Privacy Policy

Amara – H2 Technologies GmbH · As of June 2026

  1. Responsible party

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

H2 Technologies GmbH, Jägerndorfer Zeile 48, 12205 Berlin, Germany. Email: info@amara.app. Website: www.amara.app

Data Protection Officer:

If you have any questions regarding data protection or the exercise of your rights, please feel free to contact us at any time: HeyData GmbH, Schützenstraße 5, 10117 Berlin, Germany datenschutz@heydata.eu · www.heydata.eu

  1. Subject Matter and Scope

This Privacy Policy provides information about how we process personal data when you use our AMARA mobile app, visit our website at www.amara.app, contact us, or use our paid services (e.g., subscriptions, in-app purchases).

Personal data is any information relating to an identified or identifiable natural person (e.g., name, contact details, device identifiers, usage data).

  1. Data Processing in Detail

3.1 Visiting Our Website

When you visit our website, we automatically collect technical connection data (e.g., IP address, browser type, pages viewed, timestamps) that your browser transmits to our server. This data is used exclusively for the operation, security, and technical optimization of the website and is generally deleted after 90 days.

Legal basis: Article 6(1)(f) of the GDPR, Section 25(2)(2) of the TTDSG.

3.2 Download from app stores

When you download the app, certain data (e.g., App Store ID, email address, device ID) is transmitted to the respective app store operator (Apple, Google). We have no control over this processing; please refer to the privacy policy of the respective store.

3.3 Using the App

When you use the app, we process technical device data, usage statistics, and log data that are necessary for the stable and secure operation of the app. For the infrastructure and monitoring services used in this process (AWS, Supabase, Sentry, Shorebird), please refer to the list of service providers in the appendix.

Legal basis: Article 6(1)(f) of the GDPR.

3.4 Registration and User Account

When you create a user account, we process your personal and contact information (e.g., name, email address), login credentials, account settings, and all content you enter or generate while using the app (e.g., chat history, preferences). This data is stored for the duration of the active contractual relationship and is deleted after the account is closed in accordance with statutory retention periods. This also includes the stored podcast playback history (episode ID, timestamp, playback progress).

Legal basis: Article 6(1)(b) of the GDPR.

3.5 In-App Purchases and Subscriptions

Payments are processed through the respective app store (Apple, Google) or via RevenueCat. We receive only transaction-related confirmation data (e.g., transaction ID, subscription status). We do not process full payment details (e.g., credit card numbers). Details about RevenueCat can be found in the appendix.

Legal basis: Article 6(1)(b) and (c) of the GDPR.

3.6 Contacting Us and Customer Support

When you contact us—via email, the contact form, or in-app support—we process your contact information and the content of your inquiry for handling and documentation purposes. We use Intercom for in-app support (see the appendix for details). Support correspondence is generally deleted after 24 months.

Legal basis: Article 6(1)(b) and (f) of the GDPR.

3.7 App Permissions and Special Categories of Data

Device Permissions: Certain features of the app require permissions at the operating system level (e.g., microphone for voice input, camera for photo uploads, location for location-based services, push notifications). You can revoke any permissions you’ve granted at any time in your device’s settings.

Legal basis: Article 6(1)(b) of the GDPR for permissions required for the performance of a contract; Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG for optional permissions (consent).

Health and fitness data: If you explicitly enable this in the app settings, we will process health and fitness data (e.g., step count, heart rate, exercise activities). This data constitutes a special category of personal data within the meaning of Article 9 of the GDPR and will be processed solely on the basis of your explicit consent. You can withdraw this consent at any time in the app settings.

Legal basis: Article 9(2)(a) in conjunction with Article 6(1)(a) of the GDPR.

  1. AI services and third-party content providers

To provide you with smart features (e.g., voice calls, news search, media content), we work with specialized third-party providers. In doing so, user input (text, audio, metadata) is transmitted to the respective providers. We have entered into data processing agreements (DPAs) with all providers in accordance with Article 28 of the GDPR and have contractually ensured that your data will not be used to train AI models.

The services used are listed by category in the appendix: AI & Language (OpenAI, ElevenLabs, LiveKit), Search & Content (Perplexity, Tavily, Brave Search, NewsAPI), Analytics & Context (Google Gemini, Vertex AI), Notifications (OneSignal), Maps (Google Maps), and Entertainment & Media (YouTube, Radio Browser, Podcast Index).

Legal basis: Article 6(1)(b) of the GDPR for services necessary for the website to function; Article 6(1)(a) of the GDPR for services that include personalized content or tracking.

