Privacy Policy
Status: January 2026
1. Introduction and Purpose of this Declaration
With this privacy policy, Azano Media, Asternweg 2a, 82538 Geretsried (hereinafter „we“ or „Snibit“) informs you about the type, scope, and purposes of the collection, processing, and use of personal data in connection with the use of the mobile application „Snibit“, the associated website https://www.snibit.app, and the connected backend and hosting services. Snibit is a platform for documenting and sharing personal tastings („Snibs“) of food, drinks, and similar products. The app is intended exclusively for adult users (18 years and older), as content regarding alcoholic beverages or tobacco products may be recorded. Active age verification is currently not performed; use is at the user’s own responsibility. Snibit commits to complying with all relevant data protection regulations, in particular the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG-new), and the Telecommunications-Telemedia Data Protection Act (TTDSG). The processing of personal data is always carried out in accordance with the principles of lawfulness, transparency, and purpose limitation.
2. Definitions (Art. 4 GDPR)
This declaration uses the terms defined in Art. 4 GDPR. The most important terms are:
- „personal data“: any information relating to an identified or identifiable natural person.
- „processing“: any operation performed in connection with personal data (collection, storage, use, transfer, deletion).
- „controller“: the body that decides on the purposes and means of processing.
- „processor“: the body that processes personal data on behalf of the controller.
- „consent“: any freely given, informed, and unambiguous expression of will.
3. Controller
Azano Media
Asternweg 2a
82538 Geretsried / Germany
Email: hello@snibit.app
A data protection officer has not been appointed, as the legal requirements of Art. 37 GDPR in conjunction with § 38 BDSG are not met. Data protection inquiries can be addressed directly to the controller.
4. Principles of Processing (Art. 5 GDPR)
- Lawfulness, fairness, transparency
- Purpose limitation – processing only for specified, explicit purposes.
- Data minimization – only necessary data is processed.
- Accuracy – incorrect data will be corrected or deleted.
- Storage limitation – data is stored no longer than necessary.
- Integrity and confidentiality – technical and organizational protection measures (Art. 32 GDPR).
5. Legal Basis for Processing (Art. 6 GDPR)
- Art. 6 Para. 1 lit. a GDPR – Consent;
- Art. 6 Para. 1 lit. b GDPR – Performance of contract / pre-contractual measures;
- Art. 6 Para. 1 lit. c GDPR – Legal obligation;
- Art. 6 Para. 1 lit. f GDPR – Legitimate interest (security, functionality, error analysis).
6. Individual Processing Operations
6.1 Registration and User Account
Purpose: Creation and management of user accounts.
Data: Email, username, password (hash), logins, technical identifiers.
Legal Basis: Art. 6 Para. 1 lit. b GDPR.
Recipient: PureHost | IT-Solutions (Germany).
Storage Duration: Until the account is deleted.
6.2 Login via Third-Party Providers (Social Login – Google / Meta)
Purpose: Login via existing accounts.
Data: Profile ID, name, email, auth token.
Legal Basis: Art. 6 Para. 1 lit. a GDPR.
Recipient: Google Ireland Ltd., Meta Platforms Ireland Ltd. (each as independent controllers).
Third-Country Transfer: USA – according to EU–US Data Privacy Framework (DPF).
Further information:
- Google: https://policies.google.com/privacy
- Meta: https://www.facebook.com/privacy/policy/
6.3 Creation and Storage of „Snibs“
Purpose: Recording personal tastings.
Data: Title, category, description, rating, photos, location, timestamp.
Legal Basis: Art. 6 Para. 1 lit. b GDPR, Art. 6 Para. 1 lit. a GDPR (photos/location).
Storage Duration: Until deletion of the Snib or account.
6.4 Spotlight Function
Purpose: Anonymous publication of Snibs.
Data: Anonymized content without personal reference.
Legal Basis: Art. 6 Para. 1 lit. a GDPR.
Storage Duration: Until revocation of release.
6.5 Group Functions
Purpose: Sharing of Snibs with other users.
Data: Username, group ID, shared Snibs.
Legal Basis: Art. 6 Para. 1 lit. b GDPR.
Recipient: Exclusively group members.
6.6 Location Data
Used only after explicit system release (GPS). No background tracking.
Legal Basis: Art. 6 Para. 1 lit. a GDPR.
Storage Duration: Until deletion of the Snib or revocation.
6.7 Communication and Support
Purpose: Processing of support and contact requests.
Data: Email, content data, timestamp, technical metadata.
Legal Basis: Art. 6 Para. 1 lit. b and lit. f GDPR.
Storage Duration: Six months after completion of the request.
6.8 Push Notifications (Firebase Cloud Messaging)
Purpose: Delivery of notifications.
Data: Anonymous device token, technical metadata.
Recipient: Google Ireland Ltd., Processor according to Art. 28 GDPR.
Note: No profiling, no personal analysis.
Legal Basis: Art. 6 Para. 1 lit. a GDPR.
Storage Duration: Until revocation.
