Privacy Policy
1. Introduction
This Privacy Policy explains how personal data is processed in connection with the TC-Informatik GIS application and related services for capturing, storing, synchronizing, exporting, managing, and supporting photos and project-related metadata. The service is intended for business and professional use by organizations and their authorized users and is not offered as a consumer service.
2. Provider and Contact Details
The service is provided by T.C. Informatik & Telekommunikation GmbH and operated from the following business addresses in Germany:
- Principal place of business: Innere Wiener Strasse 16, 81667 Munich, Germany.
- Branch office: Am Unteren Stein 8, 86672 Thierhaupten, Germany.
- Privacy and support contact: gis-support@tc-informatik.de.
3. Roles Under Data Protection Law
For personal data processed for account administration, organization and access management, subscription and entitlement handling, billing-related workflows, security, diagnostics, support, legal compliance, and protection of our own business interests, T.C. Informatik & Telekommunikation GmbH acts as controller. Where customer organizations upload, manage, or otherwise use the service for their own operational purposes, the respective customer organization generally remains responsible for deciding whether and why personal data is processed through the service. If applicable law requires additional controller-processor arrangements, the customer should contact us before or during onboarding. A Data Processing Agreement may be made available upon request where required by applicable law.
4. Categories of Personal Data We Process
- Account and organization data such as names, email addresses, user identifiers, roles, and membership information.
- Project and workflow data such as project references, comments, addresses, timestamps, workflow states, and assignment metadata.
- Photo and media data such as original photos, sketches, thumbnails, annotations, storage references, and media-related metadata.
- Technical and service data such as app version, platform, device and app identifiers, permission status, sync state, storage status, quota state, and technical error context.
- Support and incident data such as locally generated diagnostic logs, logs actively shared for support, support correspondence, and incident notes.
- Commercial and entitlement data where applicable, such as subscription tier, organization quota, billing state, purchase restoration state, and entitlement status.
- Advertising- and consent-related data where applicable, such as advertising identifiers, consent choices, and ad-delivery state for ad-supported tiers.
5. Sources of Personal Data
- Directly from users and administrators.
- Automatically through app usage and related synchronization, storage, retrieval, deletion, and account-management workflows.
- From authorized actions performed by other members of the same organization.
- From device features and permissions used by the app, including camera, notifications, location, and file or media access where supported by the relevant platform and enabled by the user.
- From third-party service providers where relevant for authentication, storage, subscriptions, advertising, payments, or technical support.
6. Purposes of Processing
- To authenticate users and manage organization-scoped access.
- To store, synchronize, retrieve, display, repair, and delete photos and related project metadata.
- To enable app features that depend on permissions, including capturing photos, using location-related features, accessing notification services, and exporting or handling media files.
- To maintain service reliability, cross-device consistency, deletion propagation, and operational integrity.
- To investigate synchronization failures, deletion disputes, suspected abuse, and technical incidents.
- To provide customer support and troubleshoot service issues.
- To manage subscriptions, quotas, entitlements, and related commercial administration where applicable.
- To operate ad-supported service tiers and related consent flows where applicable.
- To comply with legal obligations and to establish, exercise, or defend legal claims.
7. Legal Bases
Where required by applicable law, we rely on performance of a contract under Article 6(1)(b) GDPR, legitimate interests under Article 6(1)(f) GDPR, compliance with legal obligations under Article 6(1)(c) GDPR, and consent under Article 6(1)(a) GDPR where optional processing or platform-specific advertising or tracking features require it. Our legitimate interests include operating and securing the service, preventing abuse, diagnosing faults, enforcing our contractual terms, and defending legal claims.
8. Recipients and Service Providers
We may disclose personal data to service providers and infrastructure partners that support operation of the service, including Firebase and Google Cloud for authentication, database, storage, and backend functionality; Google Play Billing and RevenueCat for subscription and entitlement administration; Google advertising services for ad-supported tiers where applicable; Stripe for payment-related desktop licensing workflows where applicable; explicitly configured external storage destinations; professional advisors; support providers; and competent public authorities where required. We do not sell personal data.
9. International Processing and Transfers
Parts of the technical backend are configured for European hosting regions, including backend functions operated in Europe. At the same time, some service providers used for infrastructure, billing, subscriptions, or advertising may process data in other countries. Where required by applicable law, we rely on appropriate safeguards, including adequacy decisions, Standard Contractual Clauses, and other lawful transfer mechanisms recognized under applicable data protection law where available.
10. Logs, Diagnostics, and Audit-Related Records
Routine operation of the service is distinct from support-related diagnostics. Diagnostic logs are primarily stored locally on the device and are not automatically uploaded as full raw logs as part of normal service operation. The app keeps locally persisted daily diagnostic files for a limited rolling period and storage budget, currently up to 14 days subject to file size and device storage limits. Logs may be transmitted when a user or organization actively triggers sharing or upload for support purposes, including optional support uploads. Limited technical event records may also be retained server-side for service integrity, synchronization troubleshooting, deletion propagation, quota enforcement, entitlement administration, security, support, and the defense of legal claims.
11. Data Retention
We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy. Account and organization data are generally retained while the relevant account or organization relationship remains active and thereafter only as needed for compliance, recordkeeping, or legal defense. Local diagnostic logs are retained on-device for a limited rolling period, currently up to 14 days. Deleted or tombstoned technical traces may remain temporarily to preserve synchronization consistency, prevent unintended reappearance of deleted items, and support incident analysis; certain delete propagation markers may remain for up to 90 days before automatic cleanup. If an organization's paid cloud entitlement lapses and cloud data exceeds the available free-tier cloud allowance, cloud-stored data may be scheduled for deletion and, after a grace period currently configured as 30 days, deleted from cloud storage and related cloud records. Support artifacts and uploaded diagnostics are retained only for as long as reasonably necessary for support, security, dispute handling, or legal defense.
12. Security
We apply authenticated access controls, organization scoping, role-based restrictions, and technical and organizational measures designed to protect personal data against unauthorized access, misuse, alteration, loss, or disclosure.
13. Customer Organization Responsibilities
Customer organizations are responsible for their own lawful use of the service, including determining which users are authorized, ensuring that uploaded content and photo documentation are lawfully collected and processed, providing any notices required to employees, contractors, customers, or other data subjects, and maintaining any backup, export, or retention procedures needed for their own regulatory, contractual, or operational requirements.
14. User Rights
Depending on applicable law, users may have the right to request access to their personal data, rectification of inaccurate data, erasure, restriction of processing, objection to processing, and data portability. Where processing is based on consent, users may also withdraw consent at any time with effect for the future. Users also have the right to lodge a complaint with a competent supervisory authority. For users in the EEA, this may include the supervisory authority of their habitual residence, place of work, or the place of the alleged infringement. Where data is managed primarily within a customer organization context, requests may need to be coordinated with that organization.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes may be communicated in-app or through other appropriate channels and may require renewed acknowledgment or acceptance where appropriate.
16. Language and Contact
The English version of this Privacy Policy may be designated as the authoritative version. Local-language UI notices, summaries, or convenience translations may be provided for usability, but they do not replace the binding legal text unless explicitly stated otherwise. Questions about this Privacy Policy or privacy-related requests should be sent to gis-support@tc-informatik.de.