Privacy Policy – NowTT Effective Date: 21.09.2025 Last Updated: 24.09.2025 Version: 2.2 We ("NowTT" or "the App") respect your privacy and are committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, how long we keep it, what third parties we share it with, and what rights you have under applicable laws (such as GDPR, CCPA/CPRA, COPPA, VCDPA, and other privacy regulations). 1. Data Controller Information Data Controller: NowTT App Development Team Data Protection Officer (DPO): Onuralp Akca Contact (DPO): onuralpakca36@gmail.com Address: Georg-Wolff-Straße 12, 60439, Frankfurt am Main, Germany 2. Information We Collect Class Selection Your selected school type and class are stored only on your device. If you enable notifications, your class selection is also stored securely in our database together with your device token, so we can send you timetable updates. Timetable Data The app retrieves timetable information from the Heinrich-Kleyer-Schule official website. This data is fetched in read-only mode and is not altered by us. Device Tokens (for Notifications) When you enable notifications, Firebase Cloud Messaging (Google) generates an anonymous device token. This token, along with your class selection, is stored securely in our database for notification delivery. Technical Data We may collect automatically via our servers or third-party services (e.g., Firebase): IP address Device model and operating system Device identifiers (Device ID, advertising ID where applicable) Error logs and crash reports 3. Third Party Data Sharing Who We Share Data With We share your personal data with the following third parties: Firebase (Google LLC) Purpose: Push notifications, backend services, crash reporting, and analytics Data Shared: Device tokens, crash reports, technical data (IP addresses, device information), class selection (when notifications are enabled) Google's Privacy Policy: https://policies.google.com/privacy Data Processing Agreement: We have appropriate data processing agreements in place with Google Your Right to Know About Data Sharing You have the right to know: Whether your personal data is shared with third parties (Yes - with Firebase/Google as detailed above) What specific data is shared (device tokens, technical data, class selection when notifications enabled) The purpose of sharing (notifications, app functionality, crash reporting) How to opt-out of data sharing (disable notifications, see Section 11) We do not: Sell your personal data to any third parties Share your data for advertising or marketing purposes Share your data with any parties other than Firebase/Google 4. How We Use Your Information We use your data to: Deliver timetable updates and notifications Ensure service reliability and improve the app Detect, prevent, and resolve technical issues We do not sell your data, use it for targeted advertising, or share it with third parties other than our service providers (Firebase/Google). 5. Legal Basis for Processing (GDPR) For users in the European Economic Area (EEA): Consent: When you enable notifications Legitimate Interest: To provide timetable information and maintain service security 6. Permissions The app may request the following Android permissions: INTERNET & Network State – To fetch timetable data from the school website POST_NOTIFICATIONS – To send timetable alerts 7. Data Retention Class selection & device tokens: Retained only while notifications are enabled. Deleted if you disable notifications or uninstall the app. Technical data (logs, crash reports): Retained only as long as necessary for troubleshooting, then deleted or anonymized. Timetable data: Not permanently stored. Fetched directly from the school website. 8. Data Sales and Sharing (CCPA/CPRA Compliance) Data Sales: We do not sell your personal data and have not sold personal data in the past 12 months. Data Sharing: We share data only with Firebase (Google) as detailed in Section 3. Your Rights (California Residents): Know if your data is sold/shared (detailed above - we share with Firebase but do not sell) Opt-out of sale/sharing (not applicable for sales, but you may disable notifications to limit sharing with Firebase) Equal treatment (we will not discriminate against you for exercising your rights) To exercise your rights, contact: onuralpakca36@gmail.com 9. Data Security We use industry-standard security measures, including restricted Firebase database access, encryption, and monitoring to protect your data against unauthorized access, disclosure, alteration, or destruction. 10. Children's Privacy (COPPA Compliance) Our app is rated USK 3 and designed for safe use by children. Data Collected from Children Only minimal data: class selection & anonymous device tokens No public sharing: Children cannot publicize their personal information through our app No profiling, tracking, or targeted ads How Children's Data is Shared with Third Parties Firebase/Google: We share device tokens and technical data with Firebase (Google) for app functionality and notifications only No other third parties: Children's personal information is not shared with any other third parties No advertising networks: We do not share children's data with advertising or marketing companies Publication of Children's Data Our app does not allow children to publicize their personal information No public profiles, posts, or sharing features All data remains private and is only used for app functionality Parents' and Caregivers' Rights Caregivers have the right to: Review: Access and review their child's personal information that we have collected Delete: Request deletion of their child's personal information Stop Collection/Use: Stop further collection or use of their child's personal information Non-discrimination: Ensure no discrimination for exercising these rights How Caregivers Can Exercise These Rights To Review Your Child's Personal Information: Email: onuralpakca36@gmail.com with subject line: "Child Privacy Request - Review Data" Include your child's class selection (if known) for identification We will provide details of what personal information we have collected from your child Response time: Within 10 business days To Request Deletion of Your Child's Personal Information: Email: onuralpakca36@gmail.com with subject line: "Child Privacy Request - Delete Data" Include your child's class selection (if known) for identification We will permanently delete your child's personal information from our systems Response time: Within 10 business days To Stop Collection or Use of Your Child's Personal Information: In-app: Disable notifications in app settings, OR Email us: onuralpakca36@gmail.com with subject line: "Child Privacy Request - Stop Collection" Uninstall: Remove the app (automatically deletes all stored data) Verification Process: We may request verification of parental status to protect your child's privacy This may include requesting identification or other verification methods We respond within 10 business days and will guide you through any verification process 11. Your Rights Depending on your location, you may have the following rights: Access: Request a copy of the data we hold Correction: Request correction of inaccurate data Deletion: Request deletion of your data Withdraw Consent: Disable notifications in the app or your device settings Portability (GDPR): Request your data in machine-readable format Non-Discrimination (CCPA): You will not be discriminated against for exercising rights Lodge a Complaint (GDPR): You have the right to lodge a complaint with a supervisory authority (e.g., your local Data Protection Authority) Virginia Residents (VCDPA): You may request access, correction, deletion, portability, and opt-out of certain processing activities To exercise any of these rights, email us: onuralpakca36@gmail.com 12. How to Opt-Out of Data Sharing Disable notifications in the app (stops sharing with Firebase) Use the app offline when possible Contact us for additional restrictions at onuralpakca36@gmail.com ⚠️ Note: Some minimal data sharing with Firebase is required for core app functionality. Full opt-out may reduce app features. 13. Contact For all privacy-related matters: 📧 Email: onuralpakca36@gmail.com 📝 Subject Line Guidelines: General privacy questions: "Privacy Inquiry" Rights requests: "Privacy Rights Request" Parental requests: "Child Privacy Request" Data deletion: "Data Deletion Request" ⏱ Response Time: Within 10 business days (or sooner, as required by law). 14. Updates to This Privacy Policy We may update this Privacy Policy from time to time. When we make material changes, we will: Update the "Last Updated" date at the top of this policy Notify users through the app or other appropriate means For significant changes affecting children's privacy, we will obtain parental consent where required by law This Privacy Policy is designed to comply with GDPR, CCPA/CPRA, COPPA, VCDPA, and other applicable privacy regulations. If you have questions about your privacy rights or this policy, please contact us at onuralpakca36@gmail.com.