The following privacy notices provide you with comprehensive information about the processing of personal data when using the ALBA app and our associated websites. We process your data in compliance with the General Data Protection Regulation (GDPR) and other applicable legal provisions. Personal data means any information relating to an identified or identifiable natural person; a person is considered identifiable if they can be identified directly or indirectly. This includes, for example, your name, your email address, your usage behavior, or your IP address. Your trust is important to us, and we always treat your data confidentially and responsibly.
1 Controller
The controller responsible for processing your personal data is ALBA GmbH, registered in the commercial register of the Local Court (Amtsgericht) Frankfurt am Main under HRB 141157, with its registered office at Mainzer Landstraße 33, 60329 Frankfurt am Main, Germany. The legal representatives are Jessica Fothen and Larissa Mar Wischhusen. You can contact us by email at hello@alba-app.de. Our VAT identification number is DE459567529. Further information can be found on our website at www.alba-app.de.
For all matters relating to data protection and to exercise your data subject rights, you can reach us at legal@alba-app.de or by post at our business address stated above, adding “Data Protection”.
2 General information on data processing
2.1 Legal bases for processing
We process your personal data in compliance with the applicable statutory data protection provisions and generally base our processing on the following legal bases:
(a) Consent. Where we obtain the data subject’s consent for processing operations, Art. 6(1)(a) GDPR serves as the legal basis. This includes, where applicable, consent for storing information on and accessing information in the end device.
(b) Contractual obligations. Where processing of personal data is necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
(c) Legal obligations. Where processing of personal data is necessary to comply with a legal obligation to which we are subject, Art. 6(1)(c) GDPR serves as the legal basis.
(d) Legitimate interests (balancing of interests). Where processing is necessary for the purposes of legitimate interests pursued by us or a third party, and the interests, fundamental rights and freedoms of the data subject do not override those interests, Art. 6(1)(f) GDPR serves as the legal basis.
(e) Special categories of personal data. For special categories of personal data such as information about sexual orientation or health data, Art. 9(2)(a) GDPR applies.
We generally do not collect health data and do not use the data we collect to draw conclusions about your past, present, or future physical or mental health condition. However, because the term “health data” is interpreted very broadly in some jurisdictions, certain data we collect may be considered such data in those jurisdictions. As with other data we collect, the primary purpose of using this data is to provide you with our services and to help you connect with other members.
2.2 Data deletion and storage period
Personal data will be deleted or anonymized as soon as it is no longer necessary for the purposes for which it was collected or otherwise processed, or the relevant legal basis ceases to apply (e.g., upon withdrawal of consent), provided there is no other legal obligation or overriding legitimate interest requiring continued storage. For this purpose, we maintain an internal deletion and retention schedule with purpose-based time limits and implement appropriate procedures for timely deletion or anonymization.
Storage may continue beyond this point to the extent and for as long as this is required by applicable Union law or the law of a Member State to which the controller is subject (e.g., accounting or regulatory retention obligations), or to the extent further processing is time-limited and, where necessary, restricted for the following purposes:
• Evidence and defense purposes: to assert, exercise, or defend legal claims and to secure evidence within the relevant statutory limitation and exclusion periods. The specific periods depend on the applicable law.
As soon as data is no longer required for the purposes stated above, it will be deleted or anonymized in accordance with the deletion and retention schedule; access will be restricted to the necessary extent, and technical and organizational measures ensure timely implementation.
3 Processing purposes, personal data collected, and legal bases
3.1 Provision of the app and website
To keep the ALBA app and our website available, we use data and information from the device accessing them. This includes information about the browser type and version used, the operating system of the accessing device, the IP address, date and time of access, requested resources, websites from which you reached our services (referrer tracking), whether access was successful, and the volume of data transferred. This data is stored in the log files of our systems. As a rule, this data is not stored together with personal data of a specific user, so individual users are generally not identified.
Log files are processed to ensure the functionality of the app and website, for technical optimization, and to ensure the security of our IT systems.
The legal basis for the temporary storage of the data and the log files is Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the purposes stated above.
The deletion of the technical data mentioned above takes place automatically, at the latest on a rolling basis 30 days after the respective access, unless longer storage is required in individual cases to fulfill mandatory legal obligations or to investigate security incidents.
