App Privacy Policy

For the Taskey mobile application (Android)

Google Play Data Safety

App privacy policy under the GDPR and Google Play Data Safety

This document describes which data the Taskey app collects, the purposes for which it is processed, the recipients to whom it is transmitted and how users can exercise their rights. It complements the privacy policy for the taskeyapp.com website and is the authoritative document for the Google Play Store review.

This document is a translation for convenience. The legally binding version is the German original.

1. Controller

The controller responsible for data processing in the Taskey app is:

Fynn-Luca Schulz
Schulz & Stosse GbR
In der Acht 44
66333 Völklingen, Germany
Email: fynn@taskeyapp.com
Phone: +49 151 68488999

Contact for privacy requests and account deletion: fynn@taskeyapp.com

2. Scope

This privacy policy applies exclusively to the Taskey mobile application (hereinafter the app), which is distributed via the Google Play Store and additional channels. The processing of personal data during a visit to the taskeyapp.com website is governed by the separate website privacy policy available at taskeyapp.com/datenschutz.

3. What data the app collects

The app collects and processes the following categories of personal data. The list is exhaustive.

3.1 Account data

When signing in to an existing Taskey account, the following data is processed: first and last name, business email address, password (stored solely as a cryptographic hash), role within the organisation, association with the contracting company. Account data is stored on the Taskey backend, which is operated by Schulz & Stosse GbR within the European Union.

3.2 Location data (approximate and precise location)

For on-site verification during digital time tracking and to display nearby job sites, the app accesses the device's approximate and precise location (Android permissions ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION). Location access happens exclusively as part of an active user action (clock in or out, map view, trip documentation) and only after the user has granted the system permission. Location coordinates are transmitted to the Taskey backend together with the time or action entry and stored with that entry. No permanent background tracking takes place.

3.3 Camera

The app uses camera access (CAMERA permission) exclusively to scan QR codes at job sites and on work orders. Image processing takes place entirely on the device (Google ML Kit Barcode Scanning, on-device). Camera images are neither stored nor transmitted to the Taskey backend or to third parties. Only the character strings decoded from the QR code (such as object or work-order identifiers) are further processed.

3.4 NFC

The app uses the NFC interface (NFC permission) to read NFC tags attached at job sites. Tags are used for clocking in and out in the digital time-tracking feature. The identifier read from the tag is transmitted to the Taskey backend together with the timestamp and associated with the time entry.

3.5 Push notifications

The app uses Firebase Cloud Messaging (FCM) provided by Google Ireland Limited to deliver functional push notifications (work-order assignments, schedule changes, approvals, chat messages). On first launch, FCM issues a pseudonymous registration token for the device. This token is transmitted to the Taskey backend and associated with the user account solely for delivering notifications. The POST_NOTIFICATIONS system permission can be revoked in the device settings at any time.

3.6 In-app activity, work-order and time data

During use of the app, the following functional data is processed and stored on the Taskey backend: time entries (start, end, break, job site, NFC tag identifier if used), work-order and task data (title, description, status, assignment, attachments), customer, object and vehicle data from the respective company's records, chat messages between members of the same organisation, and files uploaded by the user such as documentation photos, evidence of completion and signatures.

3.7 Device and diagnostic information

For operational security, the following technical data is transmitted between the app and the backend and stored temporarily in server logs: IP address, request timestamp, requested API endpoint, HTTP status code, app version, Android version, device model. Server logs are used for error analysis and are deleted after 30 days.

3.8 Payment data

The app itself does not process any payment data. Paid use is agreed exclusively on the basis of a contract between the contracting company and Schulz & Stosse GbR, outside the app. No credit-card, bank-account or invoicing information is collected within the app.

4. Purposes and legal bases

Processing takes place for the following purposes and on the following GDPR legal bases.

  • Provision of the user account and app functions: Art. 6(1)(b) GDPR (contract with the contracting company and the users)
  • Digital time tracking, work-order and object documentation: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest of the employer in a verifiable record of work)
  • Verification of the job site via location, NFC and QR code: Art. 6(1)(b) GDPR in conjunction with the user's employment relationship with the contracting company
  • Push notifications via Firebase Cloud Messaging: Art. 6(1)(b) GDPR (performance of a contract)
  • Server logs for operational security and error analysis: Art. 6(1)(f) GDPR (legitimate interest in secure operation)
  • Storage of the sign-in token in encrypted device storage: Art. 6(1)(b) GDPR in conjunction with Art. 32 GDPR

5. Recipients and integrated services (SDKs)

The app integrates the following services and libraries. No further recipients of personal data are envisaged.

