Privacy Policy

Last updated: June 21, 2025

We appreciate your interest in our mobile app “Paperjungle” (hereinafter referred to as the App). We believe that it is particularly important for document management apps like Paperjungle to be as economical as possible with data. To this end, we try to process as much data as possible exclusively on your end devices. Should this not be possible, we try to process the data primarily on our systems before third parties are involved.

When using the app locally, the data entered into the app, such as folder structure, documents, tags, and collections, always remains only on the device.

When using our cloud service, this data is stored on our servers for synchronization. The thumbnails, scanned documents, extracted texts, and full-text search data are end-to-end encrypted, which means that they can only be decrypted by your account with the help of your password.

In the event of an error, relevant data for an error/crash is shared with the US-based provider Sentry (see 4.6).

We try to be as transparent as possible with the use of your data. If you have any questions about our privacy policy, please feel free to write to us at the email address mentioned below.

Below, we inform you in detail in accordance with the General Data Protection Regulation (GDPR) about the nature, scope, and purpose of the collection and use of your personal data in the context of using our app.

1. Name and Contact Details of the Controller

The controller for data processing within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

Jonas Becker
Marschallstraße 14
42329 Wuppertal
Germany
Email: contact@happy-square.de

2. Contact Details of the Person for Data Protection Inquiries

An external data protection officer has not been appointed. The contact person for data protection inquiries is Jonas Becker. You can reach him using the contact details of the controller mentioned above or directly via email at: contact@happy-square.de.

3. Definitions

Our privacy policy is based on the terms used by the European legislator for directives and regulations when issuing the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance. In this privacy policy, we use, among others, the following terms: personal data, data subject, processing, restriction of processing, controller, recipient, third party, consent. The definitions of these terms can be found in Art. 4 GDPR.

4. Data Processing in Detail

4.1. Voluntary Data Donation for Service Improvement

IMPORTANT NOTE: This feature is an optional opt-in feature and is disabled by default.

We offer you the opportunity to contribute scans of your documents to improve our services through explicit consent. This function must be actively enabled by you in the app settings (opt-in). We understand that even if you wish to share documents to improve our services, you may not want to do this with all documents. For this purpose, the app allows you to decide for each individual document whether it should be shared. Even after activating this function, consent must be given for each document to be shared (opt-in), unless it is activated in the settings that every document should be donated. In this case, however, it is possible to deactivate (opt-out) this feature for each document. Although this data is not linked to your account, these documents are available in plain text. Since these documents are not linked to your account, they are not automatically deleted when your account is deleted. To remove this data, please send us an (also informal) email to contact@happy-square.de. The deletion periods from section 4.7 apply to these emails.

  • Data categories:

    • Scanned document images (unencrypted)
    • Technical metadata (scan quality, settings used)
    • IMPORTANT: The information contained in the documents (names, addresses, contract data, etc.) remains fully legible and recognizable

  • Purpose: The donated data is used exclusively to improve our edge detection and OCR technology, to optimize text recognition, and to generally improve the app’s functionalities.

  • Legal basis: Art. 6(1)(a) GDPR (Consent). The processing is based solely on your explicit and voluntary consent.

  • Recipients: The data is stored and processed on our own servers (see 4.3).

  • Withdrawal: You can withdraw your consent at any time in the app settings. The withdrawal only affects the future - already donated data can be deleted upon request.

  • Storage period: These documents are stored for up to 10 years unless an explicit deletion is requested beforehand.

  • Voluntariness: The use of the app is possible completely independently of this data donation. You will not suffer any disadvantages if you do not participate.

4.2. Use of the App and Analytics

To continuously improve our app, analyze user behavior, identify popular features, and optimize the user experience, we use an analysis tool. In doing so, we try to collect data that is relevant to us while protecting your privacy and not using permanent identifiers. We will never use data such as thumbnails, documents, document texts, tags, and other user data.

