Privacy Policy
This Privacy Policy explains what personal data we process when you use the Ombok mobile app and related services (the "Service"), why we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG").
1. Controller
The controller responsible for the processing described in this Policy is the operator of Ombok. Full contact details are listed in the Imprint. For privacy questions you can reach us directly at privacy@ombok.app.
2. What Data We Process
2.1 Account & Authentication
- Email address — required to create your account, sign you in, recover access, and to send you account-related emails such as verification and password-reset messages.
- Age confirmation — at registration you confirm you are 18 or older. We store the timestamp of that confirmation; we do not store your date of birth.
2.2 Profile
- Display name, handle, preferred languages, and a short description if you add one. We store these so other Ombok users can see your profile inside the app — they are not published on the open web or indexed by search engines.
2.3 Messages, Voice Notes & Audio
- Direct messages and connection-request voice notes are end-to-end encrypted on your device. Our servers store the ciphertext, the encrypted audio file, and the minimal metadata needed to deliver the message (such as who sent it to whom and when). We cannot read the contents of these messages.
- Waves (collaborative audio threads) may be open to all Ombok users in the app, or limited to invited participants, depending on the wave's settings. Content shared inside a wave is not end-to-end encrypted in the same way and is visible to other participants — and, for waves open to everyone, to other Ombok users from inside the app.
- Connection requests, blocks, wave membership, and wave likes as needed for the Service to function. We also track which waves you've played, so we can rank and personalise the in-app feed for you.
2.4 Encryption Key Material
- Public encryption keys are uploaded to our servers so other users can start an end-to-end encrypted conversation with you. They do not reveal the contents of any message.
- Your private keys never leave your device and are protected by your device's operating system.
2.5 Abuse Reporting
To support abuse reporting without breaking end-to-end encryption, we store a small piece of verification data alongside each encrypted message for 90 days. This lets us check reports without decrypting your messages. After 90 days the data is deleted, and the message can no longer be reported.
2.6 Push Notifications
- Push notification token — issued by Firebase Cloud Messaging (Google) and stored on our servers so we can deliver notifications to your device.
- Notification payloads contain only routing information (e.g. "you have a new message") and never the decrypted contents of an encrypted message.
2.7 Device & Diagnostic Data
- App version, build number, platform (iOS / Android), OS version, device manufacturer and model. These are sent in the User-Agent header so we can investigate support issues, gate force-updates, and roll out fixes.
- Server logs — for each request to the Service we log the request method, URL path, HTTP status, response time, and the diagnostic headers above. We do not log request or response bodies, and we do not log your IP address in our application logs. Logs are kept only as long as needed for operational and security purposes, then deleted. Our hosting provider sees connection-level metadata such as IP addresses at the network layer in order to route your traffic and protect against abuse; this is handled per the provider's policy.
2.8 Analytics & Crash Reporting
To understand how the app is used and to fix bugs, we use the following Google services:
- Firebase Analytics — records app-usage events (such as completing onboarding or publishing content) associated with your account ID, so we can analyse usage. We do not send message content, voice content, email addresses, phone numbers, or authentication tokens to Firebase; these patterns are automatically redacted before any event is sent.
- Firebase Crashlytics — collects crash reports and non-fatal error reports together with limited technical context, so we can reproduce and fix bugs.
- Firebase Performance Monitoring — collects aggregate performance metrics about the app and its network requests. These metrics are not associated with your account ID.
Server-side, we also keep an internal log of activity events (such as account and content creation, and engagement) in our own database for product analytics. No external analytics vendor receives this data.
You can opt out of Firebase Analytics, Crashlytics and Performance from inside the app at any time, in your Profile under Privacy.
3. Why We Process Your Data & Legal Bases
- To provide the Service (account creation, authentication, messaging, key exchange, content storage, push delivery, waves) — Art. 6 (1)(b) GDPR (performance of a contract with you).
- To keep the Service secure and prevent abuse (rate limiting, force-update gating, age gating, abuse reports, moderation of public content) — Art. 6 (1)(f) GDPR (legitimate interest in operating a safe service) and, for age verification, Art. 6 (1)(c) GDPR (legal obligation under youth-protection law).
- For diagnostics, crash reporting and product analytics (Firebase Analytics, Crashlytics, Performance, plus our own server-side events log) — Art. 6 (1)(a) GDPR (your consent), which you can withdraw at any time from your Profile under Privacy.
