Privacy Policy – quik connect | Personal CRM & Network Manager

Summary: quik connect stores your contacts and network data in Firebase Cloud (Google) for cross-device synchronization. For AI features, only name, relationship type, and your own notes are sent to Anthropic (Claude AI) – never phone numbers or email addresses. Emails via the feedback and ideas form are sent through Brevo (EU servers). This website uses Google Analytics for reach measurement; tracking is only activated after your explicit consent via the cookie banner (CookieScript) and can be revoked at any time.

1. Controller

The controller within the meaning of the GDPR for data processing on this website and in the quik connect iOS app is:

quik UG (haftungsbeschränkt)

Represented by: Felix Schmitz

Nievenheimerstraße 35, 50739 Cologne, Germany

info@quik-services.de

quik-startup.com/connect

VAT ID: DE369425979

2. Data Processing in the iOS App

2.1 Registration and Authentication

Using quik connect requires registration. This is possible via email and password, Apple Sign-In (Apple Inc.), or Google Sign-In (Google LLC). The following data is collected and stored in Firebase Authentication:

Internal user ID (UID) as primary data key
Email address
Password hash (email/password login only; the password itself is never stored in plain text)
Name (if provided during registration)
Login method (email/password, Apple, or Google)
Apple ID or Google Account identifier (for social login)
Timestamp of first registration and most recent login

Legal basis: Art. 6(1)(b) GDPR (performance of contract – the app cannot be used without an account).

2.2 Contacts, Circles, and History

The core app data – contacts, circles, and interaction history – is stored in Google Firebase Firestore (cloud database) and synchronized in real time across your devices. The following data is stored:

Contacts: Name, contact frequency (in days), preferred channel (WhatsApp / LinkedIn / email), relationship type, optional contact link (phone number, email, or LinkedIn URL), notes/annotations, circle membership, timestamp of last contact
Circles: Name, emoji, color, topic, news activation status
History: Timestamp of each contact marked as "done", associated contact ID and circle ID
Settings: Display language, appearance mode (light/dark), daily goal, streak and XP data, notification preferences

Legal basis: Art. 6(1)(b) GDPR (performance of contract). You can export all data at any time (Settings → Export Data) or delete it (Settings → Delete All Data).

2.3 Leaderboard Profile

If you participate in the global leaderboard, the following profile information is stored in a publicly readable Firestore collection and displayed to other users. Participation is opt-in and voluntary.

Display name (freely chosen by you)
Weekly XP and current streak
Level icon and level title
Optional fields: industry, city, short bio

You can change your display name at any time. Legal basis: Art. 6(1)(a) GDPR (consent via deliberate profile entry), or Art. 6(1)(b) GDPR for the ranking function itself.

2.4 AI Features (Claude AI / Anthropic)

quik connect uses the Claude language model by Anthropic PBC (USA) for two features:

Conversation hooks: On request, a short personalized conversation starter is generated. Data sent to Anthropic: contact's first name, relationship type (e.g. "Mentor"), circle name and circle topic, and your own notes about the contact.
Circle news summaries: For enabled circles, recent news articles (from public RSS feeds) are summarized. Data sent to Anthropic: the circle name and topic, plus the text of publicly accessible articles.

Never sent to Anthropic: phone numbers, email addresses, LinkedIn URLs, Firebase IDs, or your full contact history. Each request is logged in Firebase (anonymized: request type, timestamp, estimated token count) for quota management. You have 30 AI requests per month; your quota is visible in Settings.

Legal basis: Art. 6(1)(b) GDPR (performance of contract – use of an explicitly advertised app feature). For data transfers to the USA, see § 5.

2.5 Contact Import (Address Book)

quik connect offers an optional feature to import contacts from the iOS address book (CNContactStore). The following applies:

Access to the address book is granted only with your explicit permission via the iOS system dialog.
Only contacts you actively select (in particular name, and optionally phone number and email) are imported into the app. This third-party data is stored in Firebase Firestore (see § 2.2).
Access to these imported contacts is restricted exclusively to the respective account holder; no other user can view this data.
The app does not read your entire address book automatically; you select each contact manually.
quik connect does not retain ongoing access to your address book.

