This privacy policy informs you about the nature, scope and purpose of processing your personal data. This applies to the application ‘Why?!’ and the associated website ‘ask-why.app’ of Looking4Cache UG (limited liability) (hereinafter “we” or “our”).

The collection and processing of your personal data takes place in compliance with applicable data protection regulations, in particular the General Data Protection Regulation (hereinafter “GDPR”).

The purpose of collecting and processing your personal data is to provide functional services and communicate with you.

Name and Address of the Controller

The controller within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection provisions is:

Looking4Cache UG (haftungsbeschränkt)
Oberer Wasen 12 74626 Bretzfeld Germany E-mail: info@ask-why.app

Legal Basis for Processing Personal Data

Based on Art. 13 GDPR, we inform you of the legal basis for our data processing. Unless otherwise stated, the processing of your personal data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. Obtaining your consent takes place in accordance with Art. 7 GDPR.

Right to Confirmation and Information

You have the right at any time to receive confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have the right to receive free information from us about the personal data stored about you together with a copy of this data. Furthermore, you have the right to the following information:

the purposes of processing;
the categories of personal data being processed;
the recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly recipients in third countries or international organizations;
where possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining this duration;
the existence of a right to rectification or erasure of personal data concerning you or restriction of processing by the controller or a right to object to such processing;
the existence of a right to lodge a complaint with a supervisory authority;
where the personal data is not collected from you, all available information about the source of the data;
the existence of automated decision-making including profiling pursuant to Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and intended effects of such processing for you.

Where personal data is transferred to a third country or international organization, you have the right to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

Right to Rectification

You have the right pursuant to Art. 16 GDPR to demand the immediate rectification of inaccurate personal data concerning you. Taking into account the purposes of processing, you have the right to demand the completion of incomplete personal data.

Right to Restriction of Processing

You have the right pursuant to Art. 18 GDPR to demand from us the restriction of processing if one of the following conditions is met:

The accuracy of the personal data is contested by you
The processing is unlawful and you refuse deletion
We no longer need the personal data, but you need it to assert legal claims
You have objected pursuant to Art. 21 GDPR

Right to Data Portability

You have the right pursuant to Art. 20 GDPR to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent or a contract and is carried out using automated procedures.

Right to Object

You have the right pursuant to Art. 21 GDPR to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR.

Right to Erasure (Right to be Forgotten)

You have the right pursuant to Art. 17 para. 1 GDPR to demand from us that personal data concerning you be deleted immediately, and we are obliged to delete personal data immediately if one of the following reasons applies:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
You withdraw your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
You object pursuant to Art. 21 para. 1 GDPR to the processing and there are no overriding legitimate grounds for the processing, or you object pursuant to Art. 21 para. 2 GDPR to the processing.
The personal data has been unlawfully processed.
The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the member states to which we are subject.
The personal data was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

If we have made the personal data public and are obliged to delete it pursuant to Art. 17 para. 1 GDPR, we shall take reasonable measures, including technical measures, taking into account available technology and implementation costs, to inform controllers processing the personal data that you have requested the deletion of all links to this personal data or copies or replications of this personal data.

Automated Decisions Including Profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

Automated decision-making based on the collected personal data does not take place.

You have the right to withdraw consent to the processing of personal data at any time.

Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the member state of your residence, workplace, or the place of the alleged infringement, if you believe that the processing of personal data concerning you is unlawful.

Storage Duration

In accordance with legal requirements, we delete your data. If this is not possible, processing will be restricted.

Unless otherwise specified in the individual sections of this privacy policy, we delete the data as soon as it is no longer necessary for the stated purpose and deletion is not prevented by legal retention obligations.

If a legal retention obligation (e.g., commercial and tax law reasons, logging of consent) prevents deletion, the processing of the data will be restricted. This means that the data is blocked and not used for other purposes.

Cookies

We do not use cookies. If necessary, a technically necessary cookie may be set by the CDN service provider (see below).

Security Measures

In accordance with Art. 32 GDPR, we implement security measures such as shortening your IP address and SSL encryption.