3.2 Registration and user account
To register you with ALBA and provide our services, we process the registration data you provide. This includes your email address, mobile phone number (for SMS verification via Twilio), password, date of birth, gender, sought gender, first name, and your location (city or region). Optionally, you can provide further information, such as your profession, education, height, marital status, desire to have children, religion, smoking and drinking habits, or other personal preferences.
After signing up, you complete a questionnaire based on recognized findings from personality and relationship psychology. Based on your answers and statistical data, we automatically create your individual personality profile, which is then compared with other users’ profiles. Registration is necessary to provide our services; otherwise, we cannot make all functions available to you.
The legal basis is contract performance pursuant to Art. 6(1)(b) GDPR.
The ALBA app is intended exclusively for persons aged 18 and over. We do not knowingly collect personal data from minors under 18. If we suspect a user is a minor, we request age verification. If we determine that a user is underage, the account will be blocked and the relevant data deleted. If you become aware that a minor is using our services, please notify us via the reporting function in the app or by email.
3.3 Profile information and content
Your profile contains the information you provide, including profile photos and videos, your self-description (“About me” text), interests and hobbies, information about personality traits, and your preferences for potential partners. This information is visible to other registered users unless you restrict visibility in the settings. If you upload or provide content such as photos, texts, or other media in the app, we process this in accordance with our terms of use.
The legal basis is Art. 6(1)(b) GDPR (contract performance) for providing your profile and Art. 6(1)(f) GDPR to safeguard the integrity of the platform and prevent misuse.
3.4 Special categories of personal data
When using a dating app, special categories of personal data within the meaning of Art. 9(1) GDPR may also be processed. This includes, in particular, information about sexual orientation (e.g., by indicating the sought gender), religious or philosophical beliefs, and health data. We process this data only if you voluntarily provide it in your profile and thereby consent to the processing. Not providing this voluntary information does not impair the usability of the core functions but may affect the quality of partner suggestions.
The legal basis is Art. 9(2)(a) GDPR (explicit consent).
You can change or delete this information at any time in your profile settings. Processing for internal AI training or comparable purposes takes place only with explicit consent.
3.5 Communication data
We store the messages you exchange with other users via the chat function, including text messages, photos, videos, and voice messages. This data is stored in our database (MongoDB Atlas) and may be analyzed for fraud prevention, moderation, and enforcement of our terms of use.
The legal basis is Art. 6(1)(b) GDPR (provision of the chat function) and Art. 6(1)(f) GDPR (security and misuse prevention).
We may automatically delete unanswered messages if they originate from profiles that we have identified, for example, as spam or romance scamming.
3.6 Usage data
When using the ALBA app, we automatically collect technical and usage-related data. This includes device information such as device type, operating system, unique device identifiers (e.g., IDFA, GAID), browser type, language, and app version used. We also process connection data such as IP address, mobile carrier, and network type, as well as usage statistics on the time and duration of app use, functions accessed, and interactions with other users (likes, matches, blocks). In addition, we process information about app crashes and errors.
The legal basis is Art. 6(1)(b) GDPR (contract performance for providing the services) and Art. 6(1)(f) GDPR (legitimate interest in improving and securing the services).
Our legitimate interest lies in troubleshooting and optimizing our offering.
3.7 Location data
The ALBA app offers location-based functions that enable you to receive partner suggestions near you. For this purpose, we use the Google Maps API for map, location, places, and geocoding functions. If you enable location sharing, we process precise GPS location data; otherwise, we use approximate location information based on your IP address. Location determination may occur via GPS, Wi-Fi, Bluetooth, or the location services of your end device. If access to these functions is disabled or not permitted, corresponding location-based features are not available.
The legal basis for processing precise location data is your consent pursuant to Art. 6(1)(a) GDPR.
You can disable location sharing at any time in your device settings.
3.8 Payment data
If you purchase paid services such as our membership or virtual goods, we process payment data necessary to complete the transaction. Payment processing is carried out via our payment service provider Stripe. Depending on the selected payment method, the following data may be processed: name, date of birth, payment method, account number, card type, expiration date, postal code, and mobile phone number. We do not store complete credit card numbers or bank account details; Stripe only transmits a transaction ID, payment status, and, where applicable, the last four digits of the card used.
If Apple Pay is used, payment is processed via the Apple ecosystem. If PayPal is used, payment is processed via PayPal (Europe) S.à r.l. et Cie, S.C.A. in accordance with its privacy provisions. Stripe, Apple, and PayPal are each independent controllers for payment processing. You can also make in-app purchases via third-party platforms such as the Apple App Store or Google Play Store; in these cases, the provisions of the respective third party apply.
The legal basis is Art. 6(1)(b) GDPR (contract performance). Transaction data is stored for ten years in accordance with tax retention obligations (e.g., § 147 AO).
3.9 Identity check and verification
For identity verification, we use the service Veriff OÜ (based in Estonia, EU). As part of verification, identification documents (e.g., ID card, passport, driver’s license), biometric data (facial features for comparison with the ID photo), video selfies, and metadata of the verification process are processed. Identity verification is mandatory; without successful verification, no profile can be created. The processing of biometric data is carried out exclusively on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR, which is obtained in the app flow as a separate, active step immediately before the verification process begins. If you do not provide consent, registration cannot be completed. An alternative, non-biometric verification procedure is currently not offered. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Veriff. The raw data collected during verification is stored by Veriff in accordance with documented retention periods; early deletion upon request is possible.
3.10 Legal obligations and enforcement of rights
To comply with legal obligations, we process user, usage, and payment data. The legal basis is Art. 6(1)(c) GDPR. In the event of a judicial, administrative, or law enforcement request, we process the requested data to comply with legal obligations and based on a legitimate interest in combating crime (Art. 6(1)(c) and (f) GDPR). To enforce or defend legal claims, we process data based on our legitimate interest in protecting our company and our users (Art. 6(1)(f) GDPR).
3.11 Misuse prevention and security; community protection and moderation
If misuse of accounts and services is suspected, we analyze user, usage, and payment data based on legitimate interests in order to protect our services and users from fraudulent, abusive, or other unlawful activities. We use a combination of human moderators and automated systems to monitor accounts, interactions, and content and to protect you from harassment such as hacking, spam, or romance scamming.
Data is stored only as long as necessary for investigation or prevention.
The legal basis is Art. 6(1)(f) GDPR.
3.12 Provision of additional services and third-party services
If we offer additional services within the services, use of these services is optional for you. You may be able to connect your account with other third-party services, such as social media services. Connections with advertising partners, payment service providers, or merchants may also be possible to improve your user experience.
The processing may involve the following personal data: user data, payment data, or usage data.
Depending on the service used, the legal basis is Art. 6(1)(b) GDPR (contract performance) or your consent, Art. 6(1)(a) GDPR. Further details can be found for the respective service in this privacy policy.
3.13 Troubleshooting and optimization
To fix errors in the use of the services and content and to optimize our offering, we process user and usage data. The legal basis is contract performance, Art. 6(1)(b) GDPR, and legitimate interests, Art. 6(1)(f) GDPR.
4 Matching algorithm, recommendation systems, and automated processing
4.1 How the matching algorithm works
The ALBA app uses algorithmic recommendation systems to suggest suitable partners to you. Through automated matching, you receive partner suggestions in your profile and, unless you disable it, also email notifications, which do not contain other users’ personal data. Our suggestion and ranking systems, including matching, are based on automated evaluations.
Key factors include your profile details (e.g., age, interests), your geographical proximity to others (via Google Maps API), your activity and response behavior in the app, and your stated preferences and filters. We use your individual personality profile created from the questionnaire to determine compatibility with other users.
4.2 Use of artificial intelligence
We use AI-supported technologies to support our matching logic and for text-based processing. AI functions include the analysis of pseudonymized profile information (e.g., profile texts, interests, without real names or contact details) to improve matching quality and the detection of potentially inappropriate content or content that violates our guidelines. There is no direct communication between users and the AI. Processing serves solely to improve our services. We use your content as training/validation data for our own AI systems only on the basis of separate consent (Art. 6(1)(a) GDPR; for special categories additionally Art. 9(2)(a)).
