Privacy Policy for NeatPass
This privacy policy applies to the NeatPass iOS app and the associated backend services (including the signing service). For the general use of our website (lanfermann.dev and neatpass.app) outside of the NeatPass app (e.g., browsing the blog or contacting us), please see our separate Website Privacy Policy. NeatPass is designed with privacy as a core principle—your tickets and documents are processed entirely on your device, and we never receive or store your ticket content on our servers.
Last updated: March 3, 2026
Controller
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
Justin Lanfermann
Email: Justin@Lanfermann.dev
Further details can be found in our Imprint.
Overview of Data Processing
NeatPass converts tickets, documents, and confirmations into Apple Wallet passes using on-device machine learning. Here is a summary of our data processing:
- Your tickets and documents: Processed on your device only—content never leaves your device
- Cryptographic hashes for pass signing: Transmitted to our signing server (hashes only, no personal content)
- Device identifier for security: Transmitted to our signing server (pseudonymous, but personal data)
- IP address and request metadata: Processed transiently on our signing server for security
- App usage statistics: Collected directly by Apple—we receive only aggregated statistics
- Bug reports (if you choose to submit one): Submitted voluntarily to our servers—you control exactly what is included
On-Device Processing
Document Analysis and Pass Creation
When you share a PDF, image, or screenshot with NeatPass, all analysis and pass creation occurs locally on your iPhone using Apple's MLX framework. This includes:
- Text recognition and extraction
- Barcode and QR code detection
- Date, time, and location parsing
- Pass layout and formatting
Your ticket content never leaves your device. The machine learning models run entirely on your iPhone. You can verify this by using the App offline—pass creation works without any internet connection.
From a GDPR perspective, we act as controller for this processing because we define the purpose and functionality of the App. However, the personal data contained in your tickets remains exclusively on your device and is not accessible to us. We do not receive, store, or have any means to access your ticket content on our servers.
The App may store extracted ticket data and associated images locally on your device together with your saved passes so that you can view and manage them later. This local storage takes place only within the App's sandbox and is not accessible to us or other apps. You can delete this data at any time by permanently deleting the corresponding pass or uninstalling the App.
The legal basis for this on-device processing is Article 6(1)(b) GDPR, as it is necessary to provide the core functionality of the App that you have requested (conversion of your tickets into Wallet passes).
Device Permissions
NeatPass may request the following permissions:
- Photo Library: To import tickets from your photos. Images you select are processed locally in the App and may be stored inside the App's local storage together with the corresponding pass (for example, so you can reopen or regenerate the pass later). These images are not uploaded to our servers.
- Camera (if applicable): To capture tickets directly. Photos taken inside the App are processed locally and stored inside the App's local storage together with the corresponding pass. They are never uploaded to our servers. You can remove them by permanently deleting the corresponding pass or uninstalling the App.
- Files: To import PDFs from your device storage. Files you select are processed locally and may be stored in the App's local storage together with the pass data. They are not uploaded to our servers.
- Background Wallet Access (iOS 26+): To add passes to Apple Wallet in the background without requiring confirmation each time. This is a one-time authorization that lets the App seamlessly add passes you create. No data is sent to our servers—passes are added directly to Wallet on your device.
You can revoke these permissions at any time in your iPhone's Settings → NeatPass.
Data We Process on Our Servers
Apple Wallet Pass Signing
To create valid Apple Wallet passes, the pass package must be cryptographically signed. Our signing service receives only the manifest.json file, which contains SHA-1 hashes (checksums) of the pass files—not the files themselves.
These cryptographic hashes are one-way transformations. Based on the current state of cryptography, it is not practically possible to reconstruct your ticket content from these hashes. Your personal information (names, ticket numbers, barcodes, event details) remains on your device and is never transmitted to us.
Legal basis: Article 6(1)(b) GDPR—processing is necessary for the performance of the service you requested (creating a valid Wallet pass).
Retention: Hashes are processed in memory only and are not stored after signing is complete. We do not log the content of signing requests.
Device Identifier for Security (App Attestation)
We use Apple's App Attest security feature to verify that requests to our signing service come from a genuine, unmodified version of NeatPass. This generates a pseudonymous device identifier unique to your app installation.
Important: The App Attest identifier is a pseudonymous identifier. On its own it does not identify you by name, but it is still considered personal data under the GDPR because it can be associated with your device and app installation (see GDPR Recital 30).
Purpose: Fraud prevention and protecting our service from abuse and unauthorized access.
What the identifier is NOT:
- It is not your Apple ID or any account information
- It cannot directly identify you by name
- It is unique to this app installation and changes if you reinstall the app
- It is generated by Apple's Secure Enclave and the private key never leaves your device
Legal basis: Article 6(1)(f) GDPR—our legitimate interest in preventing fraud and ensuring service security. This is explicitly recognized as a legitimate interest in GDPR Recital 47.
Balancing test: We have conducted a balancing assessment and determined that this processing does not override your privacy rights because: (1) only technical, pseudonymous identifiers are processed, (2) the processing protects all users from service abuse, (3) your interests are safeguarded through pseudonymization, and (4) the identifier cannot be used to track you across other apps or services.
Retention: Device identifiers are stored for as long as they are needed to provide security verification for our signing service and to protect our systems from abuse, and in any case for no longer than 12 months after the last successful signing request from your device. We are not technically able to detect when you uninstall the App, so uninstalling the App does not automatically remove the corresponding identifier from our backend systems. However, if you stop using the App, the identifier associated with your device will be automatically deleted once no successful signing requests have been received for 12 months. You may also request deletion at any time by contacting us at Justin@Lanfermann.dev. To process your deletion request, you will need to provide your device identifier (available in the App under Settings → Privacy), as we have no other way to identify which record belongs to you.
Your right to object: You have the right to object to this processing under Article 21 GDPR. However, please note that the App cannot function without this security verification, as our signing service would be unable to authenticate your requests.
Server Logs and IP Addresses
When you connect to our signing service, your IP address and technical request metadata (such as timestamp, HTTP method, route, response status, and latency) are processed in our server logs and API access logs for the purpose of providing the service and ensuring security.
Legal basis: Article 6(1)(f) GDPR—our legitimate interest in maintaining the security and operability of our service, including protection against DDoS attacks and abuse. This is explicitly recognized in GDPR Recital 49.
Retention: IP addresses and technical request metadata in our server and API access logs are deleted or anonymized after 30 days.
Bug Reports and Diagnostics
NeatPass includes an optional bug reporting feature that allows you to report issues directly from the App. Bug reports are an exception to our general "data never leaves your device" principle. Submitting a bug report is entirely voluntary, and you control what information is included.
What We Collect
When you submit a bug report, the following data is transmitted to our servers:
Always included (when you submit):
- Your description of the issue (title and details you write)
- Category and severity you select
- Device information: device model, iOS version, and App version
- Recent App activity logs (technical logs that help us reproduce the issue)
- A unique reference ID (displayed to you after submission, used for tracking and deletion requests)
- Your IP address (processed transiently; see "Server Logs and IP Addresses" above)
Optional (only if you provide them):
- Your email address, if you choose to enter one for follow-up
- Steps to reproduce and expected behavior, if you choose to describe them
Document attachments (only if you actively enable them):
The attachment toggle is disabled by default. If you enable it and attach PDFs, screenshots, or images, NeatPass will attempt to automatically redact barcodes and QR codes from those files on your device before transmission. However, this automatic redaction may not detect all personal information contained in your documents. Attached files may still include personal data such as names, addresses, booking references, or other details visible on the document. By enabling the attachment toggle and tapping "Submit," you consent to this data being transmitted to and stored on our servers.
Important: Please review any attachments before submission. Only attach documents if you are comfortable with us receiving their contents. You are not required to attach any files to submit a bug report.
Legal Basis
We process bug report data based on your consent (Article 6(1)(a) GDPR), which you provide by voluntarily completing and submitting the bug report form. You are never required to submit a bug report to use NeatPass.
For document attachments specifically, your consent is provided through a separate affirmative action: enabling the attachment toggle (which is disabled by default) and then tapping "Submit."
You may withdraw your consent at any time by requesting deletion of your bug report (see below). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Storage and Security
Bug report data is stored on Amazon Web Services infrastructure in the United States (us-east-1 region):
- Report metadata (reference ID, description, device information, status, timestamps) is stored in DynamoDB
- Files (activity logs and any attachments you include) are stored in S3 with AES-256 server-side encryption
All data is encrypted in transit using TLS.
