Privacy Policy

Version 1.0 — March 23, 2026

This privacy policy explains how MONNINGHOFF Labs UG (haftungsbeschränkt) (“we”, “us”, “our”) collects, uses, and protects your personal data when you use the SNAB iOS app (iPhone, Apple Watch, Widget, Share Extension) and related services.

By default, personal data is processed in Germany and the European Union.

Transfers outside the European Union occur only where technically required for core functionality (e.g. Apple services) or when you explicitly enable features that involve external providers.

Further details on specific providers and safeguards are provided in Sections 9 (Cloud Storage), 13 (Data Processors), and 14 (International Data Transfers).


Contents

  1. Controller
  2. What SNAB Is
  3. Data at a Glance
  4. Data We Collect
  5. App Permissions
  6. AI and Machine Learning Processing
  7. Apple Watch
  8. Widget and Share Extension
  9. Cloud Storage
  10. Push Notifications
  11. Hosting and Infrastructure
  12. Data Security
  13. Data Processors
  14. International Data Transfers
  15. Data Retention
  16. Account Deletion
  17. Data Export
  18. Your Rights Under GDPR
  19. Children’s Privacy
  20. Do Not Track
  21. California Residents (CCPA/CPRA)
  22. Additional Rights by Region
  23. Cookies
  24. Legal Bases Summary
  25. Changes to This Privacy Policy
  26. Contact

1. Controller

MONNINGHOFF Labs UG (haftungsbeschränkt)
Wehrstr. 3
48151 Münster
Germany

Represented by: Chris Mönninghoff
Email: [email protected]
Court of Registration: Amtsgericht Münster, HRB 22312
VAT ID: DE451176103


2. What SNAB Is

SNAB is a mobile-first application for iOS (iPhone and Apple Watch), including a Widget and Share Extension.

The app is designed to process data primarily on the user’s device, where technically feasible. By default, personal data remains on the device unless a feature explicitly requires server-side processing or cloud storage.

SNAB allows users to capture and store information such as voice recordings, documents, images, and text. Based on user input, SNAB processes this data to generate structured outputs such as tasks, events, reminders, lists, and user-defined insights.

Processing may include automated analysis of content to identify relevant information (e.g. deadlines, action items, or categories).

SNAB is designed for users aged 13 and older.


3. Data at a Glance

Category | Where Stored | Shared with Third Parties?
Voice recordings, notes, scanned documents | On your device only | No
App settings, theme preferences | On your device only | No
User profile (Apple ID, display name) | Germany | No
Tasks, events, reminders, lists, insights | Germany | No
Audio/images for AI processing | Germany (deleted after processing) | No
Files on snab.cloud | EU (Frankfurt) | No
Email addresses | Germany | No
Payment information | Apple only (we never receive it) | N/A

4. Data We Collect

4.1 Account Data

We use Sign in with Apple exclusively. When you create an account, we receive:

  • Apple anonymous user ID
  • Apple private relay email address (or your real email, depending on your Apple settings)
  • Display name (as provided by Apple)
  • Device vendor ID (for device identification)

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

4.2 Content You Create

When you use SNAB, you create personal content including:

  • Voice memos and their transcriptions
  • Scanned documents and their OCR text
  • Photos imported for processing
  • Notes, tasks, events, reminders, and lists
  • Insights — observations, ideas, decisions, rules, questions, focus areas, mistakes, and anti-goals

Content is stored on your device. When you use server-side features (transcription, OCR, extraction, cloud storage), relevant data is transmitted to our servers in Germany for processing.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

4.3 Processing Logs

Processing logs may include technical metadata (e.g. timestamps, processing duration, error codes). We do not store full content unless necessary for debugging specific issues, and access is restricted. These logs are not shared with third parties.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining service quality.

4.4 Email Data

  • Inbound email capture: Each user receives a personal email address. We store verified sender addresses.
  • Newsletter: Email address and subscription date. Double opt-in verification required.
  • Transactional emails: Delivery metadata retained for up to 30 days.

Legal basis: Art. 6(1)(b) GDPR for email features; Art. 6(1)(a) GDPR (consent) for newsletter.

4.5 Subscription and Payment Data

All payments are handled exclusively through Apple (In-App Purchases). We receive transaction IDs, product IDs, and subscription dates. We never receive your payment details (credit card, bank account, billing address).

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

4.6 Referral Data

If you participate in the referral program, we store invite codes, user IDs, reward amounts, and IP address/device information for fraud prevention.

Legal basis: Art. 6(1)(b) GDPR for referral processing; Art. 6(1)(f) GDPR for fraud prevention.

