Privacy Policy FotoBingo

Last updated: May 2026

Preamble

We take the protection of your personal data seriously. In this Privacy Policy we inform you about what information we collect about you, how we use it, when we share it, and what control options you have.

FotoBingo (hereinafter "the App") is intended for persons aged 16 and older. By registering, you confirm that you are at least 16 years of age. Further information on the minimum age can be found in Section 8.

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is the civil-law partnership (Gesellschaft bürgerlichen Rechts, GbR) consisting of the following partners:

Francisco Soares Kaufmann
Willi-Graf-Str. 25
80805 Munich
Germany

Nick Elias Werner
Christoph-Probst-Str. 12
80805 Munich
Germany

Contact: info@foto.bingo

Data protection inquiries: info@foto.bingo

1. Information we process about you

FotoBingo processes data that you provide to us directly, data that we collect automatically when you use the App, and – to a limited extent – data that we receive about you from third parties.

1.1 Data that you provide to us directly

Account and login data. To use FotoBingo, you must create a user account. We offer various login methods; depending on the method, we process different data:

Email/password login: Your email address and a password. The password is stored exclusively in encrypted form by our data processor Firebase Authentication; we ourselves never have access to your password at any time.
Magic link login: Your email address. This is also briefly cached locally on your device in order to deliver the login link.
Login with Google: An OAuth token, your email address, your name, and your profile picture URL, insofar as these are stored in your Google account.
Login with Apple: An Apple user identifier; on first sign-in, your name on a one-time basis; and – at your option – an email forwarding address obfuscated by Apple.
Anonymous login: Only a temporary user ID. No personally identifying data is collected. Note: Content and game progress from anonymous accounts may be lost if the App is deleted.

During registration, we additionally collect your confirmation that you are at least 16 years old. We store this confirmation together with a timestamp and the version of the Terms of Use.

Profile data. During or after account creation, you may voluntarily provide additional information:

Nickname (display name)
Unique username (@handle)
Profile picture
Bio, website link
Freely entered location information
Phone number (optional)
Language preference (usually adopted automatically from your device settings)

Content. When using the App, you create and share content with other users:

Photos and videos that you record using the App's camera or select from your gallery in order to provide evidence of completed bingo tasks
Tile texts (tasks on your bingo board), game names, and self-created boards
Comments on posts by other users
Reactions (emoji) to posts
"Veto" markings with which you can flag content as not genuine
Join and friend requests
Reports about content, users, or comments that in your view violate our Terms of Use

Location data. If you wish to add a location to your profile or a game, we request your GPS location once via the operating system. The raw GPS coordinates never leave your device and are not transmitted to our servers. On the device itself, we locally map the coordinates to the nearest city from a static catalog; only this canonical city designation and the ISO country code are stored. We currently support the following countries: Germany, Austria, Switzerland, United Kingdom, Spain, France, Italy, the Netherlands, Portugal, Poland, Czech Republic, Denmark, Sweden, Norway, Finland.

Communication with us. If you contact us with an inquiry, complaint, or report, we process your email address and the content of your communication (including any attached files) in order to handle your inquiry.

1.2 Data we collect automatically when you use the App

Pseudonymous authentication ID. Upon registration, Firebase Authentication generates a pseudonymous Auth UID that uniquely identifies your account without containing further personal data. This ID serves as the internal key for all your data in our systems.

Security and device attestation. To protect the App against automated abuse (e.g. bot sign-ups), we use Firebase App Check. This cryptographically verifies that requests actually originate from a legitimate instance of our App. No identification of your person takes place in this context.

Push token. If you activate push notifications, we store the token issued to us by Apple (APNS), Google (FCM), or the Expo Push Service. The token is a technical identifier of the installed App instance on your device; it is stored together with your language preference so that we can deliver notifications to you in the appropriate language. Upon logout or account deletion, the token is removed.

Game and usage data. We process data about your activity in the App to the extent necessary for its function – in particular: which games and events you participate in, which tiles you have completed, your score points and leaderboard position, when you last read a feed, and similar interaction-related metadata.

Analytics data. We use Firebase Analytics for the statistical analysis of usage of our App. The following are recorded in particular:

Screens viewed (screen_view)
Game creations (game_created)
Completed bingo tasks (tile_completed, including game ID, tile ID, and media type)

These events are linked to your pseudonymous Firebase UID. Advertising-related analytics parameters (ad_storage, ad_user_data, ad_personalization) are permanently disabled in our configuration. You can object to analytics processing at any time in the App settings; your decision is stored locally.

Connection and technical data. Via the Firebase services mentioned, our data processor Google LLC processes technical data required for operating the App – including your IP address, device type, operating system and version, language setting, and timestamps of connections.

What we explicitly do not collect. Unlike many other social apps, the following applies to FotoBingo:

We do not use advertising IDs (no tracking via Apple IDFA or Google AAID).
We do not use third-party advertising networks and do not display advertising in the App.
We do not engage in cross-device tracking or tracking across third-party sites.
We do not sell your data and do not share it with third parties for advertising purposes.
We do not process biometric features from your photos or videos (no facial recognition, no personal identification).