Google Ireland Limited (Firebase Cloud Messaging)

Receives the device's FCM registration token and delivers push notifications. Data transmitted: FCM token, instance ID, timestamp of delivery.

https://policies.google.com/privacy

Google Ireland Limited (Google Play Services Location)

Provides the device location determined by the operating system via the system interface when the app actively uses a location-based feature.

https://policies.google.com/privacy

Google Ireland Limited (Google ML Kit Barcode Scanning)

Processes camera images for QR-code recognition entirely on the device (on-device). No images or recognised content are transmitted to Google.

https://developers.google.com/ml-kit/terms

OpenStreetMap Foundation (via the OSMDroid library)

Delivers map tiles to display job sites. When map tiles are loaded, the device's IP address is transmitted to the OpenStreetMap tile servers.

https://osmfoundation.org/wiki/Privacy_Policy

Taskey backend (Schulz & Stosse GbR)

Stores account, time-tracking, work-order, object and chat data. Server operation takes place within the European Union. No data processing outside the EEA takes place.

Personal data is not shared for advertising purposes and is not sold. The app contains no advertising SDKs, no analytics or attribution tracking, and no third-party advertising identifiers.

6. Data security

Communication between the app and the backend takes place exclusively over TLS-encrypted HTTPS connections. Passwords are stored on the backend solely as a cryptographic hash. On the device, the app uses encrypted Android security storage (AndroidX Security EncryptedSharedPreferences) to store the sign-in token. Access to the backend is protected by role- and tenant-based permissions.

7. Storage period

Account, work-order, object and time data is stored for as long as the user account and the corresponding contract with the contracting company remain active. Server logs are deleted automatically after 30 days. Following account deletion, personal data is removed from productive systems within 30 days. Data subject to statutory retention obligations (for example under the German Commercial Code and the Fiscal Code) is exempt; such data is blocked and deleted after the retention period has expired.

8. Account deletion and data deletion

Users can request the deletion of their account and the associated personal data at any time.

  1. Send an email with the subject line "Taskey account deletion" to fynn@taskeyapp.com.
  2. The request must contain the email address associated with the account so that the request can be matched.
  3. After confirmation, deletion is completed within 30 days. Completion is confirmed by email.
  4. Data subject to statutory retention obligations is first blocked and then deleted once the retention period has expired.

Public URL for account deletion (for use in the Google Play Store listing): https://www.taskeyapp.com/en/datenschutz-app#account-deletion

9. Rights of data subjects

Under the GDPR, data subjects have the following rights. Requests can be sent to fynn@taskeyapp.com at any time.

  • Access to the processed data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing (Art. 21 GDPR)
  • Complaint to a supervisory authority (Art. 77 GDPR)

10. Children

The app is aimed exclusively at professional users within an employment or service relationship and is not intended for persons under the age of 16. No knowing processing of children's data takes place.

11. International data transfers

User data stored on the Taskey backend is hosted within the European Union. Firebase Cloud Messaging and Google Play Services are provided by Google Ireland Limited. Google processes operational data globally; for transfers to third countries Google relies on the Standard Contractual Clauses of the European Commission.

12. Automated decisions

The app does not make any automated decisions within the meaning of Art. 22 GDPR. No profiling of users takes place.

13. Summary of the Google Play Data Safety declaration

The following overview mirrors the declaration made in the Google Play Data Safety form.

  • Data types collected: personal information (name, email), location (approximate and precise), app activity (in-app user actions), device or other IDs (FCM registration token), files and documents (uploaded proof and evidence).
  • Data use: app functionality, account management, digital time tracking, messaging. No advertising, no sale, no analytics tracking.
  • Data sharing with third parties: Google (Firebase Cloud Messaging, Play Services Location) and OpenStreetMap Foundation (map tiles). No sale, no advertising.
  • Data security: transmission exclusively via TLS, passwords stored as a hash, sign-in token stored encrypted on the device.
  • Data deletion: account and data deletion upon request by email to fynn@taskeyapp.com within 30 days.

14. Changes to this app privacy policy

This policy will be updated whenever the technical implementation of the app, the services used or the applicable legal requirements change. The current version is available at taskeyapp.com/datenschutz-app.

As of: July 15, 2026

App Privacy Policy – Taskey | Taskey