
Table of Contents

  1. General Information
  2. Controller Responsible for Data Processing
  3. Processing of Your Data
  4. Registration and Contract Processing
  5. Permissions
  6. Enquiries via Contact Forms, Email/Messenger/Telephone/Fax
  7. External Services
  8. Logging of Error Messages and System Events
  9. Protection of Children and Processing of Personal Data of Minors
  10. Use of Cookies and Similar Technologies
  11. Storage and Deletion Periods for Personal Data
  12. Rights of Data Subjects
  13. Right to Object
  14. Right to Withdraw Consent
  15. Complaints to Supervisory Authorities
  16. Obligation to Inform
  17. Obligation to Provide Data
  18. Automated Decisions Including Profiling
  19. Data Security
  20. Questions / Comments

1. General Information

We take the protection of your personal data very seriously. Data is processed by us in accordance with the applicable legal data protection regulations. In addition to the General Data Protection Regulation (GDPR), we also comply with other applicable European Union data protection regulations, in particular the EU Consent Regulation (EinwV) 2025, the EU Artificial Intelligence Act (AI Act), Directive (EU) 2022/2555 (NIS2) on network and information security, as well as the EU Data Act (2023/2854) and national data protection regulations.

If our app is used by children under the age of 16, personal data is processed exclusively with prior consent of the legal guardians in accordance with Art. 8 GDPR.

“Personal data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Below we inform you about the processing of your data, in particular the type, scope and purpose of the collection and use of personal data as well as the corresponding legal bases. We also explain your rights in relation to data processing.

2. Controller Responsible for Data Processing

The controller responsible for data processing can be contacted at:

culah GmbH
c/o Lichtung
Gollierstraße 23
80339 Munich, Germany

Represented by Managing Director: Sabrina Haas

Email: hello@culah.de

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.

3. Type, Scope, Purposes and Legal Bases of Data Processing

We process personal data only where legally permitted, in particular for handling enquiries, fulfilling contracts, based on legitimate interests or where you have given your consent.

For new features that may pose a high risk to data subjects’ rights (e.g. AI-based analysis, speech recognition), we conduct a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR.

a) Registration and Contract Processing

During registration, your name, address, email address, mobile number, payment information and technical data (device/operating system information) are processed.

Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) GDPR (consent) for optional processing (e.g. analytics, marketing).
You may withdraw your consent at any time.

Provision of mandatory data (name, address, payment information, telephone number) is required; without it, the app cannot be used.

After termination of the contract, data is deleted unless statutory retention obligations apply.
You may delete your account at any time via the app or by emailing support@culah.de.

b) Permissions

Our app requires certain permissions for specific functions:

aa) Camera / Photos / Profile Picture Upload

Purpose: Upload and display a profile picture
Data: Image files, optional metadata
Legal basis: Art. 6(1)(a) GDPR (consent)
Withdrawal: Anytime via app settings

bb) Visualisation of Savings Goals / Local Storage

Purpose: Display of allowances, savings goals and progress
Data: Child’s financial data, aggregated visualisation data
Legal basis: Art. 6(1)(b) or Art. 6(1)(a) GDPR
Withdrawal: Anytime

cc) Microphone / Voice Control

Purpose: Voice commands (e.g. add allowance, show savings goal)
Data: Audio input
Legal basis: Art. 6(1)(a) GDPR
Withdrawal: Anytime

dd) Push Notifications

Purpose: Notifications (e.g. reminders, offers)
Data: Device ID, user preferences
Legal basis: Art. 6(1)(a) GDPR
Withdrawal: Anytime via device or app settings

c) Enquiries (Contact Forms, Email, Messenger, Telephone, Fax)

Data is processed to handle and respond to enquiries.
Legal basis: Art. 6(1)(b) or (f) GDPR.

d) External Services

aa) Payment Processing via Stripe

Provider: Stripe Payments Europe (Ireland)
Purpose: Payment processing
Data: Payment details, name, email, device data
Legal basis: Art. 6(1)(b) GDPR
Data transfer: Based on Art. 28 GDPR and SCCs / adequacy decisions
Opt-out: Not possible (required for service)

bb) AI Cloud Service

Purpose: AI functions (analysis, predictions, voice control)
Data: Text inputs, voice commands, device data, profile data
Legal basis: Art. 6(1)(a) or (b) GDPR
Data transfer: EU / third countries with SCCs and adequacy decisions
Opt-out: Via app settings

Possible effects for users:

  • Profiling and categorisation
  • Misinterpretation of data
  • Behavioural influence
  • Limited transparency
  • Processing of voice data
  • Cloud processing risks
  • Special risks for minors

cc) Google Analytics for Firebase

Purpose: App usage analysis
Data: Device info, IP (truncated), interactions
Legal basis: Art. 6(1)(a) GDPR
Data transfer: SCCs / EU-US Data Privacy Framework
Opt-out: Via app settings

e) Logging of Error Messages and System Events

We process technical data (device type, OS, crash logs, timestamps) for stability and security.
Legal basis: Art. 6(1)(f) GDPR.
Data is deleted after 30 days.

f) Protection of Children and Processing of Data of Minors

Data of children under 16 is processed only with parental consent.
Purpose: Allowance management, savings goals, learning progress
Legal basis: Art. 6(1)(a) GDPR, Art. 8 GDPR
Parents may withdraw consent and request deletion at any time.

4. Use of Cookies and Similar Technologies

Our app does not use cookies in the traditional sense. Analytics services are used only with consent. Consent can be managed in the app settings.

5. Storage and Deletion Periods

Data Category               Retention Period                     Legal Basis
--------------------------  -----------------------------------  ------------------------------------------
Contract & payment data     10 years                             Art. 6(1)(b) GDPR, §§ 147 AO, 257 HGB
Support enquiries           2 years                              Art. 6(1)(f) GDPR
Error logs                  30 days                              Art. 6(1)(f) GDPR
AI analysis/training data   Max. 6 months, then anonymised       Art. 6(1)(a)/(b) GDPR


6. Rights of Data Subjects

You have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR, Art. 8 EU Data Act)
  • Not to be subject to automated decisions (Art. 22 GDPR)

7. Right to Object

You may object at any time to processing based on Art. 6(1)(e) or (f) GDPR.

8. Right to Withdraw Consent

You may withdraw your consent at any time with effect for the future.

9. Complaints to Supervisory Authorities

Bavarian Data Protection Authority
Promenade 27, 91522 Ansbach, Germany
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de

10. Obligation to Inform

We inform all recipients of any rectification, erasure or restriction unless this is impossible or disproportionate.

11. Obligation to Provide Data

Providing personal data is required for contract performance. Without it, use of the app is not possible.

12. Automated Decisions and Profiling

We do not use automated decision-making. If introduced, we will inform you accordingly.

13. Data Security

We implement technical and organisational measures including:

  • Encryption (AES-256, TLS 1.3)
  • Multi-factor authentication
  • Monitoring and logging
  • Firewalls and intrusion detection
  • Backups and emergency plans
  • Regular security training

Security incidents are reported within 24 hours in accordance with the Cyber Resilience Act.

14. Questions / Comments

If you have any questions or comments regarding this Privacy Policy, please contact us at the details provided above.

Status: 28 November 2025