Last updated: July 2026
1. Data controller
Controller for data processing within the meaning of the GDPR:
Ramin Göttlich
c/o POSTFLEX PFX-160-469
Emsdettener Straße 10
48268 Greven
Deutschland
Email: hallo@linuu.app
2. Scope
This notice applies to the website at https://app.linuu.app and to the mobile app Linuu. The website provides information about the service and forwards technical links (e.g. invitations, password reset) into the app. Terms of use are set out in our Terms of Service.
3. Processing on the website
When you visit the website, technically necessary data is processed (e.g. IP address, date and time of access, page requested, browser type). Hosting is provided by Vercel Inc. (USA/EU depending on configuration). The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating and securing the website).
On the pages /invite and /reset-password, URL parameters (e.g. invitation ID, auth token from email links) are evaluated only in the browser to open the app via deep link. We do not operate our own accounts or tracking services on the website for this purpose.
4. Processing in the app
When you use Linuu, the following data may be processed in particular:
- Account data (e.g. email address, sign-in credentials)
- Profile data (e.g. display name, avatar, onboarding status, retention settings for auto-deletion)
- Family and household data (family name, memberships, roles, invitations, family chat messages)
- Tasks, events, recurring household duties, weekly planning, and reminder rules
- Uploaded documents (files), metadata (name, category, tags), extracted text for search, and visibility settings (e.g. for children in the household)
- Results of optional document analysis (e.g. summary, detected events or tasks)
- Shopping lists, rewards/points system, and related settings
- Subscription status (via the payment service provider; we do not store full payment card details)
- Coarse product usage events (e.g. uploads, subscription events) to improve Linuu — not for advertising
- Device-related data for push notifications and optional calendar sync (if you enable these features)
- Optional in-app feedback (category, free text, app version, build number, technical device information)
- Optional information when cancelling a subscription (e.g. reason, optional free text)
Security, encryption, and shared use
Data is encrypted in transit (TLS) and stored securely on our servers through the hosting provider. There is no end-to-end encryption: content in a shared household (e.g. documents, chat, tasks) is visible to authorised family members. Linuu is intended for everyday household organisation — please do not upload highly sensitive documents (e.g. extensive health or financial records) if you do not want to accept the risk of shared access.
Uploaded documents are stored on our servers as extracted text for full-text search. Family members with access to a document can view its content this way without reopening the file.
Not a backup service: Linuu stores your documents but is not an archive or backup service. Please always keep your own copy of important files. Deleted or lost files cannot always be restored.
Family chat is not an end-to-end encrypted messenger. Messages remain stored in the household and are visible to all members. If you delete your account, your uploaded documents and account data are removed; chat messages you sent may remain in the household without being linked to your account.
AI analysis (documents, recipes) runs only when you explicitly trigger it (e.g. “Analyze with AI”). Content is transmitted to OpenAI for that request (see section 5).
Push notifications for chat may include a short preview of the message text, delivered via the push provider to Apple or Google. You can disable chat notifications in app settings.
Children in the household: adults see all documents; children only see items explicitly shared with them. Setting up a child account is the responsibility of parents or guardians. Creating your own account requires a minimum age of 16; younger children use the Service only via a profile managed by a parent or guardian.
Stored locally on your device (not on our servers) may include: sign-in session in the system keychain, language preference, reminder and calendar sync preferences, and optional Face ID/Touch ID for app lock. Biometric data does not leave your device. Exception: whether you want to receive chat push notifications is also stored on our servers together with the device token, so the backend can decide whether to send a push notification.
Legal bases depend on the activity: Art. 6(1)(b) GDPR (contract or use of the service), Art. 6(1)(a) GDPR (consent, e.g. for optional features), or Art. 6(1)(f) GDPR (legitimate interests, e.g. secure operation and product development).
5. Service providers (processors)
Third-party providers are used to deliver Linuu. Where required, data processing agreements under Art. 28 GDPR are in place:
- Supabase Inc. — authentication, database, file storage for app data (server location depends on your project region)
- Vercel Inc. — hosting of this website
- Resend Inc. — sending invitation and system emails (email address, message content)
- OpenAI, L.L.C. — analysis of document and recipe content if you use AI analysis. Content is sent only for the respective request; API calls are configured so OpenAI does not store content for model training (
store: false). Short-term processing logs at the provider may still apply (see OpenAI DPA and API terms). - Expo (650 Industries, Inc.) — delivery of push notifications to Apple/Google (device token, title, preview text)
- RevenueCat, Inc. — management of in-app subscriptions (account identifier, subscription status; payment via Apple/Google)
- Functional Software, Inc. (Sentry) — error and crash reports for app stability (technical diagnostic data, no advertising)
- Apple Inc. / Google LLC — push notifications and app store billing, where you use these services on your device
Providers based outside the EU/EEA may involve transfers to third countries. In that case, appropriate safeguards are used (e.g. EU Standard Contractual Clauses) where the provider makes them available.
6. Retention
Personal data is stored only as long as necessary for the respective purposes or where statutory retention periods apply. Account data and app content remain stored until you delete your account or remove data in the app.
After account deletion, your auth account, documents you uploaded, and data linked to you are removed from the active database. Chat messages that remain in a shared household and content created by other members are excluded. Technical backups at the hosting provider may still contain deleted data for a limited time before they rotate.
In-app feedback and optional cancellation details are stored for product improvement and are accessible only to authorised platform administrators.
Temporary recipe uploads are automatically removed from the server within 24 hours at the latest.
Under Tidy up in settings, you can configure whether completed tasks, past events, or deleted documents are permanently removed after a set period. Website server logs and technical operational logs (e.g. edge functions) are typically retained by the host for a limited time only; invitation links and passwords are not logged.
7. Your rights
You have the following rights vis-à-vis the controller, among others:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7(3) GDPR) with effect for the future
To exercise your rights, contact us at hallo@linuu.app.
In the app, you also have these self-service options:
- Export data (Settings → Privacy & data → Export my data): You receive a JSON file with profile, document, task, family, and other account-related data under Art. 20 GDPR. Document files (PDF/images) are not included; metadata and extracted text are. The file may contain sensitive data (e.g. invitation tokens for pending invites) — treat it as confidential and do not share it. For technical reasons, another export is only possible after a short waiting period.
- Delete account (Settings → Delete account): Permanently removes your account and data linked to you from the active database (see section 6 on chat retention and backups).
- Tidy up: Controls automatic deletion periods for completed tasks, past events, and deleted documents.
You can also find information on data use in the app under Settings → Privacy & data.
8. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. In particular, you may contact the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement. An overview of the German data protection supervisory authorities is available from the Federal Commissioner for Data Protection and Freedom of Information.
9. Changes
This privacy notice may be updated when features, services used, or legal requirements change. The current version is always available on this page.