Privacy Policy

1. Data Controller and Data Protection Officer

The controller within the meaning of the General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (revDSG) is:

Vibes4Foundation
Selzweg 11
3422 Kirchberg
E-Mail: info@vibes4foundation.org

Data Protection Contact:
André Saile (Chairman)
E-Mail: privacy@vibes4foundation.org

2. Applicable Legal Basis

Vibes4Foundation is based in Switzerland and also provides its services to users in the European Union. Therefore, the following apply concurrently:
– the revised Swiss Data Protection Act (revDSG), in effect since September 1, 2023
– the EU General Data Protection Regulation (GDPR) for users residing in the EU

Throughout this document, the legal bases under the GDPR are cited, which are consistent in substance with the requirements of the revDSG.

3. Data Processing Principles

Vibes4Foundation is a nonprofit, tax-exempt organization. Our motto is: “We walk for those who cannot.” All data collected is used exclusively to ensure the functionality of our platform and to support our charitable mission.

We do not process personal data for advertising purposes, do not send newsletters, and do not use any analytics or advertising tracking tools. Technical device identifiers are used exclusively for system integrity purposes (prevention of multiple accounts), not for behavioral tracking or advertising.

4. Collection and Processing of Personal Data

4.1 Registration and User Identification

To register, you only need your email address and a username that hasn’t been used yet. This is used to uniquely identify you and to authenticate and authorize your account. First and last names are optional, and if provided, they will be stored along with your email address. This information will not be used for advertising purposes or to send newsletters.

Legal basis: Article 6(1)(b) of the GDPR (performance of a contract)

4.2 Contact Form

When you contact us via the form, we collect the following information:
– Name
– Email address
– Content of your message

This data is used exclusively to process your inquiry and is deleted afterward.

Legal basis: Article 6(1)(b) and (f) of the GDPR

4.3 Donation receipt and address information

A mailing address is stored only if a registered user actively requests a donation receipt. In this case, the following information is stored:
– First and last name
– Mailing address

This data is used exclusively for the purpose of issuing the donation receipt and is deleted once the statutory retention periods have expired.

Legal basis: Art. 6(1)(c) GDPR (legal obligation)

4.4 Donations and Payment Processing

Donations are processed via the GiveWP plugin (provider: Impress.org, LLC, USA) in conjunction with PayPal (PayPal Europe S.à r.l. et Cie, S.C.A., Luxembourg). We do not store any complete payment details (e.g., credit card numbers or bank account information) ourselves—payment processing is handled directly by PayPal. A Data Processing Agreement (DPA) is concluded with both providers in accordance with Art. 28 GDPR, which contractually ensures the protection of your data. Donation receipts are retained in accordance with the statutory retention periods (10 years). For more information, please refer to the providers’ privacy policies: GiveWP Privacy Policy · PayPal Privacy Policy

Legal basis: Article 6(1)(b) and (c) of the GDPR

4.5 ChariToken – Conversion of Steps and Ranking

As part of the app’s functionality, users’ recorded steps are converted into ChariTokens. ChariTokens are an internal unit-of-value system developed by Vibes4Foundation and have no trading value on stock markets or exchanges. They serve exclusively the charitable purpose of the platform.

Data is processed for the following purposes:
– Conversion: Steps are algorithmically converted into ChariTokens and credited to the user’s account.
– Monthly Ranking: Users are ranked monthly based on their step count. The top rankings are rewarded with additional ChariTokens.

This processing is a technically necessary core function of the app and does not constitute profiling within the meaning of Article 22 of the GDPR, as no automated decisions are made that have legal effects or significantly adversely affect the user.

Legal basis: Article 6(1)(b) of the GDPR (performance of a contract / terms of use)

4.6 Wallet address and blockchain

To transfer ChariTokens to users, a wallet address is required, which the user must create independently and outside of our platform and provide to us. The following applies:
– We do not permanently store the wallet address.
– It is used exclusively via email for transaction processing.
– Once the ChariTokens have been transferred, we will immediately delete the wallet address.
– The transaction itself is recorded on a public blockchain. Blockchain entries are technically immutable and cannot be altered or deleted by us.
– Since we do not permanently store the wallet address and do not link it to a specific individual, from our perspective this constitutes pseudonymized data with no direct reference to a specific person.
– Vibes4Foundation has no influence over the blockchain infrastructure and is not responsible for its operation.

Users who provide a wallet address acknowledge that blockchain transactions are, by their very nature, permanent and publicly viewable. This is inherent to blockchain technology and beyond the control of Vibes4Foundation.

Legal basis: Article 6(1)(b) of the GDPR (performance of a contract)

4.7 Cookies and session data

Our website uses only technically necessary session cookies. These are used to maintain your login session. They do not contain any personal data and expire automatically after a set period of inactivity.

No analytics or tracking tools are used. Our website is not connected to any analytics service. Only general, anonymized statistical data that does not identify individuals (e.g., total number of page views) is collected. Separate consent is not required for technically necessary cookies.

