Alarmox Privacy Policy

Last updated: May 9, 2026

This Privacy Policy explains how Wotaso GmbH processes personal data when you use the Alarmox iOS app. Alarmox is designed to be local-first for alarm challenges: camera, microphone, speech, and location challenge data is processed on your device unless this policy says otherwise.

This policy is based on the current app implementation. If Alarmox adds account login, server-side media upload, advertising, or additional analytics, this policy must be updated before release.

1. Controller

The controller responsible for Alarmox is Wotaso GmbH, Bostonring 5, 71686 Remseck am Neckar, Germany. Email: support@alarmox.com. Legal details are available in the Alarmox imprint.

No data protection officer has been appointed because this is not currently required for Wotaso GmbH. Privacy requests can be sent to the email address above.

2. Data We Process

App data stored on your device

Alarmox stores alarm settings, onboarding state, challenge preferences, proof-video setting, analytics consent, cached entitlement status, and cached friend/profile data on your device using local app storage. This is necessary to provide the app and remember your settings.

Anonymous app account and friends

Alarmox uses Supabase Anonymous Auth to create a persisted anonymous user ID. If social features are enabled, Supabase stores your anonymous user ID, display name, avatar, RevenueCat app user ID when available, friendships, wake result duration, wake target label, wake timestamp, and a client-synced subscription snapshot. Wake results and profile information may be visible to accepted Alarmox friends inside the app.

You can delete this anonymous Alarmox account in Settings. Account deletion removes the Supabase auth user and cascades deletion to the profile, friendship, wake result, and subscription snapshot records linked to that user. The app also clears locally stored Alarmox account data on the device.

Alarm challenges

Camera-based object, grass, and push-up challenges are processed locally on your device. The app may capture temporary frames or snapshots to classify objects or poses locally. Alarmox does not automatically upload camera frames or proof videos.

Walk challenges use your location locally to measure progress toward the selected walking distance. Voice-repeat challenges use microphone access and on-device speech recognition to check whether the phrase was spoken. Alarmox does not upload raw location tracks, microphone recordings, or speech audio to Wotaso servers.

Optional proof videos

Proof video recording is off by default. If you enable it, Alarmox records camera-only video locally during real alarm scans. The video stays on your device unless you choose to share it through the native iOS share sheet. The recipient and further processing then depend on the service you choose in the share sheet.

Purchases and subscriptions

In-app purchases and subscriptions are processed by Apple. Alarmox uses RevenueCat to manage subscription status and restore purchases. RevenueCat processes anonymous app user IDs, purchase and entitlement information, product identifiers, timestamps, and technical purchase diagnostics needed to provide subscriptions.

Error tracking

If error tracking is enabled in the production build, Alarmox sends crash and error data to Wotaso's GlitchTip/Sentry-compatible error tracking endpoint. This can include technical data such as app version, device model, operating system, stack traces, timestamps, and diagnostic context. The app is configured with default personal information disabled and strips user payloads before sending events.

Analytics

Alarmox uses AnalyticsCLI for optional product analytics only when configured and only after you choose to share optional analytics. These events can include screen views, onboarding answers, challenge results, paywall and purchase events, app version, build number, and operating system. Alarmox connects these events across sessions using your anonymous RevenueCat app user ID. No email address or real name is attached by Alarmox, and analytics does not include camera frames, proof videos, microphone audio, or raw location tracks. You can change the analytics choice in Settings.

Support and feedback

If you contact us by email or send feedback, we process your email address, message, and any information you include so we can respond and provide support.

3. Purposes and Legal Bases

Providing alarms, challenges, app settings, anonymous account state, and friend features: contract performance or pre-contractual measures, Art. 6(1)(b) GDPR.
Processing optional proof videos on device and opening the share sheet after your action: contract performance, Art. 6(1)(b) GDPR, and your active choice.
Purchase handling, subscription status, restore purchases, fraud prevention, and billing support: contract performance, Art. 6(1)(b) GDPR, and legitimate interests, Art. 6(1)(f) GDPR.
Error tracking, security, abuse prevention, and reliability improvements: legitimate interests, Art. 6(1)(f) GDPR.
Optional analytics that connects sessions using an anonymous app user ID: consent, Art. 6(1)(a) GDPR. You may withdraw consent at any time in Settings.
Support communication: contract performance, Art. 6(1)(b) GDPR, and legitimate interests, Art. 6(1)(f) GDPR.
Legal record keeping and compliance: legal obligation, Art. 6(1)(c) GDPR.

4. Recipients and Processors

Depending on configuration and your use of Alarmox, data may be processed by:

Apple, for App Store distribution, in-app purchases, subscriptions, and refunds.
RevenueCat, for subscription entitlement management and purchase restoration.
Supabase, for anonymous authentication, database hosting, and friend/result data.
GlitchTip/Sentry-compatible error tracking, for crash and error diagnostics.
AnalyticsCLI, for product analytics events when configured and permitted.
Email providers used by you and Wotaso when you contact support.

We enter into data processing agreements where required and configure providers to minimize personal data where possible.

5. International Transfers

Some providers may process data outside the European Economic Area, including in the United States. Where required, transfers are based on an adequacy decision, the EU Standard Contractual Clauses, provider data processing terms, or another lawful transfer mechanism.

6. Retention

Local app data remains on your device until you delete it, reset the app, or uninstall Alarmox.
Supabase auth, profile, friendship, wake result, and subscription snapshot data is kept while the anonymous app account is active and is deleted when you use Delete account in Alarmox Settings, unless legal duties require longer retention.
Error tracking data is kept only as long as needed for debugging and reliability. The current GlitchTip default retention is generally up to 90 days unless configured differently.
Analytics events are kept as long as needed for product analysis and then deleted or aggregated.
Support emails are usually kept for up to three years after the matter is resolved, unless longer retention is required for legal claims or accounting.
Purchase records are retained by Apple and RevenueCat according to their own legal and operational retention rules.

7. Your Choices

You can deny camera, microphone, speech recognition, and location permissions in iOS.
You can change analytics consent in Alarmox Settings.
You can turn proof video recording off in Alarmox Settings.
You can delete your anonymous Alarmox account in Settings.
You can clear local app data by deleting the app.
You can manage or cancel subscriptions through your Apple ID subscription settings.

8. Your GDPR Rights

Subject to the legal requirements, you have the right to request access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. Where processing is based on consent, you may withdraw consent at any time with effect for the future.

To exercise these rights, use Delete account in Alarmox Settings or contact support@alarmox.com. We may need information that lets us identify the relevant anonymous app account, for example your in-app profile or anonymous user ID.

9. Complaint to a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Wotaso GmbH is the Landesbeauftragte fuer den Datenschutz und die Informationsfreiheit Baden-Wuerttemberg, Heilbronner Strasse 35, 70191 Stuttgart, Germany. Website: baden-wuerttemberg.datenschutz.de.

10. Children

Alarmox is not intended for children under 16. If you believe a child has provided personal data through Alarmox, contact us so we can review and delete the data where required.

11. Changes

We may update this Privacy Policy when Alarmox changes or legal requirements change. The current version is published at this URL.