Privacy Policy

Effective date: 2026-05-17 Last updated: 2026-05-17

1. Introduction and Scope

This Privacy Policy explains how Halora ("the App", "we", "us", "our") handles information when you use the Halora iOS application. Halora is operated by:

Oliver Kornmann Germany Email: halorasupport@gmail.com

We respect your privacy and have designed Halora to collect as little information as possible. Most of the App functions entirely on your device, without any data leaving your iPhone.

This Privacy Policy applies to your use of the Halora iOS App distributed via the Apple App Store. It does not apply to any third-party services or websites that may be linked from the App.

2. Data We Collect (and Do Not Collect)

Data we do NOT collect

Halora has been built around the principle of data minimisation. We do not:

• Create user accounts or require any login or registration
• Collect your name, email address, phone number, or any contact information
• Use analytics SDKs (no Mixpanel, no Amplitude, no Firebase Analytics, no Google Analytics)
• Use attribution or tracking SDKs (no AppsFlyer, no Adjust, no Branch)
• Upload your photos, videos or camera frames to any server
• Display third-party advertising
• Track you across other apps or websites (we do not present an App Tracking Transparency prompt because we do not track you)
• Sell or rent any data about you

Data processed on your device only

The App processes the following information locally on your iPhone, without transmitting it anywhere:

• Camera frames used to render the live ring-light preview and to take photos or record videos. These frames are processed on-device only.
• Photos and videos you create with the App. These are stored in your iOS Photos library if you grant the relevant permission and only when you actively tap the shutter or recording control.
• App settings (such as last-used mode, preferred brightness, preferred colour temperature) stored in iOS UserDefaults locally on your device.

Data processed by Apple and our subscription processor

When you subscribe to the optional Premium tier, the following limited information is processed:

• A randomly generated anonymous app user ID that Halora assigns to your installation. It is not linked to your Apple ID, name, email or any other identifier.
• Subscription transaction information from Apple (purchase, renewal, cancellation, refund events) for the purpose of verifying your subscription entitlement.

This information is processed by RevenueCat, Inc. as our data processor (see section 5).

For App Store privacy-label purposes, Halora declares "Purchases" as collected because RevenueCat processes anonymous subscription transaction data on our behalf. This declaration is required by Apple's definition of "collect" (data sent off the device in a non-ephemeral way) and is not linked to your real identity. It exists only to verify your active subscription entitlement.

Apple itself processes payment information when you purchase a subscription. Halora never sees or stores your payment details. Please refer to Apple's Privacy Policy for details: https://www.apple.com/legal/privacy/

3. Data We Share

We share data only as strictly necessary to operate the App:

| Recipient | Purpose | Data Shared | Their Policy | |-----------|---------|-------------|--------------| | Apple Inc. | App distribution and In-App Purchase processing | Managed by Apple under its own policy | https://www.apple.com/legal/privacy/ | | RevenueCat, Inc. | Subscription entitlement management | Anonymous app user ID, subscription transaction events | https://www.revenuecat.com/privacy |

We do not share data with advertisers, data brokers, or any other third party. We do not sell personal information.

If you have explicitly enabled crash and analytics sharing in iOS Settings (Settings > Privacy & Security > Analytics & Improvements > Share With App Developers), Apple may share aggregated, anonymised crash reports with us. This is a setting you control entirely through iOS; Halora does not contain its own crash-reporting SDK.

4. Permissions We Request

Halora requests the minimum iOS permissions needed to function:

• Camera (NSCameraUsageDescription) — required so the App can show the live preview and capture photos or video. Camera access is used only while the App is in the foreground and only for the features you actively use.
• Add to Photos (NSPhotoLibraryAddUsageDescription) — required only so the App can save the photos and videos you capture to your Photos library. The App does not read your existing photo library; it only writes new media you have just captured, and only when you tap the save/shutter control.

You may revoke either permission at any time in iOS Settings > Privacy & Security. Revoking camera access will disable the App's core functionality; revoking Photos access will prevent saving captured media.

5. Third-Party Services

RevenueCat (subscription management)

We use RevenueCat to manage subscription entitlements and to validate Apple In-App Purchase receipts. Under the GDPR, RevenueCat acts as our data processor (Auftragsverarbeiter) on the basis of a written data processing agreement.

RevenueCat receives only:

• The randomly generated anonymous app user ID assigned by Halora
• Subscription transaction events from Apple (such as purchase, renewal, cancellation)

RevenueCat does not receive your name, email address, payment details, photos, videos, or any identifier linked to your real identity.

RevenueCat is based in the United States. See its privacy policy at https://www.revenuecat.com/privacy and its security and compliance information at https://www.revenuecat.com/security.

