Privacy Policy

Last updated: 10 April 2026

1. Controller

The controller responsible for personal data processed in connection with Zeichn is identified in the Imprint (operator name and contact).

2. Scope

This policy describes processing when you use the Zeichn iOS app and when you visit this website. The app is the primary service; the site provides information and legal documents.

3. Data we process

In running Zeichn we collect and process personal data including, in particular: drawings (your submitted sketch images), emoji reactions (which emoji you chose and which drawing it relates to), your display name, an optional profile picture (avatar), and a Firebase Cloud Messaging (FCM) device token if you enable push notifications — together with account identifiers from Sign in with Apple, related metadata (for example submission time and daily quote association), and usage/analytics data as described below.

3.1 Account and profile

• Authentication data from Sign in with Apple (for example a stable user identifier; Apple may share a name or email depending on your choices).
• Display name you choose, shown with your drawings and profile.
• Avatar (profile image) if you upload one; stored so we can show it in the app.

3.2 Drawings and social features

• Drawing images you submit for a given day, stored so we can show them in the feed and your archive.
• Metadata such as submission time, association with the daily quote, and denormalised fields used for performance (for example your display name on a feed card).
• Emoji reactions you send to others’ drawings, including which emoji and which drawing.
• Reports if you flag content, including reason text we collect for moderation.

3.3 Device and usage

• FCM token (Firebase Cloud Messaging registration token for your device) if you opt in to notifications, used to deliver quote reminders or other pushes you agree to. The token is associated with your account in our backend while notifications are enabled.
• Analytics events (for example screens viewed, submissions, reactions) if Firebase Analytics or similar is enabled — typically pseudonymous.
• Technical logs from infrastructure providers for security and reliability.

4. Purposes and legal bases (GDPR)

We process data on the following bases, as applicable:

• Contract (Art. 6(1)(b)) — providing Zeichn: authentication, storing drawings, showing the feed, reactions, customer support.
• Legitimate interests (Art. 6(1)(f)) — securing the service, fraud prevention, product improvement, aggregated analytics, enforcing our terms, and moderation — balanced against your rights.
• Consent (Art. 6(1)(a)) — where required for marketing communications or non-essential cookies or similar technologies on the website.
• Legal obligation (Art. 6(1)(c)) — compliance with law, responding to lawful requests.

5. Children

Zeichn is not directed at children. We do not knowingly collect personal data from children below the digital consent age in your country without parental consent. If you believe we have, contact us using the Imprint details.

6. Recipients and subprocessors

Google / Firebase as processor. We use Google Firebase (Google LLC and affiliates) to host core backend services. Google processes the personal data described in this policy on our instructions as a processor (and, for some elements such as analytics, may also act under its own legal bases as described in Google’s privacy documentation). Firebase components we rely on include, among others: Firebase Authentication, Cloud Firestore, Cloud Storage for Firebase, Cloud Functions (deployed in the europe-west1 region), Firebase Cloud Messaging (FCM), and Firebase Analytics. That infrastructure stores and processes your account data, drawings, reactions, display name, avatar files, FCM tokens, and related app data. Google’s privacy policy and data processing terms for Firebase/Google Cloud apply in addition to this policy.

Apple. Sign in with Apple and Apple Push Notification service (APNs) are used for login and notification delivery; Apple processes data under its own terms as a separate provider.

We may add further subprocessors (for example email or support tools). We will update this policy for material changes to who processes personal data on our behalf.

7. International transfers

Providers may process data in the EU, EEA, UK, US, or other countries. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and supplementary measures as required by case law.

8. Retention

We keep personal data only as long as needed for the purposes in this policy, unless a longer period is required or permitted by law.

• Account, display name, and avatar — stored in Firebase (for example Firestore and Storage) for as long as your account is active. If you delete your account (see below), we delete or anonymise these within a reasonable period unless we must retain certain information for legal reasons.
• Drawings — kept so you and others can use the daily feed and your archive. Drawings are intended to persist after you lock them in for a given day; retention may continue after submission for as long as the service operates and the content remains appropriate for display, subject to moderation, legal obligations, and your rights (including erasure requests).
• Reactions — stored with the drawing and account records for as long as those records are kept, unless you remove or change a reaction in the app where that is supported.
• FCM token — stored while push notifications are enabled and your account is active; removed or refreshed when you disable notifications, log out, or we replace the token. If you delete your account, we delete associated token data from our systems within a reasonable period.
• Logs and analytics (including Firebase Analytics where used) — typically retained for a limited period according to Google’s settings and our security and product needs.

9. Account deletion

You may request deletion of your account and associated personal data by contacting us at the email address in the Imprint (for example support@peweo.com), or through any account-deletion option we provide in the app if available.

When we process a valid deletion request, we will delete or anonymise your account record, display name, avatar, FCM token, and other profile or device data we hold, and we will address drawings and reactions in line with applicable law (for example by deleting them, removing them from public view, or anonymising them so they no longer identify you), except where we must retain certain information for legal, security, or dispute-resolution purposes. Deletion may take a short time to propagate across Firebase and backups.

10. Your rights

Subject to EU/UK data protection law, you may have the right to access, rectify, erase, restrict processing, object, and data portability, and to withdraw consent where processing is consent-based. You may lodge a complaint with a supervisory authority. To exercise rights, contact us via the Imprint. You may also use Apple’s privacy controls for data obtained through Sign in with Apple where applicable.

11. Security

We implement technical and organisational measures appropriate to the risk, including access controls and encryption in transit where supported by providers. No method of transmission over the Internet is completely secure.

12. Website

This marketing site may log standard server data (IP address, user agent, timestamps) when hosted on a provider such as Vercel, Netlify, or Firebase Hosting. We do not use the site to collect drawings.

13. Changes

We will update this policy when our practices change. Material changes will be reflected here with a new “Last updated” date and, where required, additional notice in the app.