Privacy Policy

Effective: 22 May 2026 · Version 1.0

For the JeJal mobile app (iOS)

This is an English translation of the JeJal Privacy Policy. The German version (“Datenschutzerklärung”) is the legally binding version under German and EU data protection law. In case of discrepancies between the language versions, the German version prevails.

The protection of your personal data is important to us. This Privacy Policy informs you about which data we process, how and why we process it, to whom we transmit it, and which rights you have with respect to your data.

We process your data exclusively within the framework of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications-Telemedia Data Protection Act (TTDSG) and other applicable provisions.

§ 1 Controller

The controller within the meaning of Art. 4(7) GDPR is:

Item | Details
Controller | Habin Ok
Address | Kaiserdamm 95, 14057 Berlin, Germany
Email | team@je-jal.com
Phone | +49 151 29864904
Web | https://je-jal.com

A data protection officer has not been appointed, as the statutory requirements (in particular § 38 BDSG) are currently not met. For data protection requests, please contact us directly at team@je-jal.com.

§ 2 Overview of Data Processing

We process personal data insofar as it is necessary for the provision of the JeJal app and its functions. The main data categories at a glance:

Category | Purpose
Account data | Registration, authentication
Verification data | Verification of student status (OCR)
Profile data | Nickname, university, language
Content data | Posts, comments, reviews, pod messages
Timetable & free periods | Timetable feature, free-period alert
Location data | Nearby mensa display (only with consent)
Push token | Push notifications
Usage and log data | Security, error analysis, abuse prevention
Moderation data | Processing of notices and complaints

§ 3 Legal Bases for Processing

We process your data exclusively on one of the following legal bases:

Provision | Use Case
Art. 6(1)(a) GDPR (consent) | Location access, optional analytics tools, marketing communications
Art. 6(1)(b) GDPR (performance of contract) | Account creation, provision of app features, timetable, pods, review system
Art. 6(1)(c) GDPR (legal obligation) | Retention obligations, reporting obligations to authorities, DSA obligations
Art. 6(1)(f) GDPR (legitimate interest) | IT security, abuse prevention, moderation, inclusion of instructor profiles, enforcement of legal claims
Art. 9(2)(a) GDPR | Special categories of data (e.g. religious/political statements in posts) — only insofar as you yourself make them manifestly public

§ 4 Registration and Authentication

An account is required to use JeJal. Registration takes place via one of the following authentication providers:

  • Sign in with Apple (Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA)
  • Google Sign-In (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
  • Microsoft Sign-In (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland)

Data processed: provider-specific user ID, email address (if released), display name (if released). With Sign in with Apple, you can replace the sharing of your email with an Apple Relay address.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Retention: As long as your account exists; after account deletion, in accordance with § 14 of this Policy.

Third-country transfer: The providers have US parent companies. Transfers to the USA are based on the EU-US Data Privacy Framework (DPF, EU Commission adequacy decision of 10 July 2023) and/or EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR. Apple, Google and Microsoft are DPF-certified.

4.1 Profile Information

When setting up your profile, you additionally provide:

  • Nickname (freely chosen, changeable at any time)
  • University (TU Berlin, FU Berlin, HU Berlin — list expanded gradually)
  • Language preference (German or English)
  • Optional: programme, department, semester

Legal basis: Art. 6(1)(b) GDPR. Retention: Duration of the account.

§ 5 Verification of Student Status

To ensure that JeJal is used exclusively by eligible students, we verify your status based on an enrolment or deregistration certificate.

5.1 Verification Procedure

  1. You upload a current certificate from your university (PDF or image format).
  2. By means of text recognition (OCR), name, university name and validity period are extracted from the document.
  3. We check whether the university is on the list of supported institutions and whether the certificate is currently valid.
  4. Upon successful verification, your account is activated.
  5. The uploaded document is deleted after completion of verification. Only the extracted status information (university, verification date) remains stored.

5.2 Data Processed

  • Name as per certificate (not displayed in profile)
  • University name and validity period of enrolment
  • Date of verification

OCR processing: Text recognition takes place server-side in our Supabase infrastructure in the EU (Ireland). The original document is not transmitted to any third parties.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in ensuring the student context of the platform). Retention of original document: Maximum 7 days for processing. Retention of status information: Duration of the account.

§ 6 Processing within the App Functions

6.1 Anonymous Board (Posts, Comments)

On the anonymous board, you publish posts and comments without displaying your name or nickname to other users. Internally, however, we store an encrypted link between posts and accounts in order to enable moderation and abuse prevention.

This internal link is lifted only under the following narrow conditions:

  • judicial or official order (in particular § 100j StPO, § 21 TTDSG, Art. 9 DSA — disclosure orders),
  • acute danger to life or limb (under emergency rules),
  • enforcement of legal claims by affected third parties with proven legal basis.