IP Address

Your IP address is stored in shortened form whenever possible. This prevents or significantly complicates the identification of your person. IP address shortening does not occur for security-relevant processes. These include erroneous login attempts, password resets, and email address confirmation (consent).

SSL Encryption

Our services transmit your data only with active SSL encryption. You can recognize this by the protocol ‘https://’ in the address bar. We automatically redirect you to ‘https://’ if you attempt to open an unencrypted connection.

Minor Protection and Parental Gateway

Why?! is an app specifically developed for children. The protection of minors’ data is our highest priority. We have implemented a comprehensive “Parental Gateway” system that ensures parental consent BEFORE any data collection from children.

Our system complies with both the requirements of the Children’s Online Privacy Protection Act (COPPA) for the USA and GDPR Art. 8 for the EU:

Verified parental consent: The app can only be registered by adults who must confirm their identity through email verification and app store payment verification.
No direct data collection from children: Children cannot register independently. All children’s profiles are created exclusively by verified adults.
Data minimization: Only minimal data is collected from children (nickname, age). Chat histories are not stored on our servers.

Two-Stage Protection Process

Stage 1 - Adult Verification:

Email verification with one-time code (double opt-in)
Explicit adult confirmation
Payment verification through app store (in-app subscription)

Stage 2 - Children’s Profile Creation:

Creation only by verified adults
Explicit consent for AI usage
Individual security settings per child

Parental Control

Adults retain full control at all times:

Access to topic summaries of children’s chats
Configuration of security settings
Ability to delete profiles at any time

Data We Collect

Adult Account and Email Addresses

Registration with Why?! always takes place through an adult account that assumes the role of the so-called ‘Parental Gateway’. Authentication for an adult account is done via an email address and a one-time code. At least one email address must be provided for registration. We do not share the adult account data with third parties.

You may optionally grant us the right to contact you via newsletter.

Child Profile

You can add one or more child profiles to an adult account. The entered name is used only for clarity in profile selection. The date of birth is used only to calculate the age in years. The timezone of the device used as well as the resulting country is also stored. The timezone is necessary for resetting resources. The country is used when web searches are performed during chat messages.

When you delete a child profile, the data associated with the child is deleted. Technical statistical data (chat usage) is retained but completely anonymized.

We do not share the data stored in the child profile with third parties, except for the data described in ‘Processing of Chat Messages’.

Speech Recording Transcription

Voice recordings are uploaded and processed on our servers. The audio file is briefly stored, converted, and transmitted to our speech-to-text service provider OpenAI. After transcription, the file is deleted again and the transcribed text is returned.

Processing of Chat Messages

The texts entered manually or determined via transcription are transmitted to our servers. These are transmitted together with data from the child profile (age in years, excluded topics and formulation) as well as non-personalized instructions to a Large Language Model (LLM).

On our servers, the time, topic of the question, a summary of the answer, and technical statistical data (token consumption, seconds STT and TTS) are stored associated with the respective child profile. These serve for learning statistics and resource calculation.

Storage of the question and answer does not take place on our servers. On the servers of our AI service provider OpenAI, the conversation is stored for up to 30 days to enable follow-up questions. The ID necessary for accessing this data is stored only locally within the app, not on our servers. This means we cannot associate the chat content between app and AI service provider with any child profile or adult account.

The answer is spoken into an audio file by a text-to-speech service if desired, with only the answer text being passed on. The LLM’s answer and a link to the generated audio file are returned.

Local Data Storage in the App

Chat histories are stored locally on the device in the app. This local storage occurs for 30 days and enables previous conversations to be recalled in full chat mode. Access to these stored chats is only possible through the respective child profile within the app. After 30 days, the local chat data is automatically deleted. This data is not synchronized with our servers.

Avatar Generation

When creating avatars, the description you entered together with the child’s age (in years) is transmitted to our image generation service provider OpenAI (DALL-E 3). The generated avatar is added to our global avatar pool and can be selected by other users. The entered description is stored on our servers to enable avatar search. However, this description is not displayed to other users and serves exclusively for internal search purposes.

