1. Controller (Verantwortlicher)
Marvin Krüger
Koppenstr. 54
10243 Berlin
Germany
Email: info@mkgames.org
2. Scope and Principles
This privacy policy applies to the mobile application MIDI Controller for Apple platforms (including iOS and, where applicable, Mac Catalyst builds distributed via the App Store).
Privacy-by-design: The app is designed to keep most processing on your device.
- No user accounts / no login required in the app
- No cloud sync backend operated by us for your creative workspaces
- In-app purchases are handled by Apple; subscription status is managed with RevenueCat as described below
- For advertising measurement, the app integrates the TikTok for Business (App Events) SDK as described in Section 3.8
- Where the app requests App Tracking Transparency (ATT) permission, it is only to support optional measurement (such as IDFA) in line with Apple’s rules; you can refuse without losing core MIDI functionality
This privacy policy is intended to align with the information provided in the App Store privacy labels for this app. Please also review Apple’s and TikTok’s privacy information for categories their systems may process.
The app does not operate its own backend servers for your MIDI layouts, workspace data, or real-time MIDI performance. Unless explicitly stated otherwise below, such processing occurs locally on your device, or by Apple, RevenueCat, or TikTok as described in this policy.
We do not sell personal data. We do not share personal data with third parties for their own independent marketing beyond what is inherent to the payment and measurement services listed here (Apple, RevenueCat, TikTok).
3. Data Processing Details
3.1 In-App Purchases & Subscriptions (Apple StoreKit + RevenueCat)
The app offers optional paid features and subscriptions. Payments are processed exclusively by Apple via the App Store and StoreKit. We never receive or store payment details such as credit card numbers.
The app uses RevenueCat as a technical service provider to manage subscriptions, validate receipts, restore purchases, and determine entitlement status. RevenueCat processes personal data strictly as a service provider for subscription infrastructure and does not use this data for its own advertising.
In this context, the following data may be processed:
- RevenueCat App User ID (pseudonymous identifier, often anonymous by default, used to associate purchases and restore entitlements across devices)
- Product identifiers
- Purchase and renewal timestamps
- Subscription status (active, expired, cancelled)
- Transaction and receipt information provided by Apple (for validation)
- Technical and request metadata necessary to operate the subscription service (e.g., app version, device/OS information) and to prevent fraud/abuse
- Network metadata such as IP address may be processed by RevenueCat as part of operating and securing the service
RevenueCat acts as a data processor (Art. 28 GDPR) on our behalf for subscription infrastructure and entitlement management. We have concluded a Data Processing Agreement (DPA) with RevenueCat. RevenueCat processes data solely to:
- validate subscriptions and receipts
- restore purchases
- enable premium functionality
- prevent fraud and abuse and ensure system security
Legal bases: Art. 6(1)(b) GDPR (performance of contract) and, where applicable, Art. 6(1)(f) GDPR (legitimate interest in fraud prevention and system security).
RevenueCat Privacy Policy: www.revenuecat.com/privacy
3.2 Bluetooth & MIDI Connectivity (On-Device)
MIDI Controller uses Bluetooth (where enabled) to advertise or connect as a Bluetooth MIDI device and to communicate with compatible peripherals and apps, according to the permissions you grant in iOS Settings.
MIDI messages and connection state are handled on your device to provide real-time control. We do not route your live MIDI traffic through our servers.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and § 25(2) No. 2 TDDDG (necessary for providing the requested service).
3.3 Local Network & Ableton Link (On-Device)
Where you use features that synchronize with other apps on your network (for example via Ableton Link), the app uses the local network as permitted by iOS. This is used for tempo/sync between apps on your LAN, not for uploading your projects to us.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and § 25(2) No. 2 TDDDG (necessary for providing the requested service).
3.4 Local App Data (Workspaces, Controls, Settings)
MIDI Controller stores layouts, workspace data, control mappings, and related settings locally on the device. This data is intended to remain on-device and is not continuously uploaded to servers we operate.
Legal basis: § 25(2) No. 2 TDDDG (necessary for providing the requested service).
3.5 Diagnostics & Crash Reporting (Apple)
Apple may collect diagnostic data and crash reports depending on your device settings. For App Store and iOS platform services (including diagnostics), Apple typically acts as an independent controller under its own privacy framework.
Depending on your settings, diagnostics may include:
- device model
- iOS / macOS version
- crash logs and stack traces
We do not receive personally identifiable crash data from Apple in a way that identifies you by name. Where Apple provides diagnostics to developers, it is typically provided in aggregated and/or pseudonymized form and is used to improve stability and fix bugs.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in ensuring technical stability, security, and error-free operation of the app.
3.6 Support Communication
If you contact us via email, we process your email address and message content to handle your request. Data subject requests under GDPR can also be submitted via info@mkgames.org.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in customer support) and, where applicable, Art. 6(1)(b) GDPR (contract-related inquiries).
3.7 External Links
The app may include links that open external websites (for example, Apple’s Standard EULA, legal information, or support pages). When you open an external link, you leave the app. The provider of the linked site is responsible for data processing on that site. We do not control and are not responsible for their content or privacy practices.
Depending on your device and network configuration, opening external links may result in the external provider receiving technical data (such as your IP address, device/browser information, referrer, and timestamp) as part of normal web delivery.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing required legal information and improving transparency).
