Privacy Policy
As of: 18 April 2026
1. Data Controller
Data controller under GDPR:
Margot Kuhn
Am Judenfriedhof 4
97631 Bad Königshofen
Email: hello@esgvibe.org
2. Principles of Data Processing
ESGvibe collects and processes personal data only to the extent necessary to provide the app's functions. We do not sell user data and do not use tracking or advertising networks.
3. What data we process
3.1 Optional User Account
Using ESGvibe is possible without an account. For the optional sign-in (exclusively for cross-device synchronisation) we process:
- Email address
- Password (encrypted, never stored in plain text)
- Subscription status (Free / Basic / Pro)
Legal basis: Art. 6(1)(b) GDPR (contract performance).
The account can be deleted at any time in the app under Settings → "Delete account".
3.2 Locally Stored App Data
The following data is stored exclusively locally on your iPhone and is not transmitted to servers:
- Read and saved article IDs
- Selected topics and language setting
- Disabled source groups
- Onboarding status
3.3 ESG Pre-Rating Check (from version 2.2)
From version 2.2, all personal data – including ESG assessments, company data, answers, scores and bookmarks – is stored exclusively locally on the user's device (Apple SwiftData). No transmission to our servers takes place.
Supabase (EU hosting) is used exclusively for public reference data (news articles, regulatory texts, question catalogues) and subscription status checks. No tracking, no advertising, no analytics.
3.4 Optional iCloud Sync
Users can optionally activate iCloud sync to synchronise bookmarks and settings across their own Apple devices. This data is end-to-end encrypted by Apple. ESGvibe has no access to this synchronised data.
4. External Services
4.1 Supabase (Backend & Authentication)
User accounts and article content are provided via Supabase. Supabase uses EU data centres, is SOC 2 Type II certified and GDPR-compliant.
Legal basis: Art. 6(1)(b) GDPR.
supabase.com/privacy
4.2 Apple In-App Purchase (ESGvibe Pro)
Pro subscriptions are processed exclusively via Apple In-App Purchase. Payment data is processed by Apple — ESGvibe receives no payment or bank details.
Legal basis: Art. 6(1)(b) GDPR.
apple.com/legal/privacy
4.3 DeepL (Translation)
To provide content in German and English, ESGvibe uses DeepL. Only public article texts are translated — no personal user data is transmitted.
Service provider: DeepL SE, Maarweg 165, 50825 Cologne.
Legal basis: Art. 6(1)(f) GDPR.
deepl.com/privacy
4.4 Apple App Store
The app is downloaded via the Apple App Store. The data processing involved is governed by Apple Inc.'s privacy policy.
5. Newsletter
5.1 What we process
When you sign up for the newsletter on esgvibe.org, we process exclusively your email address and the date of registration.
5.2 Legal basis
Art. 6(1)(a) GDPR (consent). Revocable at any time.
5.3 Unsubscribe
Every email contains an unsubscribe link. Alternatively: hello@esgvibe.org
6. Your Rights (GDPR)
You have the right to:
- Access to stored data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure of your data (Art. 17) – directly in the app or by email
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
Contact: hello@esgvibe.org
7. Data Security
All data transmissions are encrypted via HTTPS/TLS. Passwords are stored exclusively as bcrypt hashes. Local app data is stored in the protected iOS UserDefaults area.
8. No Cookies, No Tracking
ESGvibe uses neither cookies nor tracking technologies. No user profiles are created and no data is transmitted to advertising networks.
9. Changes to this Policy
The current version is always available at esgvibe.org/en/privacy.html.