Unitee - Privacy Policy
Version: v1.1
Effective date: June 12, 2026
Operator:
Joana Noack & Stefanie Schalitz GbR, Hosemannstr.22, 10409 Berlin
Governing law:
GDPR (EU) 2016/679, TTDSG/TDDDG requirements for device storage, and applicable German law
1. Controller and contact
Unitee is operated by Joana Noack & Stefanie Schalitz GbR, Hosemannstr.22, 10409 Berlin. If you have questions about privacy or want to exercise your rights, email us at hello@uniteeapp.de.
2. What this policy covers
Unitee is a mobile app that helps parents, guardians, and other family-oriented users discover family-friendly places, events, and support nearby. This policy explains what personal data we process, why we process it, where it is processed, and how long we keep it.
3. Guest use of the app
If you use Unitee as a guest, the app can request your device location to center the map around you. The GPS coordinates are used on the device only and are not written to Firestore or uploaded to our servers. The legal basis is Art. 6(1)(b) GDPR because the location is processed only to provide the map function you request.
Guest access currently also uses anonymous Firebase Authentication so the app can keep a temporary signed-in session and record your acceptance of the legal documents. We store a consent record in Firestore under your anonymous user account with the accepted privacy-policy version, terms version, app version, timestamp, and anonymous user ID. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is being able to prove that the legal documents shown in the app were accepted.
4. Registered accounts and profile data
When you register with email and password, Firebase Authentication processes your email address, password hash, and email-verification status. We do not store your password in Firestore. The legal basis is Art. 6(1)(b) GDPR because this processing is necessary to create and manage your account.
In Firestore we store your account profile under users/{uid}. This currently includes first name, last name, display name, email address, role, provider company or organization name where applicable, subscription status, city, optional postal code, country, reminder settings, push-token list, saved-events version number, optional deletion scheduling fields, and timestamps for creation or updates. The legal basis is Art. 6(1)(b) GDPR because this data is necessary to provide the account-based features of the app.
During sign-up, we ask you for your city. You can also optionally provide your postal code. We store this location information in your profile so we can understand where registered users are located and use that information when deciding which cities to support next. The legal basis is Art. 6(1)(b) GDPR for providing location-aware account features and Art. 6(1)(f) GDPR for our legitimate interest in product planning based on city-level demand.
If you register as a provider, we ask for a company or organization name. We use it to identify provider accounts, show submitted event ownership internally, and review provider-submitted events. The legal basis is Art. 6(1)(b) GDPR because this processing is necessary for the provider account and event submission feature.
5. Provider-submitted events and review workflow
Providers can create events in the app. Provider event documents are stored in the providerEvents collection and currently include provider ID, title, description, date and time, address and geocoding data, price/free status, age range, tags, image URL, website URL, Instagram URL, recurrence information, review status, and timestamps.
New or edited provider events are reviewed before they are published in the public events list. For review, our Cloud Functions queue an internal review email that includes provider name, provider company or organization name, provider email address, event title, description, age range, tags, website, Instagram, location, and secure approve/reject links. The legal basis is Art. 6(1)(b) GDPR because this review is necessary to provide the provider event submission feature and protect the quality and safety of the public event list.
Approved provider events are mirrored into the public events collection and become visible to app users. Rejected or pending provider events remain visible to the provider account but are not published in the public event list.
6. Saved events, reminders, and consent records
If you save an event, we store a document in users/{uid}/savedEvents containing the event ID, a saved flag, and an update timestamp. We also store a saved-version counter in your user document so the app can synchronize your saved list between devices. The legal basis is Art. 6(1)(b) GDPR.
If you enable email reminders or push reminders, we store your reminder preference settings in Firestore. If push reminders are enabled, we also store one or more Expo push tokens in your user document so reminders can be delivered to your device. The legal basis is Art. 6(1)(a) GDPR because these reminders are optional and switched on by you.
When you accept the Privacy Policy and Terms of Service, we store a consent record in a Firestore subcollection with the accepted versions, app version, and timestamp. For guest users, the anonymous account ID is also stored in that consent record. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is documenting acceptance of the legal texts and defending legal claims if needed.
7. Profile photos and Firebase Storage
If you upload a profile photo, the image is stored in Firebase Storage at users/{uid}/avatar.jpg and the download URL is saved in your Firebase Auth profile and Firestore profile. The legal basis is Art. 6(1)(b) GDPR because the upload is part of the profile feature you choose to use.
