Privacy Policy
Attenya is built to be privacy-first: the app has no user accounts, no advertising, and no analytics or tracking SDKs, and the data that powers it stays on your device. This policy explains the limited processing that nevertheless happens around the app — if you email us, buy a subscription through Apple, or visit this website — as required by the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss FADP and comparable laws worldwide.
1. Who is responsible (Controller)
Laurenz Zuser, Vienna, Austria · Email: support@attenya.app · full postal address in the Imprint. We have not appointed a Data Protection Officer because we are not legally required to.
2. The short version
- The app stores your settings and Apple Screen Time selections (opaque tokens) only locally on your device. We cannot see them and they are never transmitted to us.
- We do not track you, show ads, or use third-party analytics. No App Tracking Transparency prompt is needed because we do not track.
- We only process personal data when you contact us, when you buy a subscription (handled by Apple), and through ordinary web server logs when you open this site.
3. What we process, why, and the legal basis
3.1 Data processed locally on your device
The app stores on your device your protected-app selection (Apple FamilyControls tokens), balances, vault and crystallized totals, schedules, settings and your local activity ledger. The app processes this data locally on your device. We do not gain access to your FamilyControls selection, Screen Time tokens or your local activity history, and this data is not transmitted to us. You can erase it any time (Section 8).
3.2 Subscriptions and in-app purchases (via Apple)
Attenya Pro is sold as an auto-renewable subscription (monthly, yearly) or a one-time purchase through Apple’s In-App Purchase. Apple is the seller (merchant of record) and an independent controller for the payment. We never receive your payment details; from App Store Connect we only receive aggregated, anonymized statistics. Legal basis: Art. 6(1)(b) GDPR (contract). See Apple’s privacy policy.
3.3 Support and feedback (only if you contact us)
If you use “Report a problem” or email us, we process your email address, your message and the diagnostics you choose to attach. The diagnostics are deliberately non-identifying (app/iOS version, device model, locale and aggregate counters) and contain no app names, no Screen Time tokens and no detailed activity history. You see the full content before sending. If you voluntarily send diagnostics by email, they may be linked to your email address while we handle your request. Legal basis: Art. 6(1)(b) and/or (f) GDPR.
3.4 This website
This website is hosted on Cloudflare Pages (Cloudflare, Inc., USA), acting as our processor. Cloudflare processes standard server log data (e.g. IP address, time, requested page, browser type, user agent, HTTP status) to deliver the site, defend against attacks and ensure performance. Legal basis: Art. 6(1)(f) GDPR (secure, reliable delivery and protection of the site). We set no tracking cookies, no analytics cookies and no advertising cookies. A complete overview of all cookies that Cloudflare can technically set under each product configuration is given in Section 12. Cloudflare’s official cookie documentation and privacy policy apply additionally.
4. What we do not do
No advertising, no ad IDs, no cross-app/web tracking, no profiling, no selling or sharing of personal data, and no automated decision-making producing legal effects (Art. 22 GDPR).
5. Recipients / processors
Apple (App Store, In-App Purchase) as an independent controller; Cloudflare, Inc. (website hosting) and our email provider as our processors. We use no other third parties for personal data.
6. International transfers
Some providers (e.g. Apple and Cloudflare) may process data outside the EU/EEA, including in the USA, safeguarded by appropriate mechanisms such as the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
7. Retention
- On-device data: until you delete it (in-app reset or uninstalling the app).
- Support emails: typically up to 12 months after resolution unless statutory duties apply.
- Server logs: typically 7–30 days (host-dependent).
- We do not process our own payment/billing data (Apple is the merchant of record).
8. Your rights
You have the right to access, rectification, erasure, restriction, data portability, and to object to processing based on legitimate interests, as well as to withdraw consent. Contact support@attenya.app. You may also lodge a complaint with a supervisory authority — in Austria the Österreichische Datenschutzbehörde (DSB), Barichgasse 40–42, 1030 Wien, dsb.gv.at. To delete data on your device, use the in-app reset or delete the app.
9. Children
Attenya is not directed to children. We do not knowingly process personal data of children below the applicable age of digital consent (in Austria, 14).
10. California / USA (CCPA/CPRA)
We do not sell or share personal information as defined by the CCPA, and we do not process sensitive personal information for purposes requiring an opt-out.