  • Data categories: App version, operating system used and its version, country (derived from the IP address, which is not stored in full), usage events (e.g., which functions are used, clicks on certain elements), time of opening and closing the app. Instead of an installation or device ID, an anonymous identifier is used. This is derived on our server (see 4.3) with a strong hash function from your IP address, your user agent, and a random value. None of these values are stored or logged directly. It is not possible to deduce the individual values (IP address, user agent, random value) from this value. This identifier is regenerated every 24 hours and not linked to older identifiers.

  • Purpose: The collection of this data serves to analyze user behavior to improve app functionalities, identify particularly popular features, and generally optimize the user experience.

  • Legal basis: The processing of this data is based on our legitimate interest in analyzing user behavior to optimize the app in accordance with Art. 6(1)(f) GDPR.

  • User control and withdrawal: The collected data is stored for up to 2 years. It is not possible to request the deletion of the data, as it is stored anonymously and can no longer be traced back to you.

  • Recipients: The collected analytics data is stored on our own servers. There is no transfer of raw data to third parties. The evaluation is carried out internally.

  • Storage period: This data is stored for up to 2 years.

4.3. Registration and Use of the Optional Cloud Service

We offer you the option of using an optional cloud service for storing and synchronizing your documents. Some of this data is end-to-end encrypted (as indicated below). This means that this data is encrypted with your password. Your password itself is not transmitted to our services, only a value derived from the password. Thus, this data can only be viewed and decrypted by you.

  • Data categories during registration:

    • Email address
    • Language
    • Password (is hashed, i.e., encrypted and not stored in plain text)

  • Data categories when using the cloud service:

    • Your IP address
    • Metadata you have added or confirmed for your documents (e.g., title, tags, categories, folder structure)
    • The text of your documents recognized by the OCR function (text recognition) (this is stored end-to-end encrypted)
    • The upload date of your documents
    • A unique user ID assigned to your account
    • Thumbnails of the documents (these are stored end-to-end encrypted)
    • The document files you have uploaded yourself (e.g., PDF, JPG, PNG), which are also stored end-to-end encrypted on the servers

  • Purpose: The processing of this data serves to enable the creation and management of your user account, the provision and technical implementation of the optional cloud storage service, and the synchronization of your documents and metadata across various devices on which you are logged in with your account.

  • Legal basis: The processing of your data in the context of registration and use of the cloud service is necessary for the performance of the user contract for the cloud service (Art. 6(1)(b) GDPR).

  • Recipients: The data is stored on servers that we operate with the following host with a server location in Germany:

    • Netcup GmbH, Daimlerstraße 25, D-76185 Karlsruhe, Germany
    • We have concluded a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with this host.

  • Storage period: Until the user account is deleted by you or by us (e.g., upon termination of the contract).

4.4. Local Storage of Documents (without using the cloud service)

The app allows you to capture, catalog, and manage documents purely locally on your end device, without the need to use the optional cloud service.

  • Data categories:

    • Metadata about your documents (e.g., title, tags, categories)
    • The text of your documents recognized by the OCR function (text recognition)
    • The document files themselves (e.g., PDF, JPG, PNG)

  • Purpose: This data is stored exclusively on your device to provide you with the basic app functionalities for local document management.

  • Legal basis: The processing of this data is necessary for the performance of the user contract for the basic functionalities of the app (Art. 6(1)(b) GDPR).

  • Storage period: The data stored on your device remains there until you delete it yourself or uninstall the app (depending on your operating system’s settings, uninstalling may also delete local data). We have no access to this data and no control over its deletion.

  • Important note for users: The documents and associated data stored locally on your device are not separately encrypted by the app. The protection of this data is subject to the security mechanisms of your operating system and your own precautions (e.g., device lock). You are responsible for backing up your locally stored data. There is no automatic transmission of this local data to us or third parties unless you use the optional cloud service.

