Last updated: 28.02.2025

I. Introduction

Thank you for using services of Trout UG (limited liability) (“we,” “our,” or “us”). Your privacy is important to us, and we are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, as well as your rights regarding your data.

By using our services, you agree to the terms outlined in this Privacy Policy. If you do not agree, please do not use our app.

This Privacy Policy applies to all users of our apps, regardless of location, and complies with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), where applicable.

If you have any questions or concerns about our privacy practices, please contact us at hello@trout.so.

II. Information We Collect

Our service gathers various types of information to ensure a seamless, personalized, and secure experience. The data collected helps us improve functionality, troubleshoot issues, and tailor our service to your needs. Below is an overview of the types of information we typically collect:

1. Personal Data

• User-Provided Information:

  When you interact with our service, you may voluntarily provide personal details such as your name, email address, phone number, or other contact information. This information is often provided during account registration or when contacting support.

• Account Information:

  If you create an account, additional details like a username, password, profile picture, and other preferences may be collected to enhance your experience.

2. Automatically Collected Data

• Device Information:

  Our service may automatically collect data about the device you use, including device type, operating system version, unique device identifiers, and mobile network information. This helps us optimize performance across different devices.

• Usage Data:

  We record information regarding how you interact with our service. This includes data on the features you use, time spent on various sections, and other interaction metrics that allow us to understand usage patterns and improve our offerings.

• Location Data:

  With your consent, our service may collect and process location-based data to offer location-specific features and content. This data is used solely for enhancing your experience and is handled with strict privacy measures.

• Technical Data:

  Technical details such as your IP address, browser type, and operating system may be captured to assist in diagnostics, administration, and overall service enhancement.

3. Third-Party Data

• Integrations with Other Services:

  In some cases, our service integrates with third-party platforms (such as social media or payment processors) that may collect additional information about your interactions. The collection and use of such data are subject to the privacy policies of those third-party services.

• Analytics and Advertising:

  We may employ third-party analytics tools or advertising networks that gather information about your usage for reporting and advertising purposes. This data helps us understand user behavior and improve our service, and it is processed in accordance with the relevant third-party privacy policies.

Each type of information is collected in a lawful, fair, and transparent manner, used solely to enhance the quality and security of our service. Your privacy remains a top priority, and we ensure that any data collected is managed in compliance with applicable legal standards and regulations. For more information on which data is actually collected, we refer you to this app’s App Store page.

III. How We Use Your Information

We use the information we collect to provide, improve, and protect our service while ensuring compliance with legal obligations. Specifically, we use your data for the following purposes:

1. Providing and Improving Our Service

• To enable core functionalities and ensure the service operates as intended.

• To personalize user experience, including content recommendations and user preferences.

• To analyze performance and usage trends to enhance functionality and efficiency.

2. Communication and Customer Support

• To respond to inquiries, provide support, and resolve technical issues.

• To send important updates, such as changes to our terms, security notices, or service improvements.

• To deliver promotional messages or service-related offers, where permitted by law and with user consent.

3. Security, Fraud Prevention, and Legal Compliance

• To detect, prevent, and investigate fraud, unauthorized access, and other security threats.

• To comply with legal obligations, law enforcement requests, and regulatory requirements.

• To enforce our terms of service and protect the rights, property, or safety of users and our service.

4. Analytics and Business Development

• To assess and improve our service through aggregated data analysis.

• To conduct research and development for new features and enhancements.

• To facilitate advertising and marketing efforts, where applicable and in accordance with user preferences.

  
  

IV. Sharing of Information

We do not sell your personal data. However, we may share certain information under the following circumstances:

1. Service Providers and Partners

We may share data with trusted third parties that help us operate, improve, and support our service, including:

• Cloud storage providers to securely store and manage data.

• Analytics services to understand usage patterns and optimize user experience.

• Customer support platforms to assist with inquiries and troubleshooting.

• Payment processors to facilitate transactions, if applicable.

These third parties are contractually obligated to protect your data and use it only for specified purposes.

2. Legal and Compliance Requirements

We may disclose information if required by law or in response to valid legal requests, such as:

• Compliance with legal obligations, court orders, or government regulations.

• Investigating potential violations of our terms of service or policies.

• Preventing fraud, security threats, or harm to individuals or property.

3. Business Transfers

In the event of a merger, acquisition, sale of assets, or other business transaction, user data may be transferred as part of the process. We will take appropriate steps to ensure that any such transfer respects the rights and privacy of users.