1.3 Data we receive about you from third parties

To a limited extent, we receive data about you from third parties:

From other users of our App. Other users may generate data about you in the App, for example by:

Inviting you to a game or an event (whereby your nickname and avatar are displayed to the other participants),
Sending you a friend request,
Posting photos or videos in which you appear,
Commenting on your posts,
Reporting one of your contents or your account (reports to our moderation team).

From login providers. If you sign in via Google or Apple, the respective provider transmits to us – with your consent in the OAuth dialog – the data set out in Section 1.1.

Information about data we do not receive from third parties.

We do not offer address book import. Phone contacts from your phone are never transmitted to our systems or matched against other users – neither in plain text nor in hashed form.
We do not receive data from advertising or tracking partners about the origin of an App download (e.g. "attribution" via click on an advertisement).

2. How we use your data

We process your personal data exclusively for the purposes listed below. For each purpose, we name the categories of data processed and the legal basis under Article 6 of the General Data Protection Regulation (GDPR).

Purpose: To enable you to create a user account, log in, and be recognized across various sessions.

Data categories: Account and login data, pseudonymous Auth UID.

Legal basis: Art. 6(1)(b) GDPR (performance of the contract between you and us).

Purpose: To enable you to create bingo games and events, join them, and play together with others.

Data categories: Account data, profile data, game and event data, tile texts, boards.

Legal basis: Art. 6(1)(b) GDPR.

Purpose: To enable you to upload, view, and share photos and videos as evidence of completed bingo tasks.

Data categories: Content data (media and associated metadata).

Legal basis: Art. 6(1)(b) GDPR.

Purpose: To enable you to comment on content, react with emojis, and flag content as not genuine ("veto").

Data categories: Content data, pseudonymous Auth UID.

Legal basis: Art. 6(1)(b) GDPR.

Purpose: To enable you to find and add friends, manage requests, and block users.

Data categories: Profile data (nickname, username), social graphs.

Legal basis: Art. 6(1)(b) GDPR.

Purpose: To enable us to generate AI-supported suggestions for bingo tasks via Firebase AI (Gemini) when you actively use this feature.

Data categories: Game name, nicknames of lobby participants, tile texts already submitted.

Legal basis: Art. 6(1)(a) GDPR (consent through active triggering of the feature); see additionally Section 3.

Purpose: To enable us to determine your location information (city + country code) for your profile or a game. The raw GPS data is processed exclusively locally on your device.

Data categories: GPS coordinates (local only), city + ISO country code (stored).

Legal basis: Art. 6(1)(a) GDPR (consent via the system location permission).

Purpose: To enable us to deliver push notifications to you regarding games, events, comments, friend requests, and reminders.

Data categories: Push token, language preference.

Legal basis: Art. 6(1)(a) GDPR (consent via the system notification permission).

Purpose: To enable us to statistically analyze usage of our App, detect technical problems and crashes, and improve our App.

Data categories: Pseudonymous Auth UID, analytics events (including screen_view, game_created, tile_completed, app_exception), technical device and connection data.

Legal basis: Art. 6(1)(a) GDPR (consent). You grant or deny your consent on first App launch on a dedicated privacy consent screen; consent is not a prerequisite for using FotoBingo. You can change your decision at any time in the App settings.

Purpose: To enable us to protect our App against automated abuse, bot attacks, and unauthorized API access (Firebase App Check).

Data categories: Device attestation tokens.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and integrity of our systems).

Purpose: To enable us to moderate content, process reports, and act against violations of our Terms of Use.

Data categories: Content data, report data, account data, communication data.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a safe environment for all users); additionally Art. 6(1)(c) GDPR insofar as legal obligations exist (e.g. under the Digital Services Act).

Purpose: To enable us to suspend or permanently exclude users in the event of repeated or serious violations.

Data categories: Account data, content data.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in contractual compliance and protection of the community).

Purpose: To enable us to communicate with you in the App and via email – for example regarding support inquiries, security-related notices, or functional changes.

Data categories: Account data, content of your communication, possibly content data.

Legal basis: Art. 6(1)(b) GDPR (for contract-related communications); Art. 6(1)(f) GDPR (for other communications about the App).

Purpose: To enable us to document your confirmation that you meet our minimum age.

Data categories: Confirmation "at least 16 years old," timestamp, policy version.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measure) and Art. 6(1)(f) GDPR (evidence of contract initiation vis-à-vis supervisory authorities).

Purpose: To enable us to respond to inquiries from authorities, courts, or other bodies within the framework of applicable law.

Data categories: All data categories, to the extent necessary for the respective inquiry.

Legal basis: Art. 6(1)(c) GDPR (legal obligation); insofar as no direct obligation exists, Art. 6(1)(f) GDPR.

Purpose: To enable us to assert, exercise, and defend our rights before authorities and courts.

Data categories: All data categories, to the extent necessary.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in legal prosecution and defense).

Note on consent

To the extent that we process your data on the basis of consent (Art. 6(1)(a) GDPR), you may revoke this consent at any time with effect for the future. The lawfulness of processing carried out up to the time of revocation remains unaffected. You can usually exercise the revocation directly in the App settings or in the system permissions of your device (location, notifications); alternatively, contact us at the address provided in the "Controller" section.

When you first launch the App, we guide you through a separate consent screen on which you actively decide whether you consent to the processing of analytics and usage data (Firebase Analytics). Both options – consent and refusal – lead into the App; consent is not a prerequisite for using FotoBingo. If you refuse, Firebase Analytics is disabled at runtime and no events are collected. You can change your decision at any time in the App settings.

