Privacy Policy
As of: 25 June 2026
Unofficial translation. This is a convenience translation. The legally binding version is the German original (
datenschutz.md); in case of any discrepancy, the German version prevails. Draft — pending legal review.
1. Controllers
The controllers within the meaning of the Swiss Data Protection Act (FADP) are (simple partnership):
yuKast – Dennis Wilsmann & Mate Kurtin c/o [PLACEHOLDER: provider, street no., postcode city — c/o domicile address] E-mail: legal@yukast.com
For privacy enquiries: privacy@yukast.com
2. Scope
This policy follows the revised Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023) and the Data Protection Ordinance (DPO).
3. What personal data we process
We process personal data in accordance with the principles of good faith, proportionality, purpose limitation and transparency (Art. 6 FADP). We obtain consent wherever the law or the feature requires it.
3.1 Account and authentication
- Data: e-mail address, chosen username, sign-in/session tokens.
- Purpose: providing the user account, sign-in/sign-out, attribution of your contributions.
- Processor: Supabase (authentication + database), see section 4.
3.2 Location data
- Data: geo-coordinates (latitude/longitude) at the time of a contribution; approximate location to show contributions near you.
- Purpose: core feature — contributions are geo-located and shown by proximity.
- Consent: you control location sharing via your device permissions and can revoke it there at any time.
3.3 Photo and video uploads
- Data: images/videos you capture or select (including audio track for videos) and associated metadata (e.g. capture source, device model).
- Purpose: publishing your contributions.
- Storage: Amazon Web Services (AWS S3), Frankfurt region
(
eu-central-1), see section 4.
3.4 AI-assisted analysis of media
- Data: every uploaded image/video is analysed automatically.
- Purpose: automatic scene description, tagging (search) and moderation checks (detection of impermissible content).
- Recipient: Anthropic (the "Claude" model) — content is transmitted to Anthropic for analysis. Disclosure abroad (USA), see section 5.
3.5 Map display
- Data: when you use the map view, map tiles are loaded from Google (Google thereby processes technical connection data, e.g. IP address).
- Purpose: displaying the map.
- Recipient: Google (Google Maps), see section 4/5.
3.6 Push notifications
- Data: device push token.
- Purpose: sending notifications (e.g. activity near you), only if you enable push.
- Recipient: Google Firebase Cloud Messaging, see section 4/5.
- Consent: via enabling it; revocable at any time in the settings.
3.7 Error and crash diagnostics
- Data: technical diagnostic data (error messages, device/app info).
- Purpose: stability and troubleshooting.
- Recipient: Sentry, see section 4/5.
4. Disclosure to third parties / processors
| Service | Provider | Purpose | Seat/Region |
|---|---|---|---|
| Supabase | Supabase Inc. | Auth + database | EU (AWS eu-central-1 / eu-west-1) |
| AWS S3 | Amazon Web Services | Media storage | EU (eu-central-1, Frankfurt) |
| Claude | Anthropic PBC | AI analysis of media | USA |
| Google Maps | Map display | USA / EU | |
| Firebase Cloud Messaging | Push notifications | USA / EU | |
| Sentry | Functional Software, Inc. | Error diagnostics | USA (EU region available) |
We have corresponding contracts for processing on our behalf (Art. 9 FADP) in place with our processors.
5. Disclosure abroad
Some services process data in the USA or outside Switzerland. Since 15 September 2024 the Federal Council recognises the Swiss–U.S. Data Privacy Framework (Swiss-U.S. DPF): transfers to US companies certified under it enjoy adequate protection. Where a service is not DPF-certified, we base the transfer on the Standard Contractual Clauses (SCC) recognised by the FDPIC (Art. 16 et seq. FADP).
| Service | Safeguard for the disclosure abroad |
|---|---|
| Google (Maps, FCM) | Swiss-U.S. DPF + SCC |
| AWS (S3, Frankfurt) | Storage in the EU; Swiss-U.S. DPF + Swiss addendum with SCC |
| Sentry | Swiss-U.S. DPF + SCC |
| Anthropic (Claude) | EU-U.S. DPF + Standard Contractual Clauses (in the DPA) |
| Supabase | Hosting in the EU; EU Standard Contractual Clauses (2021/914) in the DPA |
6. Retention
- Account data: for the duration of the account.
- Contributions/media: until deleted by you or by moderation. After deletion, content is first hidden (soft delete) and the associated media files are permanently removed from storage after 30 days.
- On account deletion, your content is deleted/anonymised and the auth account is removed.
7. Your rights
Under the FADP you have in particular the right to information (Art. 25 FADP), rectification (Art. 32 FADP), deletion or destruction of your personal data, and to data release/portability (Art. 28 FADP). You may withdraw consent-based processing at any time with effect for the future.
You can delete your account directly in the app. For other requests: privacy@yukast.com.
8. Federal Data Protection and Information Commissioner (FDPIC)
You may contact the FDPIC (www.edoeb.admin.ch). You may also assert civil-law claims before the competent courts.
9. Contact
Dennis Wilsmann & Mate Kurtin · legal@yukast.com