Apple In-App Purchase

All payments are processed by Apple. Halora never receives or stores your payment card or Apple ID credentials. See https://www.apple.com/legal/privacy/.

6. Children's Privacy

Halora is rated 4+ in the App Store. The App is suitable for general audiences and does not contain content directed at children.

We do not knowingly collect personal information from anyone, including children under the age of 16 (or the applicable age in your jurisdiction). Because Halora does not require an account and does not collect personal data, we have no means of identifying minors.

In-app purchases require either the user's Apple ID password or a parent's approval through Apple's Family Sharing and Ask to Buy features. Parents are encouraged to use Apple's parental control and Screen Time settings to manage in-app purchases on a child's device.

If you believe that a child has somehow provided personal data to us, please contact halorasupport@gmail.com and we will take reasonable steps to delete it.

7. Your Rights

Under the EU General Data Protection Regulation (GDPR) and similar laws (including the UK GDPR, the Swiss FADP, Brazil's LGPD, and the California Consumer Privacy Act/CPRA), you have the following rights regarding your personal data:

• Right of access — to know what personal data we hold about you
• Right to rectification — to correct inaccurate data
• Right to erasure ("right to be forgotten") — to have your data deleted
• Right to restriction of processing — to limit how we use your data
• Right to data portability — to receive your data in a portable format
• Right to object — to object to certain processing
• Right to withdraw consent at any time, where processing is based on consent
• Right to lodge a complaint with a supervisory authority

Because Halora does not collect personal data in the conventional sense, we typically have nothing to provide, correct, or delete. If we hold data linked to your anonymous app user ID via RevenueCat, you can request that this ID be reset or deleted by emailing halorasupport@gmail.com.

California residents (CCPA/CPRA)

If you are a California resident, you also have the right to:

• Know what personal information is collected about you
• Request deletion of personal information collected about you
• Opt out of the sale or sharing of personal information (we do not sell or share personal information in the meaning of the CCPA)
• Not be discriminated against for exercising your rights

To exercise any of these rights, contact halorasupport@gmail.com. We will respond within the timeframes required by applicable law.

Supervisory authority

EU/EEA residents have the right to lodge a complaint with their local data protection supervisory authority. The competent authority for the operator is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit (or the supervisory authority of the operator's federal state in Germany)

8. International Data Transfers

RevenueCat, Inc. is established in the United States. When we transmit anonymous app user IDs and subscription transaction information to RevenueCat, this constitutes a transfer of data to a third country in the meaning of GDPR Articles 44 et seq.

We rely on the following safeguards for this transfer:

• The EU-U.S. Data Privacy Framework (DPF) where applicable, and
• The European Commission's Standard Contractual Clauses (SCCs) as supplemental safeguards

For details, see RevenueCat's processing terms at https://www.revenuecat.com/dpa and its privacy notice at https://www.revenuecat.com/privacy.

Apple processes data globally under its own legal framework; see https://www.apple.com/legal/privacy/.

9. Retention

• On-device data (app settings, captured media in your Photos library) remains on your device until you delete the App or remove the media yourself. We have no access to it.
• Anonymous app user ID and subscription state held by RevenueCat are retained for as long as needed to administer your subscription entitlement and to comply with applicable tax and accounting obligations (typically up to 10 years under German law for financial records associated with purchases).
• Apple-held transaction records are governed by Apple's own retention policies.

10. Security

We apply reasonable technical and organisational measures to protect any data we process:

• All network communications use TLS encryption in transit.
• We do not store personal identifiers on our own servers (we do not operate a Halora account backend).
• RevenueCat maintains industry-standard security certifications; see https://www.revenuecat.com/security.
• Captured photos and videos never leave your device.

No security measure can be guaranteed to be perfect; however, given that we do not collect personal data, the practical risk from a Halora-side breach is very limited.

11. Legal Bases for Processing (GDPR)

Where the GDPR applies, our legal bases for processing are:

• Performance of a contract (Art. 6(1)(b) GDPR) — for processing your subscription entitlement via RevenueCat and Apple
• Legitimate interests (Art. 6(1)(f) GDPR) — for the operation of basic, anonymous subscription validation and fraud prevention
• Legal obligation (Art. 6(1)(c) GDPR) — for retention of financial records under German tax law
• Consent (Art. 6(1)(a) GDPR) — where you explicitly grant Camera or Photos permissions

You may withdraw consent at any time by revoking the relevant permission in iOS Settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this document indicates when the policy was last revised. Material changes will be communicated within the App or by updating the policy at https://halora-app.pages.dev/privacy.

Continued use of the App after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

13. Contact

If you have any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact:

Oliver Kornmann Email: halorasupport@gmail.com Web: https://halora-app.pages.dev

We will respond to verifiable requests within the timeframes required by applicable law (typically within one month under GDPR).