4.5. Necessary Server Communication

To ensure security and stability, the app requests information from our server at startup and during operation, for example, to be able to inform about a necessary update.

  • Data categories:

    • Version of the app
    • IP address
    • User agent of the browser (if used)
    • Time of the request

  • Purpose: The purpose of the data is to ensure the stability of the app.

  • Legal basis: The processing of this data is based on our legitimate interest in the technically flawless, stable, and secure operation of the app in accordance with Art. 6(1)(f) GDPR.

  • Recipients: See 4.3

  • Storage period: This data is stored for up to one year.

4.6. System Monitoring, Error Reports, and Feedback (via Sentry)

To ensure the technical stability of our app, to identify and fix errors (crashes), to respond to feedback, and to ensure the general technical functionality and security of the service, we use the Sentry service.

  • Data categories: In the event of a crash or a technical error in the app, the following data may be transmitted to Sentry:
    • Crash reports and error details
    • Technical information about your device (e.g., model, manufacturer)
    • Information about the operating system and its version
    • The version of the app used
    • Time of the error
    • Stack traces (technical error logs)
    • If applicable, context information (“Breadcrumbs”) that describe the steps before the error occurred. These are configured sparingly to minimize the collection of personal data.
    • A unique installation ID or (if you are logged into the cloud service) your user ID may be transmitted for better assignment and faster error resolution.
    • Log entries from the app

Since we generally have little to no influence on the processing of your personal data, we cannot make any binding statements about the purpose and scope of the processing of your data. Further information can be found in Sentry’s privacy policy https://sentry.io/privacy.

  • Purpose: The collection of this data serves to ensure app stability, the identification and rapid correction of errors and crashes, and to ensure the technical functionality and security of our application.

  • Legal basis: The processing of this data is based on our legitimate interest in a technically flawless, stable, and secure operation of the app in accordance with Art. 6(1)(f) GDPR. The legal basis can also be the user’s consent in accordance with Art. 6(1)(a) GDPR towards the platform operator, which is given with consent to the privacy policy.

  • Recipients: The data is transmitted to Sentry (Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA).

  • Third-country transfer: Details on this can be found under section 6 “Data transfer to third countries”.

  • Storage period: Your information will be stored for as long as is necessary to fulfill the purposes described in this privacy policy or as required by law.

4.7. Contact

You have the option to contact us directly via email.

  • Data categories: Your email address (as sender), the content of your message, and any attachments you may have sent.

  • Purpose: The processing of this data serves to handle your inquiries, support cases, and your feedback for improving our app.

  • Legal basis:

    • If your contact is in connection with the initiation or execution of a contract with us (e.g., support requests for the cloud service), the legal basis is Art. 6(1)(b) GDPR.
    • In other cases, particularly when submitting general feedback for app improvement, the processing is based on our legitimate interest in effective communication and the improvement of our services (Art. 6(1)(f) GDPR).

  • Storage period: This data is stored until your request has been finally resolved. It will then be retained for a period of up to 6 months to be able to handle any follow-up questions, and then deleted, provided there are no statutory retention obligations (e.g., from commercial or tax law).

4.8. Cloudflare

We use the name server services of Cloudflare Inc., USA, for our domain.

  • Data categories: Your IP address

  • Purpose: The purpose is to offer our services.

  • Legal basis: The processing of this data is based on our legitimate interest in a technically flawless, stable, and secure operation of the app in accordance with Art. 6(1)(f) GDPR.

  • Third-country transfer: Details on this can be found under section 6 “Data transfer to third countries”.

5. Recipients of Data

Your personal data is generally only passed on to third parties if this is necessary for the performance of the contract, if we are legally obliged to do so, if you have given your consent, or if this is based on our legitimate interests.

  • Internal recipients: Within our company, only those employees have access to your data who need it to fulfill the purposes mentioned above (e.g., employees for technical support, server administration, evaluation of anonymized analytics data).

