Privacy Policy
We, Lofi GmbH (“we” or “us”), are committed to protecting your privacy when you access and use our websites and use and/or receive our Services and to ensuring the security and integrity of your personal data in accordance with applicable data protection laws.
Personal data means any information relating to an identified or identifiable natural person.
This Privacy Policy governs our websites including https://reyapp.io/, the application and other services offered by us (collectively “Services”). It gives details of what data is collected by and/or provided to us when accessing and using and/or receiving our Services, how we may store and use such personal data and what rights you have as a data subject regarding your personal data.
A. DATA CONTROLLER
The data controller for the processing of personal data is
Lofi GmbH
Kolonnenstraße 8
D-10827 Berlin
linh@reyapp.io
For further information on this Privacy Policy and for exercising your statutory data protection rights laid down in Section J of this Privacy Policy, you may contact us at the above contact details.
B. COLLECTION OF PERSONAL DATA
We collect your personal data when
you use/receive our Services,
you contact us via any means, including via phone, email, social media or contact forms,
you disclose or submit information via channels operated by us (including our Services) or register for or log-in to such channels operated by us, and
third parties (e.g. calendar service providers, social media providers, business partners, users, resellers, subcontractors) provide us with your personal data in accordance with applicable data protection laws.
It is necessary for us to collect personal data in order to offer you our Services. If you do not provide us with the personal data that we request, we may not be able to offer you our Services properly.
C. TYPES OF DATA COLLECTED
We may collect the following data from you:
Contact Data: Personal information such as name, address and email address.
Contract Data: Information relating to any contract between you and us such as contract numbers, user ID, contractual dates and subscription plan.
Transaction Data: Details about transactions made between you and us.
Payment Data: Information such as billing name and address, payment metadata.
Preferences: Information regarding how you wish to interact with us such as information regarding how you wish to be contacted by us and how you wish to use and/or receive our Services, e.g. app settings and other user preferences.
Input Data: Information you provide when you contact us or information you disclose or submit within channels operated by us (including our Services) or when you register for or log-in to such channels operated by us.
Application Data: Information you provide to us in connection with your job application, including any attachments and cover letters you include with your application, as well as other publicly available information relevant to your application (e.g., from any profiles on Xing, LinkedIn or similar professional networks). Your Application Data may contain special categories of personal data pursuant to Article 9 (1) GDPR (e.g. information about your health, photographs that allow conclusions to be drawn about your ethnic origin and, if applicable, your eyesight and/or religion, and information that may allow conclusions to be drawn about your sex life or sexual orientation).
Usage Data: Information about how you use and interact on our websites and in relation to our Services such as type, IP address, IP location and unique device identifiers of your internet access device, information on browser type and version, information on browser plug-in types and versions, authentication credentials and log-in data, mobile network information, time zone settings, operating system and platform, URL clickstream to, through and from our Services, length and time of visit to our websites and use of our Services, information on what features of our Services are being used, interactions with user interfaces, page interactions including scrolling and mouseovers as well as app build, testing, and deployment events.
D. PURPOSES OF PROCESSING | LEGAL BASIS OF PROCESSING | LEGITIMATE INTERESTS
We will only process your personal data insofar as such processing is permissible under applicable laws.
The following table describes for what purposes and on what specific legal basis we process your personal data and – where the processing is based on Art. 6 (1) 1 f) of the EU General Data Protection Regulation (GDPR) – gives details about our legitimate interests for such processing:
The respective legal basis mentioned in the above table is further described as follows:
Art. 6 (1) 1 a) GDPR: You have given your consent to the processing of your personal data by us.
Art. 6 (1) 1 b) GDPR: The processing by us is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such contract.
Art. 6 (1) 1 c) GDPR: The processing is necessary for us to comply with our legal obligations.
Art. 6 (1) 1 f) GDPR: The processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where your interests or your fundamental rights and freedoms which require the protection of personal data override such legitimate interests.
Art. 9 (2) a) GDPR – You have given your express consent to the processing of special categories of personal data by us.
Art. 9 (2) e) GDPR – The processing relates to certain special categories of personal data that you have manifestly made public.
§ 26 (1) 1 BDSG – The processing of your personal data is necessary for the decision on the establishment of an employment relationship.
E. USE OF COOKIES
We use cookie technology on our websites. When you access and use our websites, a cookie may be placed within the memory of your internet access device. A cookie is a small piece of data containing alphanumerical information that our websites can store via your internet access device for later retrieval. We use such cookies to provide you with a personalized and improved user experience.