6.9 Analysis and Tracking Tools (App)
- Firebase Analytics / Crashlytics: Error analysis and usage statistics; consent required.
- Meta SDK: Performance measurement for campaigns; consent required.
- Google Maps API: Map display; consent required.
Third-Country Transfer: USA – DPF or SCC.
6.9.1 Consent Management Platform (CMP – App)
The app uses the Consent Management Platform „Consentmanager.net“ (Consentmanager AB, Sweden). The platform manages consents according to Art. 7 GDPR and § 25 TTDSG. Pseudonymous consent IDs, times, and selection categories are stored.
Legal Bases: Art. 6 Para. 1 lit. c and lit. f GDPR.
Revocation is possible at any time via the privacy settings in the app.
6.9.2 App Tracking Transparency (ATT – iOS)
In accordance with Apple’s AppTrackingTransparency (ATT) framework, explicit consent is requested before using tracking services. Device identifiers (IDFA) may only be processed with consent.
Legal Basis: Art. 6 Para. 1 lit. a GDPR in conjunction with § 25 TTDSG.
Revocation is possible at any time in the iOS settings.
6.10 Hosting and Server Log Files
Hosting takes place at PureHost | IT-Solutions (Germany).
Processed Data: IP address, time, referrer, browser type, status code.
Legal Basis: Art. 6 Para. 1 lit. f GDPR.
Storage Duration: 14 days.
6.11 In-App Purchases and Subscriptions
Payment processing takes place exclusively via the Apple App Store and Google Play Store. Snibit has no access to payment data.
Legal Basis: Art. 6 Para. 1 lit. b GDPR.
Privacy Information:
- Apple: https://www.apple.com/legal/privacy/
- Google: https://policies.google.com/privacy
7. Addendum for the Website
7.1 Consent Management with Borlabs Cookie
To manage consents for cookies on the website snibit.app, the tool „Borlabs Cookie“ (Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany) is used. Borlabs Cookie stores the granted consents in a technically necessary cookie („borlabs-cookie“) with a term of 12 months. A personal assignment does not take place.
Legal Bases: Art. 6 Para. 1 lit. c GDPR (legal obligation) and Art. 6 Para. 1 lit. f GDPR (proof of consent).
7.2 Google Analytics (Web Version)
This website uses functions of the web analysis service Google Analytics from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Analytics uses cookies to analyze website usage. IP anonymization is activated so that IP addresses within the EU are shortened. Only in exceptional cases will the full IP address be transmitted to the USA.
Legal Basis: Consent (Art. 6 Para. 1 lit. a GDPR, § 25 TTDSG).
Recipient: Google LLC (USA), DPF certified.
Opt-Out: https://tools.google.com/dlpage/gaoptout?hl=de
7.3 Meta Pixel (formerly Facebook Pixel)
To analyze and optimize advertising campaigns, the Meta Pixel from Meta Platforms Ireland Ltd. is used. Meta can link data pseudonymously to Facebook accounts.
Processed Data: IP address, user-agent, pixel ID, user actions.
Legal Basis: Art. 6 Para. 1 lit. a GDPR, § 25 TTDSG.
Recipient: Meta Platforms Ireland Ltd. / Meta Platforms Inc. (USA, DPF).
Revocation: At any time via the cookie banner or Facebook account settings.
Further information: https://www.facebook.com/about/privacy/
7.4 WordPress System and Plugin Logs
When operating the website, technical log data (IP address, time, URL, browser type) are processed by the CMS WordPress. These serve stability, security, and error diagnosis. Depending on the plugin used, additional technical cookies may be set.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure operation).
7.5 Google Fonts (Local Hosting)
This site uses so-called Google Fonts provided by Google for the uniform display of fonts. The Google Fonts are installed locally. A connection to Google servers does not take place. Further information on Google Fonts can be found at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://policies.google.com/privacy?hl=de.
8. Disclosure, Order Processing and Third Countries
Personal data will only be passed on if it is legally permitted or consent has been given. Order processing agreements according to Art. 28 GDPR have been concluded with all service providers (PureHost, Consentmanager AB, Borlabs GmbH, Google Ireland Ltd., Meta Platforms Ireland Ltd.). Transfers to third countries take place exclusively on the basis of the EU–US Data Privacy Framework (DPF) or the Standard Contractual Clauses (SCC, 2021/914/EU).
9. Technical and Organizational Measures (Art. 32 GDPR)
- Transport encryption (TLS 1.3 / SSL)
- Password hashing (bcrypt)
- Access control and rights concept
- Firewall and network protection
- Regular penetration tests
- Encrypted backups within the EU
- ISO-27001-certified data centers
- Confidentiality obligation of employees
10. Storage Periods
Data is stored only as long as necessary for the respective purposes or as long as legal obligations exist. Account and Snib data will be removed within 30 days after a deletion request. Log data are deleted after 14 days, backups after 90 days.
11. Rights of Data Subjects (Art. 12–22 GDPR)
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 Para. 3 GDPR)
- Right to lodge a complaint with the supervisory authority (Art. 77 GDPR)