4.7 Feedback and Extraction Feedback Data

When you submit feedback, we store your messages and optional screenshots. When you correct, accept, or reject an AI-extracted action, we store the original extraction, your correction, and the reason for the change. We use this feedback solely to improve our extraction prompts — we do not use it to train or fine-tune AI models, and we do not share it with third parties.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in improving service quality.

4.8 Technical Data

For service operation, we process push notification device tokens, storage usage, rate limit counters, and server access logs (retained for 7 days).

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in service security and stability.

4.9 Data We Do NOT Collect

We do not access or process the following categories of data:

  • Location data
  • Contacts or address book
  • Calendar data
  • Health or fitness data
  • Biometric data

We use no analytics SDKs, no advertising frameworks, and no tracking technologies.


5. App Permissions

SNAB requests the following device permissions, each only when needed:

Permission | Purpose | Required?
Microphone | Recording voice memos for transcription | Only for voice features
Camera | Scanning documents for OCR | Only for scan features
Photo Library | Importing images for OCR processing | Only for import features
Speech Recognition | On-device transcription (paid users, offline mode) | Optional
Push Notifications | Delivering reminders, event alerts, task notifications | Optional

Free users require an internet connection for transcription and OCR, as these are processed on our servers. Paid users can additionally use on-device transcription (Apple Speech Recognition) and on-device OCR (Apple Vision) for offline use.


6. AI and Machine Learning Processing

All AI processing runs on our own servers in Germany. No personal data is sent to external AI providers by default. AI processing is limited to the specific content required for the requested feature.

6.1 Speech-to-Text (Transcription)

Your audio file is uploaded to our servers in Germany, transcribed, and the audio file is deleted immediately after processing, or within a short retention window required for processing stability. No data is sent to OpenAI, Apple, or any third party. Paid users can alternatively use Apple’s on-device speech recognition for offline transcription — in that case, audio never leaves your device.

6.2 Optical Character Recognition (OCR)

Your image is uploaded to our servers in Germany, text is extracted, and the image is deleted immediately after processing, or within a short retention window required for processing stability. No data is sent to any third party. Paid users can alternatively use Apple’s on-device Vision framework for offline OCR — in that case, the image never leaves your device.

6.3 Action and Insight Extraction

Your transcription or OCR text is analyzed on our servers in Germany to extract tasks, events, reminders, lists, and insights. All processing stays within our German infrastructure. No data is sent to any external AI provider.

6.4 No AI Training on Your Content

We do not use your content to train AI models. Your voice memos, documents, texts, tasks, insights, and other personal content are never used to train, fine-tune, or improve any machine learning model — neither ours nor any third party’s. Your content is processed solely to provide the service to you.

We do use anonymized, aggregated extraction feedback (e.g., “the AI incorrectly classified this as a task”) to improve our extraction prompts. This is a manual quality improvement process, not automated model training.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

6.5 Planned: Premium AI Option (not yet active)

We plan to offer an optional premium extraction feature using an external AI provider (servers in the USA). This feature:

  • Is not currently active
  • Will require explicit opt-in before any data is sent
  • Will be clearly marked in the app
  • Safeguards: EU-US Data Privacy Framework, Standard Contractual Clauses (Art. 46(2)(c) GDPR)

We will update this privacy policy before launching this feature.


7. Apple Watch

The SNAB Apple Watch app records voice memos via the microphone and transfers audio files to your paired iPhone for processing. Metadata (device model, recording duration, timestamp) is included in the transfer. Audio is deleted from the Watch after successful transfer.

The Watch app does not collect health data, location, contacts, or biometric data.


8. Widget and Share Extension

Widget: No data collection, no network requests. Opens the main app via deep links only.

Share Extension: Processes files you explicitly share (max 10 files, max 50 MB each). Files are stored temporarily on your device. The extension makes no network requests — the main app handles all processing.


9. Cloud Storage

9.1 snab.cloud

snab.cloud is SNAB’s own integrated storage service, hosted on Cloudflare R2 in the EU (Frankfurt). It is designed exclusively for storing your SNAB content (voice memos, scans, documents, exports) — it is not a general-purpose cloud storage or backup service.

All users receive snab.cloud storage included with their tier. Additional storage can be purchased as add-ons. Files are encrypted at rest (AES-256).

9.2 External Cloud Providers (Opt-In Only)

Paid users can optionally connect external cloud storage providers. When you connect a provider, we store your OAuth token on our servers to access your storage on your behalf. You can disconnect at any time, which revokes our access and deletes the stored token.

SNAB creates a dedicated folder (e.g., /SNAB/) on your connected cloud provider. Within this folder, SNAB can create, read, update, move, and delete files and subfolders on your behalf. You can also offload large files (e.g., scans, recordings) to your cloud provider — the file remains on your iPhone and is additionally copied to your cloud storage.