4. With User Consent

Where applicable, we may share your data with third parties for purposes not covered in this policy, but only with your explicit consent.

We take all necessary precautions to ensure that any shared data is handled securely and in compliance with relevant privacy laws.

V. User Rights & Choices

We respect your rights regarding your personal data and provide various options to manage your information. Depending on your location and applicable laws, you may have the following rights:

1. Access, Correction, and Deletion

• You may request access to the personal data we hold about you.

• You can update or correct inaccuracies in your information.

• You may request the deletion of your data, subject to legal and operational requirements.

2. Data Portability

• Where applicable, you have the right to receive your data in a structured, commonly used, and machine-readable format.

3. Withdraw Consent

• If we process your data based on consent (e.g., marketing communications), you can withdraw it at any time without affecting the lawfulness of prior processing.

4. Opting Out of Communications

• You can opt out of promotional messages by following the unsubscribe instructions in emails or adjusting your settings within the service.

5. Restriction and Objection to Processing

• Under certain conditions, you may request that we restrict processing of your data or object to specific uses.

To exercise any of these rights, please contact us at hello@trout.so. We may need to verify your identity before processing requests.

VI. Third-Party Services and Links

Our service may contain links to third-party websites, applications, or services. Additionally, we may integrate third-party tools or APIs that collect and process data independently.

• We are not responsible for the privacy practices of external sites or services.

• Any data shared with third-party providers is subject to their respective privacy policies.

• We encourage you to review the privacy policies of any third-party services before interacting with them.

If our service uses third-party analytics, advertising, or authentication providers, we ensure compliance with relevant regulations and provide transparency about how these services operate.

VII. Children’s Privacy

Our services are not intended for use by children under the age of 13, or the minimum age of digital consent in your jurisdiction (e.g., 16 in the EU under GDPR). We do not knowingly collect, store, or process any personal data from children without verifiable parental or guardian consent.

If we become aware that we have inadvertently collected personal data from a child without appropriate authorization, we will take prompt action to delete such information from our systems.

Parents or legal guardians who believe their child may have provided us with personal information can contact us at hello@trout.so to request deletion and account closure.

In jurisdictions where additional protections apply (e.g., COPPA in the United States or GDPR-K in Europe), we comply with all applicable laws regarding the handling and processing of children’s data.

VIII. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make significant changes, we will notify users by:

• Posting an updated version within our service.

• Updating the "Last Updated" date at the top of this policy.

• Providing additional notice (e.g., via email or in-app notifications) where required by law.

  
  

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our service after any updates constitutes acceptance of the revised policy.

IX. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to provide our services, comply with legal, regulatory, tax, accounting, or reporting obligations, resolve disputes, enforce our agreements, and protect our legal rights.

The exact retention period depends on the type of data and the specific context in which it is processed. In general:

• Account-related information (such as your name, email address, and login credentials) is retained for as long as your account remains active and for a reasonable period thereafter to allow for reactivation or dispute resolution.

• Usage and device data (such as logs, analytics, and crash reports) is retained for up to 24 months for performance analysis, diagnostics, and service improvement, unless a longer retention period is required for security or compliance reasons.

• Communication data (such as messages with support or feedback submissions) is stored for up to 12 months after the issue has been resolved, or longer if required for legal protection or auditing purposes.

• Location and permission-based data is retained only for the duration necessary to provide the requested functionality, unless you explicitly agree to longer retention (e.g., storing preferred locations or history).

When data is no longer needed for the purposes stated above, we either delete it securely, anonymize it for statistical or research use, or isolate it from further processing in line with applicable laws. We regularly review our data retention practices to ensure that we only retain personal data for as long as necessary and justified.

If you request deletion of your data or closure of your account, we will follow up by removing or anonymizing your data within a reasonable timeframe, subject to legal obligations (such as tax and financial record-keeping) or overriding legitimate interests (such as fraud prevention or dispute resolution).

X. International Data Transfers

To provide you with a reliable and seamless experience, we may transfer and store your personal data on servers located outside your country of residence, including jurisdictions that may not provide the same level of data protection as your home country. In particular, your data may be processed by third-party service providers or platform-level infrastructure operated by companies such as Apple Inc. and Google LLC.

