Privacy Policy — Crystal AI

Crystal AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our mobile application Crystal AI (the "App").

By using the App, you agree to the collection and use of information in accordance with this policy.

1. Who We Are

Crystal AI is operated by Leander Johannes Kahrens, based in Braunschweig, Germany. For any privacy-related inquiries, please contact us at:

Email: crystalaiapp@protonmail.com
Address: Kalandstr. 9, 38118 Braunschweig

Under the EU General Data Protection Regulation (GDPR), we are the data controller for the personal data we process through the App.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address (if you sign up with email)
• Display name (if provided)
• Apple ID or Google account identifier (if you use Sign in with Apple or Google)

This data is processed through Firebase Authentication (provided by Google LLC) to create and manage your account.

2.2 Subscription and Purchase Data

When you subscribe to Crystal AI Premium, your purchase is processed by Apple through the App Store. We use RevenueCat, Inc. as our subscription management platform. RevenueCat receives:

• An anonymous user identifier linked to your account
• Subscription status (active, expired, or canceled)
• Purchase receipts from Apple

We do not receive or store your payment method details (credit card number, bank information). All payment processing is handled by Apple.

2.3 Crystal Identification Photos

When you use the crystal identification feature, photos you take or upload are sent to our AI service provider (Google Gemini via OpenRouter) for analysis. These photos are:

• Sent securely over encrypted connections
• Used solely to generate your crystal identification result
• Not stored permanently on our servers or by our AI providers after processing
• Not used to train AI models

We do not save, share, or sell your photos.

2.4 AI Chat Messages

When you use the AI chat feature, your messages are sent to our AI service provider (Google Gemini via OpenRouter) for processing. Your messages are:

• Used solely to generate a response to your query
• Not stored permanently by us or our AI providers after processing
• Not used to train AI models
• Not reviewed by any human

2.5 Usage Data

We may collect anonymous usage data to improve the App, including:

• Features used and frequency of use
• App crashes and error reports
• Device type and operating system version
• General geographic region (country level)

This data is collected in aggregate and cannot be used to identify you personally.

2.6 Local Device Data

The App stores certain data locally on your device, including:

• Your crystal collection and notes
• Free message usage counter
• App preferences and settings

This data remains on your device and is not transmitted to us unless you choose to sync it.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the App
• Process your account registration and authentication
• Manage your Premium subscription status
• Process crystal identification requests
• Respond to your AI chat queries
• Send important service-related notifications
• Analyze anonymous usage trends to improve the App
• Comply with legal obligations

We do not use your personal data for advertising purposes. We do not sell your data to third parties.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

• Contract Performance (Article 6(1)(b)): Processing your account data and subscription information is necessary to provide you with the App's services.
• Legitimate Interests (Article 6(1)(f)): We process anonymous usage data to improve our App and ensure its stability and security.
• Consent (Article 6(1)(a)): Where required, we obtain your consent before processing (for example, for optional analytics). You may withdraw consent at any time.
• Legal Obligation (Article 6(1)(c)): We may process data where required by law.

5. Third-Party Services

We use the following third-party services to operate the App:

5.1 Firebase Authentication (Google LLC)

Purpose: User account creation and sign-in
Data shared: Email address, authentication tokens
Privacy Policy: https://firebase.google.com/support/privacy

5.2 RevenueCat, Inc.

Purpose: Subscription management and purchase validation
Data shared: Anonymous user ID, subscription status, purchase receipts
Privacy Policy: https://www.revenuecat.com/privacy

5.3 OpenRouter / Google Gemini

Purpose: AI crystal identification and chat responses
Data shared: Chat messages, crystal photos (temporarily, for processing only)
Privacy Policy: https://openrouter.ai/privacy

These providers are contractually obligated to process your data only as instructed by us and in accordance with applicable data protection laws.

6. International Data Transfers

Some of our third-party service providers are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission where applicable
• Provider certifications under recognized frameworks

You may contact us for more information about the specific safeguards applied to international data transfers.

7. Data Retention

• Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
• Subscription data: Retained for as long as required by tax and accounting regulations (typically up to 10 years for financial records in Germany).
• Crystal photos: Not stored after identification processing is complete.
• Chat messages: Not stored after response processing is complete.
• Usage data: Retained in anonymous, aggregated form indefinitely.

8. Your Rights (GDPR)

As a resident of the European Economic Area, you have the following rights:

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request that we correct inaccurate or incomplete personal data.
• Right to Erasure: You may request that we delete your personal data, subject to legal retention requirements.
• Right to Restriction: You may request that we restrict the processing of your personal data under certain circumstances.
• Right to Data Portability: You may request to receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object: You may object to the processing of your personal data based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing performed before withdrawal.

To exercise any of these rights, contact us at crystalappai@protonmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. For Germany:
Die Landesbeauftragte für den Datenschutz Niedersachsen
https://www.lfd.niedersachsen.de

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted data transmission (TLS/SSL) for all network communications
• Secure authentication through Firebase Auth
• No permanent storage of photos or chat messages on our servers
• Regular review of our data processing practices

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Children's Privacy

The App is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at crystalappai@protonmail.com.

11. Health and Wellness Disclaimer

Crystal AI provides information about crystals and their traditionally attributed properties for educational and entertainment purposes only. The App does not provide medical advice, diagnoses, or treatment recommendations. Crystal healing is a complementary practice and should not replace professional medical care. Always consult a qualified healthcare provider for medical concerns.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App with a new "Last Updated" date. Your continued use of the App after changes are posted constitutes your acceptance of the revised policy.

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: crystalaiapp@protonmail.com
Address: Kalandstr. 9, 38118 Braunschweig

For GDPR-specific inquiries, you may also contact our data protection point of contact at the email address above.