Privacy Policy

Last updated: 29 April 2026

This Privacy Policy explains what personal data we process when you use the Namelli app and the website namelli.com, for what purposes, and on what legal basis. It is governed by the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Data Controller

The controller within the meaning of Art. 4(7) GDPR is:

Renting & Renting GbR
Represented by: Leila Renting, Alex Renting
Industriestraße 8
67304 Eisenberg, Germany
Email: privacy@namelli.com

We are not required to appoint a Data Protection Officer under §38 BDSG — we fall below the statutory threshold. For any data-protection enquiry, please contact us at the email address above.

2. Personal Data We Process

2.1 Sign in with Apple

When you sign in with your Apple ID, Apple provides us with a pseudonymous Apple User ID (apple_sub) and, if you permit it in the Apple dialog, a display name you choose. Apple also transmits an email address, but we do not store it; only the Apple User ID and display name are saved in our user table.

2.2 App Content

  • Sessions in which you are an owner or member (title, filters, memberships)
  • Likes and passes on individual first names
  • Matches (names liked by all members of the same session)
  • Blocked-name lists (names excluded by you or the session owner)
  • Optional: due date, if you choose to provide it

2.3 Usage and Technical Data

  • Activity timestamp last_active_at — used to detect inactive members in the matching algorithm.
  • Push token (Expo / APNs / FCM) — only if you have enabled push notifications.
  • Server logs (IP address, timestamp, app version) for stability and abuse prevention; IP is anonymised after 7 days.

We do not engage in cross-app or cross-site tracking, and we do not integrate advertising or analytics providers that transfer personal data to the US or other third countries.

3. Purposes and Legal Bases

  • Providing the service (account, sessions, swipes, matches): Art. 6(1)(b) GDPR — performance of a contract with you.
  • Match calculation via server-side triggers: Art. 6(1)(b) GDPR. No profiling within the meaning of Art. 22 GDPR takes place — the algorithm arranges name IDs only, with no personality assessment.
  • Service push notifications (match alert, catch-up nudge): Art. 6(1)(b) GDPR; token storage under §25(2)(2) TDDDG (strictly necessary for the function).
  • Stability and abuse prevention (server logs): Art. 6(1)(f) GDPR — legitimate interest in a functioning, secure service.

4. Recipients and Data Processors

The following data processors are involved in operating Namelli:

  • Supabase Pte. Ltd. — database hosting and authentication in the AWS region eu-central-1 / Frankfurt. Data Processing Agreement (DPA) under Art. 28 GDPR including EU Standard Contractual Clauses is in place.
  • Vercel Inc. — hosting of namelli.com in an EU region. DPA under Art. 28 GDPR; Vercel is certified under the EU-US Data Privacy Framework.
  • Apple Inc. — Sign in with Apple and Apple Push Notification Service (APNs). Part of the Apple platform ecosystem.
  • 650 Industries, Inc. (Expo) — Expo Push Service as an abstraction layer over APNs/FCM. DPA in place; certified under the EU-US Data Privacy Framework.
  • Sentry GmbH — crash and error reporting via the German Sentry instance (de.sentry.io, Germany region). A Data Processing Agreement under Art. 28 GDPR is in place; no transfer to third countries takes place for this processing.
  • Google LLC— “Sign in with Google” (OAuth authentication) for users who choose this sign-in method. DPA in place; Google is certified under the EU-US Data Privacy Framework.

We do not share your data with any other recipients or use it for advertising purposes.

5. International Data Transfers

Apple, Expo, Vercel and Google have corporate affiliates in the United States. Where personal data is transferred there, we rely on the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) and additionally on EU Standard Contractual Clauses. A transfer impact assessment is available on request.

6. Retention Periods

  • Account data: retained until you delete your account; backups overwritten within 30 days.
  • Inactive sessions: anonymised after 12 months of no activity.
  • Inactive accounts with no login for more than 24 months: deleted after prior notice.
  • Push tokens: refreshed or deleted after 60 days of inactivity.
  • Server logs: raw IP for 7 days, then aggregated; fully deleted after 30 days.

7. Your Rights

Under Arts. 15–22 GDPR you have the following rights:

  • Access to the personal data we hold about you (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure of your data (Art. 17) — immediately available in the app under "Profile → Delete account"
  • Restriction of processing (Art. 18)
  • Data portability — export of your data in machine-readable form (Art. 20)
  • Objection to processing based on legitimate interests (Art. 21)
  • Withdrawal of any consent you have given, with effect for the future (Art. 7(3))

Send requests informally to privacy@namelli.com. We will respond within one month as required by Art. 12(3) GDPR.

8. Right to Lodge a Complaint

Under Art. 77 GDPR you have the right to lodge a complaint with a supervisory authority — in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. The competent authority for our registered address in Rhineland-Palatinate is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz. A list of all German supervisory authorities is available at bfdi.bund.de.

9. Changes to This Privacy Policy

This policy may be updated when we add features or engage new data processors. The current version is always published here; we will notify you of material changes in the app.

DEEN