We do not share data with third-party AI providers for training purposes. This helps us improve our matching algorithms. You can withdraw consent at any time with effect for the future. For third-party AI systems or for purposes outside our services, we use your content only in anonymized form that does not allow conclusions about you.
4.3 Automated decisions and profiling
Within our services, we make certain automated decisions that may affect you. This includes the selection and order of profiles displayed to you, the assessment of the trustworthiness of your profile, and the automated detection of potential violations of our terms of use. Automated systems help us with pre-analysis; however, sanctioning measures against an account are reviewed by a person or can be challenged by you.
Pursuant to Art. 22(1) GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You have the right at any time to request human intervention, to express your point of view, and to contest automated decisions.
5 Recipients of data and disclosure
We do not sell your data at any time. We have certain processes and services carried out by carefully selected service providers who are commissioned in compliance with data protection requirements. Service providers’ access to your data is limited to what is necessary. These external service providers are bound by our instructions and are regularly monitored. Depending on the case, these companies act either as processors or joint controllers, or as third parties such as payment service providers. Such disclosure takes place only on the basis of a legal permission or obligation, user consent, or our legitimate interests, for example when using agents or web hosts. A legitimate interest also exists, in particular, for processing data for administrative purposes. We implement a clear allocation of roles for each processing activity. Unless expressly stated otherwise, the providers listed process data as processors under Art. 28 GDPR on our instructions. Services such as Stripe, Apple Pay, PayPal, Google Maps, the app stores, and Klaviyo generally act as independent controllers.
5.1 Other users
Certain information in your profile is visible to other registered users of the ALBA app. This includes your first name (or preferred name), your age, your profile photos, your profile description and interests, and your approximate location (city or distance). Messages you send to other users are visible only to those recipients.
5.2 Processors and service providers
We use external service providers who process personal data on our behalf (Art. 28 GDPR) as well as independent controllers (e.g., payment service providers). Below is an overview of the main services:
• Amazon Web Services (AWS)
The app uses services provided by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, for hosting and technical operation. AWS processes data as a processor exclusively on our instructions. Processing takes place on servers within the European Union. In the event of a transfer of data to the USA, AWS is certified under the EU-US Data Privacy Framework. Access by AWS staff from the USA in support cases cannot be ruled out. To safeguard such access, Standard Contractual Clauses have been agreed in addition to DPF certification, and additional technical and organizational measures (TOMs) such as strong encryption and strict access restrictions are implemented. Further information can be found in the AWS privacy policy at aws.amazon.com/privacy.
The processed data includes all information stored and transmitted in the app, including user data, transaction data, and technical log data. The retention period depends on the retention periods defined by the controller. AWS implements extensive technical and organizational measures to protect data, including encryption, access control, and security certifications such as ISO 27001 and SOC 2.
• MongoDB Atlas
We use MongoDB Atlas, a database service of MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019, USA, to store and manage user data.
MongoDB processes, as our processor under a data processing agreement, among other things profile data, communication data, and usage and log data. Data processing takes place on servers within the European Union (“Data Residency in EU”). Backups may have different, time-limited deletion cycles. In the event of a transfer of data to the USA, MongoDB is certified under the EU-US Data Privacy Framework. Access from third countries by MongoDB staff for support purposes is possible and is safeguarded by Standard Contractual Clauses and additional technical and organizational measures. Further information on data processing can be found at mongodb.com/legal/privacy-policy.
• Firebase Authentication
We use Firebase Authentication by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for user registration and login. During use, email address or phone number, hashed password, IP address, device identifiers, login times, and token metadata are processed. These authentication logs are stored for a limited period for security and troubleshooting. Processing is carried out to perform the user contract pursuant to Art. 6(1)(b) GDPR and on the basis of a data processing agreement.
Google is certified under the EU-US Data Privacy Framework. Authentication data is stored for the duration of the user account. Further information can be found at firebase.google.com/support/privacy.
• Veriff
We use Veriff OÜ, Niine 11, 10414 Tallinn, Estonia, for online identity verification. Without successful verification, no user account can be created. We currently do not offer an alternative, non-biometric verification procedure. The following data is processed as part of identity verification: photos and videos of the verification session, identity documents, biometric data for comparing document and person, IP address, and device information. Processing of biometric data is carried out exclusively on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Veriff. The raw data collected during verification is stored by Veriff for 30 days; the verification result is stored by us for the duration of the customer relationship. Further information can be found at veriff.com/privacy-notice/de.
• Stripe
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, is used as an independent controller for payment processing. When carrying out payment transactions, name, email address, payment data (e.g., tokenized credit card number), billing address, and transaction data are processed. For fraud prevention, Stripe also processes device and behavioral data on the basis of its legitimate interests (Art. 6(1)(f) GDPR). We receive transaction confirmations and risk assessments from Stripe, which we store for contract performance and in accordance with statutory retention obligations. Stripe is certified under the EU-US Data Privacy Framework. Detailed information on Stripe’s data processing can be found at stripe.com/de/privacy.
• Apple Pay
The app supports Apple Pay, provided by Apple Distribution International Ltd. as an independent controller. When using Apple Pay, transaction data is processed directly by Apple. The actual card numbers are not transmitted to us; instead, they are replaced by a tokenized, device-specific account number (tokenization). We do not receive plaintext payment data. Further information can be found at apple.com/de/legal/privacy.
• PayPal
If you choose PayPal as the payment method, payment data is transmitted to PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal processes data as an independent controller. After completion of the transaction, we receive a confirmation containing the payment status, a transaction ID, and the payer ID. We store this data for contract performance and in accordance with statutory retention obligations. Details on PayPal’s data processing can be found at paypal.com/de/webapps/mpp/ua/privacy-full.
• Twilio
We use services provided by Twilio Inc., 101 Spear Street, 5th Floor, San Francisco, CA 94105, USA, for SMS-based verification of phone numbers. During verification, your mobile phone number and the content of the SMS (only a verification code) are transmitted. Metadata and connection data may be generated and routing via non-European networks may occur. Processing is carried out for contract performance (Art. 6(1)(b) GDPR) on the basis of a data processing agreement. Twilio is certified under the EU-US Data Privacy Framework. Verification data is deleted by Twilio after a short period (usually within 24 hours). Further information can be found at twilio.com/legal/privacy.
• Google LLC (Maps API)
Google Maps is integrated only after prior consent via the cookie consent tool used. Only after active consent are the relevant contents loaded and a data transfer to Google triggered. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which processes the data as an independent controller. When using Google Maps, IP address, device and browser information, and, where applicable, location coordinates are transmitted to Google, including to servers in the USA. Processing of precise location data is carried out only with your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time in your device settings. Google is certified under the EU-US Data Privacy Framework. Further information can be found at policies.google.com/privacy.
• OpenAI, Inc.
We use AI-supported functions based on the OpenAI API. The provider is OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Center, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland. During use, pseudonymized profile content (e.g., profile texts, interests) is transmitted to OpenAI for processing. OpenAI processes the data as our processor and does not use it to train its own AI models. Depending on the purpose, processing is carried out based on our legitimate interests (Art. 6(1)(f) GDPR) to improve functionality or on the basis of your consent (Art. 6(1)(a) GDPR). A data processing agreement has been concluded with OpenAI, which includes Standard Contractual Clauses for transfers of data to the USA. User inputs are stored by OpenAI for up to 30 days to detect abuse and are then deleted. Users should not enter third parties’ personal data into AI functions. Further information can be found at openai.com/policies/privacy-policy.
• Klaviyo, Inc.
We use Klaviyo, Inc., 125 Summer St, Boston, MA 02110, USA, for sending newsletters. When signing up, email address and IP address are processed and consent is logged. Processing is based on your consent (Art. 6(1)(a) GDPR). After sending, open and click data is collected, which you can separately object to. A data processing agreement has been concluded with Klaviyo. Klaviyo is certified under the EU-US Data Privacy Framework and also uses Standard Contractual Clauses. You can withdraw your consent at any time by using the link in the newsletter. Further information can be found at klaviyo.com/legal/privacy-policy.
• Apple App Store and Google Play Store
The app is distributed via the Apple App Store. The provider is Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Apple processes data such as Apple ID and usage statistics as an independent controller. Download and purchase data may be linked to your Apple account, which is beyond our control. Processing is carried out in accordance with Apple’s privacy policy at apple.com/de/legal/privacy.
