiry date of your current reflection package.In-app purchase data, when you buy a Reflection Package: the StoreKit 2 transaction object passed to us by Apple, including the original transaction ID. We store the transaction ID to credit the corresponding reflections to your device hash and to prevent the same transaction from being credited twice.2.3 Data generated by AI providersWhen you request a reflection, third-party AI providers generate a short supportive text response and an illustration based on your entry. These outputs are returned to your device and saved in your local journal alongside your entry.2.4 Data we do not collectWe do not collect or process: your name, email address, phone number, postal address, or any other identifying contact data; precise or approximate location data; cookies or tracking identifiers; advertising identifiers (IDFA / IDFV); usage analytics, crash analytics, or behavioural statistics; or biometric or health data of any clinical kind.3. Purposes of Processing and Legal Bases (GDPR)For users in the EU, EEA, and the UK, the following sets out for each processing purpose the legal basis under Article 6(1) GDPR (and Article 6(1) UK GDPR).Operating your local diary and journal.Data: data in Section 2.1 (stays on device).Legal basis: Article 6(1)(b) GDPR — performance of the contract you entered into by accepting the Terms of Service. (Because this data does not leave your device, we as the controller do not, in practice, "process" it on our infrastructure.)Generating a reflection (forwarding the diary entry to AI providers and returning the result).Data: diary entry text, character style flag, device hash.Legal basis: Article 6(1)(b) GDPR — performance of the contract for the reflection.Tracking your reflection balance and expiry.Data: device hash, reflection balance, expiry date.Legal basis: Article 6(1)(b) GDPR — performance of the contract.Processing in-app purchases and preventing double-crediting of transactions.Data: device hash, StoreKit transaction ID.Legal basis: Article 6(1)(b) GDPR — performance of the IAP contract.Retaining transaction records for tax and accounting purposes.Data: StoreKit transaction ID, purchase date, package.Legal basis: Article 6(1)(c) GDPR — compliance with a legal obligation, in particular §§ 140, 147 of the German Fiscal Code (Abgabenordnung).Securing the backend against abuse (e.g. rate limiting, blocking obviously malicious requests).Data: device hash, request metadata.Legal basis: Article 6(1)(f) GDPR — our legitimate interest in protecting the App and other users from abuse. You may object at any time on grounds relating to your particular situation (Article 21 GDPR), as described in Section 8.Where we rely on legitimate interests (Article 6(1)(f) GDPR), our interests are: maintaining the integrity, availability, and security of the App, and preventing fraud and abuse. We have considered your interests and rights and concluded that the limited, pseudonymous processing involved does not override them.4. AI Processing of Your Diary EntriesWhen you tap the button that requests a reflection, the App sends your diary entry text to two AI providers in parallel: Anthropic, PBC (Claude Sonnet model), which generates the supportive text response; and Google LLC via Google Cloud Vertex AI (Gemini 2.5 Flash image model), which generates the illustration.Processing happens in real time. Each request is independent: the AI providers do not retain a conversation history with you, do not link entries together, and do not use your entries to train their AI models. The outputs are returned to your device, where they are saved alongside your entry in your local journal.Both providers act as processors on our behalf within the meaning of Article 28 GDPR. We have entered into Data Processing Agreements with them that contractually require them to process data only on our instructions, to apply appropriate security measures, and not to use your data for any other purpose.5. Recipients of Data and International TransfersThe following recipients receive your personal data in the course of operating the App.Railway Corp. — Backend hosting and PostgreSQL database (stores device hash, reflection balance, transaction ID). Country of processing: United States. Transfer safeguard: EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, plus a Data Processing Agreement.Anthropic, PBC — AI text generation (processor). Country of processing: United States. Transfer safeguard: EU Standard Contractual Clauses, plus a Data Processing Agreement.Google LLC (Google Cloud Vertex AI) — AI image generation (processor). Country of processing: United States and/or EU/EEA regions, depending on operational requirements (currently us-central1). Transfer safeguard: EU Standard Contractual Clauses where US-based regions are used; Data Processing Agreement under Google's Cloud Data Processing Addendum.Apple Inc. / Apple Distribution International Ltd. — In-app purchase processing (Apple is the merchant of record). Apple receives your payment data directly from you; we receive only the StoreKit transaction ID. Apple processes data globally, including in the United States and Ireland. Transfer safeguard: Apple's own published transfer mechanisms (SCCs, Apple Privacy Policy at https://www.apple.com/legal/privacy/).You can request a copy of the safeguards we have put in place for transfers to third countries (in particular the SCCs and Data Processing Agreements with Railway, Anthropic, and Google) by writing to [email protected]. We will provide them in a redacted form to the extent necessary to protect commercial confidentiality of unrelated terms.We do not sell, rent, or share your personal data with any other third parties. We do not engage in any form of advertising or profiling.6. Data RetentionDiary entries and saved journal entries (on your device): retained on your device until you delete the entry or uninstall the App. We