Specifically, some of our apps make use of:

• Apple's Cloud Infrastructure:

  Where supported and appropriate, our applications may store user data using Apple services such as CloudKit or SwiftData, which rely on Apple’s iCloud infrastructure. These systems may involve cross-border data transfers, including to Apple-owned data centers in the United States and the European Union. Apple states that it implements strict security protocols and complies with relevant data protection frameworks. However, the actual location of your data depends on your iCloud region, Apple’s infrastructure policies, and system-level configurations on your device. For more information, please refer to Apple’s Privacy Policy.

• Google Firebase Services:

  Some apps may use Google Firebase services, including Firestore, Firebase Authentication, Analytics, Crashlytics, or Remote Config. These services are hosted primarily in the United States and may involve transfers of personal data across borders, including from the European Economic Area (EEA) or the United Kingdom to the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework, and appropriate Standard Contractual Clauses (SCCs) are in place to ensure an adequate level of data protection for such transfers, as required under Article 46 of the GDPR. You can find more information in Google’s Firebase Privacy documentation.

  
  

We ensure that any international data transfers comply with applicable legal requirements, particularly the General Data Protection Regulation (GDPR) for users in the EEA or the UK GDPR for users in the United Kingdom. This includes:

• Using services provided by companies that participate in recognized data transfer mechanisms such as the EU-U.S. Data Privacy Framework, or

• Implementing Standard Contractual Clauses (SCCs) approved by the European Commission or relevant supervisory authorities,

• Conducting Data Protection Impact Assessments (DPIAs) where required, and

• Minimizing data to the extent necessary for the specified purpose.

  
  

By using our apps, you acknowledge and agree that your information may be transferred to and processed in countries outside of your jurisdiction, subject to appropriate safeguards in compliance with applicable data protection laws.

XI. Tracking Technologies and Analytics Tools

Our applications may use certain tracking technologies such as software development kits (SDKs), analytics tools, and device identifiers to understand user behavior, monitor performance, and deliver a high-quality experience. These technologies enable us to improve our products, offer tailored content, monitor purchases and subscriptions, and maintain operational and business insights.

We do not use browser-based cookies within our mobile applications. However, we may employ third-party app-level tracking and analytics frameworks, including but not limited to the following:

1. RevenueCat

We use RevenueCat, a third-party subscription management and in-app purchase (IAP) infrastructure provider, to process and monitor in-app purchases. RevenueCat tracks data related to:

• Purchases and renewals of subscriptions

• Entitlement status (i.e., which premium features a user has access to)

• Device-level information to associate purchases with users anonymously

RevenueCat does not track personal identifiers like name or email unless you explicitly link your account with such data. Data processed by RevenueCat may be stored or transferred to servers outside your country of residence, including in the United States. RevenueCat adheres to GDPR and CCPA requirements and provides mechanisms to ensure user privacy. For more information, see RevenueCat's Privacy Policy.

2. TelemetryDeck

We use TelemetryDeck, a privacy-first analytics service, to gain insights into how our apps are used and to make informed decisions about design, performance, and functionality. TelemetryDeck allows us to analyze aggregated usage patterns—such as which screens are visited most often or how frequently certain features are used—without tracking or identifying individual users.

TelemetryDeck is designed with data minimization and user privacy as core principles. It does not collect any personally identifiable information (PII), such as names, email addresses, IP addresses, or device identifiers. Instead, it uses ephemeral pseudonymous identifiers that are regenerated regularly and cannot be linked back to specific individuals or devices.

All data sent to TelemetryDeck is:

• Anonymized and aggregated before analysis

• Processed in the European Union, in accordance with GDPR principles

• Not shared with third parties or used for cross-app tracking or advertising purposes

  
  

By using TelemetryDeck, we are able to make better product decisions while respecting your privacy. This analytics framework helps us improve app stability, prioritize feature development, and understand general user engagement without building user profiles or conducting behavioral tracking.

If you wish to disable analytics collection entirely, you can do so via the in-app settings under “Privacy Options.” This opt-out is respected across all future sessions of the app.

For more information about TelemetryDeck’s privacy approach, you can visit their official Privacy Policy.

3. Consent and Control

Where legally required (e.g., under GDPR or ePrivacy Directive), we request your explicit consent before enabling any non-essential tracking technologies. You may be provided with in-app controls or settings to opt in or out of analytics or tracking services, depending on your region and applicable platform requirements.

