Last updated: May 9, 2026
The controller responsible for processing your personal data under Art. 4(7) GDPR is:
Finn Strehl (Strehl Digital)We only collect data that is necessary to operate the Service.
Email address and authentication credentials (password hash via Supabase Auth, or a Google OAuth token if you sign in with Google).
Legal basis: Art. 6(1)(b) GDPR — necessary for the performance of your account contract.
Goal text, schedule, stake amount, chosen charity, and proof submissions you make during a challenge (photos, location check-ins, or timer completions depending on the proof type you select).
Legal basis: Art. 6(1)(b) GDPR — necessary for the performance of your challenge contract.
We store only a Stripe Customer ID and a Stripe payment method token. Raw card numbers are never seen or stored by us — they go directly to Stripe's servers.
Legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR — contract performance and compliance with financial record-keeping obligations (§ 257 HGB, § 147 AO).
Basic app stability signals and error logs to monitor and improve the Service. No third-party analytics SDKs or advertising trackers are used.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating a secure and stable service.
If you allow notifications, we store a device push token (issued by Expo's push service) to send you challenge reminders and settlement updates. You can revoke notification permission at any time in your device settings.
Legal basis: Art. 6(1)(b) GDPR — necessary to deliver time-sensitive challenge and settlement notifications that are part of the Service.
All payment processing is handled by Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA. When you save a card, your payment details are transmitted directly to Stripe — we receive only a token reference. When a challenge is settled as failed, we instruct Stripe to charge the saved card and transfer 91% to the selected charity's Stripe Connect account; we retain 9% as a platform fee. We never hold funds on behalf of charities.
Stripe is certified under the EU–US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) for transfers of personal data from the EU to the US (Art. 46 GDPR). See Stripe's Privacy Policy and Data Processing Agreement.
Account authentication is managed by Supabase (Supabase Inc., Singapore). Your account data is stored in Supabase's EU region (West EU — Ireland, AWS eu-west-1). Supabase Inc. is a US-headquartered company with SCCs in place for any transatlantic access. See Supabase Privacy Policy.
If you choose to sign in with Google, your authentication is processed by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, under Google's own Privacy Policy. See Google Privacy Policy.
If you create a challenge with a location-based proof type, the app displays a map and verifies your position using Mapbox. This is provided by Mapbox, Inc., 740 15th Street NW, Washington, DC 20005, USA. When location proof is active, your approximate coordinates and device IP address are transmitted to Mapbox's servers in the USA to render map tiles and validate your check-in.
Location proof is entirely optional — you choose the proof type when creating a challenge. If you select photo or timer proof instead, no data is sent to Mapbox.
Mapbox processes data under Standard Contractual Clauses (SCCs) for EU-to-US transfers. See Mapbox Privacy Policy.
Legal basis: Art. 6(1)(b) GDPR — necessary for providing the location-based proof feature you have selected; Art. 6(1)(f) GDPR — our legitimate interest in accurate location verification.
Challenge reminders and settlement notifications are delivered via the Expo push notification service, operated by Expo (Expo, Inc., USA, a subsidiary of Software Mansion S.A.). When you grant notification permission, your device push token is sent to and stored by Expo's infrastructure in the USA. Expo uses this token solely to route notifications to your device on our behalf.
You can withdraw permission at any time in your device's notification settings, after which we will stop sending push notifications to your device. See Expo Privacy Policy.
Legal basis: Art. 6(1)(b) GDPR — necessary to deliver challenge and settlement notifications that form part of the Service; transfers to the USA are safeguarded by SCCs.
Photos you submit as daily proof are stored in Supabase Storage (EU region — Ireland, eu-west-1). They are accessible only to you and the automated settlement process. Proof photos are deleted 90 days after the challenge ends, or immediately when you delete your account, whichever is earlier.
Our web pages load the Inter font from Google Fonts (Google LLC, USA). When a page loads, your browser connects to Google's servers and your IP address is transferred to Google as a result. This constitutes a transfer of personal data to a third country (USA).
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in a consistent visual presentation. To prevent this transfer, you can block requests to fonts.googleapis.com in your browser, or use a browser extension that intercepts Google Font requests.
The DoOrDonate mobile app does not use browser cookies. Our web pages (legal notices, landing page) use only technically necessary browser storage for navigation. No analytics, advertising, or tracking cookies are set on any of our pages.
Your data is primarily stored within the EU (Supabase, Ireland — eu-west-1). Transfers to the USA occur in the following circumstances:
All transfers are safeguarded under Art. 46 or Art. 45 GDPR. No transfers occur to countries without an adequacy decision or appropriate safeguards.
You can request deletion of all data not subject to a statutory retention obligation by emailing strehldevs@gmail.com. We will act on your request within 30 days.
Challenge settlement (pass or fail) is determined automatically by comparing the number of submitted proofs to the required count. This automated decision has a direct financial consequence — it determines whether your payment card is charged. Pursuant to Art. 22(3) GDPR you have the right to request human review of any individual settlement decision. To do so, email strehldevs@gmail.com within 14 days of the settlement date, stating your challenge ID.
Under the GDPR you have the right to:
To exercise any of these rights, email strehldevs@gmail.com. We will respond within one month.
You also have the right to lodge a complaint with the competent supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf — ldi.nrw.de.
We may update this policy to reflect changes in law or our data practices. For material changes we will notify you by in-app notification or email at least 30 days before the changes take effect. Where a change requires consent under GDPR (e.g. a new processing purpose), we will obtain your explicit consent before it applies — continued use alone will not constitute consent for such changes.
Privacy questions: strehldevs@gmail.com