Privacy Policy
Effective date: 2026-05-17 Last updated: 2026-06-05
1. Introduction and Scope
This Privacy Policy explains how Halora ("the App", "we", "us", "our") handles information when you use the Halora iOS application. Halora is operated by:
Lennox Kornmann Germany Email: halorasupport@gmail.com
We respect your privacy and have designed Halora to collect as little information as possible. The core of the App runs entirely on your device. The only personal data we ever process is what you choose to provide by optionally signing in, and what is needed to validate your one-time Halora Pro purchase.
This Privacy Policy applies to your use of the Halora iOS App distributed via the Apple App Store. It does not apply to any third-party services or websites that may be linked from the App.
2. Data We Collect (and Do Not Collect)
Data we do NOT collect
Halora has been built around the principle of data minimisation. We do not:
- Require an account to use the App — Mirror mode and all core features work fully as a guest, with no sign-in
- Collect your phone number or any contact details
- Use analytics SDKs (no Mixpanel, no Amplitude, no Firebase Analytics, no Google Analytics)
- Use attribution or tracking SDKs (no AppsFlyer, no Adjust, no Branch)
- Upload your photos, videos or camera frames to any server
- Display third-party advertising
- Track you across other apps or websites (we do not present an App Tracking Transparency prompt because we do not track you)
- Sell or rent any data about you
Data processed on your device only
The App processes the following information locally on your iPhone, without transmitting it anywhere:
- Camera frames used to render the live ring-light preview and to take photos or record videos. These frames are processed on-device only.
- Photos and videos you create with the App. These are stored in your iOS Photos library if you grant the relevant permission and only when you actively tap the shutter or recording control.
- App settings (such as last-used mode, preferred brightness, preferred colour temperature) stored in iOS UserDefaults locally on your device.
Account data (only if you choose to sign in)
Signing in is completely optional and exists solely to sync your Halora Pro unlock and your settings across your devices. You can use the entire App as a guest without providing any of the data below. If you choose Sign in with Apple or Sign in with Google, we collect:
- Your name and email address as provided by Apple or Google, and a user ID that identifies your account.
This account data is stored on our behalf by Supabase (our authentication and database provider; see section 5), which acts as our data processor and hosts the data in the European Union. You can delete your account and all associated data at any time from Settings → Account → Delete Account.
Data processed by Apple and our purchase processor
When you buy the optional one-time Halora Pro purchase, the following limited information is processed:
- An app user ID used to manage your purchase. For guest users this is a randomly generated, anonymous ID. If you are signed in, this ID is your account user ID, which is associated with the name and email from your sign-in.
- Purchase transaction information from Apple (purchase and refund events) for the purpose of verifying your Halora Pro entitlement.
This information is processed by RevenueCat, Inc. as our data processor (see section 5).
For App Store privacy-label purposes, Halora declares "Purchases" as collected because RevenueCat processes purchase transaction data on our behalf to verify your Halora Pro entitlement. For guest users this is not linked to your real identity; for signed-in users it is associated with your account ID.
Apple itself processes payment information when you make a purchase. Halora never sees or stores your payment details. Please refer to Apple's Privacy Policy for details: https://www.apple.com/legal/privacy/
3. Data We Share
We share data only as strictly necessary to operate the App:
| Recipient | Purpose | Data Shared | Their Policy |
|---|---|---|---|
| Apple Inc. | App distribution and In-App Purchase processing | Managed by Apple under its own policy | https://www.apple.com/legal/privacy/ |
| RevenueCat, Inc. | One-time purchase entitlement validation | App user ID, purchase transaction events | https://www.revenuecat.com/privacy |
| Supabase, Inc. | Optional account sign-in and cross-device sync (EU-hosted) | Name, email, account user ID — only if you sign in | https://supabase.com/privacy |
We do not share data with advertisers, data brokers, or any other third party. We do not sell personal information.
If you have explicitly enabled crash and analytics sharing in iOS Settings (Settings > Privacy & Security > Analytics & Improvements > Share With App Developers), Apple may share aggregated, anonymised crash reports with us. This is a setting you control entirely through iOS; Halora does not contain its own crash-reporting SDK.
4. Permissions We Request
Halora requests the minimum iOS permissions needed to function:
- Camera (NSCameraUsageDescription) — required so the App can show the live preview and capture photos or video. Camera access is used only while the App is in the foreground and only for the features you actively use.
- Add to Photos (NSPhotoLibraryAddUsageDescription) — required only so the App can save the photos and videos you capture to your Photos library. The App does not read your existing photo library; it only writes new media you have just captured, and only when you tap the save/shutter control.
You may revoke either permission at any time in iOS Settings > Privacy & Security. Revoking camera access will disable the App's core functionality; revoking Photos access will prevent saving captured media.
5. Third-Party Services
Supabase (optional account sign-in)
If you choose to sign in, we use Supabase to authenticate you (Sign in with Apple / Google) and to store your account record so your Halora Pro unlock and settings sync across devices. Under the GDPR, Supabase acts as our data processor (Auftragsverarbeiter). Supabase stores your name, email address and account user ID, and hosts this data in the European Union. See https://supabase.com/privacy. You can delete this data at any time via Settings → Account → Delete Account.
RevenueCat (purchase validation)
We use RevenueCat to validate Apple In-App Purchase receipts and manage your Halora Pro entitlement. Under the GDPR, RevenueCat acts as our data processor (Auftragsverarbeiter) on the basis of a written data processing agreement.
