Privacy Policy
Welcome to our Privacy Policy! Here you can find out what personal data we process when you use Aktivismo, why we process it, who we share it with, how long we keep it and what rights you have. We provide this information in particular to meet the transparency requirements of the General Data Protection Regulation (GDPR).
Who is responsible for data processing
The controller responsible for data processing for the Aktivismo website and the Aktivismo app is:
Johann Hubmann
sole trader
Address:
Reichenbachstraße 13
83435 Bad Reichenhall
Germany

What this policy covers
This Privacy Policy applies to our website www.aktivismo.org (including subpages and redirects) and to the Aktivismo app on iOS, Android and as a web app at www.aktivismo.app. It covers the features currently provided on these services, in particular account creation, campaign creation, saving and sharing of campaigns, the AI campaign generator and newsletter subscription. If we add further community features in the future, such as public profiles, posts, forums, comments, or chats, we will update this Privacy Policy before or at the time those features go live.
What personal data is and when we process it
Personal data means information that can identify you directly or indirectly, such as your email address, your date of birth, the content you enter into the app, or technical identifiers in server logs. We only process personal data when we need it to provide Aktivismo, when we are legally required to do so, when we have a legitimate interest in running a secure and reliable service, or when you have given consent. Depending on the specific processing, the legal basis is typically performance of a contract (providing the service), consent (for optional communications), or legitimate interests (such as security and abuse prevention).
Minimum age
Aktivismo is intended for users who are at least 16 years old. During registration we process your date of birth to enforce this minimum age requirement. If we become aware that an account belongs to someone under 16, we may disable the account and delete the associated personal data from active systems.
Our website and server logs
Our website is hosted by IONOS. When you visit the website, IONOS processes server log data for technical reasons, such as the time of access, requested pages, technical device and browser information, referrer information and error messages. These logs are used to deliver the website, maintain stability and protect against attacks. The legal basis is our legitimate interest in operating a secure and reliable website, and where applicable the provision of the service you request by accessing the website. According to IONOS documentation, log data is kept for a maximum period and IP addresses are anonymised in the log files.
Our web app and server log data
When you use the Aktivismo web app at aktivismo.app or www.aktivismo.app, technical access data is processed for operational and security reasons. This may include IP address, date and time of access, requested resources, browser and device information, referrer information and error messages.
These data are required to deliver the web app, ensure stability, and protect against attacks or misuse. The legal basis is our legitimate interest in operating a secure and reliable service and, where applicable, the provision of the service you request by accessing the web app.
Access data is retained only for as long as necessary for technical operation, security, and error analysis.
Cookies and similar technologies
We do not use analytics or marketing trackers on our website. We use only strictly necessary cookies or similar storage where required for functions you explicitly request, for example basic navigation or security-related functions. If we introduce non-essential technologies in the future, we will request consent where required and update this Privacy Policy accordingly.
The above also applies to the Aktivismo web app. There, technically required storage mechanisms (such as session information or local storage) may be used to provide login functionality, security features and core app functions. We do not use analytics or marketing trackers unless explicitly stated otherwise.
Contacting us
If you contact us via our contact form or via email, we process the information you provide, typically the subject, message content and your email address, if you choose to provide it. We process this data to respond to your enquiry and to document the communication. The legal basis depends on the nature of the request and is typically performance of contract or pre-contractual steps, or our legitimate interest in handling enquiries. We keep contact communications only as long as necessary to process the request and handle follow-up, unless longer retention is required to comply with legal obligations or to establish, exercise, or defend legal claims.
Registration, account and required information
To create an Aktivismo account we process your email address and, within the registration flow, we ask you to repeat your email address to reduce entry errors. We also process your date of birth to enforce the minimum age rule and we process your selected interests to configure and personalise your campaign experience. If you do not provide the required information, account creation is not possible.
We use email/password authentication. We process account-related data to operate your account, provide requested features and maintain the security of the service. The legal basis is the performance of the user relationship and our legitimate interests in secure operation and abuse prevention.
Firebase and hosting of the app
Aktivismo uses Google Firebase for core backend services, including authentication, database storage, file storage, cloud functions and hosting. We host our Firebase resources in the EU region (Frankfurt / europe-west3). Even where services are configured in the EU, providers may in some cases process data from or with access from outside the EU/EEA for support and operational purposes; where this occurs, we rely on appropriate safeguards as described below.
In addition, our web app is delivered via FlutterFlow, which provides the application layer and custom-domain routing for the web app. FlutterFlow may process technical access data as part of providing this service.
Campaign creation, saving and share links
When you create, save, or edit campaigns, we process the content you provide and technical metadata necessary to store and deliver the content. Campaigns can be shared via a link and may be accessible without login by anyone who has the link. We do not actively enable search engine indexing for shared campaigns at this time, but anyone who receives a link may still share it further. The legal basis for processing campaign content is the provision of the requested service and, where relevant, our legitimate interests in ensuring platform security and preventing misuse.
