Privacy Policy
How we process your data under the GDPR
This Privacy Policy explains how snap DISCOVERY AG and snap GmbH ("we", "us", "Brain Clarity") collect, use, and protect your personal data when you use the Brain Clarity mobile application (the "App"). We process your data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Data Controllers
Two separate legal entities are involved in operating Brain Clarity. Each is an independent controller under Art. 4 (7) GDPR for the data described below.
1.1 snap DISCOVERY AG — controller for app and gameplay data
snap DISCOVERY AG
Gesundheitscampus-Süd 17
44801 Bochum, Germany
Email: weber@snapdiscovery.de
Phone: +49 234 4799147-0
Responsible for: account, profile, and gameplay data (Sections 2.1 through 2.4 below).
1.2 snap GmbH — controller for subscription billing data
snap GmbH
Gesundheitscampus-Süd 17
44801 Bochum, Germany
Email: invoice@snap-gmbh.com
Phone: +49 234 4799147-0
Responsible for: subscription billing data we receive from Apple or Google in connection with Brain Clarity Pro (Section 2.7 below).
2. Data We Collect
2.1 Account Data
When you create an account, snap DISCOVERY AG collects and stores:
- Email address (required for login)
- Password (stored only as a hash, never in plaintext)
- Display name you choose
- Account creation timestamp
2.2 Optional Profile Data
During onboarding you may optionally provide age range, gender, education level, and your personal cognitive goal. Providing this is strictly optional and helps us personalize your Brain Profile. You can skip these fields or change them later.
2.3 Gameplay Data
As you play, we record:
- Game type, difficulty level, and date played
- Normalized score (0–100) and raw game-specific metrics
- Per-response reaction times (aggregated, not linked to content)
- Streaks, XP, unlocked achievements
2.4 Technical Data
We do not collect device identifiers, IP addresses, location data, contacts, or advertising IDs. Firebase may log minimal diagnostic information (crash reports, error logs) to keep the service running reliably.
2.5 Local Notifications
If you enable training reminders or the daily-riddle notification, both the scheduling and the content of these notifications are handled entirely on your device. We do not run a push-notification server and do not collect any data when notifications are scheduled, fired, dismissed, or tapped. The riddle text shown in a notification is selected deterministically from a fixed catalog shipped with the app — no server is queried.
You can turn each notification stream on or off, change the reminder time, or revoke the system-level permission at any time:
- In-app: Profile → Settings → Notifications
- iOS: Settings → Brain Clarity → Notifications
- Android: Settings → Apps → Brain Clarity → Notifications
We do not send marketing or promotional notifications under any circumstance. The notification streams listed above are functional reminders that you have explicitly opted into.
2.6 Two-factor Authentication (2FA)
To protect your account, Brain Clarity uses mandatory two-factor authentication via email. After you enter your password at sign-in, we send a six-digit one-time code to your verified email address. You must enter this code to complete the sign-in.
For this we process:
- Your email address (already on file from registration)
- The hashed one-time code (the plaintext is never stored — we keep only a SHA-256 hash with a per-code salt; the code expires after 5 minutes)
- Hashes of your 10 single-use recovery codes (we never store the plaintext; you save the codes yourself when you set up 2FA)
- Timestamps of code requests, used for rate-limiting
These data are stored exclusively in our processing infrastructure (Google Firestore — see Section 5) and are never shared with third parties beyond the email-delivery provider listed below.
The sender address noreply@brainclarity.de is operated through ActiveCampaign Postmark Inc. (Postmark, USA), our transactional email processor. Postmark handles only the delivery of the one-time codes; they do not receive your account data, scores, or profile. Data transferred to Postmark is limited to your email address and the email body containing the code. The transfer relies on the EU Standard Contractual Clauses (SCCs, 2021/914) as the Art. 46 GDPR safeguard.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the security of your account) and Art. 32 GDPR (security of processing).