Provider | Location | Safeguards
Google Drive (Google LLC) | USA | EU-US Data Privacy Framework, SCCs
Dropbox (Dropbox, Inc.) | USA | EU-US Data Privacy Framework, SCCs
OneDrive (Microsoft Corp.) | USA | EU-US Data Privacy Framework, SCCs
iCloud Drive (Apple) | Via iOS — no data sent to our servers | N/A

We only access the SNAB folder and its contents — we do not read, modify, or access any other files in your cloud storage.

Legal basis: Art. 6(1)(a) GDPR — your explicit consent when connecting a provider.


10. Push Notifications

We use Apple Push Notification service (APNs) to deliver reminders, event alerts, and task notifications. Your device token is registered with our server. No third-party push service is used.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.


11. Hosting and Infrastructure

All servers are located in Germany. Cloud storage (snab.cloud) is hosted in the EU (Frankfurt). We use Hetzner Online GmbH for server hosting, Cloudflare for DNS, CDN, and object storage, and Amazon Web Services (Frankfurt) for transactional email delivery.

For details on each processor, see Section 13.


12. Data Security

We implement the following measures to protect your data:

  • Encryption in transit: TLS 1.2+ for all connections
  • Encryption at rest: AES-256 for cloud-stored files
  • Authentication: Secure API tokens; OAuth 2.0 for Sign in with Apple
  • Email security: DKIM, SPF, and DMARC for all outgoing emails
  • On-device protection: iOS Data Protection for locally stored data
  • Database: Replicated for redundancy
  • Access control: Firewalled servers, time-limited signed URLs for file access

13. Data Processors (Art. 28 GDPR)

We use the following data processors, each bound by a Data Processing Agreement:

Hetzner Online GmbH

Industriestr. 25
91710 Gunzenhausen
Germany
Purpose: Server hosting (API, database, AI processing, monitoring)
Location: Germany

Cloudflare, Inc.

101 Townsend St
San Francisco, CA 94107
USA
Purpose: DNS, CDN, DDoS protection, object storage (snab.cloud)
Location: EU (Frankfurt) for storage. Cloudflare may process limited request metadata via its global edge network to deliver content efficiently.
Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses

netcup GmbH

Daimlerstr. 25
76185 Karlsruhe
Germany
Purpose: Email server hosting (Mailcow — newsletter, inbound/outbound email delivery), website hosting
Location: Germany

Amazon Web Services EMEA SARL

38 Avenue John F. Kennedy
L-1855 Luxembourg
Purpose: Transactional email delivery (verification, reminders)
Location: Frankfurt (eu-central-1)
Safeguards: AWS Data Processing Addendum, EU Standard Contractual Clauses

Apple Inc.

One Apple Park Way
Cupertino, CA 95014
USA
Purpose: Authentication, push notifications, payment processing
Safeguards: EU-US Data Privacy Framework

Google LLC (only when you connect Google Drive)

1600 Amphitheatre Parkway
Mountain View, CA 94043
USA
Purpose: Cloud storage integration
Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses

Dropbox, Inc. (only when you connect Dropbox)

1800 Owens Street
San Francisco, CA 94158
USA
Purpose: Cloud storage integration
Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses

Microsoft Corporation (only when you connect OneDrive)

One Microsoft Way
Redmond, WA 98052
USA
Purpose: Cloud storage integration
Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses

ipapi.co (Kloudend, Inc.)

Purpose: IP-based geolocation for language detection (country code only). Used to suggest the appropriate language version of the website and to determine the preferred language for email communications (newsletter, transactional emails, email sequences), including when subscribed from within the app. The country code is stored with the user profile to ensure emails are delivered in the correct language.
Safeguards: Only the country code from the response is used. No IP addresses are stored on our servers.


14. International Data Transfers

Default: All data is processed in Germany and the EU.

Transfers outside the EU occur only in these cases:

  1. Apple services (Sign in with Apple, APNs, StoreKit) — required for app functionality. Safeguard: EU-US Data Privacy Framework.
  2. Cloud storage integrations (Google Drive, Dropbox, OneDrive) — only when you explicitly connect a provider. Safeguard: EU-US Data Privacy Framework + Standard Contractual Clauses.
  3. Cloudflare CDN — storage is EU-only. CDN edge servers may process website requests at global points of presence. Safeguard: EU-US Data Privacy Framework + Standard Contractual Clauses.
  4. Future premium AI extraction — not yet active. Will be opt-in only.

Legal basis: Art. 45 GDPR (adequacy decision) and Art. 46(2)(c) GDPR (Standard Contractual Clauses).


