Privacy Policy

1. Controller (Verantwortlicher)

2. Scope and Principles

This privacy policy applies to the mobile application Spectrum for iOS.

Spectrum includes optional online features, in particular in-app purchases/subscriptions and the optional Spectrum Community feature for browsing, uploading, rating, reporting, and moderating shared presets. If you do not use these features, much of Spectrum continues to function locally on your device.

We do not sell personal data and we do not share personal data with third parties for advertising purposes.

3. Data Processing Details

3.1 In-App Purchases & Subscriptions (Apple StoreKit + RevenueCat)

Spectrum offers optional paid features and subscriptions. Payments are processed exclusively by Apple via the App Store and StoreKit. We do not receive or store payment card data.

Spectrum uses RevenueCat as a technical service provider to manage subscriptions, validate receipts, restore purchases, and determine entitlement status.

In this context, the following data may be processed:

• RevenueCat App User ID (pseudonymous identifier)
• Product identifiers
• Purchase and renewal timestamps
• Subscription status
• Transaction and receipt information provided by Apple
• Technical metadata necessary to operate the subscription service and prevent fraud/abuse
• Network metadata such as IP address processed by Apple and/or RevenueCat as part of operating and securing the service

Legal bases: Art. 6(1)(b) GDPR (performance of contract) and, where applicable, Art. 6(1)(f) GDPR (legitimate interest in fraud prevention and system security).

RevenueCat Privacy Policy: www.revenuecat.com/privacy

3.2 Media Import (Files / Music / Videos / Images) - Local Processing

Spectrum allows you to import media such as music files, videos, and images from sources you select, including the Files app, Photos, and compatible iOS pickers.

Imported media is processed locally on your device to provide playback, visualization, editing, rendering, thumbnail generation, and export features. We do not upload your imported media to our servers merely because you use the app.

Depending on the workflow, Spectrum may create temporary local copies, cached files, generated previews, or exports on your device. These remain on-device unless you explicitly share content through an online feature such as Spectrum Community.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and § 25(2) No. 2 TDDDG (necessary for providing the requested service).

3.3 Photos Library Access (Optional)

If you choose to grant access, Spectrum may access your Photos library to let you pick images/videos for your projects or to save exported videos/images back to Photos.

• Read access: only for media you choose via iOS pickers and permission dialogs
• Write access: only when you actively export or save content to Photos

Photos library content is processed locally on your device unless you separately decide to upload content through Spectrum Community. You can revoke Photos access at any time in iOS Settings.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and/or Art. 6(1)(a) GDPR (consent via iOS permission prompt, where applicable).

3.4 Export of Videos/Images - To Your Device or Chosen Destination

Spectrum allows you to export videos and images you create. Exports are saved only to locations you choose, such as your Photos library, Files app, or share destinations you explicitly invoke. We do not receive exported content unless you separately choose to upload a preset to Spectrum Community.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

3.5 Local App Data (Presets, Projects, Settings, Caches)

Spectrum stores user-created presets, project configurations, app settings, cached media, and other operational data locally on the device. This local data does not become accessible to us solely because you use the app offline.

Legal basis: § 25(2) No. 2 TDDDG (necessary for providing the requested service).

3.6 Spectrum Community

Spectrum Community is an optional feature that allows users to browse, upload, rate, report, and, where authorized, moderate shared presets. When you use Spectrum Community, data is processed on our community server.

3.6.1 Anonymous Community Session

When you open Spectrum Community, the app may create or resume a server-issued anonymous session. This session is tied to a pseudonymous user ID and session token rather than requiring a traditional account.

In this context, we process in particular:

• anonymous community user ID
• community session token or a hashed representation of that token on the server
• chosen display name / creator name
• identity mode state (anonymous or account-based)
• timestamps such as account/session creation and last activity

Anonymous Community uploads may remain tied to that installation. If you uninstall the app, reset the app data, or lose the local session token, you may lose access to that anonymous community identity.

Legal bases: Art. 6(1)(b) GDPR (providing the requested online feature) and Art. 6(1)(f) GDPR (security and abuse prevention).

3.6.2 Optional Community Accounts

If you choose, you can upgrade your Community identity into an account by registering a username and password, or later log in to an existing account.

For community accounts, we process:

• account username
• password in order to create/login/delete the account (stored server-side only as a salted one-way hash, not in plain text)
• associated display name / creator name
• account status such as whether the account is registered or has moderation/admin privileges
• security and anti-abuse metadata such as login attempt counters and related request metadata

Failed login attempts may be rate-limited to protect accounts and the service from abuse.

Legal bases: Art. 6(1)(b) GDPR (account access) and Art. 6(1)(f) GDPR (security, abuse prevention, and account protection).

3.6.3 Community Uploads, Browsing, Ratings, Reports, and Moderation

When you use Spectrum Community to upload or interact with presets, we process the content and metadata necessary to operate the feature.

This may include:

• preset name
• preset JSON / configuration data you choose to upload
• thumbnail image you upload or capture for the preset
• display name shown with the preset
• rating you assign to a preset
• report reason and optional report notes if you report a preset
• download counts, rating counts, and related ranking data
• status of the preset in the community (for example active, flagged, or removed)
• for moderators/admins: moderation queue data and report information necessary to review and act on flagged content

Uploaded presets may be publicly visible to other Spectrum Community users. Reported presets may be hidden from the public feed, reviewed, and removed if they violate the community rules.