For information about the legal basis for this international transfer and the safeguards in place, see "Amazon Web Services (AWS)" under "Third-Party Services" below.
Retention
Bug reports are automatically deleted 1 year after submission. This applies to both metadata in DynamoDB (deleted via TTL) and files in S3 (deleted via lifecycle policy).
You may request earlier deletion at any time by emailing Justin@Lanfermann.dev with your reference ID (displayed to you when you submitted the report). We will complete the deletion within 30 days.
What We Do NOT Collect Through Bug Reports
- We do not collect bug reports automatically or in the background
- We do not directly collect crash data outside of reports you voluntarily submit (Apple may separately collect crash data from users who opt in - see "Apple App Analytics" under "Third-Party Services")
- We do not use bug report data for advertising, profiling, or any purpose other than diagnosing and fixing the reported issue
Support and Correspondence
If you contact us by email, we process your message, email address, and any information you provide to handle your request.
Legal basis: Article 6(1)(b) GDPR if your inquiry relates to an existing contract or pre-contractual measures (e.g., questions about the App you purchased). Article 6(1)(f) GDPR (our legitimate interest in effectively handling inquiries) for all other correspondence.
Retention: Support correspondence is retained for 3 years after the conversation ends to document our interactions and improve our service, unless longer retention is required by law. Contract-related correspondence may be retained for up to 6 years under German commercial law (§257 HGB).
Zoho Mail (Email Service Provider)
We use Zoho Mail to send and receive emails, including support correspondence.
Data processed: Your email address, email content, attachments, and associated metadata (timestamps, subject lines, IP addresses from which emails are sent or received).
Purpose: To send, receive, and store email correspondence with you, including support inquiries.
Legal basis: Article 6(1)(b) GDPR for correspondence related to contract performance; Article 6(1)(f) GDPR (our legitimate interest in effective communication) for other inquiries.
Provider: Zoho Corporation B.V., Beneluxlaan 4B, 3527 HT Utrecht, The Netherlands (EU entity)
Storage location: Our Zoho Mail account is hosted on Zoho's EU data center infrastructure located in the Netherlands and Ireland.
Legal basis for transfer: As we use Zoho's EU data centers, email data is processed within the European Union. For any processing that may involve Zoho's global infrastructure, Zoho is certified under the EU-US Data Privacy Framework and our agreement includes the European Commission's Standard Contractual Clauses.
Data protection: All data is encrypted in transit using TLS. Zoho maintains ISO 27001, ISO 27017, and SOC 2 Type II certifications.
For more information: https://www.zoho.com/privacy.html and https://www.zoho.com/gdpr.html
Third-Party Services
Amazon Web Services (AWS)
Our pass signing service runs on Amazon Web Services infrastructure in the United States (us-east-1 region).
Data transferred: Pseudonymous device identifiers, cryptographic hashes of pass files, IP addresses, and—if you submit a bug report—report metadata, activity logs, and any files you choose to attach.
Data NOT transferred: Your ticket content, personal information, names, barcodes, or any readable ticket data.
Legal basis for transfer: AWS (Amazon.com, Inc.) is certified under the EU-US Data Privacy Framework, which was recognized by the European Commission as providing adequate protection for personal data (Adequacy Decision of July 10, 2023).
Additional safeguards: Our data processing agreement with AWS includes the European Commission's Standard Contractual Clauses as a fallback mechanism, so that data transfers remain protected if the adequacy decision is invalidated in the future. We apply these safeguards (Data Privacy Framework certification and Standard Contractual Clauses) to all international transfers of personal data, regardless of where you are located.
Technical measures: All data is encrypted in transit using TLS. Only pseudonymous identifiers and cryptographic hashes are transferred. Access is restricted through AWS IAM policies. Our infrastructure benefits from AWS's security certifications (ISO 27001, 27017, 27018).