Practice: In clear-cut cases, the JeJal team decides itself. In unclear or contested cases, external legal advice is sought. You are subsequently informed about every de-anonymisation, unless prohibited by official order.

Legal basis: Art. 6(1)(b) and (f) GDPR. Retention: Posts remain until deleted by you or by moderation; after account deletion, they are handled in accordance with your choice (§ 14 of this Policy).

6.2 Course and Instructor Reviews

Reviews are published anonymously. Internally there is — as with posts — an encrypted link between review and account. The link is used exclusively for moderation purposes and for handling objections by instructors.

Processing of instructor data: We process names, university, faculty and courses of instructors on the basis of Art. 6(1)(f) GDPR. The legitimate interest of the student body in reviews has in principle been recognised by the German Federal Court of Justice in the “Spickmich” decision (BGH VI ZR 196/08) and the “Jameda” case law (in particular BGH VI ZR 30/17).

Instructor rights: Instructors may at any time request access, rectification, erasure and profile deletion where overriding legitimate interests apply. Details are set out in “Information for Instructors” (separate document).

6.3 Timetable and Free Periods

You can manage your timetable within the app and share it exclusively with friends you have confirmed. The data is stored exclusively on our EU servers.

The free-period alert compares your free periods with those of your friends locally in the app. No central evaluation takes place. Notifications are sent only to you, not to your friends.

Legal basis: Art. 6(1)(b) GDPR. Retention: Duration of the account.

6.4 Pods

Within pods, your nickname or registered name is displayed to other members — unlike on the anonymous board. We process pod membership, messages and, where applicable, shared appointments. Upon dissolution of the pod, the messages are deleted without delay.

Legal basis: Art. 6(1)(b) GDPR. Retention: Duration of pod membership + 30 days after pod dissolution.

6.5 Mensa Function and Location Data

To display nearby cafeterias, we use your approximate location via the iOS location services with your express consent. Location requests take place only while you are actively using the Mensa feature (“When in Use”).

The location is processed exclusively on your device and is not transmitted to our servers. You can withdraw consent at any time in the iOS settings.

Legal basis: Art. 6(1)(a) GDPR (consent).

§ 7 Processors and Third-Party Services

We use technical service providers for the operation of the app. Data processing agreements pursuant to Art. 28 GDPR have been concluded with all service providers.

7.1 Supabase (Backend, Database, Storage)

Provider: Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore 318992 (US parent: Supabase Inc., Wilmington, Delaware).

Infrastructure: AWS region eu-west-1 (Ireland). All user data, posts, reviews and authentication data are stored and processed exclusively in this EU region.

Third-country transfer: Operational access by the Supabase team may theoretically take place from third countries. We use EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR and the EU-US Data Privacy Framework. In light of the “Schrems II” judgment (CJEU C-311/18), we have agreed additional safeguards, in particular:

  • encrypted data storage (at rest and in transit),
  • access control and audit logging,
  • contractual obligation to challenge official disclosure requests,
  • regular security reviews.

Legal basis: Art. 6(1)(b) and (f) GDPR. Processor: Yes (Art. 28 GDPR).

7.2 Expo Push Service / Apple Push Notification (Push Notifications)

For push notifications (e.g. new pod messages, replies to posts, free-period alert), we use the following chain:

  1. Our app generates an Apple (APNs) push token on your device.
  2. This token is transmitted to Expo Push Service (650 Industries, Inc., 1100 Alma Street, Suite 105, Menlo Park, CA 94025, USA), which acts as an intermediary.
  3. Expo forwards the push message to Apple Push Notification Service (APNs) by Apple Inc.
  4. APNs delivers the notification to your device.

Data processed: push token, notification content (e.g. “New reply to your post”). We do not transmit identifying content via the relay chain.

Third-country transfer: Expo and Apple process data partly in the USA. Basis: EU-US Data Privacy Framework (Apple certified) and SCC (Expo). You can deactivate push notifications at any time in iOS settings or in the app.

Legal basis: Art. 6(1)(a) GDPR (consent via iOS push permission).

7.3 Sentry (Error and Crash Reports)

Provider: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. EU establishment and data processing: Sentry GmbH, Berlin (region EU/Frankfurt).

Sentry captures error reports and crash data to improve the stability of the app. Processing takes place exclusively in the EU region (Frankfurt). We employ PII scrubbing: personal data is automatically removed from error reports before transmission to Sentry.

Data processed: app version, iOS version, anonymised device identifier, error stack trace, timestamp, anonymised technical context data.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stability and security of the app). Retention: 90 days.

7.4 Google Analytics for Firebase (Usage Statistics)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA).

We use Google Analytics to evaluate aggregated usage statistics (e.g. areas visited, dwell time, app performance). Processing takes place exclusively with your express consent, requested at app start. Without your consent, Google Analytics is not initialised.

Third-country transfer: Google processes data partly in the USA. Basis: EU-US Data Privacy Framework (Google is DPF-certified) and SCC. IP addresses are truncated before storage (IP anonymisation). We have configured the data retention period to the technically shortest value (14 months).

Note: The use of Google Analytics is controversial from a data protection perspective. You can withdraw consent at any time in the app settings. Upon withdrawal, no further data will be transmitted to Google; you can request deletion of already transmitted data via your Google account.

Legal basis: Art. 6(1)(a) GDPR (consent). Integration takes place only after active consent (opt-in).

7.5 Apple App Store and In-App Purchase

The app is distributed exclusively via the Apple App Store. Apple independently processes data in this context (e.g. download statistics, billing data). The controller for this processing is Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Details can be found in the Apple Privacy Policy (https://www.apple.com/legal/privacy/en-ww/).

Any future in-app purchases will be processed exclusively via Apple IAP. We only receive a pseudonymised transaction confirmation from Apple, no payment data.

§ 8 Server Logs and IP Addresses

When accessing the app and website, technically necessary log data is recorded:

  • IP address (truncated after 7 days)
  • Date and time of the request
  • Endpoints accessed (e.g. /board, /reviews)
  • HTTP status code and response size
  • App build used (version, platform)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security, functionality and abuse defence). Retention of IP address: 7 days. Retention of other logs: 90 days.

§ 9 Moderation and Abuse Prevention

To ensure a safe platform, we process data for moderation purposes:

  • Automated content filters: keyword and AI-supported classification of posts before and after publication,
  • Notices: storage of notices of unlawful content with reference to post, reason and processing status,
  • Moderation decisions: reasons, measures taken, complaint history.

Legal basis: Art. 6(1)(c) GDPR (legal obligation under DSA, TMG, Jugendmedienschutz-Staatsvertrag) and Art. 6(1)(f) GDPR (legitimate interest in security and functionality).

Retention of notices: 2 years. Retention of moderation decisions: 2 years. Retention of removed content (archive): 6 months.

§ 10 Retention Periods at a Glance

Unless stated otherwise in the previous sections, the following retention periods apply:

Data Category | Retention
Active account | For as long as the account exists + 30 days
Inactive account (no login) | 24 months → warning email → deletion after another 30 days
Anonymous posts after account deletion | At your choice: A) immediate deletion or B) anonymisation as “Deleted user”
IP addresses | 7 days
General access logs | 90 days
Pod messages | Duration of pod + 30 days after dissolution
1:1 messages | Until deleted by you
Notices | 2 years
Moderation decisions | 2 years
Removed content (archive) | 6 months
Litigation-related data | Up to 3 years after end of dispute
Verification documents | Maximum 7 days
Payment records (future) | 10 years (§ 147 AO)

§ 11 Recipients of Personal Data

Personal data is disclosed exclusively to the following recipient categories:

  • Processors (see § 7) on the basis of Art. 28 GDPR,
  • Authorities and courts based on legal obligations (e.g. § 100j StPO, § 21 TTDSG, Art. 9 DSA — only after review of the legality of the order),
  • External legal advice in individual cases (in particular for de-anonymisation decisions),
  • Other recipients only with your express consent.

No sale of personal data takes place at any time. We do not pass on data to third parties for advertising purposes.

§ 12 Third-Country Transfer

The main processing of your data takes place in the European Union (Supabase: Ireland; Sentry: Frankfurt). In the following cases, transfers to third countries (in particular the USA) take place:

  • Authentication via Apple/Google/Microsoft (DPF + SCC),
  • Push notifications via Expo + APNs (DPF + SCC),
  • Google Analytics (DPF, only with your consent),
  • Operational access by Supabase staff (SCC + additional safeguards).

We base third-country transfers on the EU-US Data Privacy Framework adequacy decision (where the provider is certified) and on EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR. In light of the “Schrems II” case law, we have assessed the risks (Transfer Impact Assessment) and agreed additional safeguards.

§ 13 Your Rights as a Data Subject

You have extensive rights with respect to your personal data. You can exercise them at any time by email to team@je-jal.com. We respond within 30 days.

