Elsen Technologies UG (haftungsbeschränkt), represented by its managing director Florian Elsen ("we", "us", or "our"), operates the Grace's Desire mobile application and website (the "Service"). This Privacy Policy describes how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). By using the Service you agree to the practices described here. Please also read our Terms of Service.
1. Data Controller (Verantwortlicher)
Elsen Technologies UG (haftungsbeschränkt)
Fliederweg 7, 34212 Melsungen, Deutschland
Vertreten durch den Geschäftsführer: Florian Elsen
Registergericht: Amtsgericht Fritzlar, HRB 13081
USt-IdNr.: DE461672213
E-Mail: info@elsen-technologies.de
We are a small company and not legally required to appoint a formal Data Protection Officer (Art. 37 GDPR). For all data-protection matters, please contact: info@elsen-technologies.de.
3. Special Category Data (Art. 9 GDPR)
Grace's Desire is an intimacy application. By using features such as the intimacy quiz, couple games, and the shared story tool, you may share information that relates to your sexual life or sexuality. Under Art. 9 GDPR, this constitutes special category personal data and is subject to a higher level of protection.
We process this data exclusively on the basis of your explicit, separate consent (Art. 9(2)(a) GDPR). This consent is obtained independently of, and in addition to, your general acceptance of these Terms — via a dedicated confirmation specific to these features, as described in Section 7 of our Terms of Service. Declining this consent only restricts access to the specific features listed above; it does not affect your ability to use the rest of the Service.
You may withdraw this consent at any time, with effect for the future, by deleting your account or contacting us. Withdrawal does not affect the lawfulness of any processing carried out before that point.
4. What Data We Collect
Account data — email address, username, and password hash when you register.
Date of birth — collected once during mandatory age-verification to confirm you are 18 or older. Stored only as the year to minimise data held.
Partner link data — a temporary or permanent partner code used to connect two accounts. No relationship details beyond the link itself are stored.
Referral code — if you use or share a referral code, we record that association to apply any promotional reward.
Push notification token — an APNs or FCM device token, stored only to deliver notifications you have enabled. Revocable at any time from device settings.
Usage data — anonymised interaction counts (e.g., quiz completions, article views, game plays) used to improve the app.
Purchase verification data — a receipt or token from Apple or Google to verify subscription status. We do not receive or store your payment details.
Intimacy/special category data — see Section 3 above.
5. Legal Basis for Processing
Explicit, separate consent (Art. 9(2)(a) GDPR) — for special category data relating to sexual life/sexuality (see Section 3).
Consent (Art. 6(1)(a) GDPR) — for processing beyond what is strictly necessary, such as push notifications and anonymised research.
Contract (Art. 6(1)(b) GDPR) — for processing necessary to provide the Service (account management, partner linking, subscription verification).
Legitimate interests (Art. 6(1)(f) GDPR) — for security monitoring and fraud prevention, where our interests are not overridden by your rights and freedoms.
Legal obligation (Art. 6(1)(c) GDPR) — where retention is required by applicable law.
6. How We Use Your Data
To create and maintain your account and authenticate you.
To enable partner linking between two accounts.
To deliver the app's core features (games, quiz, stories), which may involve storing your in-app activity.
To verify in-app purchases with Apple and Google.
To send push notifications you have opted into.
To respond to support requests.
To improve the app using anonymised, aggregated usage statistics.
To comply with legal obligations.
7. Data Sharing and Third-Party Services
We do not sell your personal data. The table below distinguishes services that process data on our behalf (as our data processor, Art. 28 GDPR) from services that process data for their own purposes (as an independent controller):
Service
Role
Purpose
Firebase Cloud Messaging (Google Ireland Limited)
Processor (Art. 28 GDPR Data Processing Agreement in place)
Delivery of push notifications you have enabled
Apple Sign-In
Independent controller
Authentication, if you choose social login via Apple
Google Sign-In
Independent controller
Authentication, if you choose social login via Google
Apple App Store
Independent controller
Payment processing for Premium purchases (iOS)
Google Play
Independent controller
Payment processing for Premium purchases (Android)
Where a provider acts as an independent controller, your data is processed under that provider's own privacy policy, and we have no access to or control over that processing (e.g. we never see your payment details). No special category data (Section 3) is shared with any third party.
8. Data Retention
Your personal data is retained for as long as your account is active. When you delete your account, all personal data — including any intimacy quiz results, game history, and story content — is permanently and irreversibly removed within 30 days. Routine database backups containing your data are overwritten on a rolling basis and are fully purged within 30 days of account deletion. Anonymised, aggregated usage data is not subject to deletion as it cannot identify you.
9. Data Security
We implement appropriate technical and organisational measures to protect your data:
Passwords are hashed using the Argon2id algorithm — we never store your plaintext password.
All data in transit between the app and our servers is encrypted via TLS 1.2 or higher.
Access to production systems is restricted to authorised personnel only.
Special category data is stored with the same protections as all account data and is not singled out for separate processing.
10. Children's Privacy
The Service is strictly for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us at info@elsen-technologies.de and we will delete the account promptly.
11. Your Rights Under GDPR (Betroffenenrechte)
If you are located in the EEA, you have the following rights:
Access (Art. 15) — obtain a copy of the data we hold about you.
Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
Erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data. You can also delete your account directly from the app's Settings screen.
Portability (Art. 20) — receive your data in a structured, machine-readable format.
Restriction (Art. 18) — ask us to restrict processing in certain circumstances.
Objection (Art. 21) — object to processing based on legitimate interests.
Withdraw consent (Art. 7(3) / Art. 9) — at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact info@elsen-technologies.de. We will respond within one month (Art. 12(3) GDPR).
You also have the right to lodge a complaint with a supervisory authority. In Germany, the federal authority is: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153, 53117 Bonn www.bfdi.bund.de
12. Where Your Data Is Stored
Our servers are operated by Hetzner Online GmbH and located in Germany. Your account data, app content, and special category data therefore remain within the European Union at all times.
Some third-party services described in Section 7 (e.g. Firebase, Apple, Google) may process data outside the EEA. Where this occurs, transfers are made under appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46 GDPR).
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the app before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.