TAGZ Privacy Policy

Last updated: March 2026

1. Controller (Verantwortlicher)

TAGZ
John Brandauer
Vienna, Austria
privacy@tagz.app

This privacy policy explains how we process your personal data when you use the TAGZ app, in accordance with the EU General Data Protection Regulation (GDPR/DSGVO).

2. Data We Collect and Legal Basis (DSGVO Art 13)

Account Data

• Email address, display name, profile photo
• Legal basis: Contract performance (Art 6(1)(b)) — necessary to provide the TAGZ service

Event Data

• Events you create, join, or view; event locations
• Legal basis: Contract performance (Art 6(1)(b)) — core app functionality

Location Data

• GPS coordinates when creating events or using map features
• Legal basis: Consent (Art 6(1)(a)) — via device location permission; revocable at any time in device settings

Device and Technical Data

• Device type, OS version, app version, crash reports
• Legal basis: Legitimate interest (Art 6(1)(f)) — maintaining app stability and security

Usage Analytics (PostHog)

• Anonymous interaction data (screens viewed, features used)
• Legal basis: Consent (Art 6(1)(a)) — opt-in only; you can enable or disable this in Privacy Settings at any time

Push Notifications

• FCM tokens for delivering notifications
• Legal basis: Consent (Art 6(1)(a)) — via device notification permission

3. Third-Party Processors and Data Transfers

We use the following third-party service providers to operate TAGZ. Some process data in the United States under the EU-US Data Privacy Framework (DPF):

• Firebase / Google Cloud (US) — Authentication, database (Firestore), file storage, push notifications (FCM). Transfer basis: EU-US Data Privacy Framework.
• Sentry (US) — Error tracking and crash reporting. Only anonymized user IDs are sent (no PII). Transfer basis: EU-US Data Privacy Framework.
• PostHog (US) — Usage analytics (opt-in only). Transfer basis: EU-US Data Privacy Framework.
• RevenueCat (US) — In-app purchase and subscription management. Transfer basis: EU-US Data Privacy Framework.

We never sell your personal data. Data is shared with processors only as necessary to provide the service.

4. Data Retention

We retain your data while your account is active. When you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g., tax or accounting obligations under Austrian law).

5. Your Rights (DSGVO Art 15–21)

Under the GDPR/DSGVO, you have the right to:

• Access your personal data (Art 15)
• Rectify inaccurate data (Art 16)
• Erase your data / “right to be forgotten” (Art 17)
• Restrict processing (Art 18)
• Data portability (Art 20)
• Object to processing based on legitimate interest (Art 21)
• Withdraw consent at any time without affecting lawfulness of prior processing

To exercise any of these rights, contact us at privacy@tagz.app.

6. Right to Complain

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority:

Datenschutzbehörde
Barichgasse 40-42
1030 Vienna, Austria
dsb@dsb.gv.at
https://www.dsb.gv.at

7. Contact Import

If you choose to import contacts, phone numbers are hashed client-side before any server communication. We never store raw contact information on our servers.

8. Children’s Privacy

TAGZ is not intended for users under 14 years of age (in accordance with Austrian DSGVO provisions). We do not knowingly collect information from users under 14. If we learn we have collected such information, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the app or email.

10. Contact Us

For privacy questions or to exercise your rights, contact us at: privacy@tagz.app