Privacy Policy
Last updated: July 9, 2026
General Information
This Privacy Policy explains which personal data is processed when using Ninety Days, the purposes for which it is processed, and the rights available to users.
Ninety Days collects and processes personal data where necessary to provide the app, operate the website, ensure technical security, process payments, provide platform services, and comply with legal obligations.
Data Controller
The data controller responsible for processing personal data is:
Andreas Stein
c/o Block Services
Stuttgarter Str. 106
70736 Fellbach
Germany
Controller's email address: a.s@andreas-stein.tech
Types of Data Collected
The personal data processed by Ninety Days, either directly or through third parties, includes in particular:
- Payment Data
- Usage Data
- Email Address
- Device Information
- Various Types of Data
- Trackers
- Data Accessible Across Devices
Provision of Data
Complete details about each type of personal data processed are provided in the relevant sections of this Privacy Policy or through specific explanatory notices displayed before data collection.
Personal data may be freely provided by users or, in the case of Usage Data, collected automatically when using Ninety Days.
Unless otherwise specified, all data requested by Ninety Days is mandatory where required for the respective functionality. Failure to provide such data may prevent Ninety Days from providing certain services.
Any use of Trackers, cookies, or similar technologies by Ninety Days or third-party services is intended to provide the service requested by the user as well as the additional purposes described in this Privacy Policy.
Users who are uncertain about which personal data is mandatory may contact the Controller.
Third-Party Data
Users are responsible for any third-party personal data obtained, published, or shared through Ninety Days and confirm that they are authorized to provide such data.
Methods and Place of Processing
Methods of Processing
The Controller processes personal data in a proper manner and adopts appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the data.
Data processing is carried out using computers and IT-enabled systems in accordance with organizational procedures and practices that are strictly related to the purposes described in this Privacy Policy.
Access to Data
In addition to the Controller, personal data may in certain cases be accessible to individuals involved in the operation of Ninety Days, including administrative, legal, technical, or system administration personnel, as well as external service providers.
These external service providers may include hosting providers, technical service providers, payment processors, communication providers, or platform operators engaged by the Controller.
Place of Processing
Data is processed at the Controller's operating offices and at any other locations where the parties involved in the processing are located.
Depending on the user's location, data transfers may involve transferring personal data to a country other than the user's own. Further information is provided in the sections concerning the individual services and transfers of personal data outside the European Union.
Retention Period
Unless otherwise specified in this Privacy Policy, personal data is processed and stored for as long as required by the purpose for which it was collected and may be retained longer where required by law or based on the user's consent.
Data processed for the performance of a contract between the Controller and the user is retained until that contract has been fully performed.
Data processed for the purposes of the Controller's legitimate interests is retained for as long as necessary to fulfill those purposes.
Where processing is based on consent, personal data may be retained until such consent is withdrawn.
Longer retention periods may apply where required to comply with legal obligations or for the establishment, exercise, or defense of legal claims.
Once the applicable retention period expires, personal data will be deleted. After deletion, rights such as access, erasure, rectification, or data portability can no longer be exercised unless the relevant data is still available.
Purposes of Processing
Personal data is processed in order to provide, operate, improve, and lawfully offer Ninety Days.
In addition, data is processed in particular for the following purposes:
- Payment processing
- Data transfers outside the EU
- Hosting and backend infrastructure
- Platform services and hosting
- Analytics
- Provision and operation of the app
- Technical security and maintenance
- Compliance with legal obligations
Detailed Information on the Processing of Personal Data
Analytics
The services described in this section allow the Controller to monitor and analyze traffic and evaluate user behavior.
Anonymized Usage Statistics
Anonymized usage data is processed for technical analysis and statistical evaluation of the use of this website.
This may include, in particular, language settings used, the country of origin based on anonymized IP geolocation at country level, as well as the times of page views and redirects.
No IP addresses are stored. Processing takes place exclusively in aggregated form for statistical and technical purposes. Personal identification does not take place.
Hosting and Backend Infrastructure
This type of service is used to host data and files required for the operation and provision of Ninety Days or to provide a technical infrastructure through which certain functions or components of Ninety Days are executed.
Some of these services may operate through geographically distributed servers. This can make it difficult to determine the exact storage location of personal data in individual cases.
STRATO
When visiting the website, the hosting provider STRATO automatically processes access data in so-called server log files.