  1. Cookies, Tracking, and Advertising Measurement

We use cookies and similar technologies on our website, in advertorials, and on other digital platforms.

Technically necessary technologies are used without consent to the extent that they are strictly necessary for the operation of our services (Art. 6(1)(f) GDPR, § 25(2)(2) TTDSG).

Analytics and advertising technologies are used solely on the basis of your consent (Art. 6(1)(a) of the GDPR in conjunction with § 25(1) of the TTDSG). You can withdraw your consent at any time using our cookie settings tool.

We use the following services, the details of which are listed in the appendix: Google Analytics (website & advertorials), Meta Pixel (website & advertorials), Taboola Pixel (advertorials), Mixpanel (app analytics), Adjust (app attribution).

  1. Recipients and Data Processors

We engage external service providers as data processors in accordance with Article 28 of the GDPR. These service providers process personal data exclusively in accordance with our instructions. Where service providers located outside the EU/EEA are engaged, we base the data transfer on the EU-US Data Privacy Framework (provided the provider is certified) or on EU Standard Contractual Clauses (SCCs). Details regarding the respective legal bases for data transfers can be found in the service provider directory in the appendix.

  1. Storage period and deletion

We process personal data only for as long as is necessary for the specific purpose. Unless a specific retention period is specified in this statement, data will be deleted as soon as the purpose no longer applies—or, in the case of statutory retention requirements (typically 6 or 10 years under commercial and tax law), upon the expiration of those periods.

  1. Your rights as a data subject

You have the following rights with respect to us: Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent (Art. 7(3) GDPR). To exercise your rights, simply send an informal message to the contact information provided in Section 1.

  1. Right to object pursuant to Art. 21 GDPR

To the extent that we process data on the basis of Article 6(1)(f) of the GDPR (legitimate interests), you have the right to object at any time on grounds relating to your particular situation. We will then cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests. You may object to processing for direct marketing purposes at any time without providing a reason.

  1. Right to Appeal

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for our headquarters is:

Berlin Commissioner for Data Protection and Freedom of Information Alt-Moabit 59–61, 10555 Berlin · www.datenschutz-berlin.de

  1. Automated Decision-Making

Automated decision-making, including profiling as defined in Article 22 of the GDPR, does not take place unless expressly stated otherwise in individual cases. The provision of certain data (e.g., registration and payment data) is required to use the app; without this data, the app cannot be used or can only be used to a limited extent.

  1. Social Media and Digital Publications

We maintain profiles on Facebook, Instagram, YouTube, LinkedIn, TikTok, X (formerly Twitter), and a newsletter channel on Substack. When you visit these profiles, the respective platform operators process data in accordance with their own privacy policies, over which we have no control. We process any personal data you provide to us through these channels solely for the purposes of communication and handling inquiries.

Legal basis: Article 6(1)(f) of the GDPR. For the Substack newsletter, Article 6(1)(a) of the GDPR (consent) also applies; you can unsubscribe at any time using the unsubscribe link in the newsletter.

Facebook / Instagram: Meta Platforms Ireland Ltd., Dublin, Ireland https://www.facebook.com/privacy/policy

YouTube: Google Ireland Limited, Dublin, Ireland https://policies.google.com/privacy

LinkedIn: LinkedIn Ireland Unlimited Company, Dublin, Ireland https://de.linkedin.com/legal/privacy-policy

TikTok: TikTok Technology Limited, Dublin, Ireland https://www.tiktok.com/legal/privacy-policy

X: X Corp., San Francisco, USA https://x.com/privacy

Substack: Substack, Inc., New York, USA https://substack.com/privacy

  1. Data security

We take appropriate technical and organizational measures to protect your data from loss, destruction, unauthorized access, and misuse (including TLS/HTTPS encryption, access restrictions, firewall systems, and regular security audits).

  1. Current Status of This Statement

This Privacy Policy is current as of June 2026. We reserve the right to update it in response to changes in the legal landscape, our services, or technological developments. The most recent version is available in the app and on our website.

Appendix: Directory of Service Providers

All third-party providers used are listed below, along with standard required fields. Transfers to the United States are based on the EU-US Data Privacy Framework (DPF, where certified) or EU Standard Contractual Clauses (SCC).

A. AI & Language Services

OpenAI

Purpose: Listening comprehension, conducting a conversation, formulating responses.

Data processed: text entries, call logs, metadata.

Provider: OpenAI Ireland Ltd., Ireland / OpenAI, L.L.C., USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

ElevenLabs

Purpose: Text-to-speech synthesis (converting AI text responses into speech).

Data processed: Text content of the AI responses.