Legal basis: Art. 6(1)(a) GDPR (consent) for address book access; Art. 6(1)(b) GDPR for storage of imported contact data.

2.6 Push Notifications

quik connect uses local notifications only. No server-side push messages are sent, and Firebase Cloud Messaging (FCM) is not used. Notifications are scheduled and delivered entirely on-device by the iOS notification system. Notification text may include the names of contacts stored in your app. Push notifications can be disabled at any time in the iOS system settings or within the app settings.

Legal basis: Art. 6(1)(a) GDPR (consent via activation).

2.7 News Cache (Circle News)

For enabled circles, quik connect retrieves current news articles from public RSS feeds (e.g. Google News). The article titles and URLs displayed are stored in Google Firebase Firestore as a cache to avoid showing already-seen items again. This data is private and accessible exclusively to the respective account holder. No personal data is transmitted to the feed provider during these requests.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.8 Local Storage (Device)

The following data is stored exclusively on your device (iOS UserDefaults) and is not synchronized with Firebase:

Daily goal and notification settings
Language selection
Seen news articles (URL/title) as a local duplicate cache
AI quota counter (fast local cache; source data resides in Firebase)

After account deletion, this data no longer relates to any person and is automatically removed when the app is uninstalled.

2.9 Contact via Email (In-App)

If you contact us via the feedback form or directly by email, your email address, name (if provided), and message content are stored solely to process your request. Data is not shared without your consent. Legal basis: Art. 6(1)(b) GDPR.

3. Data Processing on This Website

3.1 Server Log Files

When you visit this website, the following technical information is automatically recorded in server log files:

IP address of the requesting device (anonymized after 7 days)
Date and time of access
Name and URL of the requested resource
HTTP status code
Volume of data transferred
Browser type, browser version, and operating system
Referrer URL (the previously visited page)

This data is required for the technical provision of the website and is used exclusively to ensure stable operation and to defend against attacks. Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Logs are deleted after no more than 30 days.

3.2 Google Fonts

This website loads typefaces from Google Fonts (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). When the page loads, a connection to Google servers is established, which may transmit your IP address. Legal basis: Art. 6(1)(f) GDPR. You can prevent this by disabling JavaScript in your browser.

3.3 Font Awesome via Cloudflare CDN

For icon rendering we use Font Awesome delivered via the Cloudflare CDN (Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA). Your IP address is transmitted to Cloudflare when icons are loaded. Cloudflare is certified under the EU–US Data Privacy Framework (DPF). Legal basis: Art. 6(1)(f) GDPR.

3.4 Forms (feedback & roadmap ideas) and submission to n8n

When you submit the feedback form (/feedback) or the idea form on the roadmap page (/roadmap), the data you entered is transmitted to our workflow automation n8n Cloud (provider: n8n GmbH, Berlin, Germany; hosted in the EU). Only the fields you actually filled in are transmitted (e. g. name, email, message, rating, category or idea), together with an event identifier ("feedback" or "roadmap_idea") used to route the workflow, a timestamp, and the selected language code. Transmission is encrypted (HTTPS).

n8n processes the incoming data automatically (e. g. forwarding to our internal mailbox, optional storage for tracking). No additional data such as IP address, location, or browser fingerprint is sent to n8n beyond what you entered in the form. By ticking the mandatory privacy checkbox below the form you grant your explicit consent to this processing.

Legal basis: Art. 6(1)(a) GDPR (consent via form checkbox). A data processing agreement pursuant to Art. 28 GDPR is in place with n8n. You can revoke your consent at any time with effect for the future by writing to info@quik-services.de. The lawfulness of processing prior to revocation remains unaffected.

3.5 Google Tag Manager

We use Google Tag Manager (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to manage tags such as Google Analytics on a consent basis. The Tag Manager itself collects no personal data and sets no cookies prior to consent. When the page loads, however, your IP address is transmitted to Google to load the script. Downstream tags are only activated after your consent via the CookieScript banner (Google Consent Mode v2 with default setting "denied"). Legal basis for loading the Tag Manager: Art. 6(1)(f) GDPR (legitimate interest in privacy-compliant tag management).