3.8 TikTok for Business – App Events SDK (Measurement)
We integrate the TikTok for Business SDK (“TikTok Business / App Events SDK”) to measure the effectiveness of advertising campaigns and to send in-app events that help us understand conversions (for example when a user starts or maintains a subscription). TikTok processes data as described in its own policies and may act as a separate controller for certain processing tied to its advertising ecosystem.
Depending on your settings, OS version, and implementation, processing through TikTok may include, for example:
- App activity and app events (such as subscription-related events we configure)
- Device-related identifiers and technical information (such as device model, OS version, and similar metadata)
- Where you grant permission under Apple’s App Tracking Transparency framework, identifiers used for cross-app advertising measurement (such as IDFA) may be available to TikTok in line with your choice
- Network-related data such as IP address when the SDK communicates with TikTok services
- Privacy-preserving attribution signals where supported (for example SKAdNetwork-related data as allowed by Apple)
We configure the SDK to send specific standardized events relevant to our app (for example Subscribe in connection with qualifying subscription purchases). TikTok may combine received signals with other data in its systems for measurement, advertising delivery, and product improvement, as described in TikTok’s privacy documentation.
You may be able to limit certain tracking on your device via iOS privacy settings and by your ATT choice (where presented). Declining tracking does not block core MIDI features of the app; it may limit measurement quality for advertising.
Legal bases: Art. 6(1)(f) GDPR (legitimate interest in measuring marketing spend and understanding subscription performance), and—where applicable—Art. 6(1)(a) GDPR (consent, e.g., for ATT-gated identifiers where Apple requires consent).
TikTok Privacy Policy (please read the version applicable in your region): TikTok Privacy Policy · TikTok for Business / developer resources: TikTok for Business Help Center
3.9 Automated Decision-Making
No automated decision-making within the meaning of Art. 22 GDPR takes place in the app beyond standard platform/SDK processing.
Right to Object (Art. 21 GDPR)
Where processing is based on legitimate interests, you have the right to object at any time for reasons arising from your particular situation.
Contact: info@mkgames.org
4. Data We Do NOT Collect (Beyond the Above)
- We do not operate our own user-login database inside the app
- We do not upload your MIDI performances or workspace files to servers we operate for cloud backup (unless you use separate Apple or third-party features outside our control)
- We do not use Firebase Analytics, AppsFlyer, Mixpanel, or similar general-purpose analytics SDKs beyond TikTok measurement described above
- We do not integrate third-party crash reporting SDKs (e.g., Sentry, Crashlytics) in this policy’s scope—Apple’s diagnostics may still apply
- We do not require contacts, precise GPS location, health, or biometric data for app functionality
- We do not sell your personal data
iOS permissions (Bluetooth, local network, etc.) are used to enable features you actively use. TikTok measurement is described in Section 3.8.
5. Third-Party Services
- Apple – App Store purchases (StoreKit), platform services, optional diagnostics
- RevenueCat – subscription infrastructure and receipt validation (processor)
- TikTok (TikTok for Business / App Events SDK) – advertising and conversion measurement (separate privacy notices apply)
- External websites you open via links – e.g., Apple Standard EULA pages or legal/support pages
These providers process data under their own privacy frameworks and applicable data protection law.
Apple Privacy Policy: www.apple.com/legal/privacy
6. International Data Transfers
Apple, RevenueCat, and TikTok may process data on servers outside the EU/EEA, including in the United States and other countries. Transfers are based on appropriate safeguards where required under GDPR, such as Standard Contractual Clauses (Art. 46 GDPR), adequacy decisions where applicable, and/or other valid transfer mechanisms (for example the EU-U.S. Data Privacy Framework, where applicable).
- Apple Inc. (USA) – App Store / platform services
- RevenueCat, Inc. (USA) – subscription infrastructure
- TikTok group companies – measurement and advertising services (see TikTok’s policy for entity and transfer details)
External websites opened via links may also process data outside the EU/EEA depending on the provider.
7. Data Retention
- Support emails: up to 12 months, unless a longer retention is required to resolve a request or due to legal obligations
- Subscription data (RevenueCat/Apple): retained for the duration of the subscription lifecycle and as needed for entitlement validation, purchase restoration, system security, and fraud prevention
- TikTok measurement data: retained according to TikTok’s retention rules in its role as provider; we do not control TikTok’s internal retention periods
- Local app data (workspaces/settings): stored on-device until deleted by you or upon uninstall
Data may be retained longer where necessary to establish, exercise, or defend legal claims, or where statutory retention obligations apply.
8. Your Rights
You have rights under GDPR including access, rectification, erasure, restriction of processing, data portability, and the right to lodge a complaint with a supervisory authority.
Supervisory authority (Berlin):
Berliner Beauftragte für Datenschutz und Informationsfreiheit
www.datenschutz-berlin.de
For rights requests directed at TikTok’s processing, please also use the mechanisms described in TikTok’s privacy policy.
9. Children
The app is not directed to children under the age of 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children beyond what platform and SDK defaults may entail; please contact us if you believe a child has provided personal data inappropriately.
10. Security
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Access to any personal data is restricted to the extent necessary and protected using industry-standard safeguards. However, no method of transmission or storage is 100% secure.
11. Changes
This policy may be updated when the app (including SDK integrations such as TikTok), platform rules, or legal requirements change. The current version is available on our website and/or linked from the app where applicable.