15. Data Retention

Data | Retention Period
Local app data | Until you delete it
User account and profile | Until account deletion
Audio files (sent for transcription) | Deleted immediately after processing, or within a short retention window required for processing stability
Images (sent for OCR) | Deleted immediately after processing, or within a short retention window required for processing stability
Processing logs | Maximum 12 months or until account deletion, whichever is sooner
Insight items | Until you delete them or delete your account
Files on snab.cloud | Until you delete them or delete your account
Email delivery logs | Maximum 30 days
Server access logs | 7 days
Referral data | 90 days after invite expiry
Newsletter subscription | Until you unsubscribe
Soft-deleted items (trash) | 7 days, then permanently deleted
Feedback data | Until account deletion

16. Account Deletion

You can delete your account at any time from the app settings. Account deletion permanently removes all your data from our servers, including your profile, all content, files, logs, and subscriptions. External cloud provider tokens are revoked immediately.

Deletion is irreversible, typically completed immediately, and at the latest within 30 days.


17. Data Export

You can export all your data from the app settings in a machine-readable format (JSON). This fulfills your right to data portability under Art. 20 GDPR.


18. Your Rights Under GDPR

Right | Article
Access | Art. 15 GDPR
Rectification | Art. 16 GDPR
Erasure | Art. 17 GDPR
Restriction | Art. 18 GDPR
Data Portability | Art. 20 GDPR
Objection | Art. 21 GDPR
Withdraw Consent | Art. 7(3) GDPR

To exercise any of these rights, contact us at [email protected]. We will respond within one month (Art. 12(3) GDPR).

Right to Lodge a Complaint

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
www.ldi.nrw.de


19. Children’s Privacy

SNAB is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact us at [email protected] and we will promptly delete it. This applies globally, including under the U.S. Children’s Online Privacy Protection Act (COPPA).


20. Do Not Track

Some browsers transmit “Do Not Track” (DNT) signals. Since we do not use tracking technologies, advertising cookies, or analytics that track you across websites, your DNT preference is respected by default — there is nothing to disable.


21. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to Know: You may request what personal information we collect, use, and disclose.
  • Right to Delete: You may request deletion of your personal information.
  • Right to Opt-Out of Sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at [email protected].

Categories of personal information collected: Identifiers (Apple ID, email), internet activity (server logs), commercial information (subscription status), audio data (voice memos, temporarily processed). See Section 4 for details.

We do not sell or share personal information as defined under CCPA/CPRA.


22. Additional Rights by Region

United Kingdom

If you are located in the UK, your data is protected under the UK GDPR and the Data Protection Act 2018. Your rights under Section 18 of this policy apply equally under UK law. The relevant supervisory authority is the Information Commissioner’s Office (ICO), ico.org.uk.

Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, delete, and port your data. To exercise these rights, contact us at [email protected].

Canada (PIPEDA)

If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access and correct your personal information. Contact us at [email protected].

India (DPDPA)

If you are located in India, your rights under the Digital Personal Data Protection Act 2023 (DPDPA) are respected. You may access, correct, and request deletion of your personal data by contacting us at [email protected].

Other Jurisdictions

If you are located in a jurisdiction with local data protection laws (including but not limited to Australia, New Zealand, South Korea, Japan, Singapore, Thailand, or South Africa), we comply with applicable requirements. You may exercise your rights under your local law by contacting us at [email protected].


23. Cookies

Our website (snab.app) uses only technically necessary cookies. We do not use analytics, advertising, or third-party tracking cookies. For details, see our Cookie Policy.


24. Legal Bases Summary

Processing Activity | Legal Basis
Account creation and management | Art. 6(1)(b) — Contract performance
Content processing (STT, OCR, extraction) | Art. 6(1)(b) — Contract performance
Cloud storage (snab.cloud) | Art. 6(1)(b) — Contract performance
Push notifications | Art. 6(1)(b) — Contract performance
Subscription management | Art. 6(1)(b) — Contract performance
Email features | Art. 6(1)(b) — Contract performance
External cloud integrations | Art. 6(1)(a) — Consent
Newsletter | Art. 6(1)(a) — Consent
Processing logs | Art. 6(1)(f) — Legitimate interest
Server logs and security | Art. 6(1)(f) — Legitimate interest
Fraud prevention (referrals) | Art. 6(1)(f) — Legitimate interest

25. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our services or legal requirements. Material changes will be communicated via the app or email before they take effect.

The current version is always available at snab.app/legal/privacy.


26. Contact

MONNINGHOFF Labs UG (haftungsbeschränkt)
Wehrstr. 3
48151 Münster
Germany
Email: [email protected]


Münster, March 23, 2026