function n(a,b,c,d){let e=m(a,b,c,d);return"string"!=typeof e?l(a,M.a.INVALID_MESSAGE,void 0):e}

Legal · Privacy

Privacy Policy

As of: 31 May 2026

1. Information Obligation under Art. 13 GDPR

This Privacy Policy fulfils the information obligation under Art. 13 GDPR (data collected directly from the data subject). Since Treffnah does not collect any real names or contact details, the information obligation under Art. 14 GDPR (data from other sources) does not apply — no personal data is obtained from third-party sources whatsoever.

2. Controller under Art. 4(7) GDPR

Nan Yu Horstmarer Str. 9 44329 Dortmund Germany Email: datenschutz@treffnah.de

Operating under the brand "Treffnah".

3. Principles of Our Data Processing

Treffnah does not collect any data that can be directly attributed to a natural person. All identifiers processed on our servers are pseudonymised (pseudonymised pursuant to Art. 4(5) GDPR) — they refer to a device-generated cryptographic key pair, not a real identity.

We process data in accordance with the principles of Art. 5 GDPR — in particular data minimisation and storage limitation. Our architecture pursues this through:

Location data: Only Geohash-3 precision (approx. 156 km × 156 km), not logged
Personal data: None on our servers — identity via BIP39 mnemonic on your device
Business data: Orders, messages, reviews stored locally only, peer-to-peer encrypted (WebRTC + XChaCha20-Poly1305) pursuant to Art. 32(1)(a) GDPR

4. What Data Does Our Server Process?

3.1 Anonymous Search Index

Legal basis: Art. 6(1)(f) GDPR (legitimate interest — brokering trade services)

Stored: pseudonymous ed25519 key, service categories, Geohash-3, tier, availability, languages. Automatic deletion after 24 hours.

3.2 Signalling Relay (WebRTC)

Legal basis: Art. 6(1)(f) GDPR + Mere Conduit privilege (Art. 4 DSA)

60-second rooms for connection setup. We relay only encrypted data and cannot technically decrypt it.

3.3 Anonymous Telemetry

Legal basis: Art. 6(1)(f) GDPR (legitimate interest — product improvement)

Aggregated events (event type, optional Geohash-3, minute timestamp). No user or device IDs. Retention: 14 days.

3.4 Subscription Status

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Synchronised via RevenueCat. Stored exclusively as an HMAC-SHA256 hash of your pseudonymous device token. No reverse attribution to your person is possible.

3.5 Crash Reports

Legal basis: Art. 6(1)(a) GDPR (consent)

No crash reports without your express consent.

Stack trace is cached locally on your device (sanitised)
On next launch the app asks whether you wish to send the report
If declined, the report is immediately deleted
If consented, sent to server in Frankfurt — 14 days retention — then automatically deleted

5. End-to-End Encryption

All business communications between users (orders, messages, reviews) are end-to-end encrypted (X25519 ECDH + XChaCha20-Poly1305). Keys remain exclusively on end devices.

This meets the requirements of Art. 32(1)(a) GDPR (encryption as an appropriate technical measure) and the spirit of the forthcoming German TDDDG (right to encryption).

We have no technical means to decrypt this communication — even at the request of authorities.

6. Data Location

Our server is located in Frankfurt, Germany (Vultr Holdings Corporation). No data transfer to third countries takes place.

7. Your Rights under Art. 15–22 GDPR

You have the right to:

Access (Art. 15)
Rectification (Art. 16)
Erasure (Art. 17)
Restriction of processing (Art. 18)
Data portability (Art. 20)
Objection (Art. 21)
Complaint to the supervisory authority (Art. 77)

Architecture-specific note:

Access: In the app under "Settings → Export Data"
Erasure: Uninstalling immediately deletes all local data; anonymous index expires after 24 h

8. Cookies / Tracking

No cookies, no tracking SDKs. In particular, no Google Analytics, no Facebook Pixel, no Sentry.

This complies with § 25 TDDDG — no consent obligation, as no access to the end device occurs beyond what is technically strictly necessary.

9. Processors under Art. 28 GDPR

Vultr Holdings Corporation — server hosting in Frankfurt; data processing agreement in place.
RevenueCat, Inc. — billing events; only HMAC-hashed pseudonymised identifier.
Pinata Cloud, Inc. — optional (IPFS profile images, only upon active use by tradespeople)

10. Supervisory Authority

Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW) Kavalleriestraße 2-4, 40213 Düsseldorf ldi.nrw.de

11. Contact

datenschutz@treffnah.de

12. Data Breaches under Art. 33 / Art. 34 GDPR

In the event of a breach of the protection of personal data (data breach):

Notification to the supervisory authority (Art. 33 GDPR): The LDI NRW will be notified within 72 hours of becoming aware, provided the data breach is likely to result in a risk to the rights and freedoms of natural persons.
Notification of data subjects (Art. 34 GDPR): If a high risk to rights and freedoms exists, affected users will be notified without undue delay — to the extent that contact is technically possible. As Treffnah does not collect real names or contact details, notification will be made via a prominent message in the app.
Architecture-conditioned limitation of risk: As no personal data is stored on our servers (pseudonyms, no clear data), the risk of a serious data breach at server level is structurally limited.

Reports or indications of possible data breaches please to: datenschutz@treffnah.de

13. Changes

Changes will be displayed in the app and on this page. For material changes requiring renewed consent, the app will request a corresponding confirmation.

Legal pages:Imprint Privacy Policy Terms of Use