Preamble
Steffen Knoedler, Rothschildallee 41 - 60389 Frankfurt am Main - Germany, ("Provider") respects and protects your personal data.
The following Privacy Policy is intended to provide you with more detailed information about the collection, processing and use of data in connection with PublicCommit offered as a web application.
The Provider collects, processes and uses personal data exclusively in accordance with the applicable legal regulations. Therefore, the high data protection level of the General Data Protection Regulation ("GDPR") applies.
1. Scope of Application
1.1 This Privacy Policy is intended for all users of PublicCommit ("Users"). If certain services or individual apps of Provider have a different data protection declaration, such declaration shall apply.
1.2 The scope of this Privacy Policy does not include services and offers of third parties that may be referred to in PublicCommit by so-called links. Provider neither assumes responsibility for their content nor for compliance with data protection regulations by these third parties, unless otherwise stated in the privacy policy of the linked content. This applies, for example, to links via which social networks such as Facebook or chat apps such as WhatsApp can be accessed, and to links in advertisements that are used. For information on the handling of the User's personal data and their respective protection on these platforms, please refer to the privacy statement on the respective platform.
2. Accessing the web application
PublicCommit is a web-based application accessed through your web browser. When you access PublicCommit, your browser automatically transmits certain information to our servers, including your IP address, browser type and version, operating system, referrer URL, date and time of access, and pages visited. This information is collected automatically through standard web server logs and is necessary for the technical operation of the service.
The collection of this technical data is based on Article 6 (1) sentence 1 lit. f) GDPR, whereby our legitimate interest is the proper technical operation and security of our web application. This data may also be processed to the extent necessary for the fulfillment of our contract with you, based on Article 6 (1) sentence 1 lit. b) GDPR.
3. Collection, processing and use of data when using PublicCommit
3.1 When you start and use PublicCommit, a connection may be automatically established to the servers used by us in order to retrieve current content. Information that your device transmits to us is logged in the process. This includes the IP address of the device you are using, data on the operating system used as well as the version, date and time (including time zone) of the respective access to the contents as well as the information on which specific contents have been requested. In addition, the Provider may collect and process personal data in order to fulfil its contractual obligations with the User, e.g. to create the User's user profile. This data may include name and IP address and data identifying the User's device.
3.2 Provider collects and processes these data in order to provide PublicCommit and the respective current content. The provision of this data is not required by law, but is necessary for the conclusion of the user contract and the associated service by Provider. The User may voluntarily provide Provider with further data with respect to the offer. The basis of this data processing for the fulfillment of contractual obligations is Article 6 (1) sentence 1 lit. b) GDPR.
4. Commitment and Goal Tracking
4.1 PublicCommit allows you to create financial commitments and track your progress toward goals. When you create a commitment, the app collects and processes information you provide, including commitment amounts, descriptions, deadlines, progress updates, and any other information you choose to enter. This data is stored on our servers to provide the core functionality of the service.
4.2 Information about your commitments, payment history, and progress is processed to provide you with tracking features, reminders, and statistics. This may include calculating streaks, completion rates, and other metrics to help you track your goals. The legal basis for this processing is Article 6 (1) sentence 1 lit. b) GDPR, as it is necessary for the provision of the contractual services.
5. Social and Sharing Features
5.1 PublicCommit offers features that allow you to share commitments with friends, family members, or accountability partners. When you use these features, you may choose to share information about your commitments, including commitment descriptions, amounts, and progress updates, with specific other users.
5.2 When you invite someone to be an accountability partner or share a commitment, we collect and process the email address you provide for the recipient. We use this email address to send an invitation on your behalf. The recipient's email address is processed based on your consent and our legitimate interest in facilitating the sharing features (Article 6 (1) sentence 1 lit. a) and f) GDPR).
5.3 Information shared with other users becomes visible to those users and may include your name, profile information, and commitment details you choose to share. You control what information you share through the app's privacy settings. Once you share information with another user, that user may retain access to that information even if you later modify your sharing settings, though you can revoke ongoing sharing access at any time.
6. Email Communications
6.1 PublicCommit sends email notifications and communications to help you stay on track with your commitments. We use Resend, a third-party email delivery service, to send these emails. Resend processes your email address and the content of emails sent on our behalf.
6.2 Types of emails we may send include: (a) commitment reminders and deadline notifications; (b) progress updates and milestone achievements; (c) accountability partner notifications when you share commitments; (d) account-related emails such as password resets and security notifications; (e) service updates and important announcements. You can control your email notification preferences in your account settings, though some account-related emails cannot be disabled.
6.3 The legal basis for sending emails is Article 6 (1) sentence 1 lit. b) GDPR for emails necessary to provide the service (such as commitment reminders you've set up and account security emails), and Article 6 (1) sentence 1 lit. a) GDPR for optional notification emails where you have provided consent through your notification settings.
6.4 Resend acts as a data processor on our behalf. Information about Resend's data processing practices can be found at https://resend.com/legal/privacy-policy. Email data is stored by Resend only for the time necessary to deliver the emails and maintain delivery logs.
7. Calendar Export
7.1 PublicCommit allows you to export your commitments and deadlines to calendar applications (such as Google Calendar, Apple Calendar, or Outlook) using the iCalendar (.ics) format. When you use this feature, PublicCommit generates a calendar file containing information about your commitments, including titles, descriptions, and deadlines.
7.2 Calendar files are generated on-demand when you request an export. The calendar file contains only information you have entered into PublicCommit and is provided directly to you for import into your calendar application of choice. We do not transmit calendar data directly to third-party calendar services; you maintain control over what calendar data you choose to import.
7.3 If you enable calendar synchronization features, PublicCommit may generate a unique calendar feed URL that your calendar application can use to automatically sync your commitments. This URL contains a unique identifier and should be kept confidential. You can revoke calendar feed access at any time through your account settings.
7.4 The legal basis for calendar export functionality is Article 6 (1) sentence 1 lit. b) GDPR, as this feature is part of the contractual services provided by PublicCommit to help you track and manage your commitments.
8. Payment Processing via Stripe
8.1 PublicCommit uses Stripe for processing payments related to commitment enforcement and optional premium features. Stripe is a third-party payment processor operated by Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA, with EU operations handled by Stripe Payments Europe, Ltd.
8.2 When you make a payment through PublicCommit or add a payment method for commitment enforcement, Stripe collects and processes your payment information, including credit card numbers, bank account details (depending on payment method), billing address, and transaction details. The Provider does not have access to your complete payment card numbers or bank account details. We receive only limited information such as the last four digits of your card, card brand, expiration date, and transaction status.
8.3 Stripe processes payment data as a data controller for certain purposes (such as fraud prevention) and as a data processor on our behalf for processing payments. Information about Stripe's data processing practices can be found in Stripe's privacy policy at https://stripe.com/privacy.
8.4 For commitment enforcement features where you authorize PublicCommit to charge your payment method if you fail to meet a commitment, we store a payment method token provided by Stripe (not your actual payment card details). This token allows us to process charges in accordance with the terms you agree to when setting up the commitment. You can remove stored payment methods at any time through your account settings.
8.5 The legal basis for payment processing is Article 6 (1) sentence 1 lit. b) GDPR, as payment processing is necessary for the performance of the contract between you and the Provider. For commitment enforcement features, processing is additionally based on the specific authorization you provide when setting up a commitment with financial stakes.
8.6 Stripe is certified under the EU-U.S. Data Privacy Framework and adheres to standard contractual clauses for data transfers from the EU to the USA. Payment data transmitted to Stripe in the USA is protected in accordance with Article 46 (2) lit. c) GDPR through these standard contractual clauses and additional safeguards.
5. Support requests and contact
5.1 If you notify our customer support or otherwise contact us (e.g. with a contact form), the information you provide in the contact, including the contact details given there, will be processed for the purpose of handling your enquiry and processing it, including investigating and rectifying any problems and in the event of follow-up questions. Technical data on your device may also be processed automatically.
5.2 The Provider processes this data in accordance with Article 6 (1) sentence 1 lit. b) GDPR, as far as you contact us within the framework of an existing contract for the use of PublicCommit or for the purpose of initiating such a contractual relationship. Otherwise, the storage and use of the data takes place on the basis of Article 6 (1) sentence 1 lit. f) GDPR, whereby our legitimate interest is the careful processing of your respective request and the solution of any technical problems.
6. Error reporting and usage analysis via Firebase
6.1 PublicCommit implements functions of the Firebase service which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
6.2 Data on the general use of the app are collected and evaluated via the Firebase service (so-called Google Analytics for Firebase). At the same time, reports on errors and crashes that occur are generated to analyze and resolve these errors and crashes. For these purposes, information on whether and how you use certain parts is collected together with the IP address and other technical data on your device and the configurations assigned to it (hereinafter "Device-Related Data"), such as the manufacturer and model of the device, the language setting and the advertising ID as well as the country from which you use the app. In order to generate error reports, details about the error that occurred and, if necessary, relevant data will be collected and processed additionally, but only if such an error occurs while you are using the app. Google evaluates such data on our behalf and compiles aggregated reports for us. The Provider uses these reports to gain insight into the general use as well as into the errors that have occurred, in order to use this information to improve the content and functions and, in particular, to eliminate existing errors and problems. In addition to this the Provider also gets access to the in-app activity of individual users through Google, based on an anonymized user-id. Nevertheless it is not relevant for the Provider which User used the respective app and to what extent. It is therefore not a matter of creating user profiles for Provider but rather of providing functional services through the analysis of aggregated reports from Google. Google may also transfer these data to servers operated by Google LLC in the USA and analyze them there. However, in member states of the European Union or in other states that are party to the Agreement on the European Economic Area your IP address will be shortened and thus made anonymous before it is transmitted to a Google server in the USA.
6.3 Google also processes the aforementioned data collected via the Firebase service to the extent covered by its own privacy policy which you can find at https://policies.google.com/privacy. There you will also find additional information on Google's handling of personal data.
6.4 The Provider would like to point out that the transmission of data to servers in the USA used by Google LLC may involve additional risks; for instance, the enforcement of your rights to these data may be more difficult. In order to counter these risks, the Provider has concluded the standard data protection clauses by the EU Commission with Google LLC for this data transfer and also stipulated appropriate protective measures therein, which, depending on the need for protection of the data, also include data encryption and can be improved in accordance with the legal and technical conditions for appropriate protection of the data. If data is transferred to Google LLC in the USA, such transfer is based on Article 46 (2) lit. c) GDPR.
6.5 The Provider only uses Firebase for the data analyzing purposes described above, if you consent to it. In these cases, the legal basis for the processing of your data is Article 6 (1) sentence 1 lit. a) GDPR. You may revoke an already granted consent for data processing at any time with effect for the future. The Provider has further concluded a data processing agreement with Google in accordance with Article 28 GDPR on data processing in the context of error analysis. Accordingly, Google will only process the data collected in this context in accordance with our instructions for this purpose. This forwarding of data to Google is therefore based on Article 28 GDPR.
9. Cookies and Local Storage
9.1 PublicCommit uses cookies and browser local storage to provide functionality and improve your experience. Essential cookies are necessary for the website to function and include authentication cookies that keep you logged in and session cookies that maintain your preferences during your visit.
9.2 We may also use analytics cookies to understand how users interact with PublicCommit, which features are most used, and how we can improve the service. For analytics cookies, we will request your consent before placing these cookies on your device. You can withdraw consent at any time through our cookie settings.
9.3 You can control and delete cookies through your browser settings. However, disabling essential cookies may affect your ability to use certain features of PublicCommit. The legal basis for essential cookies is Article 6 (1) sentence 1 lit. f) GDPR (legitimate interest in website functionality), and for optional cookies, Article 6 (1) sentence 1 lit. a) GDPR (your consent).
10. Storage, storage period and deletion of data
10.1 The Provider will process your personal data for as long as is necessary to achieve the purposes of the processing, is required by law to retain the data or is necessary for other reasons. Subsequently, the data will be deleted in accordance with the statutory provisions.
10.2 However, the Provider retains data that the Provider stores for legal reasons for as long as this is legally required. After expiry of a statutory retention period, the data are deleted immediately, unless there are other reasons preventing deletion in terms of Article 17 (3) GDPR.
11. Data security
Provider has taken appropriate technical and organizational measures to protect personal data against accidental loss, damage, unauthorized access and unauthorized alteration. In particular, Provider's data are only transferred in encrypted form. Provider however clarifies that data protection and data security cannot be guaranteed for transfers outside Provider's sphere of influence.
12. Disclosure of personal data to third parties
12.1 Personal data will only be transferred to third parties without the User's explicit consent if this is necessary for the provision of Provider's services (e.g. for the technical provision of the offer), unless stated otherwise at another point in this Privacy Policy. Accordingly, a transfer of data to such service providers (such as technical service providers) takes place in order to protect our legitimate interests pursuant to Article 6 (1) sentence 1 lit. f) GDPR, namely in order to be able to provide our services for retrieval at all. Of course, Provider will ensure that the respective service provider has taken appropriate technical and organizational measures to guarantee the security of the data before forwarding the User's personal data.
12.2 The Provider stores the data which the Provider collects with the help of third-party services. The Provider uses the Google Cloud and Google Firebase services, both of which are provided by Google. These services may also collect and possibly store the IP address of your device, but for a maximum of 30 days. However, Provider does not receive the IP addresses directly and only views IP addresses collected by these services in exceptional cases and only if a legal basis exists, in particular insofar as this is necessary to protect Provider's legitimate interests (e.g. during maintenance work or in the event of the investigation of technical problems). Google also transfers the collected data to their servers in the USA. The Provider uses these services to provide the aforementioned data efficiently and with the lowest possible error rate to thereby ensure a smooth use of the features. The legal basis for the associated data processing is Article 6 (1) sentence 1 lit. f) GDPR, whereby our legitimate interest is an optimal, technically sound provision of PublicCommit. As the Provider has already explained several times above, the Provider has concluded the standard data protection clauses adopted by the EU Commission with Google to safeguard the transfer of data to the USA. The Provider has also concluded a data processing agreement with Google. The forwarding of personal data to Google in connection with the aforementioned services is therefore based on Article 46 (2) lit. c) and 28 GDPR.
12.3 Otherwise Provider will not pass on the User's personal data to third parties, unless the User has expressly consented to the transfer (Article 6 (1) sentence 1 lit. a) GDPR) and Provider is neither entitled nor obliged to transfer the data due to legal regulations or court orders. In the latter case, Provider will transfer the data in order to fulfill a legal obligation according to Article 6 (1) sentence 1 lit. c) GDPR.
13. Changes to this Privacy Policy
Provider reserves the right to change this Privacy Policy at any time, and Provider will always comply with the legal requirements of data protection. Therefore, Provider recommends that Users regularly take note of the most up-to-date Privacy Policy. The Provider will inform Users in advance on further use of data, for example by messages in this respect or by email notifications.
Frankfurt am Main, 08.01.2026
Steffen Knoedler