Provider: Eleven Labs Inc., USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

LiveKit Cloud

Purpose: Real-time audio transmission for voice calls within the app (WebRTC transport service).

Data processed: Audio streams during active voice sessions, technical connection data (IP address, session ID, network data).

Provider: LiveKit, Inc., San Francisco, USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

Note: LiveKit acts solely as a transport service; audio streams are not permanently stored.

B. Search & Real-Time Information

Perplexity AI

Purpose: AI-powered summarization of news articles and search queries (model: sonar-pro).

Data processed: Search queries as text entries, metadata.

Provider: Perplexity AI, Inc., USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

Tavily

Purpose: Specialized real-time search engine for AI agents.

Data processed: Search queries entered as text.

Provider: Tavily Ltd., Israel.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: Israel. Basis: Adequacy decision by the European Commission.

Brave Search

Purpose: Independent web search for AI-powered conversational features.

Data processed: Anonymized search queries, IP address (anonymized on the server side).

Provider: Brave Software, Inc., San Francisco, USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

Note: Brave Search does not create user-specific search profiles.

NewsAPI / Mediastack

Purpose: To provide raw news data (headlines, news feeds).

Data processed: Request parameters, IP address.

Provider: NewsAPI, USA / apilayer, USA/EU.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

C. AI Analysis & Context

Google Gemini

Purpose: Analysis of news content, creation of summaries, context management.

Data processed: text input, conversation context, metadata.

Provider: Google Ireland Limited, Dublin, Ireland / Google LLC, United States.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: DPF / SCC.

Google Vertex AI

Purpose: Hosting and inference of AI models (text processing, embedding generation, contextual analysis).

Data processed: text input, embedding vectors, metadata.

Provider: Google Ireland Limited, Dublin, Ireland / Google LLC, United States.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: DPF / SCC.

Note: Vertex AI and Google Gemini are operated on the same Google Cloud infrastructure; the same Terms of Service apply.

D. Push Notifications & Email

OneSignal

Purpose: Sending push notifications and transactional emails; optional marketing communications.

Data processed: Push tokens, device and operating system data, send and open timestamps, interaction data.

Provider: OneSignal, Inc., San Mateo, USA.

Legal basis: Article 6(1)(b) of the GDPR for transactional messages; Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG for marketing communications (consent).

Transfer to a third country: United States. Basis: SCC.

E. Maps & Location

Google Maps

Purpose: To display maps and location-based features within the app.

Data processed: Request parameters (address, coordinates), IP address, location data (if consent is given).

Provider: Google Ireland Limited, Dublin, Ireland / Google LLC, United States.

Legal basis: Article 6(1)(b) of the GDPR for map-based features; Article 6(1)(a) of the GDPR for location data (consent).

Transfer to a third country: United States. Basis: DPF / SCC.

F. Entertainment & Media Content

YouTube

Purpose: Embedding and playing video content within the app.

Data processed: IP address, device information, video IDs accessed, timestamps, interaction data.

Provider: Google Ireland Limited, Dublin, Ireland / Google LLC, United States.

Legal basis: Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG (consent). Content is loaded only after the user takes active action.

Transfer to a third country: United States. Basis: DPF / SCC.

Radio Browser

Purpose: To access an open internet radio directory for selecting and playing stations.

Data processed: IP address, search query parameters (country, genre), timestamp.

Provider: Community-run open-source project (api.radio-browser.info); no central commercial operator.

Legal basis: Article 6(1)(b) of the GDPR.

Transfers to third countries: Primarily EU servers; transfers to third countries cannot be completely ruled out due to the decentralized operating model.

Note: During playback, the app connects directly to the hosting server of the respective podcast provider. These providers receive your IP address, device information, timestamps, and the episode you are listening to. In this regard, they act as independent data controllers within the meaning of Article 4(7) of the GDPR. We have no influence over their data processing.

Podcast Index

Purpose: To access an open podcast directory for displaying and playing podcast content.

Data processed: IP address, API request parameters (search term, category, podcast ID), timestamp.

Provider: Podcast Index LLC, USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

Note: When playing a podcast, the app connects directly to the podcast provider’s hosting server. We have no control over this data processing.

G. Support & Customer Communication

Intercom

Purpose: In-app chat and support system, management of support requests, in-app notifications.

Data processed: Name, email address, support conversation content, timestamps, user ID, device information, app version, IP address.

Provider: Intercom R&D Unlimited Company, Dublin, Ireland / Intercom, Inc., San Francisco, USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

H. Subscriptions & Payment Processing

RevenueCat

Purpose: Management of in-app subscriptions, transaction validation, and cross-platform synchronization of subscription status.

