Skip to content
QrushBETA

Privacy Policy

1. Responsible Entity

Qrush GmbH
Zum Sportplatz 5
01723 Kesselsdorf
Phone: +49 152 24871373
Email: contact[at]qrushapp.de

2. General Information on Data Processing

We process your personal data only to the extent necessary to provide a functional app, website, and our content and services.

Legal basis for processing:

  • Art. 6 Abs. 1 lit. a) DSGVO – Consent
  • Art. 6 Abs. 1 lit. b) DSGVO – Contract performance
  • Art. 6 Abs. 1 lit. c) DSGVO – Legal obligation
  • Art. 6 Abs. 1 lit. f) DSGVO – Legitimate interest

3. Your Rights as a Data Subject

You have the right:

  • to information (Art. 15 DSGVO, §34 BDSG)
  • to rectification (Art. 16 DSGVO)
  • to erasure (Art. 17 DSGVO, §35 BDSG)
  • to restriction of processing (Art. 18 DSGVO)
  • to object to processing (Art. 21 DSGVO)
  • to data portability (Art. 20 DSGVO)
  • to withdraw given consent (Art. 7 Abs. 3 DSGVO)
  • not to be subject to automated decision-making (Art. 22 DSGVO)
  • to lodge a complaint with a supervisory authority (Art. 77 DSGVO)

To exercise your rights, an informal notification to [email protected] is sufficient.

4. Procedure for Exercising Data Subject Rights

To process your request, we process your information. This will be stored as proof of your request until the expiration of the limitation period (3 years). The legal basis is Art. 6 Abs. 1 lit. f) DSGVO.

5. Data Transfer to Third Countries

Data transfer outside the EU only occurs if there is an adequacy decision, appropriate safeguards, or your explicit consent according to Art. 44 ff. DSGVO.

6. Contract Processing

We use external service providers (e.g., hosting, analytics, shipping services). They are contractually obligated according to Art. 28 DSGVO to comply with data protection requirements.

7. Data Processing on Our Website

Email Contact

Contacting us via provided email addresses leads to the storage and processing of your information. The legal basis is Art. 6 Abs. 1 lit. b), f) or a) DSGVO.

Analytics Tools and Cookies

Our website uses cookies and analytics tools for optimization. The legal basis for essential cookies is Art. 6 Abs. 1 lit. f) DSGVO, for optional cookies Art. 6 Abs. 1 lit. a) DSGVO.

Cookies Used

  • Session Cookies: Session-related identification, deleted when closing the browser
  • Cookie Consent Cookies: Your consent settings

Server Log Files

Information such as IP address, browser type, referrer, time, etc. is automatically collected and stored for a short time. The legal basis is Art. 6 Abs. 1 lit. f) DSGVO.

8. Data Processing in Our App

A user profile is required to use our app. The following data is processed:

  • Phone number
  • Name (mandatory: real first name)
  • Date of birth
  • Gender & preference
  • Location (optional, with consent)
  • Profile pictures
  • Participation in events & Qrush rounds
  • Matching, chats, QR code function

Legal Basis

  • Contract performance (Art. 6 Abs. 1 lit. b) DSGVO)
  • Consent for location and certain functions (Art. 6 Abs. 1 lit. a) DSGVO)

Chats & Reports

Chats can be technically viewed by us as the app operator. However, we have committed in our terms and conditions to only do so when users report possible violations of our terms and conditions and community guidelines, and then analyze the chats for review purposes. In case of criminally relevant behavior, we reserve the right to forward the data to the competent law enforcement authorities. Legal basis: Art. 6 Abs. 1 lit. b), c) and f) GDPR. Our legitimate interest lies in protecting our users from abusive actions by other users.

Deletion

After deleting your account, data will be completely removed after 3 months.

Payment Processing & Qrush Plus

For payment processing within Qrush Plus, we use the payment service providers Apple and Google via the RevenueCat platform. Personal data such as name and billing address may be processed. Further processing of payment data is carried out by these third parties. The legal basis for this is Art. 6 Abs. 1 lit. b) GDPR (contract performance). We have concluded a data processing agreement with the provider in accordance with Art. 28 GDPR. Billing-relevant data is stored in accordance with the law for up to 10 years.