3.6 Google Analytics 4

We use Google Analytics 4 (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) for statistical reach measurement. Measurement ID: G-LXQT7TVDNC. Google Analytics sets cookies (including _ga, _ga_LXQT7TVDNC) and processes pseudonymous usage data such as pages viewed, session duration, device type, approximate region (city/country level derived from the IP, which is shortened immediately upon collection), and referrer. No identification of individual persons takes place; data is not merged with other Google services.

Processing occurs only after your explicit consent, which we collect via the cookie banner (CookieScript). Until consent is granted, Google Analytics is fully blocked via Google Consent Mode v2 (analytics_storage: 'denied'). You can revoke your consent at any time by opening the "Cookie Settings" link in the footer. Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.

Third-country transfer: Data may be transferred to servers of Google LLC in the USA. Google LLC is certified under the EU–US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR have been concluded as an additional safeguard. Retention period: User and event data in our GA4 property is automatically deleted after 14 months.

3.7 CookieScript (Consent Management)

To collect, manage, and document consent for cookies and third-party tags we use CookieScript (provider: CookieScript Ltd., Dublin, Ireland). CookieScript displays a cookie banner on first visit and stores your selection in a strictly necessary cookie (CookieScriptConsent) for a maximum of 12 months. CookieScript signals consent state to Google Analytics via Google Consent Mode v2.

Data processed: your consent decision (anonymized), timestamp, a random consent ID, browser language. No identification of your person takes place. Legal basis: Art. 6(1)(c) GDPR in conjunction with § 25(2) no. 2 TDDDG (legal obligation to document consent), and our legitimate interest in being able to demonstrate GDPR compliance (Art. 6(1)(f) GDPR).

4. Processors and Third-Party Providers

We use the following processors and third-party providers. Data processing agreements pursuant to Art. 28 GDPR have been concluded with all processors:

Google Firebase (Firestore & Auth)

Cloud database for contacts, circles, history, settings, and leaderboard data. Authentication infrastructure.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (EU entity)

Art. 6(1)(b) GDPR · EU–US DPF · Standard Contractual Clauses

Anthropic PBC (Claude AI)

AI language model for conversation hook generation and circle news summaries. Data: contact name, relationship type, circle topic, notes.

Provider: Anthropic PBC, 548 Market Street PMB 90375, San Francisco, CA 94104, USA

Art. 6(1)(b) GDPR · Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR

Apple Inc. (Sign-In & APNs)

Apple Sign-In for authentication; Apple Push Notification Service (APNs) infrastructure for local push notifications.

Provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA

Art. 6(1)(b) GDPR · EU–US DPF

Google LLC (Google Sign-In)

Optional authentication via Google account. An OAuth 2.0 connection to Google servers is established; the response returns a unique Google user ID and email address.

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Art. 6(1)(b) GDPR · EU–US DPF

Google News RSS / Public News Feeds

Retrieval of public news articles for the circle news feature. Only technical HTTP requests are made; no personal data is transmitted to the feed provider.

Provider: Google LLC and other news providers

No personal data · Technical retrieval of public content

Cloudflare, Inc. (Font Awesome CDN)

Delivery of the Font Awesome icon library via Cloudflare CDN on the website. IP address is transmitted when icons load.

Provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA

Art. 6(1)(f) GDPR · EU–US DPF

Google Fonts

Loading the "Inter" typeface from Google servers on the website. IP address is transmitted when fonts load.

Provider: Google Ireland Limited / Google LLC

Art. 6(1)(f) GDPR · EU–US DPF

Brevo SAS (Email Delivery)

Transactional emails (e.g. contact requests via the feedback form and roadmap idea submissions). Brevo processes name, email address, and message content to deliver the respective email.

Provider: Brevo SAS (formerly Sendinblue), 7 rue de Madrid, 75008 Paris, France (EU entity)

Art. 6(1)(b) GDPR · DPA pursuant to Art. 28 GDPR · Processing within the EU

n8n GmbH (Workflow Automation)

Receives and automatically processes submissions from the feedback form and the roadmap idea form via a webhook. Data: only the fields filled in by the user, an event identifier for workflow routing, a timestamp, and the language code.