AI campaign generator and OpenAI
If you use the AI campaign generator, we transmit your prompt and your campaign inputs to OpenAI via our backend (Firebase Cloud Functions) so that text suggestions can be generated. We aim to send only what is necessary for the generation request and we do not intentionally include account identifiers such as your email address in the prompt unless you enter them yourself.
We store your generator inputs and outputs in our database so you can continue working with your campaign drafts and campaigns. We also keep limited technical logs of generator requests and errors to operate the feature, improve reliability and investigate malfunctions or abuse. The legal basis is the provision of the requested feature within the user relationship and, for technical logging, our legitimate interests in security and service integrity. Data sent via the OpenAI API is not used to train OpenAI models by default unless the customer explicitly opts in; we do not currently operate an opt-in that shares your content for model training.
Newsletter via Mailchimp
If you subscribe to our newsletter, we process your email address and your subscription status in order to send you newsletter emails. The legal basis is your consent. You can unsubscribe at any time, including through your account settings and via links provided in newsletter emails, after which we stop sending. To ensure we respect your unsubscribe choice, it may be necessary for our email service provider to retain a minimal record related to the unsubscribe status.
We use Mailchimp as our email service provider. Mailchimp may process data in the United States and relies on transfer mechanisms such as Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
Recipients, processors and data sharing
We use carefully selected service providers to operate Aktivismo, including IONOS for website hosting, FlutterFlow for the delivery of our web app under our custom domain, Google Firebase for authentication and backend infrastructure, OpenAI for AI text generation and Mailchimp for newsletter delivery.
Where service providers process personal data on our behalf, we rely on appropriate contractual arrangements for data processing and require suitable technical and organisational security measures. We share personal data with third parties only where this is necessary to provide the service, where we are legally required to do so, or where you have given consent.
International data transfers
If personal data is processed outside the EU/EEA, we ensure that appropriate safeguards are in place. Depending on the provider and the specific processing context, these safeguards may include adequacy decisions where applicable, participation in the EU–US Data Privacy Framework where relevant, and the use of Standard Contractual Clauses (SCCs).
For service providers based outside the EU/EEA, or where support or operational access from third countries may occur, we rely on appropriate safeguards such as Standard Contractual Clauses and, where applicable, adequacy decisions or the EU–US Data Privacy Framework.
How long we keep your data
We keep personal data only for as long as it is needed for the relevant purposes, unless legal obligations require longer retention. Account and campaign data is generally stored until you delete it or delete your account. AI generator inputs and outputs are generally stored as long as the related draft or campaign exists. Technical logs are retained only as long as necessary for troubleshooting, security and service integrity. Moderation or report cases, where they arise, are typically kept until the case is closed and then for up to six months. Website server logs are kept according to the hosting provider’s documented retention periods.
When you delete your account, we delete your personal data from active systems as soon as reasonably possible. Even if we do not maintain separate backups under our control, our service providers may maintain redundancy, security backups, or operational logs for limited periods; residual copies can therefore remain for a short time but are not used for normal operations. We may retain limited information where necessary to comply with legal obligations or to establish, exercise, or defend legal claims.
Security
We use technical and organisational measures to protect your data, including access restrictions, role and permission concepts and encryption in transit. No system is perfectly secure, but we continuously work to maintain and improve safeguards appropriate to the risks.
Your rights
Under the GDPR, you have the right to request access to your personal data, rectification, erasure, restriction of processing, data portability and the right to object where processing is based on legitimate interests and your situation justifies an objection. Where we process data based on consent, you can withdraw your consent at any time with effect for the future. You also have the right to lodge a complaint with a data protection supervisory authority in the EU/EEA.
You can exercise your rights via the in-app account functions or by contacting us via our contact form or via the contact information stated under the section “Who is responsible for data processing”. To protect your data, we may verify requests by replying to the email address linked to your account and, only if necessary, requesting minimal additional information.
App stores and third-party platforms
If you download the app via an app store, the store provider processes certain data under its own responsibility, for example for billing, platform security and account management. Please refer to the privacy information provided by the respective store provider.
Changes to this Privacy Policy
Aktivismo will continue to evolve. If we introduce new features or if legal requirements change, we will update this Privacy Policy. The current version is available on our website and in the app.
Contact
If you have questions, anything is unclear, or you would like to exercise your rights, please contact us at any time via our contact form or via the contact information stated under the section “Who is responsible for data processing”. We’ll be happy to help as quickly as possible.
Last updated
This version of our Privacy Policy is effective as of 13 January 2026.
© 2026 Aktivismo · Johann Hubmann