AboutFellowsChapterConsult
Apply
Home/About/Privacy Policy
EPIS Think Tank

Privacy Policy for EPIS Mobile Applications

Effective Date / Last Updated: 24 May 2026. This Privacy Policy applies to the EPIS iOS application and the EPIS Android application (collectively, the “App”).

1. Data Controller and Contact Information

The data controller responsible for processing your data through the App is:

Entity Name: EPIS Thinktank
Address:
+49 15 56 59 75 423
board.directors@epis-thinktank.com
Am Stadtgarten 50
44623 Herne
Germany

Authorized Representatives:
Theodor Himmel
Johannes Hollunder
Daniel Gerjets

Competent Supervisory Authority:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany

For any privacy-related inquiries or to exercise your data protection rights, please contact us at board.directors@epis-thinktank.com (unless EPIS publishes a dedicated privacy contact).

2. Data Processing: Types of Data and Purposes

The App processes different types of information depending on how you interact with it:

A. Content Delivery and App Functionality

To provide you with our public content (publications, PDFs, cover images, staff/people profiles, and delegation maps), the App fetches data from the EPIS backend and asset services.

Technical Data Processed: Request time, requested content path, HTTP status code, app platform (iOS/Android), app version/build, operating system version, device model, and user-agent information.

Purpose: To securely deliver the requested content, optimize app performance, and maintain server security.

B. Local Offline Storage (Caching)

To allow you to read selected content offline, the App stores public content locally on your device.

Data Processed: Downloaded publications and media assets.

Purpose: To enable offline functionality. This data remains on your device until it is overwritten by newer content, cleared by the App, or manually deleted via your device settings.

3. Analytics and Usage Tracking

We use analytics to understand how our App is used and to improve our public content. We do not use your data for third-party advertising, data broker sharing, or cross-app tracking.

A. First-Party Telemetry

The App sends basic Key Performance Indicator (KPI) events directly to the EPIS backend.

Data Processed: App open events, publication detail views, publication identifiers (IDs), and the app platform.

B. Matomo Analytics

The App transmits screen views and selected interaction events to our self-hosted Matomo instance located at https://matomo.espero.tech/matomo.php.

Data Processed: App screen path, event names, app version/build, screen resolution, user-agent information, request time, Matomo site ID, and a randomly generated, locally stored App Visitor ID.

IP Anonymization: For technical reasons, the temporary processing of the complete IP address by the responsible entity is necessary to transmit data over the internet. However, it is anonymized by Matomo immediately upon receipt. Matomo is configured to mask two bytes of the IP address (e.g.: 192.168.xxx.xxx), making it impossible to associate the IP address with the device used to access the site. No full IP addresses are stored.

4. Crash and Error Diagnostics (Sentry)

To ensure the stability of the App, we use Sentry (for production builds) to monitor, diagnose, and fix technical errors.

Data Processed: Crash logs, software stack traces, app version/build, deployment environment, device context (e.g., manufacturer, device model), operating system status, and specific app-defined error metadata.

Purpose: Rapid bug fixing and stability improvements.

5. Public Editorial and Personnel Data

The App displays public editorial and organizational content managed by EPIS. This includes publications, authors, and public profiles of our team and board members.

Data Processed: Names, public roles, organizational groups, public profile images, and external links approved for publication by the respective data subjects.

6. Legal Bases for Processing (GDPR & TDDDG)

Depending on the specific processing activity, EPIS relies on the following legal bases under the General Data Protection Regulation (GDPR) and the German Telecommunications-Digital-Services-Data Protection Act (TDDDG):

  • Legitimate Interests (Art. 6(1)(f) GDPR): For technical content delivery, ensuring backend security, diagnosing system errors (Sentry), and conducting basic, privacy-friendly analytics (Matomo) to improve our services. By anonymizing the IP address, we take into sufficient account the interest of the users in protecting their personal data.
  • Consent (Art. 6(1)(a) GDPR & § 25 TDDDG): Where required by applicable law or device operating systems, we will request your explicit consent. This applies to the use of cookies or similar technologies that access information on your terminal device, unless they are strictly necessary for the operation of the App. Note: If server-side tracking (e.g., via Matomo Log Analytics) is used without storing or accessing data on the user's device, consent may not be required under the TDDDG.
  • Legal Obligation (Art. 6(1)(c) GDPR): In the event that EPIS is legally required to retain or disclose certain technical logs or records to public authorities.

7. Service Providers and International Data Transfers

EPIS engages trusted third-party service providers (Data Processors) to host, distribute, and maintain the App. Our current partners include:

  • Google Cloud / Firebase: For backend infrastructure and cloud hosting.
  • Sentry (Functional Software, Inc.): For error and crash reporting.
  • EsperoTech: For technical implementation, development, and operational support.
  • Apple App Store & Google Play Store: For application distribution.

International Data Transfers: Some of our providers (e.g., Google, Sentry) are headquartered or utilize servers in the United States. Where personal data is transferred outside the European Economic Area (EEA), EPIS ensures a legally compliant level of data protection via Standard Contractual Clauses (SCCs) approved by the European Commission, alongside supplementary security measures.

8. Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Server Logs: Retained for a maximum of 7 to 14 days for security monitoring and abuse prevention, then automatically deleted.
  • Analytics & Diagnostics: Aggregated or anonymized data is kept indefinitely for historical reporting. Raw diagnostic logs are purged after 90 days.
  • Local Device Cache: Stored indefinitely on your device until cleared by the user or the operating system.

9. Your Data Protection Rights

Under the GDPR (and subject to local variations in applicable law), you possess the following rights regarding your personal data:

  • Right to Access (Art. 15 GDPR)
  • Right to Rectification (Art. 16 GDPR)
  • Right to Erasure / “Right to be Forgotten” (Art. 17 GDPR)
  • Right to Restriction of Processing (Art. 18 GDPR)
  • Right to Data Portability (Art. 20 GDPR)
  • Right to Object (Art. 21 GDPR) – You have the right to object to processing based on our legitimate interests.
  • Right to Withdraw Consent (Art. 7(3) GDPR) – If processing is based on consent, you may withdraw it at any time.

To exercise these rights, or if you believe your data is being mishandled, please contact us at board.directors@epis-thinktank.com. You also have the right to lodge a complaint with a competent data protection authority.

10. Amendments and Updates

We may update this Privacy Policy from time to time to reflect changes in our App functionality, service providers, or legal obligations. The current version will always be available in the App and on our website. Continued use of the App after an update constitutes acceptance of the revised policy.

© 2026 EPIS · Independent · Non-partisan · Funded by the EPIS FellowsImprint · Privacy · RSS