App Permissions

Our app requests the following permissions depending on usage: access to camera, location data, photo library, and push notifications. These permissions are based on user consent (Art. 6 Abs. 1 lit. a) DSGVO) and are required for certain functions. Refusal may limit functionality. Users can revoke their consent at any time in device settings.

Analytics and Tracking Services

To optimize our services and for error analysis, we use the analytics tools PostHog and Firebase. Usage data is processed. The legal basis for this is user consent or, where justified, our legitimate interest (Art. 6 Abs. 1 lit. a) or f) DSGVO). Data transfers to these service providers, especially Firebase based in the USA, are carried out based on appropriate protective measures such as standard contractual clauses.

Promotional Communication

We currently do not send paid advertising via push messages or email. However, we obtain consent at the beginning for the use of push notifications. This can be revoked at any time.

Storage Periods

Personal data is retained according to respective legal requirements and storage periods:

  • Profile data and usage data including chat histories: up to 3 months after deletion of user account
  • Payment and billing data: up to 10 years
  • Support and communication data: up to 3 years

Data Transfer to Third Countries

We transfer data to service providers within and outside the EU. The database is hosted with Firebase in the USA. The protection of data in transfers to third countries is ensured by appropriate security measures such as standard contractual clauses according to Art. 46 DSGVO.

Identity Verification (Verified Badge)

Purpose and Functionality

As part of our social feature, we offer voluntary identity verification. The purpose of this feature is to protect our community: verified users receive a Verified Badge on their profile, signaling to others that they are a real person. At the same time, verification ensures that banned users cannot re-verify themselves with a new account.

Data Processed

For verification, a selfie is captured. From this image, only biometric contour data (so-called facial embeddings) are extracted – that is, mathematical representations of facial geometry (positioning of eyes, mouth, face shape). The selfie image itself is deleted immediately after the contour data has been extracted and is not stored.

The original face cannot be reconstructed from the stored contour data.

The following data is stored per user:

  • User ID (internal identifier)
  • Verification status (verified / banned)
  • Biometric contour data (facial embedding)
  • Timestamp of verification

Legal Basis

The processing of biometric data is carried out exclusively on the basis of your explicit consent pursuant to Art. 6 Abs. 1 lit. a) DSGVO in conjunction with Art. 9 Abs. 2 lit. a) DSGVO.

This consent is obtained during the opt-in verification process within the app.

You may withdraw your consent at any time. Withdrawal can be made via the app settings or by email to [email protected]. Withdrawal will result in the deletion of your biometric contour data and the loss of the Verified Badge. The lawfulness of any processing carried out prior to the withdrawal remains unaffected.

Voluntariness

Verification is entirely voluntary. Users can use the app and all core features without restriction and without verification. The only consequence of not verifying is that no Verified Badge will be displayed on the profile.

Technical and Organizational Measures

The biometric contour data is stored in a PostgreSQL database operated in a Docker container on a server of our service provider, Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Access to the database is possible only via API key authentication. The server is protected by a firewall. No transfer of biometric data to third countries or third parties takes place.

Retention Period

Personal data related to verification is retained as follows:

  • Biometric contour data for active accounts: for the duration of account usage
  • Biometric contour data after account deletion: deleted within 30 days
  • Biometric contour data after a ban: 2 years after the ban, in order to prevent banned users from re-verifying with a new account. The legal basis for this is Art. 6 Abs. 1 lit. b) DSGVO, as we fulfill our contractual obligations toward all users by continuing to prevent the person in question from re-registering. After the two-year period has elapsed, the data is deleted.

No Use of Third-Party Providers

All processing of biometric data takes place exclusively on our own infrastructure or that of our hosting provider. In particular, no third-party providers are used for facial recognition or the storage of biometric data.

9. Data Processing for Advertising Purposes

Social Media Presence

We operate pages on Instagram, TikTok, YouTube, LinkedIn, and X (formerly Twitter). Data may be processed by the platforms outside the EU.

Legal Basis:

  • Legitimate interest (Art. 6 Abs. 1 lit. f) DSGVO)
  • possibly consent (Art. 6 Abs. 1 lit. a) DSGVO)

Note: Platform providers often have direct access to your data. For information or deletion requests, it is most effective to contact them directly.

10. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy to adjust it to legal changes or changes in data processing. You can always find the current version on our website.