The service currently permits only presets that use Spectrum-owned library backgrounds and supported Spectrum image assets where images are involved. This limitation is intended in part to reduce rights risks and moderation issues.

If you delete your registered Community account in the app, the server deletes that account and its uploaded presets, ratings, and reports, and then returns a fresh anonymous session. Some information may nevertheless need to be retained longer where legally required or necessary to establish, exercise, or defend legal claims.

Legal bases: Art. 6(1)(b) GDPR (providing the requested online community service) and Art. 6(1)(f) GDPR (community safety, moderation, abuse prevention, and service integrity).

3.6.4 Network and Server Security Data for Spectrum Community

When you access Spectrum Community, our servers and infrastructure may process technical request metadata needed to deliver, secure, and maintain the service, including IP address, request timestamps, request headers, error information, and security-related events.

This data may be used to diagnose errors, defend against abuse, enforce upload and login limits, investigate moderation/security incidents, and maintain the reliability of the service.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system security, abuse prevention, moderation, and reliable operation).

3.7 Diagnostics & Crash Reporting (Apple)

Apple may collect diagnostic data and crash reports depending on your device settings. For App Store and iOS platform services, Apple typically acts as an independent controller under its own privacy framework.

Depending on your settings, diagnostics may include:

• device model
• iOS version
• crash logs and stack traces

Where Apple provides diagnostics to developers, it is typically provided in aggregated and/or pseudonymized form and is used solely to improve stability and fix bugs.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical stability, security, and error-free operation of the app).

3.8 Support Communication

If you contact us by email, we process your email address, the content of your message, and any information you choose to provide to handle your request. For Community-related requests, you may also provide a support ID or account information so we can identify the relevant record.

Privacy and data subject requests can be sent to info@mkgames.org. Community support inquiries may also be directed to spectrum@mkgames.org.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in customer support) and, where applicable, Art. 6(1)(b) GDPR (contract-related inquiries).

3.9 External Links

Spectrum may include links that open external websites, such as our legal pages, Apple pages, or support resources. When you open an external link, you leave the app. The provider of the linked site is responsible for data processing on that site.

Depending on your device and network configuration, opening external links may result in the external provider receiving technical data such as your IP address, browser/device information, referrer, and timestamp.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing legal information, support, and transparency).

3.10 Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

4. Data We Do NOT Collect

• Advertising identifiers (IDFA)
• Tracking under App Tracking Transparency (ATT)
• Precise location data
• Contacts
• Biometric or health data
• Behavioral tracking or profiling for advertising
• Third-party analytics SDKs (such as Firebase Analytics, AppsFlyer, or Mixpanel)
• Third-party advertising SDKs
• Third-party crash-reporting SDKs such as Sentry or Crashlytics
• Payment card data

Note: optional online community accounts and community uploads are separate from advertising or cross-app tracking.

5. Third-Party Services

• Apple – App Store purchases (StoreKit), iOS platform services, optional diagnostics
• RevenueCat – subscription infrastructure and receipt validation
• External websites you open via links – for example Apple pages or our legal/support pages

These providers process data under their own privacy frameworks and applicable law.

Apple Privacy Policy: www.apple.com/legal/privacy

6. International Data Transfers

Apple and RevenueCat may process data on servers outside the EU/EEA, in particular in the United States. Transfers are based on appropriate safeguards such as Standard Contractual Clauses (Art. 46 GDPR), adequacy decisions where applicable, and/or other valid transfer mechanisms under GDPR.

External websites you open and hosting/infrastructure providers used to operate the Spectrum website or Community service may also process data outside the EU/EEA depending on the provider and deployment chosen.

7. Data Retention

• Support emails: up to 12 months, unless a longer retention is required to resolve a request or due to legal obligations
• Subscription data (Apple/RevenueCat): retained for the duration of the subscription lifecycle and as needed for entitlement validation, restoration, fraud prevention, and legal compliance
• Local app data: stored on-device until deleted by you or upon uninstall
• Anonymous Community session data: retained as long as needed to operate the session, support the feature, and maintain security/integrity
• Community account data: retained until account deletion, subject to any longer retention necessary for legal claims, legal obligations, moderation/safety, or abuse prevention
• Community uploads, ratings, reports, and moderation records: retained as long as needed to operate the service, enforce the rules, handle disputes, and meet legal obligations; specific items may be deleted or removed earlier at our discretion or on request where applicable
• Security and server logs: retained for as long as reasonably necessary for security, abuse prevention, troubleshooting, and legal defense

Data may be retained longer where necessary to establish, exercise, or defend legal claims, or where statutory retention obligations apply.

8. Your Rights

You have rights under GDPR including access, rectification, erasure, restriction of processing, data portability, and the right to lodge a complaint with a supervisory authority.

If you use Spectrum Community, including anonymously, please include any available support ID, account username, or other identifying information when making a request so we can locate the relevant data.

Supervisory authority (Berlin):
Berliner Beauftragte für Datenschutz und Informationsfreiheit
www.datenschutz-berlin.de

9. Children

Spectrum is not directed to children under the age of 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal data from children.

10. Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, as appropriate, access controls, hashing of community passwords, hashing of session tokens on the server side, upload restrictions, moderation tooling, and abuse-protection mechanisms such as rate limiting. However, no method of transmission or storage is 100% secure.

11. Changes

This policy may be updated when Spectrum, Spectrum Community, or legal requirements change. The current version is available on our website and/or from within the app.