Note on legitimate interest

To the extent that we process data on the basis of legitimate interests (Art. 6(1)(f) GDPR), we have carried out a balancing test in advance between our interests and your interests worthy of protection. You have the right to object to such processing at any time on grounds relating to your particular situation (see Section 10, "Your rights").

3. AI processing (suggestions for bingo tasks)

FotoBingo offers you the option of having suggestions for bingo tasks (so-called "tiles") generated by an AI model when creating a bingo game. This feature is completely optional and is only executed when you actively trigger it.

3.1 How the feature works

When you trigger the AI suggestion feature, the App sends a request via the Firebase AI Logic SDK (formerly "Firebase AI" / "Vertex AI in Firebase") to the language model Gemini 2.5 Flash Lite from Google – or to its respective successor model that we use, should Google update the model name. The model then generates textual suggestions for bingo tasks that you can accept – or discard.

3.2 What data is processed in this context

Only the following data is transmitted to the model:

The name of the game you are currently creating,
The nicknames (display names) of the players who are currently in the game lobby,
Tile texts already submitted from the lobby suggestion pool.

Note: When you trigger the feature, the nicknames of the other lobby participants are also transmitted. These are mere display names that you can freely choose yourself – they contain no further identifying data.

3.3 What we explicitly do NOT send to the AI model

We do not transmit at any time:

Your email address, your real name, or your pseudonymous Auth UID,
Your phone number or profile picture URL,
Your location data (neither GPS coordinates nor city/country),
Your uploaded photos or videos,
Content from other games, events, or comments,
Your friend or block lists,
Content from evidence photos or videos.

3.4 Who processes the data and where

The AI processing is carried out by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a data processor within the framework of the Firebase AI Logic service. The processing takes place on Google infrastructure; a transfer to the USA does take place. For information on the safeguards for this transfer, see Section 6, "International data transfer."

3.5 Storage and model training

We ourselves do not store the prompts sent to the model (game name, nicknames, tile texts) in our systems. Only the AI-generated suggestions that you actually accept for your game are stored – like all other tile texts – in the respective game lobby.

Specifically, we use the Google AI Backend (Gemini Developer API) via the Firebase AI Logic SDK; our Firebase project runs on the paid tier ("Firebase Blaze"). Under the terms applicable here, your prompts transmitted to the model and the responses returned are not used to train or improve the Gemini models. Google also stores the data only briefly for abuse prevention purposes and then deletes it. A transfer to the USA does take place; the safeguards applicable in this regard can be found in Section 6.

3.6 No automated decision-making in individual cases

The AI feature generates only textual suggestions for bingo tasks. No automated decision-making within the meaning of Art. 22 GDPR takes place regarding you or other users – in particular no evaluation, classification, or profiling. You decide for yourself which suggestions to accept.

3.7 Legal basis and your choice

The legal basis for processing your own data within the framework of the AI feature is your consent under Art. 6(1)(a) GDPR, which you grant by actively triggering the feature. For the additional transmission of the nicknames of other lobby participants, we additionally rely on our legitimate interest in providing this feature (Art. 6(1)(f) GDPR); only the display name is transmitted in this context, without further identifying data.

The use of the AI suggestions is voluntary. You can use FotoBingo fully without any data ever being sent to the AI model by simply not triggering the suggestion feature and instead formulating your tiles yourself or selecting them from the pre-made templates. You can revoke your consent at any time by no longer using the feature in the future.

Note on AI-generated content: Content generated by an AI model may be incorrect, inappropriate, or out of context. We recommend always reviewing generated suggestions before accepting them. Since you trigger the feature deliberately, it is always apparent to you when you receive AI-generated suggestions.

4. When we share information

4.1 Principles

We share your personal data with third parties only in the circumstances described below. We do not sell your data and do not transfer it for advertising or third-party profiling purposes.

4.2 Data processors under Art. 28 GDPR

The following external service providers process data on our documented instructions. We have entered into a data processing agreement (Data Processing Addendum) with each of these providers, which restricts processing to the purposes described here.

Google LLC
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy policy: https://policies.google.com/privacy

Google provides the central technical infrastructure for us via Firebase. Specifically, the following sub-services are used:

Firebase Authentication – Login and identity management. Data processed: email, Auth UID, OAuth tokens, optionally phone number.
Cloud Firestore – Database for profile, game, event, feed, and comment data. Data processed: all structured user data except media.
Firebase Storage – Storage for profile pictures and evidence media. Data processed: images, videos.
Firebase Analytics – Usage statistics (only with active consent). Data processed: pseudonymous Auth UID, event data, technical device data.
Firebase App Check – Protection against automated abuse. Data processed: device attestation tokens.
Firebase AI (Gemini 2.5 Flash Lite) – AI-supported tile suggestions (see Section 3). Data processed: game name, nicknames, tile texts.
Firebase Cloud Messaging (FCM) – Push notifications on Android devices. Data processed: FCM push token, content of the push message.

Since Google LLC is based in the USA, a transfer to a third country takes place. Details on the applicable safeguards can be found in Section 6.