RevenueCat receives only:
- Your app user ID (a random anonymous ID for guests, or your account user ID if you are signed in)
- Purchase transaction events from Apple (such as purchase and refund)
RevenueCat does not receive your name, email address, payment details, photos, or videos.
RevenueCat is based in the United States. See its privacy policy at https://www.revenuecat.com/privacy and its security and compliance information at https://www.revenuecat.com/security.
Apple In-App Purchase
All payments are processed by Apple. Halora never receives or stores your payment card or Apple ID credentials. See https://www.apple.com/legal/privacy/.
6. Children's Privacy
Halora is rated 4+ in the App Store. The App is suitable for general audiences and does not contain content directed at children.
We do not knowingly collect personal information from children under the age of 16 (or the applicable age in your jurisdiction). Because Halora can be used fully without an account, most users provide no personal data at all.
In-app purchases require either the user's Apple ID password or a parent's approval through Apple's Family Sharing and Ask to Buy features. Parents are encouraged to use Apple's parental control and Screen Time settings to manage in-app purchases on a child's device.
If you believe that a child has provided personal data to us, please contact halorasupport@gmail.com and we will take reasonable steps to delete it.
7. Your Rights
Under the EU General Data Protection Regulation (GDPR) and similar laws (including the UK GDPR, the Swiss FADP, Brazil's LGPD, and the California Consumer Privacy Act/CPRA), you have the following rights regarding your personal data:
- Right of access — to know what personal data we hold about you
- Right to rectification — to correct inaccurate data
- Right to erasure ("right to be forgotten") — to have your data deleted
- Right to restriction of processing — to limit how we use your data
- Right to data portability — to receive your data in a portable format
- Right to object — to object to certain processing
- Right to withdraw consent at any time, where processing is based on consent
- Right to lodge a complaint with a supervisory authority
If you signed in, you can exercise your right to erasure directly in the App via Settings → Account → Delete Account, which deletes your account and associated data from Supabase. You can also email halorasupport@gmail.com for any request, including resetting or deleting the purchase app user ID held by RevenueCat.
California residents (CCPA/CPRA)
If you are a California resident, you also have the right to:
- Know what personal information is collected about you
- Request deletion of personal information collected about you
- Opt out of the sale or sharing of personal information (we do not sell or share personal information in the meaning of the CCPA)
- Not be discriminated against for exercising your rights
To exercise any of these rights, contact halorasupport@gmail.com. We will respond within the timeframes required by applicable law.
Supervisory authority
EU/EEA residents have the right to lodge a complaint with their local data protection supervisory authority. The competent authority for the operator is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit (or the supervisory authority of the operator's federal state in Germany)
8. International Data Transfers
Your optional account data is stored with Supabase in the European Union, so account sign-in does not, by itself, involve a transfer outside the EU/EEA.
RevenueCat, Inc. is established in the United States. When we transmit app user IDs and purchase transaction information to RevenueCat, this constitutes a transfer of data to a third country in the meaning of GDPR Articles 44 et seq. We rely on the following safeguards for this transfer:
- The EU-U.S. Data Privacy Framework (DPF) where applicable, and
- The European Commission's Standard Contractual Clauses (SCCs) as supplemental safeguards
For details, see RevenueCat's processing terms at https://www.revenuecat.com/dpa and its privacy notice at https://www.revenuecat.com/privacy.
Apple processes data globally under its own legal framework; see https://www.apple.com/legal/privacy/.
9. Retention
- On-device data (app settings, captured media in your Photos library) remains on your device until you delete the App or remove the media yourself. We have no access to it.
- Account data (name, email, account user ID) held by Supabase is retained until you delete your account (Settings → Account → Delete Account) or otherwise request deletion.
- App user ID and purchase state held by RevenueCat are retained for as long as needed to administer your Halora Pro entitlement and to comply with applicable tax and accounting obligations (typically up to 10 years under German law for financial records associated with purchases).
- Apple-held transaction records are governed by Apple's own retention policies.
10. Security
We apply reasonable technical and organisational measures to protect any data we process:
- All network communications use TLS encryption in transit.
- Optional account data is stored by Supabase (EU) behind authentication and row-level access controls; we do not run our own additional servers.
- RevenueCat and Supabase maintain industry-standard security practices; see https://www.revenuecat.com/security and https://supabase.com/security.
- Captured photos and videos never leave your device.
No security measure can be guaranteed to be perfect; however, given how little personal data we process, the practical risk from a Halora-side breach is limited.
11. Legal Bases for Processing (GDPR)
Where the GDPR applies, our legal bases for processing are:
- Performance of a contract (Art. 6(1)(b) GDPR) — for validating your Halora Pro purchase via RevenueCat and Apple, and for providing the optional account sign-in and cross-device sync that you request
- Consent (Art. 6(1)(a) GDPR) — when you choose to sign in (providing your name and email) and when you grant Camera or Photos permissions
- Legitimate interests (Art. 6(1)(f) GDPR) — for basic purchase validation and fraud prevention
- Legal obligation (Art. 6(1)(c) GDPR) — for retention of financial records under German tax law
You may withdraw consent at any time by deleting your account, or by revoking the relevant permission in iOS Settings.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this document indicates when the policy was last revised. Material changes will be communicated within the App or by updating the policy at https://halora-app.pages.dev/privacy.
Continued use of the App after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
13. Contact
If you have any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact:
Lennox Kornmann Email: halorasupport@gmail.com Web: https://halora-app.pages.dev
We will respond to verifiable requests within the timeframes required by applicable law (typically within one month under GDPR).