Additionally, for users in jurisdictions with "Do Not Track" or equivalent laws (e.g., CCPA in California), we honor such requests in accordance with legal obligations and technical feasibility.

XII. App Permissions

Certain features within our apps may request access to specific system permissions or device components in order to function properly. These permissions are only used when necessary to enable key app functionalities and are never used to collect information unrelated to the stated purpose.

Examples include:

• Camera Access: For scanning QR codes, capturing profile pictures, or similar user-initiated actions. We do not access or store camera content beyond the scope of the current session.

• Location Services: If enabled, used to provide location-specific features (e.g., local content or offers). This is always optional and subject to your consent.

• Photo Library Access: Only when users choose to upload an image or avatar.

• Notifications: May be used to deliver relevant updates, reminders, or promotional content (if you have opted in).

• Bluetooth or Nearby Devices: In very specific apps where local peer-to-peer communication is enabled (e.g., device-based authentication), we may ask for this permission—only with transparent explanation and user consent.

  
  

All permissions are requested just-in-time and explicitly, and you may decline or disable them at any time via your device settings. Our apps are designed to handle such revocations gracefully, without affecting unrelated functionality.

XIII. Data Security

We take the security of your personal data seriously and implement a combination of technical, organizational, and administrative measures to protect it from unauthorized access, disclosure, alteration, or destruction.

Our data security practices include, but are not limited to:

• Encryption at rest and in transit (e.g., TLS, HTTPS, secure storage layers)

• Secure access controls and role-based restrictions for staff and third-party vendors

• Anonymization and pseudonymization of sensitive analytics and telemetry data

• Routine audits and vulnerability scanning for known threats or attack surfaces

• Data minimization strategies to avoid unnecessary collection or retention

• Regular updates and security patches applied to our infrastructure and dependencies

  
  

Although no system is completely immune to risks, we are committed to implementing up-to-date safeguards in line with industry best practices and regulatory standards such as ISO/IEC 27001, GDPR, and CCPA.

If you suspect a security issue or have discovered a vulnerability in our app, please report it immediately to hello@trout.so.

XIV. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will notify you as soon as reasonably possible and in accordance with applicable laws.

This notification will include:

• A clear description of what happened

• The types of data involved

• Any known consequences or potential impact

• Steps we are taking to address and mitigate the breach

• What actions you can take to protect yourself (if applicable)

  
  

Notifications will be delivered through one or more of the following methods:

• In-app messages

• Email (if contact details are available)

• Notices on our website or app store pages

  
  

We are legally obligated under the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) to notify users and, where applicable, supervisory authorities (e.g., the German Federal Data Protection Authority) within a strict timeframe.

We maintain a data breach response plan and conduct periodic simulations to ensure readiness and minimize risk in real-world scenarios.

XV. Scope and Applicability

This Privacy Policy applies to all mobile applications, services, and digital products developed and published by Trout UG (haftungsbeschränkt) (“we,” “our,” or “us”), collectively referred to as “our apps” or “our services.”

As of the date of this policy, the following apps are covered:

• Looped - Habit Tracker

• Bits - Flashcards

• Waterly - Water Tracker

• Flits Access Business

• Flits Loyalty Business

• and all apps linking to this page by Trout UG (haftungsbeschränkt), Eichendorf, Germany and Flits Ltd, London, UK

  
  

This Privacy Policy also applies to:

• Future applications developed and distributed by Trout UG under the same legal entity,

• Cross-platform experiences (iOS, Android, iPadOS) associated with the aforementioned apps,

• Backend services, cloud integrations, and subscription/payment logic (e.g., via RevenueCat),

• Embedded or integrated components such as widgets, app clips, or passkit passes (.pkpass),

• Support communications, account systems, and any optional user accounts associated with these apps.

  
  

We maintain a unified privacy policy to provide a consistent explanation of how we collect, use, and protect your data across all products. However, certain apps may include in-app privacy notices or consent prompts that provide additional context based on app-specific features (such as health, location, or sensor-based data). These notices are meant to complement—not replace—this Privacy Policy.

If you are unsure whether a particular product or app falls under this Privacy Policy, you may refer to the app's listing on the App Store or contact us at hello@trout.so for clarification.

XVI. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, you can contact us at:

Email: hello@trout.so

Mailing Address: Trout UG (limited liability), Postfach 187, 94402 Landau a. d. Isar, GERMANY

We take privacy matters seriously and will respond to inquiries as soon as possible.