MHD App - Smart Expiry Date Tracker

Privacy Policy

Your privacy and data protection are our top priorities

Introduction

This notice explains how MHD App ("we", "our") processes your personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Telecommunications-Telemedia Data Protection Act (TTDSG).

1.0 – pre-launch draft (prepared 30 June 2025)

Controller (Art. 4 No. 7 GDPR; § 5 TMG)

Trendafyl

Lorik Sadiku (Sole Proprietorship)

Wilhelm-Löhe-Straße 4

90443 Nürnberg

Germany

Contact

Tel.: +49 176 262 208 30

E-Mail: [email protected]

Legal Information

Handelsregister: Not registered (§ 2 HGB – Small business)

USt-IdNr.: Not applicable (Small business per § 19 UStG)

EU Representative (Art. 27 GDPR)

Not applicable – the Controller is established in Germany.

Privacy Contact (Art. 37 GDPR)

No formal Data-Protection Officer is required. Nevertheless, we have designated an internal contact point: Privacy Team – [email protected] | +49 176 262 208 30 A written assessment documenting why Art. 37 (1) GDPR / § 38 BDSG do not apply is on file and reviewed yearly.

Categories of Personal Data

Category	Description
Account Data	Name, e-mail, password hash, avatar colour
Subscription & Payment Data	Stripe customer/subscription IDs, card last 4
Usage Data	IP address, browser user-agent, locale, theme, timestamps, feature interactions
Log & Error Data	Request ID, error trace, rate-limit identifier
Content Data	Inventory items, product details, supplier lists you create
Communications	Support tickets, in-app messages, e-mails
Cookie / Device IDs	Session token, CSRF token, cookie-consent ID
Aggregated Analytics	Anonymous event counts (Plausible – cookie-less)

Purposes, Legal Bases & Balancing Test

1.Operate user account & app – Contract Art. 6 (1)(b)
2.Subscriptions, invoices, payments – Contract Art. 6 (1)(b); Legal obligation Art. 6 (1)(c) GDPR; §§ 257 HGB / 147 AO
3.Transactional messages – Contract Art. 6 (1)(b)
4.Optional expiry-reminder e-mails & tips – Consent Art. 6 (1)(a) GDPR; § 7 UWG
5.Barcode look-ups via Open Food Facts API – Contract Art. 6 (1)(b)
6.Fraud-prevention & IT-security – Legitimate interest Art. 6 (1)(f)
7.Product development & UX analytics – Consent Art. 6 (1)(a)

Cookies & Similar Technologies (§ 25 TTDSG)

Strictly necessary cookies are required for secure log-in and language settings. All optional storage requires prior consent via the Cookie Preferences Centre.

Cookie Name	Purpose	Duration	Type
next-auth.session-token	Authenticate session	7 days	Necessary
mhdapp_csrf	CSRF protection	Session	Necessary
locale	UI language	1 year	Necessary
theme	Dark/light mode	1 year	Necessary
plausible_ignore	Opt-out flag	2 years	N/A (opt-out)

Analytics: We self-host Plausible in Germany. It stores only aggregate counts and no personal data. Consent is optional; if declined, no analytics is recorded.

Recipients & International Transfers

Recipient	Purpose	Location	Legal Basis
Hetzner Online GmbH	Hosting & PostgreSQL	Germany	DPA (Art. 28)
Stripe Payments Europe	Payments	EU (primary) / USA	EU-US DPF (Adequacy Art. 45) + DPA
Google Ireland Ltd.	Google OAuth 2.0	EU / USA	EU-US DPF + DPA
Amazon Web Services EMEA	Amazon SES	Frankfurt; fallback USA	EU-US DPF
Plausible Analytics OÜ	Cookie-less analytics	Germany	DPA (EU)

We never sell personal data. Standard Contractual Clauses are kept on file as a contingency should a recipient leave the DPF.

Data Retention

Data Category	Retention Period
User account & content	Until account deletion + 30-day encrypted backup
Payment & invoice records	10 years
Server security logs	7 days
Support tickets & routine e-mails	3 years
Contract-relevant e-mails (e.g. termination)	10 years
Aggregated analytics	Rolling 24 months (non-resettable)

Encrypted backups are stored at Hetzner (DE) and auto-deleted after 30 days.

Security Measures (Art. 32 GDPR)

•Security-by-design & by-default principles
•TLS 1.3 encryption end-to-end
•ISO 27001-certified German data centres (Hetzner)
•AES-256 encryption for databases & backups
•Role-based access with mandatory MFA
•Continuous automated dependency scanning & patching
•Annual external penetration test & remediation review
•Yearly security & privacy training for staff

Children's Data (Art. 8 GDPR)

MHD App is aimed at individuals 16 years or older. We do not knowingly process data of children; please notify us if you believe otherwise so we can delete it.

Automated Decision-Making / Profiling

We do not conduct automated decision-making that produces legal effects within the meaning of Art. 22 GDPR. Stripe Radar fraud checks may block a payment, but a manual review is always possible.

Your Rights (Art. 15 – 22 GDPR)

You can exercise at any time and free of charge: Access, Rectification, Erasure, Restriction, Portability, Objection to legitimate-interest processing, Withdrawal of consent. We respond within one month (Art. 12 (3) GDPR). Identification may be required. Contact: [email protected]. Obligation to provide data: Fields marked "required" in our forms are contractually necessary. Without them we cannot open or maintain your account; all other fields are optional.

Right to Lodge a Complaint (Art. 77 GDPR)

You may complain to any supervisory authority. Our lead authority is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de

Changes to This Privacy Policy

We may update this notice to reflect legal, technical or business developments. You will be informed at least 14 days in advance via an in-app banner and e-mail. Where a change affects consent-based processing we will request renewal of consent beforehand.

1.0 – pre-launch draft (prepared 30 June 2025)