Privacy Policy

Last updated: 15 February 2026
Version: 1.0

The Service is operated by a private individual. This policy is drafted in accordance with the General Data Protection Regulation (GDPR) and applicable European data protection laws.

1: Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Ali Akbar Rahimi
Steindamm 80
25337 Elmshorn
Germany

Email: privacy@credio.online
General contact: contact@credio.online

Ali Akbar Rahimi operates the Credio Service as a private individual.

For customer accounts created by an owner, the respective owner acts as an independent data controller for the personal data they enter. In this context, Ali Akbar Rahimi processes such data on behalf of the respective owner in accordance with Article 28 GDPR.

2: Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The competent supervisory authority for the data controller is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
Germany

Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Website: https://www.datenschutzzentrum.de

3: Categories of Personal Data

The following categories of personal data are processed in connection with the Service:

3.1 Account Identification Data

This data is required to create and manage user accounts.

3.2 Notebook Entry Data

This data is entered by users and stored solely for displaying and organizing personal notebook records.

3.3 Communication Data

Chat data is accessible only to the related account participants.

3.4 Authentication and Security Data

This data is processed to secure accounts and prevent unauthorized access.

3.5 Technical and Log Data

When users interact with the Service, technical metadata may be processed automatically, including:

This processing is limited to what is necessary for secure operation, system integrity, and abuse prevention.

Render, as hosting provider, may process infrastructure-level logs as a data processor in accordance with its Data Processing Addendum.

3.6 Email Communication Data

When users send or receive emails through the Service, the following data are processed:

Outgoing emails are processed via Brevo.
Incoming email is handled by Google Workspace.

4: Hosting and Infrastructure Providers

4.1 Hosting and Infrastructure (Render)

Backend application, database, and supporting infrastructure are hosted by Render Services, Inc., United States.

Render provides application hosting, managed database services, and infrastructure-level security monitoring. Production services are deployed in the Frankfurt (Germany) region.

Render acts as a data processor within the meaning of Art. 28 GDPR. A Data Processing Agreement (DPA) has been concluded.

As Render is a U.S.-based provider, personal data may be transferred to the United States. Such transfers are safeguarded by:

Render may engage authorized subprocessors to provide its services. An up-to-date list of subprocessors is available at:

https://render.com/trust

4.2 Push Notifications (Firebase Cloud Messaging)

This application uses Firebase Cloud Messaging (FCM), a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to send push notifications.

When the app is installed, a device-specific push token is generated by Firebase. This token is transmitted to the backend server and stored together with the corresponding user ID. The token is used solely to deliver notifications related to the functionality of the application.

No additional personal data is transmitted to Firebase for this purpose beyond what is technically required to deliver push notifications.

The legal basis for this processing is Article 6(1)(b) GDPR (performance of a contract), as push notifications are necessary for the proper operation of the user account within the app.

The push token is deleted when:

Users can disable push notifications at any time in the device settings.

4.3 Email Communication (Google Workspace)

Incoming emails to addresses under the domain credio.online (e.g., admin@, privacy@, contact@) are processed using Google Workspace, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Workspace is used solely for receiving and storing emails sent to the above addresses.

The legal basis for processing email communication is Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in handling inquiries and account-related communication).

Google acts as a data processor within the meaning of Art. 28 GDPR. The Cloud Data Processing Addendum (DPA) has been accepted.

As Google may process data outside the European Union, transfers are safeguarded by:

Emails are retained only as long as necessary to handle the respective request or fulfill legal obligations.

4.4 Transactional Email Delivery (Brevo)

Outgoing transactional emails (e.g., account-related notifications) are sent using Brevo, provided by Sendinblue SAS (Brevo), 106 Boulevard Haussmann, 75008 Paris, France.

Brevo processes recipient email addresses and the content of transactional emails solely for the purpose of delivering such communications.

Brevo acts as a data processor within the meaning of Art. 28 GDPR. A Data Processing Agreement forms part of Brevo’s General Conditions of Use and applies automatically upon account usage.

Data is processed exclusively for the delivery of transactional communication and is not used for marketing purposes.

5: Purposes and Legal Basis of Processing

Personal data is processed solely for the following purposes and on the following legal bases pursuant to Article 6 GDPR:

5.1 Account Creation and Account Management

Personal data is processed to:

Legal basis:

Article 6(1)(b) GDPR (performance of a contract).

5.2 Provision of Notebook Functionality

Personal data is processed to:

Legal basis:

Article 6(1)(b) GDPR (performance of a contract).