- anonymized IP address of the visitor
- date and time of access
- browser type and browser version
- visitor's operating system
- referrer URL or previously visited website
- name of the accessed web page and requested file
- amount of data transferred
Purpose and Retention Period at STRATO
This data is stored exclusively to ensure the technical operation, security, and stability of the website and to detect and defend against potential attacks.
IP addresses are anonymized by STRATO immediately after collection. The anonymized data is stored for a maximum of seven days and then permanently deleted.
Further information: STRATO Privacy Policy
Platform Services and Hosting
These services are used to host and operate key components of Ninety Days so that the app can be provided through a unified platform.
Such platforms may provide tools for analytics, user management, database management, app distribution, e-commerce, or payment processing. This may involve the processing of personal data.
CloudKit
CloudKit is a hosting service provided by Apple Inc. that enables the Controller to manage the storage of data and the transfer of data to and from iCloud servers.
Storing data in iCloud allows users to access their data across multiple devices.
Personal Data processed: Data accessible across devices, Usage Data, and Trackers.
Service provider: Apple Inc. (United States).
Further information: Apple Privacy Policy
App Store Connect
Ninety Days is distributed through the Apple App Store. App Store Connect is a platform provided by Apple Inc. for managing mobile applications available in the App Store.
Depending on the configuration, App Store Connect provides statistical information about user engagement, app discovery, marketing campaigns, sales, in-app purchases, and payments, enabling the Controller to measure the performance of Ninety Days.
App Store Connect processes such data only for users who have agreed to share this information with the Controller. Users can manage this preference in their device settings.
Personal Data processed: Usage Data.
Service provider: Apple Inc. (United States).
Further information: Apple Privacy Policy
Payment Processing
Unless otherwise specified, Ninety Days processes payments through external payment service providers. As a general rule, and unless otherwise stated, payment data is processed directly by the respective payment service provider.
Ninety Days is generally not involved in the collection or processing of complete payment information. Instead, it receives notifications from the relevant payment provider confirming whether a payment has been successfully completed, together with the information required to manage purchases, in-app purchases, subscriptions, billing, and legal obligations.
Apple App Store
Payments, in-app purchases, and subscriptions are processed through the Apple App Store. The actual payment transaction is handled exclusively by Apple.
The Controller is generally not involved in the collection or processing of complete payment information, but receives notifications and information required to manage the app, purchases, subscriptions, billing, and legal obligations.
Personal Data processed: Email Address, Device Information, Usage Data, and Payment Data.
Service provider: Apple Inc. (United States).
Further information: Apple Privacy Policy
Data Transfers Outside the European Union
Personal data may be processed outside the European Union in connection with the services used, particularly where a service provider is established in a third country or operates servers there.
Transfers Based on Standard Contractual Clauses
Where personal data is transferred to third countries, such transfers may take place on the basis of the Standard Contractual Clauses adopted by the European Commission.
In such cases, the recipients undertake to process personal data in accordance with the data protection standards of the European Union.
Further information can be obtained from the Controller using the contact details provided in this Privacy Policy.
Legal Basis for Processing
Personal data is processed, where required, on one or more of the following legal bases:
Article 6(1)(a) GDPR, where users have given their consent for one or more specific purposes.
Article 6(1)(b) GDPR, where processing is necessary for the performance of a contract with the user or to take steps at the user's request prior to entering into a contract.
Article 6(1)(c) GDPR, where processing is necessary for compliance with a legal obligation.
Article 6(1)(e) GDPR, where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Article 6(1)(f) GDPR, where processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the user.
Upon request, the Controller will provide information about the specific legal basis applicable to a particular processing activity, including whether the provision of personal data is required by law, contract, or necessary for entering into a contract.
User Rights
Users may exercise certain rights regarding their personal data processed by the Controller, subject to the applicable legal provisions.
Right of Access
Users have the right to obtain confirmation as to whether their personal data is being processed, to receive information about specific aspects of the processing, and to obtain a copy of the personal data undergoing processing.
Right to Rectification
Users have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
Right to Erasure
Users have the right, under the conditions set out by applicable law, to request the deletion of their personal data.
Right to Restriction of Processing
Users have the right, under the conditions set out by applicable law, to request the restriction of the processing of their personal data.
Right to Data Portability
Users have the right to receive their personal data in a structured, commonly used, and machine-readable format and, where technically feasible, to have those data transmitted to another controller.