For Android devices, the app is distributed via the Google Play Store. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google processes Google account information and installation data as an independent controller. Details can be found at policies.google.com/privacy.
• Webflow, Inc.
Our website is created and hosted with Webflow. The provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA. When visiting the website, technical data such as IP address, user agent, referrer, and access times are collected. Processing is based on legitimate interests (Art. 6(1)(f) GDPR). Webflow uses a content delivery network (CDN) to provide the website. Webflow is certified under the EU-US Data Privacy Framework. Further information can be found at webflow.com/legal/privacy.
5.3 Authorities and legal obligations
We may disclose your data to authorities, courts, or other bodies if we are legally obliged to do so or if we, in good faith, believe that it is reasonably necessary to comply with court orders, enforce our terms of use, respond to third-party claims that your content infringes their rights, answer your customer service inquiries, protect the rights, property, or safety of our company or other persons, or investigate illegal activities, suspected fraud, or other misconduct.
6 International data transfers
6.1 Transfers to third countries
Some of our processors are located outside the European Economic Area (EEA), in particular in the USA.
When transferring personal data to third countries, we ensure that an adequate level of data protection is guaranteed. With regard to transfers to the USA, an adequacy decision of the European Commission for the EU-US Data Privacy Framework (DPF) within the meaning of Art. 45 GDPR has been in place since 10 July 2023. If the respective recipient is certified under the DPF, the usual level of GDPR protection applies. Certification of the respective providers can be checked at dataprivacyframework.gov. For transfers that are not covered by an adequacy decision, we use the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR. In addition, we carry out transfer impact assessments and, where necessary, implement supplementary technical and organizational measures (TOMs) such as strong encryption and pseudonymization to ensure an adequate level of protection.
6.2 Overview of third-country transfers
Our most important processors based in third countries are as follows: AWS (USA, processing in EU data centers, SCCs and DPF), MongoDB (USA with EU data residency, SCCs and DPF), Google LLC for Firebase and Maps (USA, SCCs and DPF), Twilio (USA, SCCs and DPF), Stripe (USA, SCCs and DPF), OpenAI (USA, SCCs), Klaviyo (USA, SCCs and DPF), Webflow (USA, SCCs and DPF). Veriff is based in Estonia (EU), so no third-country transfer takes place.
7 Storage period and deletion
7.1 Profile data and usage data
During active use, your data remains stored for the duration of your membership. In case of inactivity, all data associated with your account is automatically deleted after a reasonable period of time since your last login. If you delete your account, your data will be deleted within 30 days unless statutory retention obligations prevent deletion.
7.2 Communication data
Messages are stored during your active membership. We reserve the right to remove chats stored in your user account without prior notice once their number exceeds a specified maximum. After account deletion, messages are deleted within the regular deletion period. For evidence preservation in the event of reported violations, relevant data may be retained for up to six months after a report.
7.3 Payment data
Transaction data is retained for up to ten years in accordance with statutory retention obligations (e.g., under commercial and tax law).
7.4 Log data
IP addresses and technical logs are deleted on a rolling basis at the latest 30 days after the respective access, unless security incidents require longer retention.
7.5 Deletion of your account
You can delete your account at any time in the app settings. Deleting the app from your device does not end your account or subscription. Certain data may be retained longer if statutory retention obligations exist, if data is necessary to assert, exercise, or defend legal claims, if data is needed to comply with a court or authority order, or if data is necessary to prevent fraud and misuse.
8 Cookies and tracking technologies
8.1 General
In addition to the data mentioned above, technical tools are used when you use our website and services for various functions, in particular so-called cookies that can be stored on your end device. Cookies are text files or information in a database that are stored in the device memory of your end device and associated with the application you use. Cookies can transmit certain information to the entity setting the cookie. Cookies cannot execute programs or transmit viruses to your mobile device; they primarily serve to make our offering faster and more user-friendly. We use the following types of cookies, whose function and legal basis we explain below. To the extent we store information on your end device or access information on it, this is—unless technically necessary—based on your consent pursuant to Sec. 25(1) TTDSG; technically necessary processes are based on Sec. 25(2) TTDSG.
