Snakken

Privacy

How Snakken handles your data: as little as possible, as locally as possible, always inside the EU.

Last updated 11 June 2026

§ 1 Data Controller

The data controller within the meaning of the GDPR is:

Dennis Post
Lilistraße 67
63067 Offenbach am Main
Germany
Email: privacy@snakken.app

(hereinafter "we" or "Controller")

§ 2 Scope and Principles of Data Processing

This privacy policy covers both the Snakken mobile app (the "App") and our website snakken.app (the "Website"). The Website is a purely informational site and processes only the data described in § 3; all other sections of this policy concern the use of the App, unless stated otherwise.

The protection of your personal data is our highest priority. Snakken was developed according to the principles of "Privacy by Design" and "Privacy by Default." We process personal data only to the extent necessary for providing a functional app and our content and services, or where you have consented to the processing.

All data is stored and processed exclusively on servers within the European Union (EU) or the European Economic Area (EEA). No transfer to third countries takes place.

§ 3 The Website (snakken.app)

The Website is a fully static site. It sets no cookies, uses no tracking technologies, loads no third-party resources (fonts and all assets are served from our own infrastructure), and embeds no analytics. Web server access logs (IP address, requested URL, timestamp, user agent) are processed for the secure and performant operation of the site on the basis of Art. 6(1)(f) GDPR and deleted after 30 days at the latest. Beyond these access logs, no personal data is processed when you visit the Website.

§ 4 Hosting and Technical Infrastructure

The App and the Website are hosted on servers operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. We have concluded a data processing agreement (DPA) with Hetzner pursuant to Art. 28 GDPR.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and performant provision of the App and the Website).

§ 5 Categories of Personal Data in the App

When you use the App, we process the following categories of personal data:

5.1 Registration and Account Data

  • Email address
  • Authentication data (device-bound passkeys — no passwords)
  • Device identifiers (anonymized)

5.2 Profile Data

  • Display name and profile picture
  • Free-text entries (profile description)

5.3 Location Data

Your exact location never leaves your device. Snakken works at neighbourhood level: your device converts your position into a coarse geographic cell (H3 index) locally, and only this cell identifier is transmitted to our servers. Exact GPS coordinates are neither transmitted, stored, nor logged on the server. Your current cell is overwritten each time it updates; no location history is kept.

5.4 Content Data

  • Posts you publish (text, images, video, live streams), visible only to people in the same geographic area
  • Ephemeral posts are automatically and permanently deleted when they expire

5.5 Communication Data

  • Messages and media content you exchange with other users
  • Communication metadata (timestamps)

Messages are transmitted in encrypted form and stored on our EU servers.

5.6 Usage Data

  • Technical access data (IP address, device type, operating system, app version)
  • Usage statistics (anonymized and aggregated)
  • Crash and error reports (processed on our own servers in the EU, no third-party provider)

§ 6 Purposes and Legal Bases of Processing

  • Registration and account management — email, authentication data, device ID — Art. 6(1)(b) GDPR (performance of contract).
  • The local feed (showing your posts to people in your area and their posts to you) — content data, geographic cell — Art. 6(1)(b) GDPR.
  • Neighbourhood-based display — location data (coarse cell only) — Art. 6(1)(a) GDPR (consent, granted via the operating system's location permission and revocable there at any time).
  • Messaging features — communication data — Art. 6(1)(b) GDPR.
  • App security and abuse prevention — usage data, device ID — Art. 6(1)(f) GDPR (legitimate interest).
  • Error analysis and improvement — anonymized crash reports — Art. 6(1)(f) GDPR.
  • Automated content moderation — uploaded media, texts, usage patterns — Art. 6(1)(f) GDPR in conjunction with our obligations under Regulation (EU) 2022/2065 (Digital Services Act).
  • Criminal prosecution for illegal content — account data, IP addresses, content, metadata — Art. 6(1)(c) GDPR (legal obligation) or Art. 6(1)(f) GDPR.

§ 7 Data Separation and Security Architecture

We employ strict separation of your data for optimal protection. Identity data, profile information, and location data are stored in separate databases. This architecture ensures that even in the event of a hypothetical security incident, it is not possible to reconstruct complete user profiles with real names and locations from a single data set.

§ 8 Automated Content Moderation

To ensure platform safety and comply with our obligations as a platform operator under the Digital Services Act, we employ automated processes to detect unlawful or policy-violating content (e.g., hate speech, spam, fraud) and abusive behavior (fake profiles, bots). Decisions with significant effects on your account — in particular permanent suspensions — are never made solely by automated means; a human review takes place first. You have the right to request a review of any automated decision by a natural person and to contest the decision (Art. 13(2)(f), Art. 15(1)(h), Art. 22 GDPR). The results of automated analysis are never used for advertising or commercial profiling.

§ 9 Recipients and Data Processors

We generally do not share your personal data with third parties. Data is shared only in the following cases:

  • Hosting provider: Hetzner Online GmbH (DE) — DPA pursuant to Art. 28 GDPR.
  • App store operators: Apple Inc. and Google LLC — exclusively for processing any in-app purchases. We do not transmit user data to these companies.
  • Legal obligation: when we are legally required to do so (e.g., by order of law enforcement authorities pursuant to Art. 6(1)(c) GDPR), or where content gives rise to a suspicion of criminal activity and we file a criminal complaint with the competent authorities.

No transfer of personal data to third countries (outside the EU/EEA) takes place.

§ 10 Retention Periods

  • Account data: until deletion of your account, then immediately deleted.
  • Profile data: until deletion of the profile or account.
  • Location data: your coarse geographic cell is overwritten on each update; no history is stored.
  • Ephemeral posts: automatically deleted when they expire.
  • Messages: until deletion by you or your conversation partner, at the latest upon account deletion.
  • Usage data/logs: maximum 30 days, then automatically deleted.
  • Crash reports: maximum 90 days.
  • Billing data: in accordance with statutory retention periods (§ 147 AO: up to 10 years).

§ 11 Your Rights as a Data Subject

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR) — information about the personal data we process about you.
  • Right to rectification (Art. 16 GDPR) — correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR) — your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR) — to processing based on Art. 6(1)(f) GDPR, at any time.
  • Right to withdraw consent (Art. 7(3) GDPR) — at any time with effect for the future.

To exercise your rights, contact: privacy@snakken.app

§ 12 Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
datenschutz.hessen.de

§ 13 Data Protection by Design (Art. 25 GDPR)

  • No coordinates on the server: geographic cells are computed on your device; raw GPS positions are never transmitted.
  • Strict data separation: identity, profile, and location are stored in separate databases.
  • Encrypted communication: messages are transmitted and stored in encrypted form.
  • Passwordless authentication: device-bound passkeys instead of transferable secrets.
  • Data minimization: only data necessary for functionality is collected.
  • Automatic deletion: ephemeral posts, usage data, and logs are deleted automatically after defined periods.

§ 14 Cookies and Tracking

Neither the App nor the Website uses cookies or tracking technologies. We do not use any third-party analytics tools. Error reports are processed exclusively on our own servers in the EU.

§ 15 Changes to This Privacy Policy

We reserve the right to amend this privacy policy to adapt it to changed legal requirements or changes to the App and data processing. The current version is always available in the App and on the Website. Significant changes will be communicated via an in-app notification.

← Back to the start page