In-App Purchases and Payment Data

Why?! is a paid app with a subscription model. Payment processing is handled exclusively through official app store payment systems:

Payment Providers:

iOS: Apple Pay / App Store (Apple Inc.)
Android: Google Pay / Play Store (Google LLC)

Stored Payment Data: We store exclusively the transaction IDs provided by Apple or Google for verification of your subscription. We do not receive or store payment method information such as credit card numbers or bank data. These are processed exclusively by Apple or Google.

Subscription Management:

Management of your subscription is done directly through your app store account
We store the subscription status and expiration date
Cancellations are automatically handled through the app stores
Renewals occur automatically according to your app store settings

The processing of payment IDs is based on contract fulfillment pursuant to Art. 6 para. 1 lit. b GDPR.

Web Server Log Files

Each access to our server is logged in log files. This happens whenever you use our services.

The following information is stored:

Called URL
Date and time
Anonymized IP address
Anonymized data of the HTTPS call and HTTPS responses

The purpose of logging is to trace errors and analyze server stability. No assignment to your person takes place.

Deviating Legal Basis The legal basis for logging is our legitimate interest, pursuant to Art. 6 para. 1 lit. f GDPR.

Storage Duration The logs are automatically deleted after 30 days.

International Data Transfer

When using service providers based in the USA (OpenAI, Google), personal data is transferred to the USA. This transfer is based on:

Standard contractual clauses pursuant to Art. 46 GDPR
Adequacy decision of the EU Commission (where available)
Your explicit consent pursuant to Art. 49 para. 1 lit. a GDPR

We ensure that all service providers offer adequate guarantees for the protection of your data.

Third Parties

Google Firebase

We use Google Firebase for the following services:

Crashlytics: For capturing and analyzing app crashes to continuously improve the stability and quality of our app. Technical information about the crash, the device used, and the app version is captured.

Analytics: For anonymized analysis of app usage to improve our services. Collection occurs without assignment to a specific user or user profile.

Processing is based on our legitimate interest in improving and optimizing our app pursuant to Art. 6 para. 1 lit. f GDPR.

Google Firebase’s privacy policy can be viewed here: https://firebase.google.com/support/privacy

OpenAI

We use OpenAI’s services for:

Large Language Model (LLM): For processing and answering children’s questions. Conversations are stored on OpenAI servers for up to 30 days to enable follow-up questions within a session.

Image Generation / Avatars: To generate new avatars we use OpenAI services.

No personal data such as names or email addresses are transmitted to OpenAI. Processing is based on our legitimate interest in providing app functionalities pursuant to Art. 6 para. 1 lit. f GDPR.

OpenAI’s privacy policy can be viewed here: https://openai.com/policies/privacy-policy

Google Cloud

We use Google Cloud Text-to-Speech (TTS) to convert text responses into speech. The text to be spoken is transmitted to Google Cloud and returned as an audio file. No personal data such as names or email addresses is transmitted.

Processing is based on our legitimate interest in providing the read-aloud function pursuant to Art. 6 para. 1 lit. f GDPR.

Google Cloud’s privacy policy can be viewed here: https://cloud.google.com/security/privacy

Cloudflare

We use Cloudflare as a Content Delivery Network (CDN) and for protection against attacks such as DDoS attacks and spam. A CDN stores static website content on globally distributed servers so that it can be delivered faster and fewer requests reach our server.

Processing is based on our legitimate interest in ensuring the security and performance of our services pursuant to Art. 6 para. 1 lit. f GDPR.

Cloudflare’s privacy policy can be viewed here: https://www.cloudflare.com/privacypolicy/

Hosting Service Providers

We use the following hosting providers for operating our servers and infrastructure:

Hetzner Online GmbH
Our main servers are hosted with Hetzner in Germany. This ensures that your data is processed in German data centers and subject to strict German data protection law.

Processing is based on our legitimate interest in reliable and secure operation of our services pursuant to Art. 6 para. 1 lit. f GDPR.

Hetzner’s privacy policy: https://www.hetzner.com/de/legal/privacy-policy

Hostkey B.V.
For additional infrastructure components, we use servers from Hostkey.