Privacy Policy
This Privacy Policy applies to the iOS app "MVM Shift Planner".
Data Controller
Controller within the meaning of the GDPR:
Samir Salimovic
Independent iOS Developer
Vienna, Austria
Privacy Contact:
E-mail: privacy@mvm-app.at
Web: https://mvm-app.at
Privacy Approach ("Local-First")
MVM Shift Planner is primarily designed for local data processing. Planning data is primarily stored on your device. Data is transferred to external services only when necessary for the feature you use (e.g., Firebase login/synchronization, AI assistant, in-app purchases, advertising in the free version).
We do not sell personal data.
Processed Data Categories
Depending on usage, we process the following data in particular:
Planning and Shift Data
Shift codes, colors, calendar entries, notes, overtime values, planning rules, settings.
Storage: primarily local on the device; when Share/Sync is active, additionally in Cloud Firestore.
Personalization Data
Optional name, language, theme, reminder times, app settings.
Storage: local app storage areas (e.g., UserDefaults).
Authentication Data
Email address, user ID (UID), sign-in status, auth provider information (e.g., Apple, email/password), security-relevant event data (e.g., timestamp, device reference where required).
Storage: Firebase Authentication, required local status data, and where applicable Firestore event data.
MVM Share Data
Connected partner ID, shared shifts, swap requests including status, required timestamps/metadata.
Storage: Cloud Firestore.
Transaction/Subscription Status Data
Purchase and subscription status information from Apple for unlocking Pro features.
We do not process credit card or bank account data.
Technical Data
Diagnostics and crash data, where provided by Apple and enabled by you.
Advertising Data (Free Version Only)
When using AdMob, advertising/device identifiers (e.g., IDFA) may be processed, where legally permissible and enabled by you.
Legal Bases (Art. 6 GDPR)
We process data based on:
- Art. 6(1)(b) GDPR (contract performance / app functionality)
- Art. 6(1)(a) GDPR (consent, e.g., ATT, optional AI use)
- Art. 6(1)(f) GDPR (legitimate interest, security, stability, abuse prevention)
- Art. 6(1)(c) GDPR (legal obligations, where applicable)
MVM-AI Assistant
The AI feature is optional. When used, data may be transmitted to technical service providers to process your request.
Processed data (depending on request):
- Your entered text (prompt/chat message)
- Required context from the app, to the extent necessary for the response
Recipients:
- Cloudflare (technical AI proxy / worker)
- OpenAI (AI service provider)
Purpose:
- Providing the AI response requested by you
Consent:
- Consent is obtained before the first transmission
- No AI transmission takes place without consent
- Consent can be withdrawn at any time with effect for the future
Firebase Authentication & Synchronization (MVM Share)
When you use login and share features, the app uses:
- Firebase Authentication (sign-in, account management)
- Cloud Firestore (synchronization of MVM Share data, e.g., partner connections, shifts, swap requests)
Processing occurs only to the extent required for the features you use.
Email Security Emails (via Firebase Authentication)
When using email login, security-related emails may be triggered (e.g., verification, password reset, login-related notices).
For this, we process in particular:
- Email address
- Security/event data (e.g., timestamp, required device information)
Recipients:
- Google Firebase Authentication (for verification/reset and security-related auth processes)
Payments & Subscriptions (StoreKit)
In-app purchases are processed via Apple StoreKit. We only receive required transaction/status information to unlock functionality.
Advertising (Free Version Only)
The free version may use Google AdMob.
- Personalized advertising only with corresponding consent (ATT)
- Without consent: non-personalized ads may be shown
- Advertising is disabled when an active Pro subscription is present
Recipients / Categories of Recipients
Depending on usage, data may be transmitted to the following recipients:
- Apple (StoreKit, and possibly diagnostics services)
- Google Firebase (Firebase Authentication, Cloud Firestore)
- Cloudflare (technical AI proxy, only when using AI)
- OpenAI (only when using AI and with consent)
- Google AdMob (free version only, depending on consent)
Third-Country Transfers
Where service providers outside the EEA are used (e.g., USA), third-country transfers may occur. Such transfers are carried out in compliance with legal requirements, in particular based on appropriate safeguards (e.g., EU standard contractual clauses), where required.
Retention Periods
- Local app data: until deleted by you or uninstallation
- AI chat histories (local): until deleted by you or uninstallation
- Firestore share data: until deleted by you (e.g., disconnect/removal or "Delete Data") or account deletion, unless legal obligations prevent this
- Auth/login data: according to applicable Firebase and app operational rules, as long as required for operation/security
- Subscription/status data: as long as required for verification/unlocking
- Security/auth event data: only as long as required for operation, security, abuse prevention, and error analysis
- Diagnostics/log data: according to platform provider rules
Your Rights Under GDPR
You have, in particular, the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent with effect for the future (Art. 7(3) GDPR)
- Complaint to a supervisory authority (Art. 77 GDPR), e.g., in Austria at the Data Protection Authority
Data Security
We implement appropriate technical and organizational measures to protect data against loss, misuse, and unauthorized access (e.g., transport encryption, access controls, use of established platform services).
Changes to this Privacy Policy
We reserve the right to update this Privacy Policy when features, legal requirements, or used services change. The currently published version is authoritative.
Contact
For privacy inquiries: