
Privacy Policy

We keep your data private and secure. This explains what we collect, why we collect it, and your rights under EU and German law.

Effective date: 13 June 2026 | Last updated: 13 June 2026 | Applies to: iOS & Android app, website | Regulation: GDPR · BDSG · TTDSG

────────────────────────────────────────

Section 1

Controller and contact

The data controller responsible for your personal data is:

Iva Sa’adon

Email: privacy@getleest.com

If required under BDSG §38, our Data Protection Officer is:

Iva Sa’adon

Email: privacy@getleest.com

────────────────────────────────────────

Section 2

What data we collect

Account data

When you create an account, we collect your name, email address, and a hashed password. If you sign in via Apple or Google, we receive only the identifier and email those services choose to share.

App content you create

Shopping lists, items, quantities, notes, and shared list memberships. This data belongs to you and is stored on our servers solely to sync it across your devices.

Device and usage data

— Device type, OS version, and app version

— IP address (truncated to /24 for analytics; not stored in full)

— Session events: app opens, feature interactions, crashes

— Push notification token (if you grant permission)

Payment data

Subscription purchases are processed by Apple App Store or Google Play. We never see or store your full card number — only a purchase receipt and subscription status from the store.

Support data

If you contact support, we collect the content of your message and any attachments you send.

We do not collect: location data, camera or microphone data, contacts, or any data from outside the app unless you explicitly paste it into a list.

────────────────────────────────────────

Section 3

How and why we use your data

Provide the app

Account data, list content, device identifiers

Sync across devices

List content, account data

List sharing

Email address, list content

Push notifications

Notification token

Improve the app

Anonymised usage events, crash logs

Subscription management

Purchase receipts from app store

Customer support

Email, message content

Legal obligations

Transaction records, account data

We do not use your data for targeted advertising and do not sell it to third parties.

────────────────────────────────────────

Section 4

Legal bases (GDPR Art. 6)

Every use of your personal data rests on one of the following legal bases:

Contract (Art. 6 para. 1 lit. b GDPR)

Processing necessary to provide the app service you signed up for (account, sync, sharing).

Legitimate interests (Art. 6 para. 1 lit. f GDPR)

Product analytics and crash reporting to improve stability and features, subject to your interests not overriding ours.

Legal obligation (Art. 6 para. 1 lit. c GDPR)

Retention of transaction records as required by German commercial and tax law (§§ 238, 257 HGB; § 147 AO).

Consent (Art. 6 para. 1 lit. a GDPR)

Marketing emails and optional analytics. You can withdraw consent at any time.

────────────────────────────────────────

Section 5

Cookies and device storage

Our website uses cookies and local storage as governed by the German Telecommunications and Telemedia Data Protection Act (TTDSG §25). Strictly necessary cookies (session management, CSRF protection) do not require consent. All other cookies — including analytics — require your explicit opt-in via our consent banner.

The app uses on-device storage (e.g., SQLite, UserDefaults / SharedPreferences) only to cache your own list data locally. No tracking identifiers are stored on your device without consent.

────────────────────────────────────────

Section 6

Sharing and third parties

We use a small number of carefully selected processors, each bound by a GDPR-compliant Data Processing Agreement (DPA).

Cloud infrastructure

Hosting and database · EU (Frankfurt)

Error monitoring

Crash reporting · EU servers

Email delivery

Transactional emails · EU servers

Apple / Google

In-app purchase processing · global, own privacy policy applies

Analytics

Anonymised usage stats · EU servers

We disclose personal data to authorities only if required by law or a binding court order, and notify you where legally permitted.

────────────────────────────────────────

Section 7

International transfers

We store and process data primarily within the European Economic Area. If a processor is based outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs, June 2021) and, where applicable, the UK IDTA, to ensure adequate protection under Art. 46 GDPR.

You can request a copy of the applicable transfer safeguards by contacting us at the address in Section 1.

────────────────────────────────────────

Section 8

Retention periods

Account and list data

Retained for the duration of your account, plus 30 days after deletion to allow recovery.

Usage and crash logs

Anonymised within 14 days; raw logs deleted after 90 days.

Support correspondence

2 years after case closure.

Transaction records

10 years as required by §§ 238, 257 HGB and § 147 AO (German commercial and tax law).

Consent records

3 years after withdrawal for accountability purposes.

────────────────────────────────────────

Section 9

Your rights under GDPR and BDSG

Under the GDPR (Arts. 15–21) and the German Federal Data Protection Act (BDSG), you have the following rights:

Access (Art. 15)

Request a copy of all personal data we hold about you.

Rectification (Art. 16)

Correct inaccurate or incomplete data.

Erasure (Art. 17)

Request deletion of your data ("right to be forgotten").

Restriction (Art. 18)

Limit how we process your data in certain circumstances.

Portability (Art. 20)

Export your data in a machine-readable format (JSON/CSV).

Objection (Art. 21)

Object to processing based on legitimate interests.

To exercise any right, email privacy@yourapp.com. We respond within one month, free of charge. We may ask you to verify your identity before fulfilling a request.

Right to lodge a complaint: If you believe we have violated your rights, you may file a complaint with your local supervisory authority. In Germany, the lead authority is determined by our registered office. A full list is available at bfdi.bund.de.

────────────────────────────────────────

Section 10

Children's privacy

The app is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us immediately and we will delete it.

Family plan accounts where a parent or guardian invites a minor remain the responsibility of the account holder, who confirms they have the legal authority to consent on behalf of any minor added to their plan.

────────────────────────────────────────

Section 11

Security

We implement appropriate technical and organisational measures under Art. 32 GDPR:

— All data in transit is encrypted with TLS 1.2 or higher.

— Data at rest is encrypted using AES-256.

— Passwords are stored as salted hashes (bcrypt).

— Access to production data is restricted to authorised staff, logged, and reviewed.

— We conduct regular security assessments and follow responsible disclosure practices.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and inform affected users without undue delay where required by Art. 34 GDPR.

────────────────────────────────────────

Section 12

Changes to this policy

We may update this policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email and/or an in-app notice at least 30 days before the changes take effect. Continuing to use the app after that date constitutes acceptance of the revised policy.

Previous versions of this policy are available on request.

────────────────────────────────────────

Section 13

Contact and complaints

For any privacy-related question or to exercise your rights, please reach out:

Email: privacy@getleest.com

Response time: within 30 days

If we cannot resolve your concern, you have the right to contact your national data protection authority. For users in Germany, a full list is available at bfdi.bund.de.

────────────────────────────────────────

© 2026 Leest · Privacy Policy · Version 1.0
