Privacy Policy for malmal
Last Updated: October 7, 2025
Introduction
Welcome to malmal, a collaborative painting application. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our app.
Information We Collect
Personal Information
When you use malmal, we collect the following personal information:
- Email address - Used for account creation, authentication, and communication
 - Username/Display name - Your public identifier within the app
 - Date of birth - Collected solely to verify that you meet the minimum age requirement to use our service
 - IP address - May be collected and stored temporarily to protect our service from abuse, fraud, and security threats
 
Automatically Collected Information
- Usage data - We use Plausible Analytics to collect privacy-friendly, anonymized analytics data about how our app is used
 - Device information - Basic technical information needed to provide our services
 - Authentication data - Login tokens and session information managed through Firebase Authentication
 
How We Use Your Information
We use your personal information to:
- Create and manage your account
 - Enable you to create and share paintings collaboratively
 - Verify you meet age requirements for using the service
 - Protect our service from abuse, fraud, spam, and security threats
 - Improve our app and user experience
 - Process payments through our payment provider
 - Communicate important updates about the service
 - Provide customer support
 
Third-Party Services
malmal uses the following third-party services to provide and improve our application:
Infrastructure & Hosting
- Hetzner - Primary server hosting and data storage
 - Bunny CDN - Content delivery network for faster global access
 - Ubicloud - Additional cloud infrastructure
 
Authentication
- Firebase Authentication - Account authentication and security
 - Google Login - Optional login method
 - Apple Login - Optional login method
 
Payments & Subscriptions
- Paddle - Payment processing
 - RevenueCat - Subscription management
 - Google Play Store - Android app distribution and in-app purchases
 - Apple App Store - iOS app distribution and in-app purchases
 
Analytics
- Plausible Analytics - Privacy-friendly, cookieless analytics that does not track individual users
 
Each of these services has its own privacy policy governing how it handles your data. We encourage you to review their policies:
- Firebase Privacy Policy
 - Paddle Privacy Policy
 - RevenueCat Privacy Policy
 - Plausible Analytics Privacy Policy
 
Data Storage and Location
- Primary data storage: Your data is stored on servers located in Germany
 - Global caching: To improve performance, your content may be cached worldwide through our CDN
 - Exception: Firebase Authentication data is stored according to Google's Firebase data location policies
 
We use industry-standard security measures to protect your data during storage and transmission.
Data Sharing
We do not sell, trade, or rent your personal information to third parties. We only share your data:
- With the third-party services listed above, as necessary to provide our service
 - When required by law or to protect our legal rights
 - With your explicit consent
 
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access - Request a copy of the personal data we hold about you
 - Correction - Request correction of inaccurate or incomplete data
 - Deletion - Request deletion of your account and personal data
 - Data portability - Request a copy of your data in a machine-readable format
 - Objection - Object to certain processing of your data
 
Account Deletion
To delete your account and all associated personal data, please contact us at:
hello@malmal.app
We will process your deletion request within 30 days. Please note that some data may be retained for a limited period as required by law or for legitimate business purposes (such as resolving disputes or enforcing our terms of service).
Children's Privacy
We verify users' ages through date of birth to ensure compliance with children's privacy regulations. If we discover that we have collected personal information from a child without appropriate consent, we will delete that information as quickly as possible.
Data Retention
We retain your personal data only for as long as necessary to provide our services and fulfill the purposes outlined in this privacy policy. When you delete your account, we will delete or anonymize your personal data, except where we are required to retain it by law.
Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the new privacy policy on our website and updating the "Last Updated" date.
International Data Transfers
If you are accessing malmal from outside Germany, please be aware that your data may be transferred to and processed in Germany and other countries where our service providers operate. We ensure appropriate safeguards are in place for such transfers.
Contact Us
If you have any questions, concerns, or requests regarding this privacy policy or how we handle your personal data, please contact us at:
hello@malmal.app
GDPR Compliance (For EU Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- The right to lodge a complaint with a supervisory authority
 - The right to restrict processing of your data
 - The right to withdraw consent at any time
 
Our legal basis for processing your personal data includes:
- Contract performance - To provide you with our services
 - Legitimate interests - To improve and secure our services
 - Legal obligations - To comply with applicable laws
 - Consent - For optional features requiring your explicit consent
 
California Privacy Rights (For California Users)
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and how it is used, and the right to opt out of the sale of personal information. We do not sell your personal information.
This privacy policy is designed to be transparent about our data practices. If you have any questions or need clarification, please don't hesitate to reach out to us.