Legal · Last updated: April 27, 2026

Privacy Policy

This English translation is provided for convenience. In case of any discrepancy, the German version is legally binding.

This privacy policy explains how personal data is processed when you use the iOS app napsip and our website napsip.de. We take the protection of your data seriously and treat it confidentially, in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

The controller within the meaning of the GDPR is:

Fabian Littmann
Meyerhofstraße 29A
40589 Düsseldorf
Germany
Email: napsip@fabianlittmann.de

2. What data we process

The following personal data is processed when you use napsip:

3. Purposes of processing

The collected data is processed exclusively for the following purposes:

4. Legal basis

We process your data on the basis of Art. 6(1)(b) GDPR (processing necessary for the performance of a contract or for pre-contractual measures), as it is required to provide the services of the app and the website.

Insofar as the children’s tracking data mentioned above qualifies as health data within the meaning of Art. 9(1) GDPR, it is processed on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR. You give this consent by creating the family and voluntarily entering the respective data. You may withdraw your consent at any time with effect for the future — simply send a message to napsip@fabianlittmann.de.

Because the data concerns children under 16 years of age, Art. 8 GDPR additionally applies: processing is carried out by the parents holding parental responsibility or with their explicit consent; the app is not intended for direct use by children.

The push token is processed on the basis of Art. 6(1)(a) GDPR (consent), which you give by enabling notifications.

Server log files are processed on the basis of Art. 6(1)(f) GDPR (legitimate interest) for the technical delivery of content and the security of our systems.

5. Website hosting & server log files

The website napsip.de is hosted by:

Vercel Inc.
340 S Lemon Ave #4133, Walnut, CA 91789, USA
vercel.com/legal/privacy-policy

When you visit our pages, Vercel processes technical connection data (IP address, user agent, referrer, date/time, requested resource) to deliver the content and to ensure security. This data is recorded in server log files and deleted or anonymized after 30 days at the latest. A data processing agreement (DPA) is in place with Vercel. As Vercel is based in the USA, data may be transferred to a third country; such transfers are based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

6. Backend & real-time synchronization (Supabase)

For the database, authentication, edge functions (including verification of App Store purchases) and real-time synchronization we use:

Supabase Inc.
970 Trestle Glen Rd, Oakland, CA 94610, USA
supabase.com/privacy

A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Supabase. As Supabase Inc. is headquartered in the USA, data is transferred to a third country; this transfer is based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR and, where applicable, the EU-US Data Privacy Framework (adequacy decision of July 10, 2023).

7. Apple App Store, in-app purchases & push notifications

The app download and in-app purchases (e.g. the one-time Family Unlock for €14.99) are technically handled through the Apple App Store, provided by:

Apple Distribution International Ltd.
Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland
apple.com/legal/privacy

When you purchase or download, Apple processes Apple account and device data under its own responsibility. From Apple we receive only the signed purchase receipt (JWS) and the opaque Apple account ID, in order to verify the Family Unlock entitlement server-side. No credit card or address data is transferred to us.

Push notifications are delivered via the Apple Push Notification service (APNs). The push token generated by the operating system is transmitted to Apple; Apple forwards the notification to your device. This processing only takes place if you have actively allowed push notifications in iOS (Art. 6(1)(a) GDPR).

8. Fonts

This website uses exclusively self-hosted fonts (Nunito, Outfit, Cormorant Garamond, DM Sans), served from our own server (Vercel, see section 5). No connection to Google Fonts or other external font services is established; accordingly, no IP addresses are transmitted to Google or other third parties.

9. Cookies and local storage

This website sets no cookies, uses no analytics, no ad tracking, no social media plugins and no comparable tracking technologies. Neither cookies nor local storage entries are created. Consent pursuant to Section 25(1) of the German Telecommunications Digital Services Data Protection Act (TTDSG) is therefore not required.

10. Encryption (TLS/HTTPS)

All content transferred between your device and our servers is encrypted via HTTPS (TLS). This protects the data against interception and manipulation in transit.

11. Retention & account deletion

Your app data is stored for as long as your user account is active. After you delete your account, all associated data is permanently deleted within 30 days, unless statutory retention obligations (e.g. Section 257 of the German Commercial Code (HGB), Section 147 of the German Fiscal Code (AO)) require otherwise. Server log files are deleted or anonymized after 30 days at the latest.

You can delete your account directly in the app under Settings → Account → Delete account. The following applies:

Alternatively, you can still request deletion by email to napsip@fabianlittmann.de.

12. Your rights

You have the following rights regarding your personal data regarding your personal data:

To exercise these rights, contact: napsip@fabianlittmann.de.

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). Our competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia:

LDI NRW · Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
ldi.nrw.de

13. No automated decision-making

We do not use fully automated decision-making, including profiling, within the meaning of Art. 22 GDPR. Prediction features such as the sleep-window calculation (“Sleep Prediction”) serve solely as a hint in the UI and have no legal or similarly significant effect.

14. Changes to this privacy policy

We reserve the right to amend this privacy policy as needed to reflect changes in the legal situation or changes to the app and website. The current version is always available at this URL. In the event of significant changes, we will inform you via the app.