Data processed: Transaction ID, App Store receipt, subscription status, anonymous user ID, device type, operating system.

Provider: RevenueCat, Inc., San Leandro, USA.

Legal basis: Article 6(1)(b) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

Note: RevenueCat does not receive complete payment details; payment processing is handled exclusively by the respective app store.

I. Analysis & Attribution

Mixpanel

Purpose: Analysis of app usage (e.g., features accessed, completion rates, frequency of use), creation of user cohorts.

Data processed: Pseudonymous user ID (Distinct ID), event data, device information, IP address (deleted after geolocation).

Provider: Mixpanel, Inc., San Francisco, USA.

Legal basis: Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG (consent).

Transfer to a third country: United States. Basis: DPF (Mixpanel is certified).

Adjust

Purpose: Tracking app installations and in-app events, attributing them to marketing channels, and preventing fraud.

Data processed: Device identifiers (IDFA/GAID, if consent has been given), IP address, timestamp, app version, campaign parameters.

Provider: Adjust GmbH, Berlin, Germany (a subsidiary of AppLovin Corporation, USA).

Legal basis: Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG (consent). On Apple devices, exclusively following ATT consent.

Transfers to third countries: Primarily Germany; possibly the U.S. (AppLovin). Basis: SCCs.

J. Tracking & Advertising Measurement

Google Analytics

Purpose: To analyze the use of our website, advertorials, and other digital platforms; to optimize content and advertising efforts.

Data processed: Pages viewed, usage behavior (time spent on site, clicks), approximate location, IP address, technical device data, randomly generated user ID.

Provider: Google Ireland Limited, Dublin, Ireland / Google LLC, United States.

Legal basis: Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG (consent).

Transfer to a third country: United States. Basis: DPF / SCC.

Meta Pixel

Purpose: Measuring the success of Facebook and Instagram advertising campaigns, retargeting, and campaign optimization.

Data processed: Pages viewed, IP address, technical device data, pseudonymous user ID, ad click ID.

Provider: Meta Platforms Ireland Limited, Dublin, Ireland.

Legal basis: Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG (consent).

Transfer to a third country: United States. Basis: SCC.

Taboola Pixel

Purpose: Conversion tracking and retargeting for native advertising campaigns (especially advertorials), campaign optimization.

Data processed: IP address, pages viewed and conversion events, pseudonymous user ID (Click-ID), timestamps, technical device data.

Provider: Taboola.com Ltd., New York, USA / Taboola Europe Limited, London, UK.

Legal basis: Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TTDSG (consent).

Transfer to a third country: United States. Basis: SCC.

K. Infrastructure & Monitoring

Amazon Web Services (AWS)

Purpose: Cloud infrastructure and hosting platform for backend systems (computing power, storage, network services).

Data Processed: All personal data processed in the AWS-hosted systems (as specified in Sections 3.3 and 3.4).

Provider: Amazon Web Services EMEA SARL, Luxembourg / Amazon Web Services, Inc., USA.

Legal basis: Article 6(1)(b) and (f) of the GDPR.

Transfer to a third country: Primary region: eu-central-1 (Frankfurt, Germany). Data is stored within the EU. For support access from outside the EU: SCC.

Note: AWS is certified to ISO 27001 and SOC 2 and is listed in the EU-US Data Privacy Framework.

Supabase

Purpose: Database hosting, user authentication, server-side data storage, file storage.

Data processed: All personal data stored in the user account (in accordance with Sections 3.3 and 3.4).

Provider: Supabase, Inc., USA (hosted on AWS eu-central-1, Frankfurt).

Legal basis: Article 6(1)(b) and (f) of the GDPR.

Transfers to third countries: Primarily within the EU (Frankfurt). For transfers to the U.S.: SCC.

Sentry

Purpose: Real-time error detection (crash reporting), performance monitoring, and diagnosis of technical issues.

Data processed: Error messages, stack traces, device information, app version, anonymized user ID, IP address (truncated on the server side).

Provider: Functional Software, Inc., doing business as Sentry, San Francisco, USA.

Legal basis: Article 6(1)(f) of the GDPR.

Transfer to a third country: United States. Basis: SCC.

Note: Sentry is configured so that no user content (e.g., chat messages) is included in error reports, and IP addresses are anonymized.

Shorebird

Purpose: Delivering app updates directly to end devices without an App Store review (OTA / code push).

Data processed: App version, device type, operating system, anonymous device ID, timestamp.

Supplier: Shorebird, Inc., USA.

Legal basis: Article 6(1)(b) and (f) of the GDPR.

Transfer to a third country: United States. Basis: SCC.