2.7 Subscription Billing Data (Brain Clarity Pro)
If you purchase a Brain Clarity Pro subscription, the actual payment is processed by Apple Inc. (App Store) or Google Ireland Limited (Google Play), who act as the merchant of record. We do not receive your payment-card details. Through our subscription-management provider (RevenueCat), snap GmbH receives:
- An anonymous subscription identifier linked to your account
- Subscription status (active, trial, lapsed, refunded)
- Plan tier, start date, renewal date
- Country of purchase (for tax-reporting purposes)
We use this data only to grant Pro entitlements, comply with tax-reporting obligations, and answer support requests about your subscription.
3. Legal Basis for Processing
- Art. 6(1)(b) GDPR — performance of the user agreement: required to operate the App, store your scores, provide your Brain Profile, and (for Pro users) deliver the subscribed service.
- Art. 6(1)(a) GDPR — your consent: for optional profile data and any analytics we may add in the future.
- Art. 6(1)(c) GDPR — legal obligation: subscription/billing records retained to comply with German tax and commercial-law retention requirements (Section 6 below).
- Art. 6(1)(f) GDPR — legitimate interests: for security, fraud prevention, and protecting the integrity of leaderboards.
4. How We Use Your Data
- Authenticate your account and sync your progress across devices
- Compute your Brain Profile, stats, streaks, and achievements
- Rank scores on daily, weekly, and all-time leaderboards
- Grant and manage Brain Clarity Pro entitlements (Pro users only)
- Keep the service secure and prevent score tampering
We do not sell your data. We do not use your data for advertising.
5. Service Providers & Data Transfers
We use the following processors under data-processing agreements (Art. 28 GDPR):
- Google Firebase (Firebase Authentication, Cloud Firestore, Cloud Functions) for the App backend. Operated by Google Ireland Limited within the EU, with some processing taking place at Google LLC in the United States. Transfers covered by the EU–U.S. Data Privacy Framework and Standard Contractual Clauses where required.
- RevenueCat (RevenueCat, Inc., USA) for subscription management on behalf of snap GmbH. Used only when a user starts a Pro trial or subscription. Transfers covered by Standard Contractual Clauses.
- Apple Inc. and Google Ireland Limited as the merchant of record for App Store / Google Play subscription purchases. Their handling of your payment data is governed by their own privacy policies.
6. Retention
- Account data: for as long as your account exists.
- Scores and gameplay data: retained while your account is active so you can see your history.
- Subscription/billing records: retained for the statutory periods required by German commercial and tax law (typically 6 to 10 years under §§ 147 AO, 257 HGB), even after account deletion.
- After account deletion: app and profile data is deleted within 30 days; aggregated, non-identifying statistics may be retained.
7. Your Rights
Under the GDPR you have the right to:
- Request access to your personal data (Art. 15)
- Request correction of inaccurate data (Art. 16)
- Request deletion of your data (Art. 17)
- Request restriction of processing (Art. 18)
- Data portability (Art. 20) — export your data in a machine-readable format
- Object to processing based on legitimate interests (Art. 21)
- Withdraw any consent at any time, without affecting prior lawful processing
To exercise rights related to app or gameplay data, contact weber@snapdiscovery.de. To exercise rights related to subscription billing data, contact invoice@snap-gmbh.com. You can also use the in-app tools in the Profile screen at any time:
- Download my data — exports your profile and all scores as a JSON file (Art. 20 data portability).
- Delete my account — permanently removes your account and all associated data (Art. 17 right to erasure). Note: subscription/billing records are retained for statutory periods (see Section 6).
8. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The authority responsible for both controllers is the
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4
40213 Düsseldorf, Germany
www.ldi.nrw.de
9. Security
All traffic between the App and our backend is encrypted in transit (TLS). Passwords are never stored in plaintext. Access to production data is restricted to authorized personnel. Leaderboard writes go through Cloud Functions to prevent tampering.
10. Children
Brain Clarity is not directed at children under 16. If you are under 16, you must have the consent of a parent or guardian before using the App. If we learn that we have collected data from a child under 16 without the required consent, we will delete it.
11. Changes to This Policy
We may update this Privacy Policy as the App evolves. If we make material changes, we will notify you in-app before the changes take effect.
Last updated: 20 May 2026