Right to Object
Users have the right to object to the processing of their personal data where such processing is based on the Controller's legitimate interests.
Where personal data is processed for direct marketing purposes, users may object at any time, and the personal data will no longer be processed for such purposes.
Withdrawal of Consent
Where processing is based on consent, users may withdraw their consent at any time with effect for the future.
Right to Lodge a Complaint
Users have the right to lodge a complaint with the competent data protection supervisory authority.
Exercising These Rights
Requests to exercise user rights may be submitted using the contact details provided in this Privacy Policy.
Such requests may be made free of charge and will be answered by the Controller as soon as possible and, in any event, within one month.
Any rectification, erasure, or restriction of processing will be communicated by the Controller to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
Additional Information for Users in Switzerland
This section applies to users in Switzerland and replaces any other potentially conflicting or differing provisions contained in this Privacy Policy.
Further details regarding the categories of personal data processed, the purposes of processing, recipients of personal data, retention periods, and other relevant information can be found in the corresponding sections of this Privacy Policy.
Rights Under Swiss Data Protection Law
Users in Switzerland may, subject to the applicable legal provisions, request access to their personal data, request the correction of inaccurate data, request the deletion or destruction of personal data, object to the processing of their personal data, and request the disclosure or transfer of certain personal data.
These rights may be exercised using the contact details provided in this Privacy Policy.
Additional Information for Users in Brazil
This section supplements the other information contained in this Privacy Policy for users residing in Brazil in accordance with the Lei Geral de Proteção de Dados (LGPD). For such users, it replaces any conflicting or inconsistent provisions of this Privacy Policy.
In this section, the term 'personal information' shall have the meaning assigned to it by the LGPD.
Legal Bases Under Brazilian Data Protection Law
Personal information may only be processed where a valid legal basis exists, including consent, compliance with legal or regulatory obligations, the performance of a contract or pre-contractual measures, the exercise of rights in judicial or administrative proceedings, the protection of life or physical safety, legitimate interests where fundamental rights and freedoms do not prevail, or the protection of credit.
Further information regarding the legal basis applicable in each case may be requested using the contact details provided in this Privacy Policy.
Rights Under Brazilian Data Protection Law
Users in Brazil are entitled, under the LGPD, to obtain confirmation of processing, access their personal information, request the correction of incomplete, inaccurate, or outdated data, request anonymization, blocking, or deletion of unnecessary or unlawfully processed data, request data portability, obtain information regarding data sharing, withdraw consent, lodge complaints with the ANPD or consumer protection authorities, and object to unlawful processing.
Requests may be submitted free of charge using the contact details provided in this Privacy Policy. Where a detailed response is required, it will be provided within 15 days in accordance with the LGPD.
Transfers of Personal Information Outside Brazil
Personal information may be transferred outside Brazil where permitted by the LGPD, including where necessary to comply with legal or regulatory obligations, perform a contract or pre-contractual measures, enable international cooperation, where authorized by the ANPD, or where appropriate safeguards are in place.
Additional Information for Users in the United States
This section supplements the other information contained in this Privacy Policy for users residing in U.S. states with applicable privacy laws, including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and Montana.
For these users, this section replaces any conflicting or inconsistent provisions. The terms 'personal information' and 'sensitive personal information' shall have the meanings assigned to them under the applicable state privacy laws.
Notice Regarding the Collection of Personal Information
During the previous 12 months, identifiers, commercial information, and information relating to internet or other electronic network activity may have been collected or disclosed.
The data processed may include Usage Data, Email Address, Device Information, various types of data, Trackers, Data Accessible Across Devices, and Payment Data classified as sensitive personal information.
This information is processed for the purposes described in this Privacy Policy, including payment processing, transfers of data outside the European Union, platform services and hosting, and other purposes relating to the processing of personal data.
No Sale, No Sharing, and No Targeted Advertising
Ninety Days does not sell personal information, does not share personal information for cross-context behavioral advertising as defined under applicable U.S. privacy laws, and does not process personal information for targeted advertising unless expressly stated otherwise in this Privacy Policy.
Sources and Recipients of Personal Information
Personal information is collected directly or indirectly from users when they use Ninety Days and may also be obtained from third parties cooperating with the Controller in connection with the service or its features.
Recipients or involved third parties may include, in particular, Apple Inc. and service providers acting on behalf of Ninety Days.