8.2 Technically necessary cookies
The technical structure of the services requires that we use technologies, in particular cookies. Without these technologies, our application cannot be used (fully correctly) or support functions cannot be provided. These are generally so-called transient cookies, in particular session cookies, which are automatically deleted when the application is closed or by logging out (at the latest after 30 days). They store a so-called session ID. This allows various requests from your browser to be assigned to a common session and enables your computer to be recognized when you return to our application. You cannot opt out of these cookies if you want to use our services. The legal basis is Art. 6(1)(f) GDPR.
8.3 Optional cookies
We only set optional cookies with your consent, which you can choose when visiting our services via our cookie consent banner with granular setting options. Technically, ConsentPro by Finsweet is used for this; in addition, Cookiebot is implemented to provide cookie categorization, the cookie declaration, and the legally required documentation of consents. The functions are activated only if you consent and may help us analyze and improve the use of our application, facilitate operation across different browsers or end devices, recognize you when you return, or place advertising (including to align advertising with interests, measure the effectiveness of ads, or show interest-based advertising). A detailed and current overview of the cookies used can be accessed via the Cookie Declaration. The legal basis is Art. 6(1)(a) GDPR. You can withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal. An up-to-date and complete overview of the cookies used, including provider, purpose, and storage duration, can be found in our Cookie Declaration. It is accessible at any time via the link in the footer and via the cookie banner.
8.4 SDKs and tracking in the app
In our mobile app, we use software development kits (SDKs) that provide certain functions and collect data. The Firebase SDK is used for authentication, analytics, and push notifications. The Google Maps SDK is used for map functions. The Stripe SDK is used for payment processing. Non-essential SDKs (e.g., for analytics purposes) are used only with your explicit consent pursuant to Sec. 25(1) TTDSG, which we obtain via a consent management platform (CMP). Technically necessary SDKs (e.g., for authentication, map functions, payment processing) are used on the basis of Sec. 25(2) TTDSG. You can manage and withdraw your consent at any time in the app settings with effect for the future. In addition, you can restrict the collection of tracking data in your operating system’s device settings (e.g., by resetting the advertising ID).
9 Analytics and evaluation
We use Firebase Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to analyze app usage. The legal basis is your consent (Sec. 25(1) TTDSG, Art. 6(1)(a) GDPR), which we obtain via a consent management platform (CMP). Firebase collects pseudonymized data on interactions with the app. We have enabled IP anonymization and limited the retention period to 14 months. Data transfers to the USA are safeguarded by Google’s certification under the EU-US Data Privacy Framework. You can withdraw your consent at any time in the app settings with effect for the future.
10 Contact
If you contact us via the contact options provided in the app or on our website (e.g., by email to hello@alba-app.de or via a contact form), the data you submit, including your contact data, will be stored in order to process your request and for possible follow-up questions. The legal basis is Art. 6(1)(b) GDPR (if the inquiry relates to contract initiation or performance) or Art. 6(1)(f) GDPR (legitimate interest in handling customer inquiries). This data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.
11 Marketing communications
11.1 Email marketing via Klaviyo (double opt-in)
We use Klaviyo, Inc. (USA) to send marketing emails and newsletters. If you sign up for our newsletter, your email address and, where applicable, other data will be transferred to Klaviyo. Your consent is logged for evidentiary purposes (including sign-up time and IP address). Klaviyo also analyzes open and click behavior to measure the effectiveness of our emails.
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You can unsubscribe from marketing emails at any time by using the unsubscribe link in each email or by contacting us at hello@alba-app.de.
Transfers to the USA take place on the basis of SCCs and, where Klaviyo is certified under the DPF, on the basis of the adequacy decision.
11.2 Push notifications
We use Firebase Cloud Messaging (FCM) to send push notifications (e.g., about new matches or messages). For this purpose, we process a device-specific push token, which we assign to your user account. The legal basis is your consent, which you provide via your operating system dialog when you first use the app (Art. 6(1)(a) GDPR). You can deactivate push notifications at any time in your device settings or in the app. We delete or invalidate the corresponding token as soon as you unsubscribe from notifications or delete your account.
