Privacy
How CURRENT handles your data, your cards, and your private content. Plainly written, fully aligned with GDPR.
Last updated: 17 May 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Helge Busemann
Saarlandstraße 1
25421 Pinneberg
Germany
Privacy contact: info@currentapp.de
General contact: info@currentapp.de
2. Data protection officer
Given the size and nature of our processing, we are not currently required to appoint a data protection officer (§38 BDSG). We handle data-protection enquiries in-house under the contact above.
3. Processing in the app
3.1 Magic-link sign-in
When you sign in, CURRENT sends a sign-in link to your email address. We process:
- your email address
- a timestamp of the sign-in attempt
- technical session metadata (session token, Apple device identifiers)
Purpose: authentication and account access.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract — CURRENT usage agreement).
3.2 Decks and cards
The cards and decks you create are stored on our servers so you can use them across devices. This includes questions, answers, multiple-choice options, category, language, difficulty, and optional explanations.
Purpose: core app function (learning, sync).
Legal basis: Art. 6 (1) (b) GDPR.
Private cards are private by default and visible only to you. They become accessible to the review process only when you actively submit them to the community (see 3.5).
3.3 Learning progress and spaced-repetition schedule
For intelligent repetition scheduling we store per-card progress: answer correctness, response time, next due date, mastery score, streak data.
Purpose: spaced repetition; statistical overview in the dashboard.
Legal basis: Art. 6 (1) (b) GDPR.
3.4 Images on private cards
If you attach an image to a private card, we store the image in a user-scoped private storage bucket. The path contains your user ID; only you (and our server on your behalf) can read it.
Purpose: core feature (cards with image content).
Legal basis: Art. 6 (1) (b) GDPR.
Note: Images on private cards are not used to train external AI models and are not accessible to other users.
3.5 Community cards
When you actively submit a card to the community, it becomes visible to other CURRENT users after a light review. In this process we handle:
- the card content (question, answer, options, explanation)
- a pseudonymous link to your user ID (for review status and withdrawal)
- voting and report signals from other users
Purpose: community quality and moderation.
Legal basis: Art. 6 (1) (a) GDPR (consent, given when you submit). You may withdraw cards at any time (see 9).
Your display name is not linked to published cards by default. Images attached to community-submitted cards are migrated to a public storage bucket — do not include any personal or confidential information in images on cards you submit.
3.6 In-app purchases and subscriptions (Apple)
When you subscribe (for example to CURRENT Premium), the purchase runs through the Apple App Store (StoreKit). The displayed price follows from the app and the Apple App Store and may vary by country, tax, promotion, or currency. On our server we store only a verification token (receipt) so that we can determine your premium status.
Payment and billing data (credit card, Apple ID, billing address) are processed exclusively by Apple. We have no access to them.
Purpose: premium activation and contract fulfilment.
Legal basis: Art. 6 (1) (b) GDPR; supplemented by Apple's in-app purchase terms.
3.7 Crash reports (Sentry — currently not active)
The shipping app version does not run any crash-reporting service. No crash or error data is transmitted to third parties.
For a future version, an optional integration with the crash-reporting service Sentry is prepared. Once we activate it, it will initially be configured only in an EU region (planned: Frankfurt, de.sentry.io). The report would then contain:
- stack trace (technical call chain)
- app version and OS version
- your pseudonymous user ID (UUID, no email)
- device class (e.g. "iPhone 14 Pro"), language, time zone
Before sending, email addresses and storage paths would be stripped automatically. Screen content and view hierarchies would not be transmitted. These safeguards are already implemented in the app code and take effect from the first production activation.
Purpose (once active): app stability and quality.
Legal basis (once active): Art. 6 (1) (f) GDPR (legitimate interest in a functioning app), supplemented by your separate consent on first launch. You can withdraw the consent in app settings.
We will update this privacy policy and obtain renewed consent from you before Sentry is activated in production.
3.8 Consents (proof of consent)
When you grant or withdraw consents (privacy, crash reporting, marketing), we store the timestamp, the language of the consent UI, and the current status.
Purpose: proof of consent per Art. 7 (1) GDPR.
Legal basis: Art. 6 (1) (c) GDPR (legal obligation).
3.9 Guest mode
In guest mode the app runs without an account. Your cards, progress, and settings are stored locally on your device only (in SharedPreferences / local database). No data is transferred to our servers until you actively create an account.