have no ability to access, recover, or restore this data.Diary entry text sent to AI providers for reflection generation: processed in real time; not retained by us. AI providers process on a stateless basis and do not retain entry text after the request completes.Device hash and reflection balance metadata: retained for as long as a reflection package is active. After the balance reaches zero and any active expiry has passed, the row is retained for up to 90 additional days to enable refund and dispute handling, and is then deleted.StoreKit transaction ID and purchase metadata: retained for the period required by German tax and commercial law (currently up to 10 years under § 147 AO and § 257 HGB). After this period the data is deleted.7. SecurityWe use TLS encryption for all communication between the App and our backend, and between our backend and the AI providers. Access to our backend infrastructure is restricted and authenticated. We hash device tokens with SHA-256 before any server-side storage so that the original identifier never reaches our database. Local data on your device is protected by your device's built-in security features (e.g. iOS Data Protection); we recommend that you secure your device with a passcode or biometric lock and keep your operating system updated.No system can be guaranteed to be perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority in accordance with Article 33 GDPR and, where required by Article 34 GDPR, we will inform affected users by an in-app notification or other suitable means.8. Your RightsRegardless of where you live, you can: see your saved entries directly in the App and delete any individual entry at any time; uninstall the App at any time, which will remove all locally stored data from your device; and contact us at [email protected] with any privacy question or request. We aim to respond within 30 days.Because we identify your device only by an unrecoverable SHA-256 hash and hold no name, email, or other contact data linked to it, we are generally unable to single you out in our server-side records and have no way to confirm which row, if any, relates to you specifically. In line with Article 11(2) GDPR, we are not obliged to maintain, acquire, or process additional information for the sole purpose of identifying you. We have made the design choice not to do so, in your interest.Practically, this means: if you wish to delete the data associated with your device, the most reliable method is to uninstall the App, which removes the device token from your device — the corresponding row in our database becomes untraceable to you and is deleted on the schedule set out in Section 6. If you wish to obtain or query records of an in-app purchase, we may be able to assist if you provide us with the Apple original transaction ID for the purchase (visible in your Apple ID purchase history). We do not require any other identifying information. For all other server-side data, we will respond to your request to the extent we can, while being transparent about the limits of identification described above.8.1 EU and EEA users (GDPR)You have the right to: access the data we hold about you (Article 15); rectification of inaccurate data (Article 16); erasure ("right to be forgotten") in the cases set out in Article 17 — note that we may need to retain the StoreKit transaction ID for the periods in Section 6 to comply with our legal obligations; restriction of processing (Article 18); data portability for data processed on the basis of consent or contract (Article 20); object to processing based on legitimate interests (Article 21), including the right to object on grounds relating to your particular situation; and withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for our processing is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — https://www.lda.bayern.de. You may also lodge a complaint with the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement. A directory of EU/EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.8.2 UK users (UK GDPR)Your rights are equivalent to those under the EU GDPR. You may contact the Information Commissioner's Office at https://ico.org.uk.8.3 California residents (CCPA / CPRA)If you are a California resident, you have the right to: know what categories of personal information we collect, the purposes for which we use it, and the categories of recipients; access the specific pieces of personal information we hold about you; correct inaccurate personal information; delete personal information, subject to legal exceptions (e.g. transaction records we must retain by law); limit our use of sensitive personal information (we do not use any data for purposes other than those described in this policy); opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising or for any other purpose; and not be discriminated against for exercising these rights.To exercise these rights, contact [email protected].8.4 Canadian users (PIPEDA)You have the right to access personal information we hold about you and to challenge its accuracy. Given our local-first architecture, virtually all your data resides on your own device. Contact [email protected] with any questions. You may also contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.8.5 Australian users (Privacy Act 1988)You may request access to or correction of your personal information. If you believe we have breached the Australian Privacy Principles, you may complain to the Office of the Australian Information Commissioner at https://www.oaic.gov.au.8.6 All other usersYou have the right to access, correct, and delete your personal data to the extent required by the laws of your country. Because most of your data is stored locally on your device, you already have direct control over it. Contact us at [email protected] with any requests or concerns.9. Children's PrivacyThe App is intended for users aged 17 years and older,