Provider: n8n GmbH, Berlin, Germany (hosted in the EU)

Art. 6(1)(a) GDPR (consent) · DPA pursuant to Art. 28 GDPR · Processing within the EU

Google Tag Manager (Website)

Consent-based loading and management of third-party tags (e.g. Google Analytics) on the website. Sets no marketing cookies itself and sends no data to downstream tags before consent (Google Consent Mode v2, default "denied").

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Art. 6(1)(f) GDPR (legitimate interest) · EU–US DPF · SCCs

Google Analytics 4 (Website)

Statistical reach measurement using pseudonymous usage data (Measurement ID G-LXQT7TVDNC). Sets cookies (e.g. _ga, _ga_LXQT7TVDNC) and transfers data only after explicit consent via the cookie banner. Retention: 14 months.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (with data transfer to Google LLC, USA)

Art. 6(1)(a) GDPR · § 25(1) TDDDG · EU–US DPF · SCCs pursuant to Art. 46(2)(c) GDPR

CookieScript Ltd. (Consent Management)

Display of the cookie banner, collection and documentation of your consent, and orchestration of Google Consent Mode v2. Sets the strictly necessary cookie CookieScriptConsent (retention max. 12 months). Processes consent decision, timestamp, anonymous consent ID.

Provider: CookieScript Ltd., Dublin, Ireland (EU entity)

Art. 6(1)(c) GDPR in conj. with § 25(2) no. 2 TDDDG · Art. 6(1)(f) GDPR

5. Data Transfers to Third Countries

The following providers are based in the USA, meaning your data may be transferred there:

Google Firebase and Google Fonts: Data is processed on Google Cloud servers, which may be located primarily in the EU (region europe-west1). Google LLC is certified under the EU–US Data Privacy Framework (DPF) and additionally offers Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR.
Apple Inc. (Sign-In & APNs): Apple is certified under the EU–US DPF.
Google LLC (Google Sign-In): Google LLC is certified under the EU–US DPF.
Anthropic PBC (Claude AI): Anthropic is based in the USA. The transfer is based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) concluded with Anthropic. Only the minimal data listed in § 2.4 is transferred.
Cloudflare, Inc.: Cloudflare is certified under the EU–US DPF.

DPF certification and Standard Contractual Clauses each ensure a level of data protection equivalent to EU standards.

6. Retention Periods

We store personal data only for as long as necessary for the respective purposes or as required by law:

Contacts, circles, history, settings, AI logs, news cache, leaderboard profile (Firebase): For as long as the account is active. Upon account deletion, all data is removed immediately and completely from Firebase.
Firebase Auth data (UID, email, name): Until permanent account deletion by the user (in the app: Settings → Delete Account).
AI request logs (Anthropic calls): 13 months, then automatic deletion. Purpose: cost control and quota calculation.
Circle news cache (Firebase): 48-hour TTL, then automatically overwritten.
Local data (UserDefaults): Remains until app uninstallation. After account deletion, this data no longer relates to any identifiable person.
Server log files (website): Maximum 30 days.
Email correspondence: Until the matter is fully resolved, at most 3 years.

7. Your Rights as a Data Subject

Under the GDPR you have the following rights. Many can be exercised directly in the app:

Right of Access Art. 15

You may request information about which personal data we hold about you at any time.

In the app: Settings → Export Data (JSON)

Right to Rectification Art. 16

You may request correction of inaccurate or incomplete personal data. Contacts and profile information can be edited directly in the app.

In the app: Edit Contact

Right to Erasure Art. 17

You may request deletion of your personal data. Upon account deletion, the following are removed immediately and completely: contacts, circles, contact history, AI logs, news cache, settings, leaderboard profile, and Firebase Auth account.

Settings → Delete Account

Right to Restriction Art. 18

In certain cases you may request that the processing of your data be restricted (e.g. while a rectification is being reviewed).

Request by email

Data Portability Art. 20

You may receive your data in a structured, machine-readable format (JSON export) and transfer it to another controller.