Apple Inc.
One Apple Park Way, Cupertino, CA 95014, USA
Privacy policy: https://www.apple.com/legal/privacy

Apple provides us with the Apple Push Notification Service (APNS) for delivering push notifications to iOS devices. The APNS token and the content of the respective push message are processed for this purpose.

Expo / EAS (Expo Application Services)
650 Castro Street Suite 120-223, Mountain View, CA 94041, USA
Privacy policy: https://expo.dev/privacy

Expo operates the Expo Push Service, which acts as an intermediary layer between our App and the native push services of Apple (APNS) and Google (FCM). The Expo push token as well as the recipient ID and the content of the respective push message are processed.

4.3 Single sign-on providers (independent controllers)

If you sign in via "Login with Google" or "Login with Apple," the respective providers act as independent controllers in the OAuth process. This means: which data the provider processes internally (e.g. logging of your sign-in process on its own systems) is governed exclusively by its own privacy policy. Which data the provider transmits to us as part of a successful login is described in Section 1.1 under "Account and login data."

Google LLC (Google Sign-In): https://policies.google.com/privacy
Apple Inc. (Sign in with Apple): https://www.apple.com/legal/privacy

4.4 Recipients in connection with legal obligations and legal counsel

We may share personal data with the following recipients where this is legally required or justified by a legitimate interest:

Authorities and courts: in the context of statutory disclosure or cooperation obligations (e.g. criminal prosecution, orders under the Digital Services Act, inquiries from data protection supervisory authorities).
Lawyers, tax advisors, and auditors: to fulfill statutory obligations as well as to assert and defend legal claims, each bound by professional confidentiality obligations.

4.5 In the event of change of ownership or restructuring

In the event of a takeover, merger, or restructuring – for example in the context of a change of our legal form – or a sale of assets, it may become necessary to transfer personal data to the acquirer(s) or successor entity. We will inform you of any such transfer in advance via the App and/or by email and will ensure that the level of protection of this Privacy Policy is maintained.

4.6 Services we explicitly do not use

For the sake of clarity – and in the spirit of maximum transparency – we do not use the following services, which are common in many comparable apps:

Sentry, Firebase Crashlytics standalone, or other dedicated crash reporting services
Mixpanel, Segment, Amplitude, or other third-party analytics platforms
RevenueCat or other subscription management services
AdMob, Meta Audience Network, or other advertising networks
Stripe, PayPal, or other payment service providers (FotoBingo currently contains no payment functionality)
Corporate groups or parent companies with which user data would be shared – FotoBingo does not belong to any corporate group

5. Event mode and the role of sponsors

5.1 What is event mode

In addition to private bingo games, FotoBingo offers an event mode that enables bingo events to be conducted for larger groups – such as company parties, conferences, festivals, or community events. An event is technically and from a data protection perspective separate from regular bingo games; it is maintained in its own database structure (/events/{eventId}).

5.2 Who creates and administers events

Events are created and administered exclusively by us as the operator (controller). Creation and editing rights are restricted via the database security rules (Firestore Rules) to a few authorized accounts of our team. Sponsors or event partners have no access to the event backend and can neither view participant data nor administer or edit events themselves.

5.3 Data processed in the event context

Beyond the general data described in Section 1, the following data is processed in event mode:

Event metadata (no personal data): title, description, sponsor name, logo and banner images, start and end time, event location (city, address, maps link).
Team membership: If you join a team within an event, your nickname, avatar, and time of joining are stored in the team member list.
Posts in the event feed: photos and videos that you share as evidence of completed bingo tasks in the event feed.
Reactions: likes and comments on event posts.
Event reminder: If you activate the start reminder push for an event, we store your Auth UID in the subscriber list of the event in question.

5.4 Standard mode: sponsors as branding elements

In the standard configuration of an event, sponsors appear exclusively through their branding elements (name, logo, banner). This content is provided to us by the sponsors – no reverse data flow takes place:

Sponsors receive no access to your profile data, posts, comments, or reactions.
Sponsors receive no list of event participants.
Sponsors receive no personal statistics about engagement, participation, or time spent.
Sponsors receive no access to the event feed or to push recipients.

Upon request, we may make fully anonymized, aggregated analyses available to sponsors (e.g. "number of participants," "number of completed tiles"). Such analyses do not allow any inferences about individual persons and are no longer personal data within the meaning of the GDPR.

5.5 Extended mode: events with sponsor image rights

For certain events – in particular festivals, trade fairs, or other curated large-scale events where the organizer already has corresponding contractual agreements with sponsors and the necessary information and consent structures in place (e.g. via ticket terms and conditions and signage at the event venue) – an event may be configured such that sponsors are granted a right to use the photos and videos posted in the event.

Visibility for you: It is clearly indicated as early as in the event overview and event detail screen whether an event uses extended mode. If you wish to join such an event, you will first be shown a separate notice screen that identifies the following:

The sponsor(s) who will receive access to the images,
The specific purpose and scope of the intended use,
A link to the organizer's privacy policy with further details,
An explicit confirmation option.

You can only join this event after your active confirmation. If you do not consent, you cannot participate in this specific event; your use of FotoBingo otherwise – including participation in other games and events without extended image rights – remains entirely unaffected.

What sponsors receive in this mode:

Access to the images and videos posted in the event by consenting participants,
Usage rights within the scope of the purposes specified by the organizer in the notice screen,
No access to email addresses, profile data, comments, or other identifying data beyond the image.