Our websites use both transient cookies and persistent cookies.
Transient cookies: Transient cookies are automatically deleted upon closing of your browser. Such transient cookies also include, in particular, session cookies. Session cookies contain a session identifier, allowing different requests from your browser to be assigned to your particular browsing session and will allow your internet access device to be recognized upon your return to our websites.
Persistent cookies: Persistent cookies will be automatically deleted after a specified period of time, which may vary depending on the type of cookie placed. We may use persistent cookies to help us to track use of our websites, such as the number and frequency of visits to our websites and which parts of our websites are visited.
Many browsers accept cookies by default. However, your browser settings can be configured to prevent the storage of cookies. You may also delete cookies placed by our websites at any time within your browser settings. Deactivating the storage of cookies or deleting them may limit the functionality of our websites.
F. NO AUTOMATED DECISION-MAKING
No automated decision-making, including profiling, takes place.
G. RECIPIENTS OF PERSONAL DATA | THIRD-PARTY SERVICES
We will not sell, license, rent or trade your personal data. We will not otherwise disclose your personal data except as described within this Privacy Policy.
To facilitate the purposes for processing your personal data (as described in Section D of this Privacy Policy), we may disclose your personal data to the following recipients in connection with services that these recipients perform for or with us, always provided that these recipients are restricted from using such personal data in any way other than to provide such services:
email services, communication, messaging solution and marketing automation technology providers (currently Twilio Inc., OneSignal Inc.),
Infrastructure, processing facility and data storage providers (currently Cloudflare, Inc., Render Services, Inc.),
single sign on solution providers (currently Google Ireland Limited, Apple Distribution International Ltd.),
electronic signature solution providers (currently Dropbox, Inc.),
payment and billing solution providers (currently Stripe Technology Europe, Limited, RevenueCat Inc.),
interactive fonts providers (currently Google Ireland Limited), and
data analytics providers (currently Microsoft Ireland Operations Limited, Framer B.V.).
We may also disclose your personal data to third parties, if required by law, e.g. in order to respond to a court or government request.
H. THIRD-COUNTRY DATA TRANSFERS
We process personal data within the European Economic Area (EEA) unless otherwise stated below / in this Privacy Policy:
We use Cloudflare for provision of processing facilities and data storage, provided by Cloudflare Inc. Cloudflare may process data outside the EEA. We ensure an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU – US Data Privacy Framework), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third‑country transfers and relevant case law of the Court of Justice of the European Union. Further details can be found in the Cloudflare Privacy Policy.
We use Dropbox Sign for the provision of electronic signature services, provided by Dropbox, Inc. Dropbox Sign may process data outside the EEA. We ensure an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU – US Data Privacy Framework), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third‑country transfers and relevant case law of the Court of Justice of the European Union. Further details can be found in the Dropbox Sign Privacy Policy.
We use Google Fonts on our websites, a service of Google Ireland Limited for the integration of external fonts. In order to integrate such fonts, they are usually retrieved from a Google server in the USA. When you visit our websites, certain usage data as described in Section C of this Privacy Policy is transmitted to such server and stored by Google. Any transfer outside the European Economic Area (EEA) to the USA within the Google group is based on the EU-US Data Privacy Framework, an EU Commission Adequacy Decision. We have also entered into EU Standard Contractual Clauses with Google. Information on the data use and retention practices of Google and its affiliates can be found within the Google Privacy Policy.
We use Microsoft Clarity on our websites, a session-recording and heatmap service provided by Microsoft Ireland Operations Limited. Microsoft Clarity uses cookies and session storage to collect anonymized interaction data - mouse movements, clicks, scroll depth, and rendering metrics - to help us understand how you navigate our website. Microsoft Clarity may process data outside the European Economic Area (EEA). Microsoft ensures an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU – US Data Privacy Framework), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third‑country transfers and relevant case law of the Court of Justice of the European Union. You can prevent Microsoft Clarity from collecting any data by declining consent in our cookie banner or by visiting https://clarity.microsoft.com/opt-out. Further details can be found in the Microsoft Privacy Statement.
We use OneSignal for push notifications and in-app messaging, a service provided by OneSignal Inc. OneSignal may process data outside the European Economic Area (EEA). We ensure an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU – US Data Privacy Framework), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third‑country transfers and relevant case law of the Court of Justice of the European Union. Further details can be found in the OneSignal Privacy Policy.
