Privacy Policy

1. Data Controller

Tim Kaltenbrunner
Schönauring 58
8052 Zürich
Switzerland
Email: tim.kaltenbrunner@gmail.com

2. What Data Is Collected?

Baby Monitor Timmy collects as little data as technically possible. Specifically:

• Firebase Anonymous Auth UID — An automatically generated, temporary identifier. It contains no personal data (no name, no email, no password).
• Firestore session data — SDP offers and answers as well as ICE candidates. These are purely technical connection data required to establish the WebRTC connection. SDP/ICE data is removed from Firestore immediately after the WebRTC connection is established. The session record itself (anonymised and encrypted connection metadata) is fully deleted within 24 hours at most.
• Pairing codes — Temporary 4-character codes for pairing two devices. The pairing code itself is never transmitted to any server and never leaves the device. Only a cryptographic hash (SHA-256) of the code is used as a Firestore document identifier. The hash cannot be reversed to reveal the original code. Pairing documents are deleted within 24 hours at most.

3. What Data Is NOT Collected?

Baby Monitor Timmy was deliberately designed to process as little personal data as possible:

• No audio or video data on servers — All audio and video transmission occurs directly between devices (peer-to-peer via WebRTC). No server listens in or records.
• No email addresses, no passwords — The app uses exclusively anonymous authentication.
• No location data — No location data is collected or stored.
• No cookies — The app and website do not use cookies.
• No tracking, no analytics — No analytics services, tracking pixels, or advertising networks are used.
• No advertising IDs — The app does not access advertising IDs.

4. Legal Basis

The Swiss Federal Act on Data Protection (DSG) applies as the primary law. For users in the EU/EEA, the General Data Protection Regulation (GDPR) applies additionally.

The processing of data described in Section 2 is based on:

• Art. 31(1) DSG (Legitimate interest) / Art. 6(1)(b) GDPR (Performance of a contract) — The technical connection data is necessary to provide the app's functionality.
• Art. 31(1) DSG (Legitimate interest) / Art. 6(1)(f) GDPR (Legitimate interest) — Anonymous authentication serves the legitimate interest of protecting the app from misuse.

5. Payment Processing (Subscription)

Baby Monitor Timmy is offered as a paid subscription via the Google Play Store or Apple App Store. Payment processing is handled entirely by the respective app store. We receive no payment data (e.g., credit card numbers, bank details). We only receive a confirmation of the subscription status (active/inactive), which contains no personally identifiable payment information.

Information about data processing by the respective app store can be found here:

• Google Play: policies.google.com/privacy
• Apple: apple.com/legal/privacy

6. Third Parties

Google Firebase

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Services: Firebase Authentication (anonymous), Cloud Firestore, Firebase Hosting.
Privacy: firebase.google.com/support/privacy
Third-country transfer: USA. EU Commission Standard Contractual Clauses (SCCs) and the Swiss-US Data Privacy Framework apply.

Cloudflare

Provider: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA.
Service: TURN relay server (Cloudflare Calls) for the WebRTC connection.
Only encrypted WebRTC traffic is relayed. Cloudflare has no access to the content of the communication (audio/video).
Privacy: cloudflare.com/privacypolicy
Third-country transfer: USA. EU Commission Standard Contractual Clauses and the Swiss-US Data Privacy Framework apply.

7. Data Retention

• Session data (SDP, ICE candidates, pairing codes): SDP and ICE data is deleted immediately after the connection is established. Anonymised, encrypted session metadata is fully deleted within 24 hours at most.
• Anonymous Auth UIDs: Short-lived and expire automatically. They contain no personal information.

8. Your Rights

Under the Swiss DSG (Art. 25–29) and, for EU/EEA users, the GDPR, you have the following rights at any time regarding your personal data:

• Access (Art. 25 DSG / Art. 15 GDPR) — You may request information about the data processed about you.
• Rectification (Art. 32(1) DSG / Art. 16 GDPR) — You may request the correction of inaccurate data.
• Erasure (Art. 32(2)(c) DSG / Art. 17 GDPR) — You may request the deletion of your data.
• Restriction of processing (Art. 18 GDPR) — You may request the restriction of processing (GDPR only).
• Data portability (Art. 28 DSG / Art. 20 GDPR) — You may receive your data in a commonly used format.
• Objection (Art. 21 GDPR) — You may object to the processing (GDPR only).
• Complaint to a supervisory authority — In Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch. In the EU/EEA, you may lodge a complaint with your local data protection supervisory authority.

9. Applicable Law

The Swiss Federal Act on Data Protection (DSG) applies to the processing of personal data through this app and website. For users in the EU/EEA, the General Data Protection Regulation (GDPR) applies additionally.

10. Hosting

This website is hosted via Firebase Hosting by Google. The app itself does not collect server logs. Information about data protection at Firebase Hosting can be found at firebase.google.com/support/privacy.