Privacy Policy

Datenschutzerklärung

Last Updated: January 3, 2026

1. Overview and Controller

We take your privacy seriously. This privacy policy informs you about the nature, scope, and purpose of the processing of personal data when using the StayGray iOS App, Browser Extension, and Website.

Controller (Data Controller)

Matthias Neuwirth-Trapp
Vogelweide 29
31337 Hildesheim, Germany
Email: contact@staygray.app
Website: https://staygray.app

We have not appointed a Data Protection Officer (DPO) because we are not legally required to do so.

2. General Principles

We process personal data in accordance with the GDPR and applicable national laws. We process only the data necessary to provide the service, keep it secure, and fulfill contractual and legal obligations.

No website tracking: Our website does not use cookies, localStorage, analytics tools, embedded third-party content, third-party fonts, or website error tracking.

3. Website Hosting and Extension Validation API (Vercel)

Our website and the validation API for our browser extension are hosted by Vercel Inc. (USA).

Data processed (technical access data):

  • IP address
  • Date and time of request
  • Requested URL
  • User agent (browser type/version, operating system)
  • Referrer (if provided by the browser)
  • Security and error-related technical data (where applicable)

Purpose: Providing the website and API; ensuring security and stability (including abuse prevention and defense against attacks).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation).

Retention (Vercel logs on the free plan):

  • Runtime logs: stored for 1 hour on the Hobby (free) plan
  • Build logs: stored indefinitely for each deployment

We avoid logging unnecessary personal data in application logs.

International transfers (USA):

Vercel may process data in the USA. Vercel provides a Data Processing Agreement and supports transfer mechanisms such as Standard Contractual Clauses (SCC). Vercel also states it is certified under the EU-U.S. Data Privacy Framework (DPF).

4. Data Processing in the iOS App

4.1 Subscriptions and Payments (Apple App Store and RevenueCat)

Subscriptions are sold via the Apple App Store. We use RevenueCat to manage subscription status in the app.

Data we receive / process:

  • From RevenueCat: an (typically pseudonymous) App User ID, subscription status (active/expired), entitlements, and purchase metadata such as purchase date
  • We do not receive credit card details or full payment information from Apple

Purpose: Provide and manage "Plus" features and verify subscription status.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Retention:

  • We keep the minimum subscription status/identifier data needed to provide access for the duration of the subscription and for subscription-related support, then delete upon request where feasible
  • Apple retains App Store purchase-related data for periods required by financial and legal obligations (often long retention periods)

4.2 Crash Diagnostics (No third-party SDK)

We do not use a third-party crash reporting SDK.

If users have enabled sharing of Apple diagnostics, Apple may provide us with aggregated or device diagnostic information to help improve stability.

Data processed (if provided via Apple diagnostics):

  • Device state at time of crash
  • Device type and iOS version
  • Crash/diagnostic logs

Purpose: Improve app stability.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product quality and stability).

Retention: We keep diagnostic information only as long as necessary to investigate and fix issues, then delete or aggregate it.

5. Data Processing in the Browser Extension

5.1 Permissions and Local Functionality

The extension requires access to websites solely to inject CSS code that turns the page grayscale.

Local processing only: We do not collect, store, transmit, or analyze your browsing history or page content.

5.2 License Purchase and License Validation (Lemon Squeezy + Vercel API)

Payments for the extension are handled by Lemon Squeezy (Merchant of Record). To activate the extension, you enter a license key. The extension validates it daily by sending it via our Vercel API to Lemon Squeezy for verification.

Data processed:

  • License key (entered by you)
  • Validation result (valid/invalid and related status metadata)
  • Technical request data (IP address, timestamp, user agent) when calling our API and Lemon Squeezy

Purpose: License verification and fraud prevention.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Retention:

  • Extension: license key stored locally so the extension remains activated (removable by uninstalling or clearing extension data)
  • Vercel: runtime request logs retained for 1 hour on Hobby; build logs indefinitely
  • Lemon Squeezy: retains purchase-related data as needed for providing its service and for legal/accounting obligations (per its policies)

6. Contact and Support

If you contact us via email, we process your email address and the content of your message.

Purpose: Responding to inquiries and support.

Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

Retention: Deleted 30 days after the request has been fully resolved, unless statutory retention obligations apply.

7. Required vs Optional Data

  • Paid extension features: a license key is required to activate paid extension features; otherwise activation fails
  • "Plus" features in the iOS app: subscription status is required to unlock "Plus" features
  • Website/API delivery: technical access data is necessary to deliver the service securely

8. Automated Decision-Making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

9. Your Rights

You have the GDPR rights of access, rectification, erasure, restriction, data portability, and objection (Art. 15 to 21 GDPR). To exercise them, contact: contact@staygray.app.

Some data is handled by third parties as independent controllers (for example Apple for App Store purchases), in which case you may also need to contact the relevant provider.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Competent authority for us: Die Landesbeauftragte fĂĽr den Datenschutz Niedersachsen.

11. Children's Privacy

Our services are not directed specifically at children. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will take appropriate steps.

12. Changes to this Privacy Policy

We may update this privacy policy when necessary. The "Last Updated" date indicates the current version.