Joint controllership: In this mode, the organizer and we act as joint controllers within the meaning of Art. 26 GDPR. The precise allocation of responsibilities – who fulfills which obligations vis-à-vis you and whom you can contact with inquiries – is set out in the joint controller agreement with the respective organizer; a summary is shown to you in the notice screen when joining the event.

Your rights vis-à-vis both controllers: Regardless of the internal allocation of tasks, you may, in accordance with Art. 26(3) GDPR, exercise your data subject rights – in particular access, rectification, erasure, and revocation – against us as well as against the organizer. You are therefore free to choose whom to contact. Our contact details can be found in the "Controller" section at the beginning of this statement; the organizer's contact details are shown in the notice screen when joining the event.

Revocation: You may revoke your consent at any time with effect for the future. In digital channels under the direct control of the sponsor, your image will be removed insofar as the sponsor is still able to do so. Images that have already been used in physical media (printed publications, posters, outdoor advertising) can no longer be covered by a revocation.

5.6 Visibility of posts in the event feed

Each event is configured as either public or internal:

Public events: Posts in the event feed are visible to all event participants.
Internal events: Access is restricted to persons who have been authorized via invitation link, code, or pre-registration. Posts are only visible within this invited group.

In both cases, your posts are not transferred to other games, to external platforms, or to public websites – except in extended mode under Section 5.5, insofar as you have expressly consented thereto.

5.7 Reminder push for event start

If you sign up for the start reminder of an event, we store your Auth UID in the subscriber list of that event. As soon as the event starts, you will receive a single push notification. You can unsubscribe at any time by deactivating the corresponding setting in the event detail screen.

5.8 Legal bases

Your participation in an event (posts, comments, team membership, reactions): Art. 6(1)(b) GDPR (performance of contract).
Display of sponsor branding (standard mode): Art. 6(1)(f) GDPR (legitimate interest in the economic viability and provision of event mode).
Sponsor image usage rights (extended mode): Art. 6(1)(a) GDPR (consent at the time of joining, supplementary to the consent obtained by the organizer in its terms and conditions and admission conditions).
Start reminder push: Art. 6(1)(a) GDPR (consent through active subscription to the subscriber list).
Aggregated, anonymized analyses to sponsors: outside the scope of the GDPR, since after anonymization there is no longer any personal reference.

6. International data transfer

6.1 To which countries your data is transferred

The data processors named in Section 4 are based in the United States of America:

Google LLC (Firebase services, Gemini)
Apple Inc. (APNS, Sign in with Apple)
Expo / EAS (push intermediation)

These providers operate globally distributed data centers. It is therefore possible that your data is technically routed via locations outside the USA; however, the responsibility under data protection law lies with the respective US company. Further third-country transfers beyond this constellation do not currently take place.

6.2 Legal bases for the transfer to the USA

According to the European Court of Justice, the United States does not have a level of data protection that is fully equivalent to that of EU law. For the transfer of your data there, we rely on the following mechanisms:

EU-US Data Privacy Framework (DPF)

With the European Commission's adequacy decision of 10 July 2023, a transfer to US companies certified under the EU-US Data Privacy Framework is permitted without additional safeguards (Art. 45 GDPR).

According to our most recent review (as of 15.05.2026), the following of our data processors are certified under the DPF:

Google LLC
Apple Inc.

You can check the current certification status at any time on the official DPF list: https://www.dataprivacyframework.gov/list

Standard contractual clauses (SCC)

In addition to the DPF, we have agreed with our US data processors on the European Commission's standard contractual clauses (Art. 46(2)(c) GDPR; Implementing Decision 2021/914 of 4 June 2021) as an additional safeguard. These apply in particular as the sole basis for data processors that are not (yet) certified under the DPF – currently this applies to Expo / EAS.

Upon written request to the contact details provided in the "Controller" section, we will make available to you a summary of the standard contractual clauses concluded with our data processors. Business-related or confidential passages may be redacted therein.

Additional technical and organizational safeguards

Beyond the legal safeguards, we ensure the following protective measures when selecting our data processors and configuring our systems:

Encryption in transit (TLS/HTTPS for all connections between the App and servers)
Encryption at rest by Firebase Storage and Cloud Firestore
Strict access restrictions via Firestore Security Rules
Pseudonymous identifiers (Auth UID instead of real name) for the majority of processing operations
Device attestation via Firebase App Check to prevent unauthorized API access

6.3 Residual risk from US government access

The case law of the European Court of Justice ("Schrems II," judgment of 16 July 2020, case C-311/18) has pointed out that US security authorities may, under certain conditions, demand access to data stored by US companies – even if such data concerns persons from the European Union. We have no influence over such governmental access. The EU-US Data Privacy Framework does set limits to such access (proportionality, complaint procedure via the Data Protection Review Court), but cannot fully exclude a residual risk.

We do not process special categories of personal data in our services within the meaning of Art. 9 GDPR (in particular no health data, biometric data, data on religious or political beliefs) and reduce the data transferred to the USA to the minimum necessary for the respective function.