8. Emails, push notifications, and local device storage
We send service emails needed to run your account, such as email-verification messages and password-reset emails. The legal basis is Art. 6(1)(b) GDPR.
We also send or queue operational emails needed to run the provider review workflow, including internal review emails and, where implemented, provider notifications about approval or rejection. The legal basis is Art. 6(1)(b) GDPR.
Optional saved-event reminder emails and optional push reminders are sent only if you turn them on in the app. The legal basis is Art. 6(1)(a) GDPR. You can switch those reminders off in the app settings at any time. On iOS or Android, push notifications also require device-level permission.
The app stores a small amount of information locally on your device in AsyncStorage to make core features work. This currently includes event and place cache data, saved-event cache data, reminder-setting cache data, a cached Expo push token, consent-related ad state, and technical state used for guest access. We use this storage only for app functionality that you request. Where German device-storage rules apply, the storage is used because it is technically necessary to provide the app feature you chose to use.
9. Recipients, processors, and international transfers
We use Google Firebase as our main processor for authentication, database hosting, cloud functions, and file storage. Firestore data for this app is currently hosted in europe-west10. Profile photos in Firebase Storage are currently hosted in us-central1. Firebase Authentication and other Google infrastructure may process data outside the European Economic Area, including in the United States.
Email delivery is handled through Firebase Cloud Functions, the Firebase Trigger Email extension, and the SMTP/email provider configured for the app. Email queue documents are stored in Firestore in the mail collection and are not readable by app clients.
For ad delivery in the free version of the app (on Android and iOS), we may also use Google AdMob and Google's User Messaging Platform (UMP). On iOS we additionally ask for App Tracking Transparency (ATT) permission before any advertising identifier can be used; without your permission, ads are served non-personalized. These services may process advertising identifiers, consent signals, device information, and ad-request metadata to decide whether ads can be shown and whether they must be non-personalized. The legal basis is Art. 6(1)(a) GDPR where consent is required and Art. 6(1)(f) GDPR for strictly necessary anti-abuse and delivery operations where applicable.
Where personal data is transferred outside the EEA, Google states that it uses appropriate safeguards such as the EU Standard Contractual Clauses where required. You can read Google's Privacy Policy here: https://policies.google.com/privacy.
We do not sell your data. We do not share it with data brokers or social-media SDKs.
10. Retention periods
Device location used to center the map is processed only during the relevant app session and is not stored on our servers.
Local device cache data stays on your device until it is replaced, cleared, you sign out, or you remove the app, depending on the feature.
Account data in Firebase Auth, Firestore profile data, provider event submissions, saved events, reminder settings, push tokens, and profile photos are kept while your account remains active.
Provider event review tokens are temporary and are intended to expire after a short review window. Queued email documents and reminder locks are deleted according to the configured Firestore TTL rules where enabled.
If you request account deletion in the app, your account is currently marked for deletion and then permanently deleted after 30 days unless you cancel the deletion during that period. You can also request deletion by email at hello@uniteeapp.de. We will delete or anonymize personal data unless we must keep it longer to comply with the law or to establish, exercise, or defend legal claims.
Consent records are kept for as long as needed to document acceptance of the legal documents and to defend legal claims, unless a shorter retention period is required by law.
11. Your rights under the GDPR
You have the right to request access to your personal data, rectification of inaccurate data, erasure of your data, restriction of processing, data portability, and to object to processing based on Art. 6(1)(e) or Art. 6(1)(f) GDPR. Where processing is based on consent, you can withdraw that consent at any time with effect for the future.
You also have the right to lodge a complaint with a supervisory authority, especially in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. If you are in Germany, you can contact the competent state data-protection authority.
12. How to request deletion or other privacy actions
For access requests, corrections, deletion requests, data-export requests, objections, or questions about this policy, email hello@uniteeapp.de. To help us verify your request, please contact us from the email address linked to your account where possible.
13. No analytics, limited advertising
Unitee currently does not use product analytics SDKs or third-party tracking SDKs for behavioral profiling. In the free version (Android and iOS), we may show limited Google AdMob ads on discovery screens. Where consent is required, we request it before allowing personalized ad serving and default to non-personalized ads until that consent state is known. We do not sell behavioral data.
14. Changes to this policy
We may update this Privacy Policy if the app, our processors, or the law changes. If the changes are material, we will publish the updated version in the app before it takes effect.
© 2026 Jofi Labs. All rights reserved.
UNITEE
Connect
© 2025. All rights reserved.
Email: uniteeapp@icloud.com
Questions? Feel free to contact us at any time – we are here for you.