Settings → Export Data (JSON)

Right to Object Art. 21

Where we process data on the basis of legitimate interests (Art. 6(1)(f)), you may object at any time.

Request by email

Withdrawal of Consent Art. 7(3)

Consents (e.g. for push notifications or the contact import) may be withdrawn at any time without giving reasons, without affecting the lawfulness of processing prior to withdrawal.

iOS Settings → Notifications

Right to Lodge a Complaint Art. 77

You have the right to lodge a complaint with a supervisory authority. The competent authority is the State Commissioner for Data Protection and Freedom of Information NRW.

ldi.nrw.de

To exercise your rights, contact: info@quik-services.de – We respond within 30 days.

8. Data Security

We implement technical and organizational measures (TOMs) to protect your data against loss, destruction, unauthorized access, alteration, and disclosure:

Transport encryption: The website is served exclusively over HTTPS (TLS 1.2+). All communication between the app and Firebase as well as Anthropic is encrypted via HTTPS.
Database rules (Firebase Security Rules): Each user can access only their own data. Leaderboard data is publicly readable only; writable only by the respective user.
Firebase Authentication: Your account is secured by the respective identity provider (Apple/Google); we never store passwords.
Data minimization (AI): Only the minimal data listed in § 2.4 is sent to Anthropic. No contact history, no phone numbers, no email addresses.
On-device security: The iOS app is protected by iOS's own security architecture (sandboxing, App Transport Security).

9. No Ad Tracking, No Analytics SDKs

quik connect contains no advertising tracking, no analytics SDKs (neither Firebase Analytics, Mixpanel, Amplitude, Meta SDK, nor similar services), and no advertising banners. No user data is shared with third parties for advertising purposes.

Note on minors: quik connect is not directed at children or young people under the age of 16. We do not knowingly collect personal data from persons under 16. If you become aware that a child under 16 has created an account, please contact info@quik-services.de.

10. Cookies, Analytics & Consent Management

The website quik-startup.com/connect uses only the cookies and comparable storage technologies listed below. No marketing or retargeting cookies are used; there is no advertising tracking and no data sharing with advertising networks.

10.1 Strictly necessary cookies

CookieScriptConsent (CookieScript Ltd.) – stores your consent decision so the banner is not redisplayed on every visit. Retention: max. 12 months. Legal basis: Art. 6(1)(c) GDPR in conjunction with § 25(2) no. 2 TDDDG (legal obligation to document consent).

10.2 Statistics cookies (only with consent)

_ga (Google Analytics) – pseudonymous user ID to distinguish visitors. Retention: 2 years.
_ga_LXQT7TVDNC (Google Analytics 4) – session and campaign information for the GA4 property. Retention: 2 years.

These cookies are set only after your explicit consent via the cookie banner. Without consent, all analytics tags are blocked via Google Consent Mode v2 (analytics_storage: 'denied'). Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.

10.3 Revoke consent / change cookie settings

You can revoke your consent at any time with effect for the future. Click "Cookie Settings" in the footer or delete the CookieScriptConsent cookie in your browser; the banner will reappear on your next visit. The lawfulness of processing prior to revocation remains unaffected.

10.4 Third-party connections without cookies

When embedded resources are loaded (Google Fonts, Font Awesome via Cloudflare CDN, Google Tag Manager), your IP address is transmitted to the respective providers without necessarily setting cookies. Processing is based on Art. 6(1)(f) GDPR. See §§ 3.2, 3.3, 3.5 and § 4 of this Policy for details.

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy when legal requirements, the technologies used, or the app's feature set change. The current version is always available at quik-startup.com/connect/en/privacy. The date of the most recent update is shown in the page header. For material changes that affect your rights, we will notify you via the app or by email.

12. Contact and Right to Complain

For questions about privacy, to exercise your rights, or to file a complaint, contact us at:

quik UG (haftungsbeschränkt) – Privacy

Felix Schmitz · Nievenheimerstraße 35 · 50739 Cologne, Germany

info@quik-services.de

Competent supervisory authority:

State Commissioner for Data Protection and Freedom of Information NRW

P.O. Box 20 04 44, 40102 Düsseldorf, Germany