Subpoint Get the app

Privacy

Privacy Policy

Last updated: May 29, 2026

1. Who we are

This policy explains how personal data is handled on the website subpoint.space and in the Subpoint mobile app (currently in private testing). It is written to be honest and specific: Subpoint is built privacy-first, and there is very little data to talk about.

Responsible party (Verantwortlicher) under the GDPR:
Maximilian Weber, Krohnskamp 48, 22301 Hamburg, Germany.
Email: privacy@subpoint.space

2. This website (subpoint.space)

This site is a set of static pages. It sets no cookies, runs no analytics, and embeds no third-party trackers. Fonts and images are served from this domain - there are no calls to Google Fonts, a CDN, or social widgets. We do not fingerprint you and there is no contact form.

The only data processed when you visit is what any web server records: your hosting provider writes server log files containing your IP address, the date and time of the request, the page requested, the referring page, and your browser/operating system. This is technically necessary to deliver the site and to keep it secure (legal basis: legitimate interest, Art. 6(1)(f) GDPR). These logs are kept for a limited time and then deleted by the provider.

3. Hosting

The website is hosted in Germany by ALL-INKL.COM - Neue Medien Münnich, Inhaber: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany. The provider processes the server log data described above on our behalf as a processor under a data processing agreement (Art. 28 GDPR).

4. The mobile app

The Subpoint app is built so that your location never leaves your device. Pass predictions are computed entirely on the phone. The GPS coordinates the app briefly reads are never sent to a server, never stored outside the app, and never linked to an identity - there are no user accounts. There is deliberately no backend table named user_locations; that is a documented architectural decision.

The app fetches read-only content (modules, experiments, astronauts, daily activity, orbital elements) from our backend. As with any network request, your device's IP address is transmitted to the backend provider because it is technically required to deliver a response; it is not used to profile you.

5. Backend provider

The app's read-only content is served from a database hosted by Supabase, Inc. (USA), as a processor. Connection metadata (such as your IP address at the moment of a request) is processed to deliver the requested data. Transfers outside the EU are based on the EU Standard Contractual Clauses. No personal account data is involved, because the app has no accounts.

6. What we do not do

  • We do not sell or share your personal data.
  • We do not use advertising or cross-site tracking.
  • We do not collect payment, health, or biometric data.
  • We do not transmit or store your location off-device.

7. Your rights (GDPR)

Under the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectification of inaccurate data (Art. 16).
  • Erasure (“right to be forgotten”, Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Lodge a complaint with a supervisory authority.

To exercise these rights, contact privacy@subpoint.space. The supervisory authority responsible for us is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Hamburg.

8. Children

Subpoint is not directed at children under 16, and we do not knowingly collect personal data from them. The app holds no personal data to begin with.

9. Changes

We may update this policy as the app moves toward public release. Changes are posted on this page with a new revision date above. Questions in the meantime? privacy@subpoint.space.