11. Changes
We may update this policy as the app or the law evolves. The current version with its date is always available here. For material changes we will provide an appropriate notice (e.g. in the app).
12. Cookies — overview
We do not set any first-party cookies on this website. The only third party that may technically set cookies is our hosting provider Cloudflare — and only when the corresponding Cloudflare feature is enabled. The table below lists all cookies Cloudflare documents as settable, their purpose, lifetime, whether they are actually set under our current configuration, and the legal basis. All of them are strictly necessary cookies within the meaning of § 165(3) TKG 2021 (Austria) / ePrivacy; they are not used for tracking, analytics or advertising and require no consent under GDPR / § 165(3) TKG 2021 (Austria).
12.1 Default configuration (Cloudflare Pages, Free plan)
Under our current configuration — Cloudflare Pages without enabled bot products, without Load Balancer Session Affinity, without Rate-Limiting rules and without Always Online — no cookies are set by Cloudflare at all. The site is cookie-free in this respect.
12.2 Cookies that may arise when additional Cloudflare features are enabled
| Cookie | Provider / purpose | Type / lifetime | Active? | Legal basis |
|---|---|---|---|---|
| __cf_bm | Cloudflare Bot Management / Bot Fight Mode. Distinguishes human visitors from bots to protect the site against abuse, scraping and DDoS. Contents: encrypted bot score; with Anomaly Detection enabled, a session identifier. | HTTP cookie, session / 30 minutes of inactivity | No (Bot Fight Mode not currently enabled; only set when enabled) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) (strictly necessary) |
| __cflb | Cloudflare Load Balancer with Session Affinity. Routes consecutive requests from the same visitor to the same origin server. | HTTP cookie, session / seconds to 24 hours (configurable) | No (no Load Balancer in use) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
| cf_clearance | Cloudflare Challenge platform. Stores the result of a JavaScript check (e.g. “I’m not a bot”) so the same visitor isn’t challenged again. Attributes: SameSite=None; Secure; Partitioned. | HTTP cookie, session / 1 day to 30 days (configurable) | No (no Cloudflare Challenges configured) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
| _cfuvid | Cloudflare Rate-Limiting Rules. Allows the Cloudflare WAF to distinguish individual visitors behind the same IP (e.g. NAT). | HTTP cookie, session | No (no Rate-Limiting rules using cf.unique_visitor_id) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
| cf_ob_info, cf_use_ob | Cloudflare Always Online. Serves pages from cache when the origin is down. | Persistent, 30 seconds each | No (Always Online disabled) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
| __cfwaitingroom | Cloudflare Waiting Room. Queueing during traffic spikes. | Session | No (not in use) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
| __cfseq | Cloudflare Bot Management (Sequence Rules). Records the order and timing of requests to evaluate sequence-based security rules. | HTTP cookie, session | No (Sequence Rules not in use) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
| cf_chl_rc_i, cf_chl_rc_ni, cf_chl_rc_m | Cloudflare Challenge platform (internal). Lets Cloudflare identify production issues while serving challenges. | HTTP cookie, session | No (no Cloudflare Challenges configured) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
| __cfruid | Cloudflare Rate Limiting. Helps manage incoming traffic and gives better visibility into the origin of requests. | HTTP cookie, session | No (no Rate-Limiting rules in use) | Art. 6(1)(f) GDPR; § 165(3) TKG 2021 (Austria) |
12.3 Third-country storage note
Cloudflare primarily processes cookie and connection data in the United States, with the option of relocation to the EEA (Regional Services / Customer Metadata Boundary). For data transfers to the United States, Cloudflare relies on the EU-US Data Privacy Framework (certified by the U.S. Department of Commerce) and additionally on the EU Standard Contractual Clauses. The current safeguards are documented in Cloudflare’s privacy policy, Section 7.
12.4 Your choices
You can disable all cookies in your browser — however, parts of the Cloudflare protection features above may then stop working, and the site may be unavailable or limited for you (e.g. if a bot check cannot be passed without cf_clearance). Because none of the cookies serve tracking, analytics or advertising purposes, disabling them has no effect on the “What we do not do” guarantees in Section 4.
13. Contact
Questions about privacy? Email support@attenya.app.