Privacy Policy

Last updated: 28.05.2026

This policy explains what personal data Mountain Memory (“the app”) collects, why, on what legal basis, and the rights you have under the EU General Data Protection Regulation (GDPR). Mountain Memory is currently in a closed testing phase distributed via Apple TestFlight.

1. Who is responsible

Dennis Rohlfing
c/o Impressumservice Dein-Impressum
Stettiner Str. 41
35410 Hungen
Germany
Email: contact@mountain-memory.app

The above person is the “controller” for your data within the meaning of Art. 4(7) GDPR.

2. What data we process, and why

Account data

When you create an account we store your email address, a securely hashed password (we never store your password in plain text), your display name, and an optional profile picture. We use this to create and secure your account and to identify you within the app.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — providing the service you signed up for).

Content you create

The app stores the content you add: the climbing routes and collections you create, your logged ascents, and any notes, captions, grades and route details you enter. Ascents are private by default and are only visible to collaborators of a deck you have shared them into.
Legal basis: Art. 6(1)(b) GDPR.

Photos you upload

If you upload photos, we store the original image file together with the cropped/resized versions the app displays.

Please note: the original photo file is stored as you uploaded it. Photo files can contain embedded metadata (EXIF), which may include the GPS location and the date/time the photo was taken. We do not currently remove this metadata from the stored original. The cropped/resized versions shown in the app do not retain this metadata. If you do not want to share location data, remove it from the photo before uploading.

Legal basis: Art. 6(1)(b) GDPR.

Information about other people

The app lets you credit climbing partners on an ascent and build a network of connected climbers. When you credit a climbing partner by name, or connect with another climber, we store that information. If you enter the name of a person who is not a Mountain Memory user, please only do so where you are entitled to.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (our and your legitimate interest in a shared climbing record).

Authentication token

After you log in, an authentication token (JWT) is stored locally on your device in the device’s secure storage so you stay signed in. It is not shared with any third party.
Legal basis: Art. 6(1)(b) GDPR.

Technical server logs

Our server keeps operational logs (e.g. request times and error messages) needed to run and secure the service. These can contain technical identifiers such as IP addresses.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the service).

3. Email messages

We use your email address to send you account-related messages, such as verifying your address. We may also send you marketing emails; should you receive one, you can unsubscribe from it at any time. We do not share your address with advertisers. Outbound email is delivered via a third-party processor (see § 6).

4. Third-party analytics, tracking and advertising

Mountain Memory does not use any third-party analytics, tracking or advertising SDKs. We do not track you across other apps or websites, do not sell your data, and do not licence to third parties any machine-learning models we may train on it. We do use one third-party service for crash and error reporting, described in the subsection below. See § 5 for the limited internal analytics, statistics and machine-learning that we do carry out on the personal content you create within the service.

Crash and error reporting (Sentry)

We use Sentry to collect crash reports and error diagnostics so we can fix bugs. When the app crashes or hits an error, technical data (device model, OS version, app version and a stack trace) is sent to Sentry, together with your climber ID when you are logged in so we can correlate the error to your account. We have configured Sentry not to attach IP addresses, cookies or authentication headers to these events. We have selected Sentry’s European data region, so this data is stored at rest in Frankfurt, Germany, with backups remaining in the EU. Functional Software, Inc. (doing business as Sentry), based in the United States, is our contracting processor under a data processing agreement and may access the data from the United States in the course of providing the service; such transfers are safeguarded by EU Standard Contractual Clauses and by Sentry’s self-certification to the EU–U.S. Data Privacy Framework.

Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in operating a stable and secure app).

5. Internal analytics, statistics and machine-learning

We may process the personal content you create within the service for two limited internal purposes:

Anonymous aggregate statistics

We may derive anonymous, aggregate statistics from your personal content to improve the service and refine the public route catalogue — for example, using community grade-feel data from logged ascents to inform a route’s consensus grade, or computing aggregated insights such as average grades climbed in a region. Once derived, such statistics no longer identify any individual climber and are no longer personal data.

In-service machine-learning

We may train machine-learning or other AI models on your personal content where the resulting model is used to operate or improve the service itself — for example, personalised route recommendations, fraud and abuse detection, or more sophisticated catalogue refinement. We do not licence or otherwise make such models available to third parties for their own purposes, and we do not use your personal content for marketing or advertising.

Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in operating, securing and improving the service and its public route catalogue, balanced against your reasonable expectations as a climber logging your climbs). You have the right to object to this processing at any time under Art. 21(1) GDPR by contacting us; see § 8.

6. Where your data is stored, and who processes it

Hosting (our server and database): Hetzner Online GmbH, with servers located in Germany. Hetzner acts as our processor under a data processing agreement (Art. 28 GDPR).
DNS, domain registration and email-alias forwarding: Cloudflare, Inc., based in the United States with a global edge network. Cloudflare is our domain registrar for mountain-memory.app, operates our authoritative DNS, and forwards email sent to contact@mountain-memory.app to a personal inbox. DNS queries may include the requester’s IP address. Cloudflare acts as our processor under a data processing agreement; transfers to the United States are safeguarded by EU Standard Contractual Clauses. See cloudflare.com/privacypolicy.
Transactional email delivery: Resend, Inc., based in the United States. Resend delivers the account-related emails described in § 3 (such as the email-verification message) and, for that purpose, processes the recipient’s email address, name and the body of the message. Resend acts as our processor under a data processing agreement; transfers to the United States are safeguarded by EU Standard Contractual Clauses. See resend.com/legal/privacy-policy.
Crash and error reporting: Functional Software, Inc. (doing business as Sentry), based in the United States. Sentry processes the crash and error diagnostics described in § 4 (device model, OS version, app version, stack traces and, when you are logged in, your climber ID) to help us identify and fix bugs. We have selected Sentry’s European data region, so this data is stored at rest in Frankfurt, Germany with backups remaining in the EU; Functional Software remains the contracting processor and may access the data from the United States in the course of providing the service. Sentry acts as our processor under a data processing agreement; transfers to the United States are safeguarded by EU Standard Contractual Clauses and by Sentry’s self-certification to the EU–U.S. Data Privacy Framework. See sentry.io/privacy.
App distribution: the app is distributed through Apple TestFlight. To install and run the test build, Apple Inc. processes data such as your Apple ID email and basic device and usage information under Apple’s own privacy policy. This involves a transfer to the United States; Apple relies on EU Standard Contractual Clauses for such transfers. See apple.com/legal/privacy.

7. How long we keep your data

We keep your account data and content for as long as your account exists. If you ask us to delete your account, we delete your personal data unless we are legally required to retain certain information. Anonymous aggregate statistics and machine-learning model parameters derived from your data before deletion (see § 5) are no longer personal data and are not affected by deletion. Technical logs are kept only for a short period needed for operation and security.

8. Your rights

Under the GDPR you have the right to:

access your personal data (Art. 15);
have inaccurate data corrected (Art. 16);
have your data deleted (Art. 17);
restrict processing (Art. 18);
receive your data in a portable format (Art. 20);
object to processing based on legitimate interest (Art. 21).

To exercise any of these rights, contact us at contact@mountain-memory.app.

You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for the controller is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Straße 22, 20459 Hamburg, datenschutz-hamburg.de

9. Data security

We use appropriate technical measures to protect your data, including encrypted transport (HTTPS) for all traffic between the app and our server, and hashed storage of passwords.

10. Children

Mountain Memory is not directed at children and is not intended for use by anyone under the age of 16.

11. Changes to this policy

We may update this policy as the app evolves. The “last updated” date at the top reflects the current version.