On later sign-in you can choose whether to keep or discard the local data.
3.10 Optional AI/PDF features with Google Gemini
CURRENT offers optional AI features, in particular:
- PDF analysis
- PDF-to-flashcards conversion
- automatic summaries
- generation of flashcards from content you provide
These features are only executed when you actively start them. They never run in the background or without your input.
When used, the following data may be processed and transmitted to Google:
- uploaded PDF files or content extracted from them
- prompts or additional information you enter
- existing card / deck context, where necessary for the feature
- generated results (e.g. flashcard suggestions, summaries, structuring outputs)
- technical request metadata (e.g. timestamps, usage status)
Purpose: provision of the AI feature you actively requested — in particular analysis, conversion, and structuring of learning content.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract — you actively trigger the AI/PDF feature as an in-app function).
Place of processing: primarily Google Ireland Limited (EU). Subject to capacity, Google may technically route requests to data centres outside the EU/EEA — see section 7.
Important:
- Use of the AI/PDF features is optional. Without an active trigger, no content is transmitted to Google Gemini.
- Transmitted content is not used to train external AI models, to the extent that such use is excluded contractually and on the API side. Under the default configuration of the paid Gemini API, this exclusion is in place.
- You must not upload content you do not have the rights to process, nor content containing particularly sensitive personal data of third parties, unless this is necessary and legally permissible.
Quality note: AI-generated cards, summaries, and structuring outputs may be incorrect, incomplete, or imprecise. You are required to check every suggestion before saving — the app shows an editable preview before any card is committed. See also section 8 on EU AI Act transparency.
4. Processing on this website
4.1 Hosting / server logs
This website is served by a technical hosting provider. Technically necessary logs are created when a page is requested: IP address (truncated or pseudonymised depending on the host), timestamp, requested URL, referrer, user agent.
Purpose: delivery of the site, protection against abuse.
Legal basis: Art. 6 (1) (f) GDPR.
Retention: typically a few days at the hosting provider; automatic deletion afterwards.
4.2 No tracking cookies / no cookie banner
We do not use cookies for analytics, advertising or tracking purposes on this website. We do not use advertising pixels, analytics cookies or third-party trackers — in particular no Google Analytics, no Google Tag Manager, no Meta / Facebook Pixel, no TikTok pixel, no LinkedIn Insight, no Hotjar, no PostHog, no Plausible and no Matomo. There are no third-party embeds or scripts. Therefore, a cookie banner is not required.
Where technically necessary storage is used, it is used solely to operate the website, in particular to remember your selected language or other necessary display settings. The legal basis is Section 25 (2) TDDDG (Telecommunications and Digital Services Data Protection Act) and Article 6 (1) (f) GDPR.
Specifically, we use technically necessary LocalStorage to remember your selected language. This information is not used for tracking, analytics or advertising purposes and is not combined with third-party profiles.
4.3 Contact form / email
When you email us (info@currentapp.de), we store your email address, your name (if provided), and the content of your enquiry to process it.
Purpose: handling your enquiry.
Legal basis: Art. 6 (1) (b) GDPR (for contract-related enquiries) or (f) (legitimate interest in communicating with prospects).
Retention: until your case is closed, no later than the end of the following calendar year (statutory retention obligations excepted).
5. Recipients / third parties
We use the following processors and third parties. We have data-processing agreements per Art. 28 GDPR with every processor.
Supabase Inc. (hosting, database, auth, storage)
Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Function: database hosting, authentication (magic link), object storage for images, backend services.
Region of processing: EU (Frankfurt, eu-central-1).
DPA: supabase.com/legal/dpa
Apple Inc. (App Store, in-app purchases)
Provider: Apple Inc. / Apple Distribution International Limited
Function: app distribution, payment processing for in-app purchases, push-notification infrastructure.
Region of processing: EU (Apple Distribution International, Ireland) and USA (parent company).
Safeguards for cross-border transfer: EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR).
Google Ireland Limited / Google LLC (AI/PDF features — only when actively used)
Provider (contracting party): Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; and, where applicable, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Function: provision of optional AI features via Google Gemini — in particular PDF analysis, content analysis, summaries, and generation of flashcards. Only active when you trigger the respective feature yourself (see section 3.10).
Data categories: content you actively provide (PDF content, prompts, context information) and generated results. No direct account data (email, name) is transmitted.