Right | Content
Access (Art. 15 GDPR) | Information on whether and which data we process about you, including purposes, recipients, and the planned retention period
Rectification (Art. 16 GDPR) | Correction of inaccurate or incomplete data
Erasure (Art. 17 GDPR) | Deletion of your data, unless a statutory retention obligation applies
Restriction (Art. 18 GDPR) | Restriction of processing in certain cases
Objection (Art. 21 GDPR) | Objection to processing based on legitimate interests
Data portability (Art. 20 GDPR) | Receipt of your data in a structured, machine-readable format (JSON)
Withdrawal of consent (Art. 7(3) GDPR) | Withdrawal of consent given, with effect for the future
Complaint (Art. 77 GDPR) | Complaint to a data protection supervisory authority

13.1 Right to Data Portability (Art. 20 GDPR) — Scope

Upon request, we provide you with the following data as a JSON export:

  • Profile information (nickname, university, language)
  • Your published posts and comments
  • Your reviews
  • Your timetable
  • Pods that you created (without data of other members)
  • Messages that you sent (without received messages)

Not included are:

  • Content of third parties referring to you,
  • Profile data of your friends,
  • Reviews that others have written about you.

13.2 Right to Lodge a Complaint (Art. 77 GDPR)

If you are of the opinion that the processing of your data violates the GDPR, you can lodge a complaint with a supervisory authority. The competent authority is in particular:

Authority | Details
Authority | Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI)
Address | Alt-Moabit 59–61, 10555 Berlin, Germany
Phone | +49 30 13889-0
Email | mailbox@datenschutz-berlin.de
Web | https://www.datenschutz-berlin.de

At the federal level, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) is also competent: Graurheindorfer Str. 153, 53117 Bonn, https://www.bfdi.bund.de.

§ 14 Account Deletion

Users may request account deletion by contacting us via email at team@je-jal.com. Requests will be reviewed in accordance with applicable legal requirements and our data retention obligations.

14.1 Deletion Options

When deleting, you choose between two options:

Option | What Happens
A) Full deletion | Account deletion may be requested by contacting us via email and providing a legitimate justification for the request. We will review such requests on a case-by-case basis and process them where required by applicable law or where the request is otherwise justified. Additional information may be requested to verify the identity of the requester before any deletion action is taken.
B) Delete account, anonymise posts | Account is deleted. Posts and comments remain with the placeholder “Deleted user”. The cryptographic link to your account is irreversibly destroyed, so de-anonymisation is no longer possible.

14.2 Statutory Exceptions

Certain data is exempt from immediate deletion due to statutory retention obligations, e.g. accounting and tax data under § 147 AO (10 years) upon later introduction of paid features.

§ 15 Data Security

We employ technical and organisational measures to protect your data against loss, manipulation and unauthorised access. In particular:

  • Transport encryption via TLS 1.3 for all connections,
  • Encryption of the database at rest (AES-256),
  • Access control to the backend via multi-factor authentication,
  • Regular security updates of the components used,
  • Automated backups in the EU region,
  • PII scrubbing for error reports (Sentry),
  • Pseudonymisation of sensitive database fields.

Despite all measures, absolute security can be guaranteed neither during data transfer nor during storage. We report security incidents to affected users and the competent supervisory authority in accordance with Art. 33 and 34 GDPR.

§ 16 Minors

JeJal is intended for persons aged 17 and above (App Store age rating 17+). Persons under 17 are generally not permitted to use JeJal. Exceptions are only possible for persons verifiably enrolled at a supported university.

Should we become aware that we are processing data of a person under 17 without corresponding university entitlement, the account will be deleted without delay. Legal guardians can contact us at any time at team@je-jal.com.

§ 17 Cookies and Tracking

JeJal is primarily a native app and therefore does not use classic website cookies. Within the app, we use the following local storage techniques:

  • Authentication tokens (technically necessary, Art. 6(1)(b) GDPR, § 25(2) No. 2 TTDSG),
  • Settings and preferences (technically necessary),
  • Caching data for offline functionality (technically necessary).

For the optional analytics tools mentioned in § 7.4, we obtain your express consent before the respective SDKs are initialised.

The website https://je-jal.com uses only technically necessary cookies. A cookie banner is displayed on first visit.

§ 18 Automated Decisions

We use automated moderation tools (keyword filters, AI classification) for initial review of posts. This pre-check may result in automatic visibility restriction or routing to a manual review queue.

A final decision with significant effects (e.g. permanent suspension) is not made automatically, but always with human involvement. Under Art. 22 GDPR, you have the right to human review of any automated decision.

In accordance with Art. 17 DSA, we inform you for every specific moderation measure whether and which automated tools were used.

§ 19 Changes to this Privacy Policy

We may update this Privacy Policy as needed, in particular when new features are introduced or legal changes require it. For substantial changes, we will inform you at least 14 days before they take effect, by email and within the app.

The current version is available in the app under Settings → Legal → Privacy Policy and at https://je-jal.com/privacy.

§ 20 Contact

For questions about the processing of your personal data or to exercise your rights, please contact us:

Item | Details
Controller | Habin Ok
Email | team@je-jal.com
Address | Kaiserdamm 95, 14057 Berlin, Germany
Phone | +49 151 29864904
Response time | Art. 15 GDPR requests: 30 days. General requests: 2–3 working days