  • External recipients / Data processors:

    • Sentry (Functional Software, Inc. dba Sentry, USA): For system monitoring and error reporting (see section 4.6). A data processing agreement has been concluded with Sentry, which includes standard data protection clauses.
    • Cloudflare Inc. (USA): For name server services (see section 4.8).
    • Hoster for all other services:
      • Netcup GmbH, Daimlerstraße 25, D-76185 Karlsruhe, Germany
      • This hoster stores the data of our cloud service (user accounts, documents, metadata) as well as our self-hosted analytics instance in data centers in Germany. A Data Processing Agreement pursuant to Art. 28 GDPR has been concluded with this hoster.

Your data will not be transferred to other third parties for their own commercial purposes unless you have given your express consent.

6. Data Transfer to Third Countries (outside the EU/EEA)

A transfer of your personal data to countries outside the European Union (EU) or the European Economic Area (EEA), so-called third countries, takes place in the following cases:

  • Sentry (USA): As part of error analysis and system monitoring (see section 4.6), technical error information and, if applicable, anonymized IDs or user IDs are transmitted to Sentry’s servers in the USA. The data transfer is based on the EU-US Data Privacy Framework, as Functional Software Inc. (Sentry) is certified under this framework. In addition, we have agreed with Sentry on Standard Contractual Clauses (SCCs) of the EU Commission pursuant to Art. 46(2)(c) GDPR.

  • Cloudflare (USA): As part of the name server services, your IP address is transferred to Cloudflare in the USA. The data transfer is based on the EU-US Data Privacy Framework, as Cloudflare Inc. is certified under this framework. For more information on data protection at Cloudflare, please visit: https://www.cloudflare.com/privacypolicy/.

All other data processing mentioned in this statement, in particular the storage of your documents and metadata within the optional cloud service and the storage of analytics data, takes place on servers within Germany (and thus within the EU/EEA), or the data remains on your end device.

7. Storage Period

We process and store your personal data only for the period necessary to achieve the respective storage purpose or as provided for by the European or national legislator in laws or regulations to which we are subject. If the storage purpose ceases to apply or a legally prescribed storage period expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

Specifically, the storage periods of the individual data processing operations apply (see 4).

8. Your Rights as a Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights against us as the controller:

  • Right of access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed; if this is the case, you have a right to access this personal data and to further information in accordance with Art. 15 GDPR.
  • Right to rectification (Art. 16 GDPR): You have the right to obtain the rectification of inaccurate personal data concerning you and, if applicable, the completion of incomplete personal data without undue delay.
  • Right to erasure (“right to be forgotten”) (Art. 17 GDPR): You have the right to request from us the erasure of personal data concerning you without undue delay, provided that one of the grounds mentioned in Art. 17 GDPR applies and the processing is not necessary.
  • Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing if one of the conditions mentioned in Art. 18 GDPR is met.
  • Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent or a contract and is carried out by automated means.
  • Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) (public interest) or (f) (legitimate interest) GDPR; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
  • Right to withdraw consent (Art. 7(3) GDPR): You have the right to withdraw a data protection consent given to us (e.g., for the processing of analytics data) at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. You can generally declare the withdrawal via the app’s settings or by sending a message to us (see contact details under section 1 or 2).
  • Right not to be subject to a decision based solely on automated processing – including profiling (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. Such automated decision-making does not currently take place by us within the app.

To assert your rights as a data subject, please contact us using the contact details provided in section 1 or 2.

9. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right, pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority responsible for us, as our headquarters are in Wuppertal (North Rhine-Westphalia), is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia Kavalleriestraße 2-4
40213 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-999
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de

10. Automated Decision-Making and Profiling

Automated decision-making in individual cases, including profiling within the meaning of Art. 22 GDPR, does not take place through the app. The analysis of usage data (see section 4.2) serves to improve the app and not to create user profiles for automated individual decisions.

11. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with the current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to your next visit or further use of the app. We recommend that you review this privacy policy regularly.