6.4 Your options

Access to safeguards: Upon request to the contact details provided in the "Controller" section, you will receive information about the protective mechanisms we have concluded.
Complaint under the DPF procedure: If you have concerns about the processing of your data by a DPF-certified US company, you can submit a complaint directly to the company or use the independent dispute resolution procedure provided for by the DPF. Details: https://www.dataprivacyframework.gov/Individuals
Complaint to the supervisory authority: You may contact the data protection supervisory authority responsible for you at any time (see Section 10, "Your rights").

7. Storage duration

7.1 Principle

We store your personal data only for as long as is necessary for the purposes described in this Privacy Policy or for as long as a statutory retention obligation exists. As soon as the respective purpose ceases to apply and no statutory retention obligations or legitimate interests stand in the way, the data is deleted or anonymized.

7.2 Criteria for the storage duration

Since the specific storage duration depends on the respective processing operation, we are guided by the following criteria:

Existence of the user account. Data we need to provide the App functions (profile data, content, game and event data, social relationships such as friendships and blocks) is generally stored for the duration of your account's existence.
Achievement of purpose. We delete data collected for a clearly defined purpose as soon as that purpose no longer applies. Examples: Push tokens are removed as soon as you deactivate notifications or log out. AI requests (see Section 3) are not persisted by us at all.
Revocation of consent. Data that we process on the basis of consent is deleted as soon as you revoke that consent – unless another legal basis permits continued storage.
Statutory retention obligations. Insofar as statutory obligations exist – for example commercial and tax law retention periods or retention obligations within the framework of governmental orders – the affected data remains stored until the expiration of the respective period.
Assertion and defense of legal claims. Data that may be required for the assertion or defense of legal claims is retained until the expiration of the statutory limitation periods – usually up to three years pursuant to § 195 of the German Civil Code (BGB), and in certain circumstances up to ten years.
Security and abuse prevention. Data required to maintain the security of our services or to prevent abuse (e.g. reports about repeated violations, block lists) may also be retained beyond the end of active use as long as a legitimate interest exists.

7.3 If you delete your account

If you delete your account at FotoBingo, your personal data will be removed by us insofar as none of the aforementioned criteria (in particular statutory obligations or legitimate interests) stand in the way. The procedure and your control options are described in Section 9.

Certain data may – provided no personal reference remains after anonymization – continue to be maintained in aggregated, anonymized form (e.g. for statistical analysis). Such data no longer constitutes personal data within the meaning of the GDPR after anonymization.

7.4 Data stored locally on your device

Our App stores certain data locally on your device – for example cached media for offline use, language preferences, onboarding progress, and your consent decisions. This data is automatically cleaned up by the App on a regular basis as soon as it is no longer needed (e.g. thumbnails older than seven days are removed, temporary media files promptly). Upon uninstallation of the App, all locally stored data is completely removed.

8. Minimum age

8.1 Age limit

FotoBingo is intended for persons aged 16 and older. During registration, we collect your self-declaration that you are at least 16 years old. Anyone younger may not use the App.

We have deliberately set this age limit uniformly worldwide above the GDPR minimum (16 years in Germany, 13–15 years in some other EU states). By doing so, we forgo our own processing of minors' data and protect both our young users and our small team from the special requirements that such processing entails.

8.2 If we subsequently learn that a user is under 16

Should we become aware – for example through a notice from parents/legal guardians, authorities, or other users – that a person under 16 years of age is actually using our App, we will suspend the affected account without delay and delete the associated data promptly, insofar as statutory retention obligations do not exceptionally stand in the way.

8.3 Notice for parents and legal guardians

If you, as a parent or legal guardian, suspect that your child is using FotoBingo by circumventing our age verification, or have concerns about a specific data processing operation, please contact us via the data protection contact address provided in the "Controller" section. We will investigate the matter promptly, suspend the affected account if there is just cause, and delete the associated data.

9. Your control options

We provide you with various ways to control the processing of your data directly in the App. This section summarizes the controls we make available to you. In addition to these in-app options, you have the statutory data subject rights described in Section 10.

9.1 Who sees your posts and your profile

FotoBingo is a social app; certain content is naturally visible to other users. You retain control over the most important visibility settings:

Profile. Your nickname, username, profile picture, bio, and self-provided location are visible to users who find you via search or with whom you are connected in a game or event. You can edit or empty these fields at any time in the profile settings.
Games. Content you post in a bingo game – tile evidence, reactions, comments – is visible exclusively to other players in that game. It is not publicly accessible.
Events. For public events, your posts are visible to all event participants. For internal events, visibility is limited to the invited group (see Section 5).
Friendships. Your friends see which games and events you are active in. You can dissolve friendships at any time.

9.2 Managing notifications

You can control push notifications at two levels:

In the FotoBingo settings, you can enable or disable individual notification types (such as comments, friend requests, event reminders).
In the system settings of your device, you can fully block push notifications for FotoBingo. In this case, we also remove the push token stored on our side.

9.3 Permissions for camera, gallery, and location

You grant these permissions via your device's operating system. You can revoke them there at any time:

Camera: for recording image and video evidence of completed bingo tasks.
Gallery / Photos: for selecting existing media from your library.
Location: for the one-time determination of city and country code during profile or game setup.

If you revoke a permission, the corresponding function in the App can no longer be used. Data previously processed (e.g. the determined city + country code) remains unaffected until you actively remove it.

9.4 Revoking consent

Analytics consent. In the App settings, you can revoke or re-grant the consent you gave during onboarding to the processing of analytics data (Firebase Analytics) at any time with effect for the future. Upon revocation, Firebase Analytics is disabled at runtime and no further events are collected.

