Privacy Policy
EverAct App and Website · As of April 2026
1. Controller
Hinweis: A data protection officer has not been appointed as the requirements for appointment under Art. 37 GDPR are not met.
2. Processing of Health Data
What health data is processed?
We process the following data from Apple HealthKit (with your explicit consent):
| Data Type | Example | Zweck |
|---|---|---|
| Steps | Number of steps per day | Calculation of sport score |
| Workouts | Training sessions (Running, Cycling, etc.) | Calculation of sport score |
| Active Calories | Calories burned during activities | Calculation of sport score |
Legal Basis
Art. 9(2)(a) GDPR - Explicit Consent
The processing of your health data is based on your express consent. You can revoke this consent at any time.
No Commercial Use
Your health data will not be used for:
- Advertising or marketing
- Data trading or sale to third parties
- Development of products for purposes other than EverAct
3. Wallet and Blockchain Data
| Wallet Address | 0x1234...5678 | Identification for token receipt |
| Transaction History | All token transfers on-chain | Transparency and traceability |
Important Notice on Transparency
All ECO token transactions are publicly stored on the Sonic Blockchain. Your wallet address is visible to anyone who analyzes the blockchain. Transaction amounts and timestamps are publicly viewable.
Conflict Between Blockchain and GDPR
On-chain data cannot be technically deleted. The right to erasure (Art. 17 GDPR) therefore does not apply to blockchain transactions, as the immutability of the blockchain represents a technical impossibility of deletion.
4. Authentication (Thirdweb)
EverAct uses Thirdweb for wallet authentication with the following options:
Google OAuth
Email, Name
Apple Sign In
Email, Name
Email Address
Legal Basis: Art. 6(1)(b) GDPR - Contract Performance
5. Receipt Processing
The following data is processed when scanning receipts:
| Data Type | Example | Storage Duration |
|---|---|---|
| Merchant Name | REWE, ALDI | Maximum 2 days |
| Purchase Date | 2026-04-10 | Maximum 2 days |
| Total Amount | 47.83 EUR | Maximum 2 days |
| Fingerprint | SHA256(merchant+date+total+hour) | Maximum 2 days |
No Storage of Photos: We do not store photos of your receipts. Only the text extracted via OCR is processed. Automatic deletion occurs at 00:01 UTC daily.
Legal Basis: Art. 6(1)(b) GDPR - Contract Performance
6. Score Data
The ECO token score is automatically calculated based on:
- Consumption Score (max. 15): Based on your purchase CO₂ analysis
- Sport Score (max. 8): Based on your HealthKit data
- Bonus Score (max. 2): For additional activities
Storage: Cloudflare KV (encrypted) · Daily Deletion: After blockchain transfer at 00:00 UTC
7. External Services and Third Country Transfer
Overview of External Services
| Service | Provider | Purpose |
|---|---|---|
| Cloudflare Workers | Cloudflare, Inc., USA | Receipt validation, Score storage |
| Google Gemini AI | Google LLC, USA | CO₂ analysis of receipt texts |
| Thirdweb | Thirdweb, Inc., USA | Wallet authentication |
| Apple HealthKit | Apple Inc., USA | Health data retrieval |
Third Country Transfer (USA): The transfer of personal data to the USA is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR.
8. Data Subject Rights
As a data subject, you have the following rights:
Right of Access (Art. 15)
Confirmation and copy of processed data
Right to Rectification (Art. 16)
Correction of inaccurate data
Right to Erasure (Art. 17)
Erasure unless retention obligations apply
Right to Data Portability (Art. 20)
Structured, machine-readable format
Exercise of Your Rights: frederik.pietratus@gmail.com
Revocation of Consent (Health Data): In iOS under Settings → Privacy → Health → EverAct → Revoke Access
9. Complaint to the Supervisory Authority
Competent Supervisory Authority
The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
Stand: April 2026 · Nächste Überprüfung geplant: April 2027