For more information: https://aws.amazon.com/compliance/gdpr-center/
Apple Services
Apple Wallet: Once you add a pass to Apple Wallet, Apple processes that pass according to their own privacy policy. Apple syncs passes across your devices via iCloud if enabled. Apple acts as an independent data controller for this processing—not as our processor. See: https://www.apple.com/legal/privacy/
In-App Purchase (One-Time Unlock)
NeatPass offers a one-time in-app purchase to unlock all features after your first free pass.
Payment processing: The purchase is processed exclusively by Apple via the App Store. We do not receive your credit card number, bank details, or billing address. Apple may provide us with non-identifying information such as a transaction ID and the fact that a purchase was completed, so we can verify entitlement and unlock the premium features on your device.
Legal basis: Article 6(1)(b) GDPR—processing is necessary to fulfill your purchase and provide the premium functionality you requested.
Retention: We do not maintain separate customer databases for purchases. Transaction identifiers received from Apple are used only to verify entitlement to the one-time unlock and may be kept in aggregated or pseudonymous form for accounting and fraud-prevention purposes in line with statutory retention periods.
Apple App Analytics: We use Apple's built-in App Analytics through App Store Connect. Apple collects usage statistics, crash reports, and performance data directly from users who have opted in through their iOS device settings.
From our perspective, we receive only aggregated, anonymized statistics that do not allow us to identify individual users. Apple acts as an independent controller for any personal data processed as part of App Analytics and relies on its own legal bases, as described in Apple's privacy policy.
How to opt out: Settings → Privacy & Security → Analytics & Improvements → disable "Share iPhone Analytics" and "Share with App Developers"
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy or as required by law:
- Ticket/document content: Stored locally on your device with the App; not stored on our servers—needed to display and manage passes; you can delete by permanently deleting the pass or uninstalling the App
- Cryptographic hashes: Not retained—processed in memory only, deleted immediately
- Device identifiers: Up to 12 months after the last successful signing request, or sooner if you request deletion—required for ongoing security verification and abuse prevention
- IP addresses in logs: 30 days—for security monitoring and troubleshooting
- Support correspondence: 3 years (up to 6 for contracts)—for documentation and legal obligations
- Bug reports (metadata and files): 1 year after submission—automatically deleted via DynamoDB TTL and S3 lifecycle policy; you may request earlier deletion by emailing Justin@Lanfermann.dev with your reference ID
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You may request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to rectification (Article 16): You may request correction of inaccurate personal data.
- Right to erasure (Article 17): You may request deletion of your personal data. For device identifiers, please contact us with your device ID (found in the App under Settings → Privacy).
- Right to restriction (Article 18): You may request restriction of processing under certain circumstances.
- Right to data portability (Article 20): You may request to receive your personal data in a structured, machine-readable format.
- Right to object (Article 21): You may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. Note that objecting to device identifier processing will prevent the App from functioning.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint (Article 77): You have the right to lodge a complaint with a supervisory authority if you believe our processing violates the GDPR.
To exercise any of these rights, please contact us at: Justin@Lanfermann.dev
We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity of the request. We will inform you of any such extension.
Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for complaints regarding our processing is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de
You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU.
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption: All data transmitted to our servers uses TLS encryption
- Pseudonymization: Device identifiers cannot be linked to your identity without additional information we do not possess
- Minimal data collection: We only process what is strictly necessary for the service
- On-device processing: Your ticket content never leaves your iPhone
- Access controls: Server access is restricted through AWS IAM policies and monitored
- Infrastructure security: Our infrastructure benefits from AWS's security certifications (ISO 27001, 27017, 27018)
- Log minimization: IP addresses and access log data are retained for a maximum of 30 days for security and troubleshooting, then deleted or anonymized
Data breach notification: In the unlikely event of a personal data breach affecting our systems, we will assess the risk and, where required by law, notify the competent supervisory authority within 72 hours and affected users without undue delay.
Children's Privacy
NeatPass is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at Justin@Lanfermann.dev, and we will delete such data.
Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes through the App or by other appropriate means before they take effect. The "Last updated" date at the top indicates when this policy was last revised.
We encourage you to review this privacy policy periodically.
Contact Us
If you have questions about this privacy policy or our data practices, please contact us:
Email: Justin@Lanfermann.dev
Imprint: https://lanfermann.dev/imprint
We aim to respond to all inquiries within 48 hours.