12 Rights of data subjects
Subject to the statutory requirements, you have the following rights:
12.1 Right of access
At any time, you are entitled, within the scope of Art. 15 GDPR, to request confirmation from us as to whether personal data concerning you is being processed. If so, you are entitled to access to that personal data as well as certain additional information (including processing purposes, categories of personal data, categories of recipients, planned storage period, source of the data, use of automated decision-making, and, in the case of transfers to third countries, the appropriate safeguards) and a copy of your data. The limitations of Sec. 34 BDSG apply.
12.2 Right to rectification
You are entitled under Art. 16 GDPR to request that we rectify personal data stored about you if it is inaccurate or incorrect. Many details can be corrected directly by you in your profile settings.
12.3 Right to erasure
You are entitled, under the conditions of Art. 17 GDPR, to request that we delete personal data concerning you without undue delay. The right to erasure does not apply, among other things, where processing is necessary to comply with a legal obligation (e.g., statutory retention obligations) or to assert, exercise, or defend legal claims. In addition, the limitations of Sec. 35 BDSG apply. You can delete your account at any time in the app settings.
12.4 Right to restriction of processing
You are entitled, under the conditions of Art. 18 GDPR, to request that we restrict the processing of your personal data.
12.5 Right to data portability
You are entitled, under the conditions of Art. 20 GDPR, to request that we provide you with the personal data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format.
12.6 Right to withdraw consent
You can withdraw consent you have given for the processing of personal data at any time by notifying us. Please note that withdrawal takes effect only for the future; processing carried out before withdrawal is not affected. A simple notification is sufficient, e.g., by email to legal@alba-app.de. If your withdrawal results in us no longer being able to reasonably continue the contract with you, we reserve the right to terminate after balancing both parties’ interests.
12.7 Right to object
You are entitled, under the conditions of Art. 21 GDPR, to object to the processing of your personal data, meaning we must stop processing. The right to object exists only within the limits set out in Art. 21 GDPR. In addition, our interests may override cessation of processing, so we may be entitled to continue processing despite your objection. We will comply immediately and without further balancing with any objection to direct marketing measures.
12.8 Right to lodge a complaint with a supervisory authority
Under the conditions of Art. 77 GDPR, you have the right to lodge a complaint with a competent supervisory authority. The supervisory authority responsible for us is the Hessian Commissioner for Data Protection and Freedom of Information, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
12.9 Exercising your rights
To exercise your rights, you can contact us by email at legal@alba-app.de, use the contact form on our website, or use the relevant functions in the app settings. We will handle your request without undue delay, and at the latest within one month of receipt. This period may be extended by two further months if necessary, taking into account the complexity and number of requests; we will inform you accordingly. To process your request, we may require identity verification.
13 Obligation to provide data
To register and use essential app functions, providing certain data is necessary (e.g., email, phone number, password). If you do not provide this data, we cannot conclude the contract and/or provide the respective functions. Information we label as “optional” is not required for concluding the contract.
14 Data security
We implement extensive technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or manipulation. These measures include encryption of data transmission via TLS/SSL, encryption of sensitive data at rest, access controls and authorization management, regular security audits, firewalls and intrusion detection systems, regular backups with secure storage, staff training, and incident response processes. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will inform you without undue delay in accordance with Art. 34 GDPR.
You are responsible for keeping your access credentials confidential and not sharing them with third parties. If you suspect your account has been compromised, please inform us immediately. Where technically possible, our app includes measures to make screenshots and screen recordings more difficult; however, complete prevention cannot be guaranteed depending on the device.
15 Changes to these privacy notices
We may update these privacy notices from time to time to reflect changes in our data processing practices, new features, or changed legal requirements. We will inform you of material changes in due time by email, by a notification in the app, or by a clear notice on our website. The current version of these privacy notices, including the date of the last update, is available at any time in the app and on our website. In the event of material changes involving new processing purposes or expanded data collection, we will obtain your renewed consent where legally required.
16 Contact
If you have questions about these privacy notices or the processing of your personal data, you can contact us as follows:
ALBA GmbH
Mainzer Landstraße 33
60329 Frankfurt am Main
Email: legal@alba-app.de
Version: 01.03.2026