How we process and handle your data

At tchop, we handle your data including the personal data of your customers or employees with great care, transparency, and in full compliance with the GDPR.

Below you’ll find a detailed overview of the types of data we process, for what purposes, and under what legal basis.

Types of data processed

We process the following categories of user related data as part of our service:

• User master data: Includes name or user identifier (real names not required), email address, and optionally further metadata such as a phone number (if voluntarily provided). This is needed to allow users acting as a known individual on the platform.

• Login and activity data: Whether a user has registered, the registration timestamp, and their last activity within the app. This gives you an idea how many users are still active, how many became active after registration.

• User-generated content: Posts, messages, comments, and replies contributed by users. This we simply need to store to show it within your app.

Some apps of course also using it without sign up. In these cases name name and e-mail are optional fields to be only stored, if the user decides to sign up.

In the user profile you may decide to offer other fields, like an "about me" description. These fields are optional, which means you can decide if you want to use them and in any case users can decide to leave them blank of course.

If you provide user authentication via your own SSO, you may decide to provide additional user data, which we then store to allow users acting on the platform. These fields would need to be added to the list of data processed.

Affected data subjects

Data subjects include two primary user groups:

• Administrators and editors: Selected employees of the your organization who manage content and user interactions via the tchop backend.

• Readers: All other users who access and consume content through the tchop apps, with or without registration.

Purpose of processing

• Master Data is used to invite or register users via email, allow administrators and editors to publish and manage content, and provide regular users access to read content.

• Login and Activity Data help admins and editors understand user engagement, e.g., who has registered or when a user last accessed the app.

• User-Generated Content facilitates communication and engagement between users, allowing them to voluntarily share opinions and participate in discussions.

Legal basis

Processing is carried out in accordance with:

• Art. 6 (1) a GDPR – Consent (e.g. during registration)

• Art. 6 (1) f GDPR – Legitimate interests (e.g. to enable smooth operation of the platform)

Source of data

• Users voluntarily provide their name and email during registration.

• Consent to terms of service and data protection is obtained through an opt-in process.

• Access to the platform is provided via email invitation or self-generated password.

• Data originates from use of the mobile apps (iOS/Android), the browser based web app and/or the CMS platform (for admins/editors).

User information & transparency

At tchop, transparency is a core principle of how we handle personal data. In line with Articles 12–14 of the GDPR, we ensure that users are fully informed—clearly, understandably, and at every relevant touchpoint.

When users register for the app (whether via email invitation or self-registration), they must:

• Explicitly opt in to the platform’s Terms of Service and Privacy Policy

• Provide clear and informed consent to the processing of their personal data, including how it will be used within the platform

• Confirm their registration through a secure email-based onboarding process (access code or password setup)

This ensures users are aware of the data they provide and how it will be used before they begin using the service.

Also we make it easy for users to access the most up-to-date legal and privacy documents at any time:

• Privacy Policy, Terms of Service, and other relevant information are available in the settings section of all tchop apps (iOS, Android, web)

• These documents can also linked in registration and transactional emails

• If documents are updated, the current version is always immediately accessible in the app interface

Communication of Updates

Whenever there are significant changes to our policies or data processing practices, users are:

• Proactively informed via email with a summary of changes

• Directed to the full, updated documents for review

• Provided with any necessary re-confirmation options if changes materially affect consent or usage terms

Data transfers & subprocessors

• Internal Access: Backend development, product management, and marketing teams may access data.

• External Transfers: Limited to essential service providers listed in [Annex 6 – Subprocessors] (not included here).

• Important Note: All data is stored exclusively in Germany.

• No Marketing Use: No data is ever shared for marketing purposes.

Data deletion & restrictions

In accordance with Art. 17 and Art. 18 of the GDPR, tchop provides users with full control over their personal data, including the right to request deletion ("right to be forgotten") and the right to restrict processing.

Users have the right to request the deletion of their personal data at any time. This includes, but is not limited to:

• Profile and account information (e.g., name, email address)

• Usage and activity data

• User-generated content (e.g., posts, comments, messages)

Upon receiving a deletion request, we will:

1. Confirm the identity of the requester to prevent unauthorized deletions.

2. Erase all personal data from our active systems without undue delay, unless retention is required for legal reasons (e.g. compliance, dispute resolution).

3. Inform the user when the deletion is complete.

In most cases, deletion is completed within 30 days of the request.

Log files and server access data

When users access the tchop app or backend services, certain technical data is automatically logged by our servers for security and operational reasons. This includes:

• IP address of the requesting device

• Date and time of the server request

• Requested resource or endpoint

• HTTP status code and other diagnostic metadata

These log entries are:

• Used solely for technical troubleshooting, performance monitoring, and security analysis (e.g., protection against DDoS attacks or misuse)

• Stored in accordance with data minimization principles and automatically deleted after a defined retention period

• Not linked to user profile data or other personally identifiable information (PII)

We do not use log files for profiling, marketing, or any form of automated decision-making. Their collection is strictly necessary to ensure the integrity, stability, and security of the platform and is therefore justified under Art. 6 (1) f GDPR (legitimate interests).

Security measures

All data is protected through technical and organizational measures (TOMs), as outlined in our separate documentation. This is also part of our ISMS, which is ISO27001 certified by german TÜV Süd.

If you have any questions or need any help, always get in touch with us.