5.3 In-App Communication (Chat)

Communication data is processed to:

Legal basis:

Article 6(1)(b) GDPR (performance of a contract).

5.4 Security and Abuse Prevention

Technical and security-related data is processed to:

Legal basis:

Article 6(1)(f) GDPR (legitimate interest).

The legitimate interest consists in ensuring the security, stability, and lawful operation of the Service.

5.5 Push Notifications

Push tokens are processed to:

Legal basis:

Article 6(1)(b) GDPR (performance of a contract).

Users may disable push notifications at any time via device settings.

5.6 Email Communication

Personal data is processed to:

Legal basis:

Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in handling inquiries).

No marketing emails are sent.

6: Data Retention and Storage Periods

Personal data is retained only for as long as necessary to fulfill the purposes of processing or to comply with statutory retention obligations.

6.1 Customer Accounts

Customers may request account deletion only if their account balance is zero.

Once a deletion request is submitted:

During this 30-day period, no access is possible for the customer.

After expiration of the 30-day grace period:

This anonymized data cannot be used to re-identify the former customer.

6.2 Owner Accounts

Owners may request account deletion only if no active customer accounts exist.

If active customers exist, account deletion is not possible.

Deletion requests are reviewed by a Super Admin.

Upon approval:

6.3 Technical and Log Data

Security and system logs are retained only for as long as necessary to:

Retention periods are limited to what is proportionate and necessary for security purposes.

Infrastructure-level logs processed by the hosting provider are retained in accordance with the provider’s internal policies.

6.4 Push Notification Tokens

Push notification tokens are stored only as long as the corresponding user account is active.

Tokens are deleted when:

6.5 Communication Data (Chat)

Chat messages are stored for the duration of the respective account relationship.

If a customer account enters “pending deletion” status:

After expiration of the 30-day grace period:

If an owner account is permanently deleted, all associated chat data is permanently deleted together with the account.

6.6 Email Communication Data

Emails are retained only as long as necessary to:

Where statutory retention obligations apply (e.g., under German commercial or tax law), data will be retained for the legally prescribed period and subsequently deleted.

7: Automated Decision-Making

No automated decision-making within the meaning of Article 22 GDPR takes place.

In particular:

All relevant decisions affecting user accounts involve human review.

8: International Data Transfers

Personal data is processed primarily within the European Union.

Where service providers are established outside the European Union or where data processing may involve access from third countries (in particular the United States), transfers are carried out in accordance with Chapter V GDPR.

Where applicable, transfers are safeguarded by one or more of the following mechanisms:

The following providers may involve processing in the United States:

Transfers are carried out on the basis of legally recognized transfer mechanisms in accordance with Chapter V GDPR.

Where service providers are established within the European Union (e.g., Brevo, France), processing takes place within the EU unless subprocessors located in third countries are engaged under legally valid safeguards.

No transfers are carried out without an appropriate legal basis under Articles 44–49 GDPR.

9: Technical and Organizational Security Measures

Appropriate technical and organizational measures are implemented in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk.

These measures include in particular:

Access to personal data is restricted to what is necessary for the respective processing purpose.

10: Updates to This Privacy Policy

This Privacy Policy may be updated where necessary to reflect:

The current version number and last update date are indicated at the beginning of this document.

Material changes will be communicated through the application where appropriate.

11: Data Subject Rights (GDPR Articles 12–23)

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights, subject to statutory limitations:

11.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed and, if so, to obtain access to that data and to further information regarding the processing.

11.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate personal data concerning you and to request completion of incomplete data.

11.3 Right to Erasure (“Right to be Forgotten”) (Art. 17 GDPR)

You have the right to request the deletion of your personal data where one of the statutory grounds applies, unless processing is required for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

11.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing where the statutory conditions are met.

11.5 Right to Data Portability (Art. 20 GDPR)

Where processing is based on Article 6(1)(b) GDPR (performance of a contract) or consent and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.

(Currently, no automated export interface is provided. Requests may be submitted manually.)

11.6 Right to Object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, to processing based on Article 6(1)(f) GDPR (legitimate interest). In such a case, processing will cease unless compelling legitimate grounds override your interests, rights, and freedoms or processing serves the establishment, exercise, or defense of legal claims.

11.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you may withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

11.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The competent supervisory authority is listed in Section 2 of this Privacy Policy.

Exercise of Rights

Requests may be submitted to: privacy@credio.online