Other consents. Insofar as we process data on the basis of consent – for example for AI suggestions under Section 3 or for events with extended sponsor image rights under Section 5.5 – you can revoke this consent at any time with effect for the future, either in the respective functional context or by sending a message to the contact address provided in the "Controller" section.

9.5 Blocking other users or reporting content

Blocking. You can block other users at any time. A blocked person can no longer see your content, can no longer invite you to games or events, and can no longer send friend requests. You, in turn, no longer see their content. You can find the list of blocked persons in the settings; you can lift blocks there at any time.
Reporting. If you believe that a post, a comment, or another user violates our Terms of Use, you can forward this to us via the report function. We review every report and take action where appropriate.

9.6 Adjusting your own content and profile data

Profile details (nickname, bio, profile picture, location, etc.) can be changed at any time in the profile settings.
Username (@handle): changeable, but with a lockout period of seven days between consecutive changes.
Your own posts in games and events can be deleted at any time.
Your own comments and reactions can be withdrawn at any time.

9.7 Deleting your account in full

In the settings, you can initiate the complete deletion of your account. Alternatively, you can contact the data protection contact address provided in the "Controller" section by email.

Procedure:

1. You confirm your intention to delete.
2. Your account is immediately deactivated and is no longer visible to other users.
3. Within the next 14 days, you may sign in again and thereby withdraw the deletion.
4. After this period has expired, your profile data, the games and posts you have created, and your connections with other users will be removed insofar as no statutory retention obligations or legitimate interests stand in the way (see Section 7).

Certain content that was part of a shared gaming experience with other users (e.g. posts in a completed team event) may be retained in pseudonymized form insofar as deletion would impair the experience of the other players.

If you wish to make requests beyond account deletion under the data subject rights of the GDPR (e.g. access or data portability), please refer to the corresponding information in Section 10.

10. Your rights (GDPR, UK GDPR, Swiss FADP)

10.1 Overview and exercising your rights

The General Data Protection Regulation (GDPR) grants you comprehensive rights with regard to the processing of your personal data. These rights apply to you regardless of whether you live in the EU, the United Kingdom (UK GDPR), Switzerland (revFADP), or another country with a comparable level of data protection.

To exercise your rights, please contact the data protection contact address provided in the "Controller" section. We will respond to your inquiry within one month; in the case of particularly complex or extensive inquiries, this period may be extended by up to two further months, of which we will inform you separately.

We may request additional information to verify your identity – in particular if the inquiry cannot be clearly assigned to one of our accounts. The processing of your inquiry is generally free of charge for you; in the case of manifestly unfounded or excessive inquiries, we may, pursuant to Art. 12(5) GDPR, charge a reasonable fee or refuse to process the inquiry.

10.2 Your rights in detail

Right of access (Art. 15 GDPR). You can request information from us as to whether and which personal data we process about you. Upon request, we will provide you with a copy of the data concerning you.

Right to rectification (Art. 16 GDPR). You can request that we correct inaccurate data or complete incomplete data. Many corrections can also be made directly in the App (see Sections 9.1 and 9.6).

Right to erasure (Art. 17 GDPR). You can request the erasure of your personal data, provided that the requirements of Art. 17 GDPR are met – for example if the data is no longer necessary for the original purposes or you have revoked a consent granted. You can initiate the deletion of your account directly in the App (see Section 9.7).

Right to restriction of processing (Art. 18 GDPR). You can request that the processing of your data be restricted in certain cases – for example while we are reviewing the accuracy of the data or while an objection you have lodged has not yet been finally processed.

Right to data portability (Art. 20 GDPR). To the extent that we process your data on the basis of your consent or for the performance of a contract by automated means, you can receive it in a structured, commonly used, and machine-readable format – or request that we transmit the data directly to another controller, insofar as this is technically feasible.

Right to object (Art. 21 GDPR). To the extent that we process data on the basis of a legitimate interest (Art. 6(1)(f) GDPR), you can object to the processing at any time on grounds relating to your particular situation.

Right to revoke consent (Art. 7(3) GDPR). To the extent that we process data on the basis of your consent, you can revoke this at any time with effect for the future. The lawfulness of processing carried out up to the time of revocation remains unaffected. Practical information on revocation can be found in Section 9.4.

Right not to be subjected to a decision based solely on automated processing (Art. 22 GDPR). You have the right not to be subjected to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. We do not make such decisions; in particular, the AI feature described in Section 3 does not constitute automated decision-making in this sense.

10.3 Right to lodge a complaint with the supervisory authority

Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority at any time – in particular with the authority of your place of residence, place of work, or place of the alleged infringement (Art. 77 GDPR). Due to the location of our partners in Munich, the authority responsible for us in Germany is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
https://www.lda.bayern.de

An overview of the supervisory authorities responsible for you in other EU member states can be found at: https://www.edpb.europa.eu/about-edpb/about-edpb/members_de

10.4 Information for users in the United Kingdom (UK GDPR)

If you live in the United Kingdom, the provisions of the UK GDPR and the Data Protection Act 2018 apply to the processing of your data. The rights described in this section apply to you accordingly. You may direct complaints to the following body:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
https://ico.org.uk

10.5 Information for users in Switzerland (revFADP)

If you live in Switzerland, the Swiss Federal Act on Data Protection in its 2023 version ("revFADP") additionally applies. The rights described in this section apply to you analogously. You may direct complaints to the following body:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern
Switzerland
https://www.edoeb.admin.ch

11. US privacy rights

11.1 Scope

If your habitual residence is in the United States, the respective US privacy laws apply in addition to the GDPR, depending on the state. The most important are:

California Consumer Privacy Act (CCPA), as expanded by the California Privacy Rights Act (CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Texas Data Privacy and Security Act (TDPSA)
Utah Consumer Privacy Act (UCPA)
as well as other, comparable state laws in their main features (Oregon, New Jersey, Montana, Iowa, New Hampshire, Florida, etc.)

11.2 What data we process for US users

For users from the USA, we process the same categories of data as for all other users of our App. A complete description of the data categories, sources, purposes, and recipients can be found in Sections 1, 2, and 4.

11.3 Key statement on "sale" and "sharing" of your data

Within the meaning of the laws mentioned, the following applies:

We do not sell your personal data. FotoBingo is not financed through the sale of data – this is a deliberate business decision.
We do not share your personal data for the purposes of "cross-context behavioral advertising" (term from the CPRA). We do not use advertising networks, advertising IDs, or tracking pixels for advertising purposes.
Our transmissions to data processors (Google, Apple, Expo – see Section 4) are made exclusively to provide our App functions and, under most US laws, do not qualify as "sale" or "advertising sharing."

This means that many of the typical opt-out mechanisms from the laws mentioned are moot for our data processing – there is nothing for you to object to because the underlying processing simply does not take place.

11.4 Your rights in detail

To the extent applicable under the state law applicable to you, you have the following rights:

Right to Know / Right to Access – information about which categories of personal data we have collected about you, from which sources, for what purpose, and to whom we have disclosed it.
Right to Delete – deletion of your personal data, subject to statutory exceptions.
Right to Correct / Right to Rectification – correction of inaccurate data.
Right to Data Portability – receipt of a copy of your data in a structured, commonly used, and machine-readable format.
Right to Opt-Out of Sale or Sharing – objection to sale or advertising sharing. Since we do not sell your data or share it for advertising purposes (see 11.3), this objection is not necessary in practice; we nevertheless accept corresponding inquiries for confirmation.
Right to Limit Use of Sensitive Personal Information – restriction is not necessary in practice, since we do not process "sensitive" personal information within the meaning of the CPRA for supplementary purposes.
Right to Non-Discrimination – we do not treat you differently because you have exercised one of your privacy rights.

11.5 Exercising your rights

You can exercise your rights by contacting the data protection contact address provided in the "Controller" section. Please state in your inquiry:

Which right you wish to exercise,
The state of your residence,
Information that enables us to verify your identity.

We will respond to your inquiry within 45 days. In the case of particularly complex inquiries, this period is extended by up to another 45 days, of which we will inform you separately.

Authorized agents. You may submit your inquiry through an authorized agent. In this case, we may request proof of authorization as well as confirmation of your identity.

Frequency of inquiries. Access and deletion inquiries are free of charge; most US laws provide for a limit of two verifiable inquiries per twelve-month period.

11.6 Global Privacy Control (GPC)

Should you access our services via a website, we respect GPC signals (browser-based mechanism for transmitting opt-out preferences) as a valid opt-out inquiry. Since we – as explained in 11.3 – do not share data for advertising purposes anyway, the practical effect of a GPC signal in our case is limited. Within the mobile App itself, GPC is technically not applicable.

11.7 Children and adolescents in the USA

Our App is reserved for persons aged 16 and older (see Section 8). Our minimum age is thus significantly above the requirements of the US Children's Online Privacy Protection Act (COPPA), which prohibits the processing of data of children under 13 years of age without verifiable parental consent. We do not knowingly process data from persons under 16 years of age – neither in the USA nor in other countries.

11.8 "Shine the Light" law (California)

Users residing in California may, pursuant to § 1798.83 of the California Civil Code ("Shine the Light Law"), request information once per year as to whether we have shared personal data with third parties for their own direct marketing purposes. Our answer to this is simple: We do not share personal data with third parties for their direct marketing purposes.

12. Updates to this Privacy Policy and contact

12.1 Updates

We may adjust this Privacy Policy from time to time – for example if legal requirements change, new features are added, or existing processing operations change.

In the case of substantial changes that affect your rights or the manner in which your data is processed, we will inform you in an appropriate way – typically:

Through a notification the next time you open the App,
Additionally by email to the address stored in your account,
In the case of particularly far-reaching changes, by obtaining your consent again the next time the App is launched.

The current version of this Policy is available in the App and on our website at any time. You can find the version status in the "Last updated" entry at the beginning of this document.

12.2 Contact

For all questions, inquiries, complaints, or concerns regarding data protection, please contact the controller:

FotoBingo GbR
Represented by the partners Francisco Soares Kaufmann and Nick Elias Werner
Addresses and postal addresses: see "Controller" section at the beginning of this Policy

General inquiries: info@foto.bingo
Data protection-specific inquiries: info@foto.bingo

We strive to process your inquiry in a timely manner – in any case within the statutory deadlines (see Sections 10.1 and 11.5).