We use Render for application hosting, infrastructure, and data storage. The service is provided by Render Services, Inc. Render may process data outside the European Economic Area (EEA). We ensure an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU – US Data Privacy Framework), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third‑country transfers and relevant case law of the Court of Justice of the European Union. Further details can be found in the Render Services, Inc. Privacy Policy.
We use RevenueCat to manage in-app subscriptions. The service is provided by RevenueCat, Inc. RevenueCat may process data outside the European Economic Area (EEA). We ensure an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU – US Data Privacy Framework), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third‑country transfers and relevant case law of the Court of Justice of the European Union. Further details can be found in the RevenueCat Privacy Policy.
We use SendGrid for email services, provided by Twilio Inc. SendGrid may process data outside the European Economic Area (EEA). We ensure an adequate level of data protection by relying on EU Commission Adequacy Decisions, where available (e.g. the EU – US Data Privacy Framework), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third‑country transfers and relevant case law of the Court of Justice of the European Union. Further details can be found in the Twilio Privacy Notice.
We use Stripe on our websites, a payment-processing service provided by Stripe Technology Europe, Limited. Stripe may process data outside the EEA. We ensure adequate protection by relying on EU Commission Adequacy Decisions (where available), or EU Standard Contractual Clauses and additional security measures (e.g. encryption, access controls), in line with GDPR, applicable EU guidance on third-country transfers, and relevant case law of the Court of Justice of the European Union. Further details can be found in the Stripe Privacy Policy.
I. RETENTION TIME
We store your personal data for the period of time that is necessary for the purpose for which it was collected (see part D of this Privacy Policy) and/or for as long as we have a legitimate interest in storing such data. We also store your personal data for a period prescribed by law, by court order or by official regulation – the exact period may vary from case to case. To the extent necessary, we also store your personal data until the expiry of applicable limitation periods for the enforcement of our own claims.
The criteria applied by us to determine the storage period include:
The period of time over which we provide our websites and Services to you,
whether there is a legal retention obligation to which we are subject, and
whether retention is advisable in view of our legal position.
J. DATA SUBJECT RIGHTS
You have the following rights under the GDPR with regard to the processing of your personal data:
The right to obtain confirmation as to whether or not your personal data is being processed and, where that is the case, access to such personal data and certain relevant information. Such information includes, inter alia, the purposes of processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data has been or will be disclosed (Art. 15 GDPR). Please note that the rights and freedoms of other individuals may restrict your right of access.
The right to obtain the rectification and completion of your personal data, where such data is inaccurate or incomplete (Art. 16 GDPR).
The right to obtain the erasure of your personal data without undue delay under certain circumstances (“right to be forgotten”) (Art. 17 GDPR).
The right to obtain the restriction of processing of your personal data under certain circumstances (Art. 18 GDPR).
The right to receive your personal data in a structured, commonly used and machine-readable format and the right to transmit such data to another controller without hindrance from us (Art. 20 GDPR).
The right to object to the processing of your personal data in certain circumstances, where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller pursuant to Art. 6 (1) 1 e) GDPR, is based on our legitimate interests or those of a third party pursuant to Art. 6 (1) 1 f) GDPR, or such personal data is processed for direct marketing purposes (Art. 21 GDPR).
The right to withdraw, at any time, any consent you had previously provided to us regarding our processing of your personal data. Such withdrawal will not affect the lawfulness of the processing prior to your withdrawal.
To exercise the above rights, please contact us at the contact details provided in Section A of this Privacy Policy.
Irrespective of the above rights, you have the right to lodge a complaint with a competent supervisory authority.
K. DATA SECURITY
We have established a privacy program designed to help protect your personal data. We maintain reasonable administrative and technical safeguards intended to protect against the loss, misuse, unauthorized access, alteration, or disclosure of your personal data. All data is securely stored and can only be accessed by our entitled employees on a “need to know” basis.
L. SENSITIVE DATA
We ask that you not disclose sensitive information (e.g. political opinions, religion, health, genetic or biometric information) to us through or in connection with our websites and Services unless we have explicitly requested such disclosure from you.
M. VERSION
This is the current version of our Privacy Policy. We may revise this Privacy Policy from time to time (e.g. in the event that applicable laws are altered or our websites and Services are modified). Changes to this Privacy Policy will be made by updating this page and will be communicated to you, if required. We nevertheless recommend that you check this Privacy Policy at regular intervals.
Last Updated: August 19, 2025.