Privacy Rights Under U.S. State Laws
Subject to the applicable law, users may have the right to obtain confirmation that their personal information is being processed, access such information, correct inaccurate personal information, request deletion, obtain a copy in a portable format, and opt out of the sale, sharing, targeted advertising, or certain profiling activities.
California residents may additionally have the right to opt out of the sharing of personal information for cross-context behavioral advertising and to limit the use or disclosure of sensitive personal information to what is necessary.
Residents of other U.S. states may have additional rights, particularly regarding targeted advertising, profiling, consent for the processing of sensitive personal information, or information about specific third parties with whom personal information has been shared.
Exercising These Rights
To exercise the rights described above, users may contact the Controller using the contact details provided in this Privacy Policy. The Controller may request proof of identity before processing a request.
Requests will be answered without undue delay and within the time limits prescribed by applicable law. If a request is denied, the Controller will provide the reasons where required by law.
No fee will generally be charged for exercising privacy rights unless a request is manifestly unfounded, excessive, or a fee is otherwise permitted by applicable law.
Further Information About Data Processing
Level of Protection for User Data
Ninety Days shares user data only with carefully selected third parties that provide a level of data protection consistent with the standards described in this Privacy Policy and with the applicable legal requirements.
Legal Action
The Controller may process personal data for the purpose of enforcing legal claims, including in preparation for judicial proceedings arising from the use of Ninety Days or the related services.
Users acknowledge that the Controller may be required to disclose personal data in response to lawful requests from public authorities.
Additional Information About Personal Data
In addition to the information contained in this Privacy Policy, Ninety Days may provide users, upon request, with contextual information relating to specific services or to the collection and processing of personal data.
System Logs and Maintenance
For operational and maintenance purposes, Ninety Days and third-party services may collect files that record interactions with Ninety Days or use other personal data, such as IP addresses, for these purposes.
Information Not Contained in This Privacy Policy
Further information concerning the collection or processing of personal data may be requested from the Controller at any time using the contact details provided in this Privacy Policy.
SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. An encrypted connection can be recognized by the "https://" prefix in the browser's address bar and the padlock symbol displayed by the browser.
Changes to This Privacy Policy
The Controller reserves the right to amend this Privacy Policy at any time. Users will be informed of any changes on this page and, where technically and legally possible, within Ninety Days or by means of the contact information available to the Controller.
Users are encouraged to review this page regularly and, in particular, to check the date of the latest update.
Where changes affect processing activities based on consent, the Controller will obtain new consent where required by law.
Definitions and Legal References
Personal Data
Personal Data means any information that directly, or in combination with other information, allows the identification or makes identifiable a natural person.
Sensitive Personal Information
Sensitive Personal Information means personal information that is not publicly available and is classified as sensitive under the applicable data protection laws.
Usage Data
Usage Data refers to information collected automatically by Ninety Days or third-party services. This may include IP addresses or domain names of the devices used, URI addresses, the time of the request, the method used to submit the request to the server, the size of the response file, the server response status, the country of origin, browser and operating system details, the duration of visits, pages viewed, and other technical parameters relating to the user's device and IT environment.
User
User means the natural person using Ninety Days and, unless otherwise specified, corresponds to the Data Subject.
Data Subject
Data Subject means the natural person to whom the Personal Data relates.
Data Processor
Data Processor means any natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.
Data Controller
Data Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Ninety Days
Ninety Days refers to the app, website, or digital service through which Personal Data is collected and processed.
Service
Service refers to the functions, content, and features provided by Ninety Days, as described in this Privacy Policy.
Sale
Sale means the exchange of Personal Information by the Controller with a third party for monetary or other valuable consideration within the meaning of the applicable U.S. state privacy laws.
Sharing
Sharing means, in particular, the disclosure, transfer, or other making available of Personal Information to third parties for cross-context behavioral advertising where such activity is defined as sharing under applicable data protection law.
Targeted Advertising
Targeted Advertising means advertising that is selected based on Personal Information obtained from a person's activities over time and across non-affiliated websites, applications, or online services.
Cookie
Cookies are Trackers consisting of small data files stored in the user's browser.
Tracker
Tracker means technologies such as cookies, unique identifiers, web beacons, embedded scripts, E-Tags, or fingerprinting technologies that enable users to be tracked, for example by storing or accessing information on a user's device.
European Union
Unless otherwise specified, any reference in this Privacy Policy to the European Union also includes the European Economic Area (EEA).