Legal basis: Article 6(1)(f) of the GDPR (legitimate interest in operating the website)

5. Mobile App (iOS – Apple App Store)

5.1 Step counter data (Apple Health)

With your explicit consent, the app accesses step count data from the Apple Health app. This data forms the basis of the app’s functionality (see Section 4.5). Step counter data is considered health data within the meaning of Article 9 of the GDPR and is subject to a higher level of protection. This data:
– will not be shared with third parties,
– will not be used for advertising purposes,
– will be used exclusively to calculate ChariTokens and the monthly ranking.

You can revoke access at any time in the iOS Settings under Privacy & Security → Health.

Legal basis: Article 9(2)(a) in conjunction with Article 6(1)(a) of the GDPR (explicit consent)

5.2 App Tracking Transparency

The app does not use cross-device ad tracking and does not use an Advertising Identifier (IDFA). Consent under the Apple App Tracking Transparency Framework (ATT) is therefore not required.

5.3 Device data

To improve app stability and prevent abuse, we use the following technical device data during app usage:
– Device type and operating system version
– App version
– Anonymized device identifiers

This data is used exclusively to prevent misuse: only one account is permitted per device in order to protect the integrity of the reward system (ChariToken). The device identifiers are used solely to detect multiple accounts on the same device and not to identify individual persons.

Legal basis: Article 6(1)(f) of the GDPR (legitimate interests)

5.4 In-app donations

Donations made through the app are processed via Apple In-App Purchase. Payment processing is handled exclusively by Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. We receive only a transaction confirmation, not the full payment details. Apple’s Privacy Policy: https://www.apple.com/de/privacy/

Legal basis: Article 6(1)(b) of the GDPR (performance of a contract)

5.5 Android / Google Play (planned)

An Android version of the app is planned for a future release. This Privacy Policy will be updated accordingly prior to launch to reflect any additional data processing by Google LLC or the Google Play infrastructure.

6. Transfer of data to third countries

The following service providers are based outside the EU/EEA and Switzerland, specifically in the United States:

Apple Inc. (In-App Purchase, App Store, Health Framework)
Apple is certified under the EU-U.S. Data Privacy Framework. Data is transferred on the basis of an adequacy decision or the European Commission’s Standard Contractual Clauses (SCCs).

GiveWP / Impress.org, LLC (Donation Processing)
Impress.org, LLC is based in the United States. Data is transferred on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission. For more information, see: https://givewp.com/privacy-policy

Public Blockchain
Blockchain transactions are globally visible and subject to no geographical restrictions. Since the transferred data (wallet address) is pseudonymized and we have no influence over the blockchain infrastructure, we cannot control a classic transfer to a third country. Users are expressly notified of this (Section 4.6).

7. Commissioned Data Processing

To the extent that we use external service providers who process personal data on our behalf (e.g., hosting, payment processing), we enter into data processing agreements (DPAs) with them in accordance with Article 28 of the GDPR. These agreements require the service providers to comply with data protection requirements.

The website is hosted by za-internet GmbH. The hosting provider processes server log data (IP addresses, access times) on our behalf. A Data Processing Agreement (DPA) in accordance with Art. 28 GDPR has been concluded with the hosting provider.

8. Retention period

Data category | Retention period
Contact requests | Until processed, then deleted
Email address (registration) | Until the account is deleted
First and last name (optional) | Until the account is deleted or upon request
Address (donation receipt) | 10 years (statutory retention requirement)
Donation data | 10 years (for tax purposes)
Wallet address | Deletion following the transfer of ChariTokens
Session cookies | Automatic expiration after inactivity
Step counter data | Processing period; not permanently stored

9. Account deletion

You may request the deletion of your account and all associated personal data at any time. To do so, please send an informal email to:
privacy@vibes4foundation.org

We will delete your data immediately, or within 30 days at the latest, provided there are no legal retention requirements that prevent us from doing so. A direct in-app delete function is planned for a future version of the app.

10. Your rights

You have the following rights under the GDPR and the revised Swiss Data Protection Act (revDSG):
– Right of access (Art. 15 GDPR / Art. 25 revDSG): Access to your stored data
– Rectification (Art. 16 GDPR / Art. 32 revDSG): Correction of inaccurate data
– Erasure (Art. 17 GDPR / Art. 32 revDSG): Erasure of your data, provided there are no retention obligations
– Restriction of processing (Art. 18 GDPR)
– Data portability (Art. 20 GDPR): Receipt of your data in a machine-readable format
– Objection (Art. 21 GDPR)
– Withdrawal of consent (Art. 7(3) GDPR) – at any time with future effect

Please direct inquiries to: privacy@vibes4foundation.org

Competent supervisory authorities:

Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern
https://www.edoeb.admin.ch

EU (for users residing in the EU):
The competent national data protection authority in your country of residence.

11. Data security

All data transfers are encrypted via HTTPS. We implement technical and organizational measures (TOMs) to protect your data from unauthorized access, loss, or tampering.

12. Current Status of This Statement

This Privacy Policy is current as of April 2026. Users will be notified of any significant changes via email or through the app.