- To handle support and abuse reports — Art. 6 (1)(b) or (f) GDPR.
- To comply with legal obligations, including responding to lawful requests — Art. 6 (1)(c) GDPR.
4. Recipients & Processors
We share personal data only with processors who help us run the Service, under written agreements that meet Art. 28 GDPR. We do not sell or rent your personal data, and we do not use it for advertising. The following categories of recipient receive personal data:
- Cloud hosting provider (EU) — operates our application server and database, which hold your account data, profile, encrypted message metadata, wave content metadata, and the abuse-reporting verification data.
- Object storage provider (EU) — holds your encrypted audio files and avatars. Stored within the European Union.
- Transactional email provider (EU) — sends verification and password-reset emails.
- Push notification service — Google Ireland Limited / Google LLC (Firebase Cloud Messaging). Delivers notifications to Android and iOS devices.
- Analytics & crash reporting — Google Ireland Limited / Google LLC (Firebase Analytics, Crashlytics, Performance Monitoring). Receives the events and crash reports described in §2.8.
The names of specific sub-processors and their contractual safeguards are documented in our internal Record of Processing Activities (Art. 30 GDPR) and can be made available to you on reasonable request.
5. International Transfers
Most processing happens inside the European Union. Some of our processors — in particular Google (for push notifications, analytics and crash reporting) and our object-storage provider's parent company — are headquartered in the United States and may transfer personal data there. Where this happens, we rely on the European Commission's Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, the EU–US Data Privacy Framework, together with supplementary measures.
6. How Long We Keep Your Data
- Account & profile — kept while your account is active. When you request account deletion (see §8), your account record and all data linked to it (profile, encryption keys, messages, audio recordings, connections, blocks, wave participation, push tokens) are erased within 30 days, except where a longer period is required by law or to defend legal claims. Aggregate engagement counts (such as the number of plays or likes a wave received) may be retained without identifying you.
- Encrypted messages and audio — deleted from our servers shortly after delivery and acknowledgement by the recipient. Undelivered messages expire after 7 days.
- Connection requests — pending requests expire after 7 days.
- Abuse-reporting verification data — 90 days, then deleted.
- Application logs — kept only as long as needed for operational and security purposes, then deleted.
- Server-side product-analytics events — up to 24 months, then deleted.
- Firebase Analytics & Crashlytics — retained according to Google's published defaults; see Google's Firebase data-retention documentation for current details.
- Moderation decisions and admin audit trail — retained for as long as needed to operate trust-and-safety processes and to defend against legal claims.
7. Encryption & Security
Direct messages and connection voice notes are end-to-end encrypted on your device, so we cannot read their contents. All other data is encrypted in transit and at rest. Your password is never stored in plaintext. No system is perfectly secure — please choose a strong password and keep your device protected.
8. Your Rights (GDPR)
You have the following rights with respect to your personal data:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data. You can edit most profile fields inside the app, or contact privacy@ombok.app for corrections you can't make yourself.
- Erasure (Art. 17) — request deletion of your account and personal data ("right to be forgotten") from inside the app, in your Profile under Privacy.
- Restriction (Art. 18) — restrict processing in certain circumstances.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on our legitimate interests (such as security and abuse prevention).
- Withdraw consent at any time, where processing is based on consent (Art. 7 (3)) — for example, the diagnostic and analytics processing in §3, which you can disable from your Profile under Privacy. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Lodge a complaint with a supervisory authority. You may contact the authority of your habitual residence, place of work, or place of any alleged infringement.
To exercise any of these rights, write to privacy@ombok.app. We will respond within the period required by law (typically one month).
9. Children
The Service is for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, please contact us at report@ombok.app.
10. Tracking, Cookies & Advertising
The Ombok mobile app does not contain advertising SDKs, third-party trackers, advertising identifiers (IDFA), or device-fingerprinting libraries. We do not build ad profiles about you. We do not sync your contacts and we do not collect your location.
The app does include diagnostic and analytics SDKs from Google (Firebase Analytics, Crashlytics, Performance) as described in §2.8. These can be disabled in your in-app privacy settings.
The static web pages on this site use only essential resources required to render the page; they do not set tracking cookies.
11. Changes to This Policy
We may update this Policy from time to time. If we make material changes we will notify you in advance by email or in-app message and update the "Last updated" date at the top of this page.
12. Contact
Privacy questions, GDPR requests: privacy@ombok.app
Abuse and trust-and-safety reports: report@ombok.app