Region / third country: depending on Google configuration, processing may take place within the EU and may involve Google LLC in the USA.
Model training: inputs and outputs of the paid Gemini API are not used to train Google's general-purpose models under Google's default configuration.
Safeguards: EU Standard Contractual Clauses pursuant to Art. 46 GDPR, plus additional contractual and technical safeguards.
Role: within the Gemini API, Google acts as service provider / processor under the Google Cloud / Gemini API data processing addendum.
DPA: cloud.google.com/terms/data-processing-addendum
Sentry (crash reporting — currently not active)
Status: not activated in production in the current app version — no data is transmitted to Sentry.
Provider (planned): Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, USA
Function (planned): crash and error reporting for the mobile app.
Planned region: EU (Frankfurt, de.sentry.io). We will name the final region here once the feature goes live.
Planned safeguards for cross-border transfer: Standard Contractual Clauses per Art. 46 GDPR (where the Sentry parent company in the USA is involved), pseudonymisation of user ID, automatic stripping of email addresses and storage paths.
DPA: sentry.io/legal/dpa
6. Retention
- Account master data (email, cards, learning progress): until you delete your account.
- Anonymised community cards (after account deletion): kept indefinitely in the public pool without personal link.
- Consent records: 3 years after withdrawal or account deletion (statutory limitation period).
- IAP receipts: for the duration of the business relationship and applicable tax/commercial retention obligations (up to 10 years).
- PDF files and AI processing results: for as long as required to provide the feature, or for as long as you keep them in your account.
- Temporary AI processing data: as briefly as technically possible.
- Cards / decks adopted from AI features: until account deletion or manual deletion.
- Crash reports: none currently, because Sentry is not active. Once activated: max. 90 days (default configuration).
- Server logs: typically a few days.
- Email correspondence: until your enquiry is closed, no later than the end of the following calendar year.
7. International transfers
Where personal data is transferred to recipients outside the EU/EEA (Apple, Google parent company in the USA, Sentry parent company in the USA), this is based on the EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR). We configure our processors so that operational processing takes place in the EU wherever possible (Supabase: EU; Google: primarily EU endpoints; Sentry: EU region).
8. AI/PDF features
- CURRENT provides optional AI/PDF features (in particular PDF analysis, PDF-to-flashcards conversion, automatic summaries, and generation of flashcards).
- These features are not permanently active; they only run on an explicit user action.
- When used, PDF content, prompts, and generated results may be transmitted to Google Gemini.
- Legal basis: Art. 6 (1) (b) GDPR (performance of contract — you trigger the feature actively).
- No use for advertising.
- No use to train external AI models, to the extent that such use is excluded contractually and on the API side. Under the default configuration of the paid Gemini API, this exclusion is in place.
- You can avoid the AI/PDF features entirely by simply not starting them.
- Generated cards or results are stored in your account if you adopt or save them.
- Transparency under the EU AI Act: AI-generated content may be incorrect, incomplete, or imprecise. You must check it before saving or sharing. AI suggestions do not replace professional advice (medical, legal, tax, or other) and do not replace a vetted learning source.
- Model used: Google Gemini. The model version may change without prior notice when Google rolls out updates.
Further AI features may be added in the future. Once introduced, we will update this privacy policy and name the respective provider and processing purpose.
9. Your rights as a data subject
At any time you have the following rights:
- Access (Art. 15 GDPR) — see which data we hold about you
- Rectification (Art. 16 GDPR) — of inaccurate or incomplete data
- Erasure (Art. 17 GDPR) — "right to be forgotten"
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) — export your data in a machine-readable format
- Objection (Art. 21 GDPR) to processing based on legitimate interest
- Withdrawal of consent (Art. 7 (3) GDPR) — effective from the moment of withdrawal
Please send requests to info@currentapp.de. We respond within one month.
Account deletion and data export can also be triggered directly in the app under Settings → Account — see also Account deletion step by step.
10. Right to lodge a complaint
If you believe that our processing of your data violates the GDPR, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority is in particular the supervisory authority of the German federal state in which our operator is based:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany, phone: +49 431 988-1200, datenschutzzentrum.de
11. Changes to this privacy policy
We update this privacy policy when processing changes (e.g. new features, new providers). For material changes we notify you actively and obtain new consents if required. The current version is always available here.
12. Contact
For any privacy questions please contact info@currentapp.de.