Privacy Policy
As of: May 2026 | Version 1.2
1. Data Controller
NormanPilot UG (haftungsbeschränkt)
Represented by Managing Director Batikaan Sarikurt
Friedrichstraße 15
70174 Stuttgart
Germany
Commercial Register: HRB 805193, Amtsgericht Stuttgart
Email: support@nis2pilot.app
Note on Controllership: NormanPilot UG (haftungsbeschränkt) has been the data controller within the meaning of Article 4 No. 7 GDPR since its registration in the Commercial Register on 23 April 2026. Prior to this date, the service was offered by Batikaan Sarikurt as an individual. Existing data records have been transferred to the UG. Purpose and scope of processing remain unchanged. Existing rights under GDPR remain fully preserved.
2. What Data Is Processed?
2.1 Locally Stored Data
The following data is stored exclusively locally on your device:
- Company data entered by you
- Your answers and results
- App settings and progress
This data is not transmitted to our servers.
2.2 Purchase Data (In-App Purchases)
In-app purchase transactions are processed through the Apple App Store. We use RevenueCat Inc. (USA) to manage purchases. The following data is processed:
- Anonymous device ID
- Purchase status (active/inactive)
- Product identifier of the purchase
We receive no payment data or names. The website does not collect personal data (see 2.4).
2.3 Technical Data (Crash Reports)
For error analysis, the app uses Sentry (Functional Software Inc., USA). Crash reports are collected only with your explicit consent and are disabled by default. Only technical crash data is transmitted: no personal data, no inputs, no company data.
2.4 Website
The website does not collect personal data. Only local browser storage (localStorage/sessionStorage) is used for convenience functions (see above).
2.5 Feedback Form
Through our feedback form, you can share wishes, issues or general feedback with us. The following data is processed:
- Message text: Your feedback (required)
- Email address: Only if you want a reply (optional)
- Technical data: App version, product tier and request origin (automatically transmitted, not personal)
Your message is forwarded to the operator via email. There is no permanent storage on the server. If you provide an email address, we use it exclusively to respond to your inquiry. Deletion occurs after processing, at most after 6 months.
2.6 Progress Tracking (Optional)
When the Progress feature is enabled, your activity data — timestamps and result values of completed assessments, quick checks, training modules, and risk entries — is stored locally on your device with AES-256 encryption. No transmission to any server. You can disable the feature in settings and delete all data at any time. Your rights under GDPR Articles 15 (access) and 17 (erasure) are directly fulfilled via the Progress screen and the delete button — see Section 7 for additional rights.
3. Purpose and Legal Basis
- Local data storage: Contract performance (Art. 6(1)(b) GDPR) — necessary for app functionality
- In-app purchases: Contract performance (Art. 6(1)(b) GDPR) — processing your order
- Crash reports: Consent (Art. 6(1)(a) GDPR) — only with your consent
- Feedback form: Consent (Art. 6(1)(a) GDPR) — processing your feedback
- Website convenience functions: Legitimate interest (Art. 6(1)(f) GDPR) — localStorage/sessionStorage for theme and usage preferences
4. Recipients and Third-Party Providers
The following third-party providers may process data:
- Apple Inc. (USA) — App Store, payment processing
- Google LLC (USA) — Play Store, payment processing
- RevenueCat Inc. (USA) — purchase management
- Functional Software Inc. (Sentry) (USA) — crash reports (disabled by default, only with your consent)
- STRATO AG (Germany) — web hosting
5. Transfer to Third Countries
RevenueCat Inc. is based in the USA. Data transfer is based on:
- EU-US Data Privacy Framework (adequacy decision by the European Commission)
- Additionally: Standard Contractual Clauses (SCCs)
6. Storage Duration
- Local data: Until you delete it in the app or uninstall the app
- Purchase data at RevenueCat: According to their retention policies (max. 3 years after contract end)
- Website data: localStorage entries remain in the browser until manual deletion; sessionStorage is deleted when the tab is closed
- Rate limiting data: Anonymized IP hashes are automatically deleted after 1 hour
7. Your Rights
You have the following rights under GDPR:
- Access (Art. 15) — What data we hold about you
- Rectification (Art. 16) — Correction of inaccurate data
- Erasure (Art. 17) — In the app: Settings → Delete all data
- Restriction (Art. 18) — Restriction of processing
- Data portability (Art. 20) — Export of your data
- Objection (Art. 21) — Against certain processing
Contact for inquiries: support@nis2pilot.app
8. Withdrawal of Consent
If you have given consent (e.g. for crash reports via Sentry), you can withdraw it at any time. You can disable crash reports in the app settings. The lawfulness of processing carried out before the withdrawal remains unaffected.
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
www.baden-wuerttemberg.datenschutz.de
10. No Automated Decision-Making
There is no automated decision-making or profiling within the meaning of Art. 22 GDPR.
11. Changes
We reserve the right to update this privacy policy to reflect changes in the legal situation or features. The current version is always available at this URL.