1. Data Controller

The data controller responsible for your personal data is:

Zest Labs GmbH
C 7 1, 68159 Mannheim, Germany
Email: contact@zestlabs.io
Phone: +49 (0) 160 698 818 9

2. What Data We Collect

In the App

We collect and process the following data when you use the TAFH App:

• Random device identifier: When you first launch the App, a random unique identifier (“user ID”) is generated and assigned to your device. This ID contains no personal information and cannot on its own be linked to your identity. It is used solely to distinguish between devices for the purposes of operating the App.
• Device model information: We may collect basic device model information (e.g. “iPhone 14”) to help us ensure App compatibility and performance.
• GPS location: When you submit a report, we collect the precise GPS coordinates of the hateful content you are reporting, along with a reverse-geocoded human-readable address.
• Report content: This includes the photograph you take of the reported content, the category and type of hate content, and an optional text comment. Photographs may incidentally contain personally identifiable information such as faces or vehicle registration plates visible in public spaces.
• IP address: When a report is submitted, we temporarily record the IP address of the submitting device. This is done exclusively to enable us to cooperate with law enforcement authorities in the event that illegal content is uploaded through the App.
• Reactions: If you react to a reported signal, the reaction is linked to your random device identifier.

On the Website

We do not collect any personal data from visitors to our Website. We do not use cookies, tracking technologies, or analytics tools on the Website.

3. How We Collect Your Data

Data is collected when you:

• Download and first launch the App (device identifier and model);
• Submit a report through the App (GPS location, photograph, report category, optional comment, and IP address);
• React to a report submitted by another user.

We do not collect data from third-party sources, social media platforms, or any other indirect means.

4. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

• Performance of a service (Art. 6(1)(b)): Processing of your random device identifier and device model information is necessary to provide the App’s core functionality.
• Your consent (Art. 6(1)(a)): Processing of GPS location, report photographs, and report content is based on your voluntary act of submitting a report. You may withdraw this at any time by requesting deletion of your submissions.
• Legitimate interests (Art. 6(1)(f)): Temporary retention of IP addresses is based on our legitimate interest in being able to cooperate with law enforcement should illegal content (such as content involving terrorism or child exploitation) be uploaded through the App. This interest is proportionate given the App’s purpose of combating hate content.

5. How We Use Your Data

We use the data we collect to:

• Operate and provide the core functionality of the TAFH App;
• Display approved reports on the public map within the App;
• Moderate submitted content to ensure compliance with our Terms and Conditions;
• Forward reports of illegal content (e.g. terrorism, child exploitation) to the relevant law enforcement authorities where legally required or permitted;
• Improve the App’s performance and compatibility.

We do not use your data for advertising or profiling, and we do not sell your data to third parties.

6. How Long We Keep Your Data

• Random device identifier: Retained for as long as you use the App. You may request deletion at any time (see “Your Data Protection Rights” below).
• Report content (location, image, comment): Retained for as long as the report remains active on the platform. Reports that are rejected or removed by moderators are deleted promptly. You may request deletion of your submitted reports at any time.
• IP address: Retained for a maximum of 90 days from the date of submission, after which it is permanently deleted — unless we are under a legal obligation to retain it for ongoing law enforcement proceedings.

7. Who We Share Your Data With

We do not sell or rent your personal data to any third party. We may share data only in the following limited circumstances:

• Law enforcement authorities: If content submitted through the App is determined to be illegal, we may disclose the associated IP address and report content to the competent authorities as required by law.
• Technical service providers: We engage European cloud hosting and infrastructure providers who process data strictly on our behalf, exclusively within the EU/EEA, under data processing agreements in accordance with Art. 28 GDPR.

8. Data Storage and International Transfers

All personal data collected through the App is stored and processed exclusively within the European Union (EU) and European Economic Area (EEA). Our backend services, database, and image storage are hosted with European cloud providers operating data centres within the EU. Data processing agreements in accordance with Art. 28 GDPR are in place with each provider.

We do not transfer your personal data to countries outside the EU/EEA. As all our infrastructure is operated by European providers within the EU, no transfer mechanisms under Chapter V GDPR (such as Standard Contractual Clauses) are required for these services.

Note on app distribution: Downloading the App via the Apple App Store or Google Play Store involves processing by Apple Inc. and Google LLC respectively, which may occur outside the EU/EEA. This is governed by their own privacy policies and is outside our control.

9. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you, free of charge.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): You may request deletion of your personal data, subject to any legal retention obligations.
• Right to restrict processing (Art. 18): You may request that we limit how we process your data in certain circumstances.
• Right to object (Art. 21): You may object to processing based on our legitimate interests.
• Right to data portability (Art. 20): You may request that we provide your data in a structured, commonly used, machine-readable format.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at contact@zestlabs.io or in writing to Zest Labs GmbH, C 7 1, 68159 Mannheim, Germany. We will respond within one month of receiving your request.

10. Cookies

We do not use cookies or any similar tracking technologies on our Website. No information is collected from your browser when you visit our Website.

11. Changes to This Privacy Policy

We review this Privacy Policy regularly and will post any updates on this page. Where changes are material, we will take reasonable steps to notify you. This Privacy Policy was last updated on June 4, 2026.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise any of your data protection rights, please contact us:

Email: contact@zestlabs.io
Phone: +49 (0) 160 698 818 9
Post: Zest Labs GmbH, C 7 1, 68159 Mannheim, Germany

13. How to Contact the Supervisory Authority

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the competent supervisory authority. As a company based in Baden-Württemberg, Germany, the relevant authority is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI)