Privacy Policy

Last updated: April 24, 2026

1. Introduction

City Directory ("we", "us", or "our") operates the City Directory mobile application and web dashboard. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

We are committed to complying with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG).

2. Data Controller

The data controller responsible for processing your personal data is City Directory, located in Regensburg, Germany. For contact details, please see our Imprint.

3. Data We Collect

3.1 Account Data

When you register, we collect your name, email address, and chosen password (stored in hashed form). If you enable two-factor authentication, we store the associated secret key.

3.2 Location Data

With your consent, we collect your approximate location to display services and alerts relevant to your selected city. You may set a "home city" which is stored in your profile. Location data is not shared with third parties.

3.3 Usage Data

We collect anonymous usage analytics including pages viewed, features used, and device type (iOS/Android/web). This data does not identify individual users and is used solely to improve the service.

3.4 Business Inquiry Data

If you submit a business inquiry through our website, we collect your name, email, business name, city, and message. This data is used solely to respond to your inquiry.

3.5 Push Notification Tokens

If you enable push notifications, we store your device push token to deliver city alerts and important updates. You can disable notifications at any time through your device settings.

4. How We Use Your Data

  • Provide and personalize local services, city alerts, and news relevant to your location
  • Authenticate your account and maintain session security
  • Deliver push notifications for city alerts (with your consent)
  • Respond to business inquiries and support requests
  • Improve our services through anonymous usage analytics
  • Display relevant advertisements within the app

5. Legal Basis for Processing

We process your data based on:

  • Consent (Art. 6(1)(a) GDPR) — for location data, push notifications, and optional analytics
  • Contract performance (Art. 6(1)(b) GDPR) — to provide the service you signed up for
  • Legitimate interest (Art. 6(1)(f) GDPR) — for security, fraud prevention, and service improvement

6. Data Sharing

We do not sell, trade, or share your personal data with any third parties. Your data is stored exclusively with the infrastructure service providers that we use to operate the application:

  • Database hosting — for storing account and application data
  • Application hosting — for serving the web dashboard and API
  • Email delivery — for transactional emails (account verification, password resets)

These providers act as data processors on our behalf and are contractually bound to process your data only as instructed by us and in compliance with GDPR.

In response to a lawful request by government or law enforcement authorities — including to meet national security or law enforcement requirements — we may be required to disclose personal data. We will comply with such requests only to the extent legally required and, where permitted, will notify affected users.

7. Data Retention

Account data is retained as long as your account is active. If you delete your account, all personal data is permanently removed within 30 days. Anonymous analytics data may be retained indefinitely. Business inquiry data is retained for 12 months.

8. Your Rights

Under GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting prior processing

To exercise any of these rights, contact us via the details in our Imprint.

9. Cookies

The web dashboard uses essential cookies for authentication (access_token and refresh_token). These are strictly necessary for the service to function and do not require consent. We do not use tracking or advertising cookies on the web dashboard.

10. Security

We implement industry-standard security measures including encrypted data transmission (TLS/HTTPS), hashed passwords (bcrypt), HTTP-only secure cookies, and regular security audits. Despite these measures, no method of electronic storage is 100% secure.

11. Children's Privacy

Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or by email. Continued use of the service after changes constitutes acceptance of the updated policy.