Privacy Policy for "RehaBuddy"

Last updated: 7/9/2026

This privacy policy explains how the RehaBuddy mobile application ("App") and website process your data and protect your privacy. RehaBuddy is targeted at the European market and is fully GDPR compliant.

Core Principles & Local Data Storage

RehaBuddy was developed with privacy as a core principle. The app functions primarily offline and stores your personal data locally on your device. This includes:

  • Exercise and progress data
  • Personal notes and goal settings
  • App usage settings and preferences

No registration or account creation is required, and your personal rehabilitation data never leaves your device unless you explicitly choose to share it.

App Data Collection & Processing

Crash Reporting (Sentry)

We use Sentry to detect and fix app crashes. This includes crash reports, device information, and randomly generated IDs. Data is stored on EU servers for 30-90 days. Legal basis: Legitimate interest (Art. 6 (1) lit. f GDPR).

Anonymous Usage Analytics (PostHog)

We use PostHog for anonymous analytics to improve app stability and functionality. No personal data is collected - no IP addresses, emails, or device IDs. Only a random, non-traceable UUID is used. All data stays on EU servers. This processing doesn't require consent as no personal data is involved. Legal basis: Legitimate interest (Art. 6 (1) lit. f GDPR).

Feedback & Feature Voting

When you submit feedback, we collect your message and optional contact details via Trello. Premium users can vote on features using anonymized IDs. Legal basis: Consent (feedback), contract performance (feature voting).

Accountability Partner (optional)

If you enable the optional Accountability Partner feature, a small amount of data leaves your device for the first time, so that a partner you invite yourself can see your daily exercise status and send you encouragement. If you don't enable this feature, your data stays fully local as described above.

Only the following data is processed and stored on EU servers (Supabase, Frankfurt):

  • a random, pseudonymous identifier (anonymous sign-in — no email, no account),
  • an optional display name you choose,
  • the connection between you and your partner,
  • a per-day status: whether you exercised that day, plus your streak count.

Explicitly not transmitted are your exercises, exercise details, goals, journal entries, or any other health or diagnosis data — these stay local on your device. Your partner sees only the daily status described above.

Nudges are delivered as push notifications. For delivery we use Firebase Cloud Messaging (Google); this transmits a push token and the notification text (title/body). Google acts as a processor in this regard (DPA, standard contractual clauses).

The feature is consent-based on both sides (invite + accept) and revocable at any time: either side can remove the connection, which deletes the associated data. Legal basis: your consent (Art. 6 (1) lit. a, and where applicable Art. 9 (2) lit. a GDPR). Retention: until you revoke or remove the connection, or uninstall the app.

Website Data Collection

Our website uses Vercel Analytics for anonymous performance monitoring. This is cookie-free and fully anonymized. Legal basis: Legitimate interest (Art. 6 (1) lit. f GDPR).

Third-Party Services

We use these services:

  • Sentry: Crash reporting (EU servers)
  • PostHog: Anonymous analytics (EU servers only)
  • Trello: Feedback management
  • Supabase: Cloud storage for the Accountability Partner feature (EU servers, only when enabled)
  • Firebase Cloud Messaging (Google): Push notification delivery (only when the partner feature is enabled)
  • App Store/Google Play: App distribution and subscriptions

Subscriptions

Subscriptions are processed by Apple App Store or Google Play. We only receive confirmation of active subscriptions, never payment details.

Device Permissions

The app may request notifications (for reminders), camera/photos (for exercise images), and device information (for compatibility). All data stays local on your device.

Data Security

Your local data is encrypted on your device. All external communications use HTTPS encryption.

Your Rights (GDPR)

You have full control over your local data - uninstalling the app removes everything. For external data (crash reports, analytics), you can request access, correction, deletion, or restrict processing by contacting us. You can also contact your local data protection authority.

Data Control

You can deactivate analytics in app settings (though it's already anonymous). Notifications can be managed in app settings.

Data Retention

Local data: You have full control. Crash reports: 30-90 days. Analytics: Per PostHog policies, deletion available on request. Feedback: Until processed, then deletable on request.

Data Sharing

We never sell your data. Sharing only occurs with the services mentioned above, for legal obligations, or with your explicit consent.

Data Location

PostHog and Sentry operate exclusively on EU servers. Supabase (Accountability Partner data) is hosted in the EU (Frankfurt). Push notifications are delivered via Google Firebase Cloud Messaging. For any services with potential non-EU transfers (e.g. Google FCM), we ensure adequate protection through standard contractual clauses or adequacy decisions.

Policy Updates

We may update this policy. Significant changes will be communicated via in-app notification or email (if available).

Contact Information

For questions about this privacy policy or your privacy rights:

Responsible: Tjard Lüdeke
Johaniterstraße 19, 10961 Berlin
Email: tjard@rehabuddy.app

Data Protection Officer: Inquiries to above contact details

For EU data protection rights, you can also contact your local data protection authority.

Privacy Policy | RehaBuddy