Privacy Policy
1. Data Controller
Controller within the meaning of GDPR Art. 4 No. 7:
- Name: Onur Kağan (sole proprietor, trading as Soraka)
- Email: onurkagaan@gmail.com [to be replaced with datenschutz@soraka.de]
- Address: [pending German business registration]
- Phone: [to be added]
2. Processing Principles
2.1 Legal Basis
- Art. 6 (1) (b) GDPR — Contract performance: Pre-order, app delivery, OBD-II adapter provision, optional cloud sync.
- Art. 6 (1) (a) GDPR — Consent: Voluntary participation in community features, opt-in crash and analytics reports.
- Art. 6 (1) (f) GDPR — Legitimate interest: IT security, fraud detection, app stability, error analysis.
2.2 Retention and Deletion
Personal data is retained only as long as needed for the relevant purpose or as required by statutory retention periods (e.g. § 257 HGB, 7 years for business records). Once the purpose is fulfilled, or on objection, data is deleted.
3. Categories of Processed Data
3.1 Pre-order Form (www.soraka.de/pricing)
Data: email (required), country (ISO 3166-1 alpha-2), referrer source (UTM or "organic"), IP address as SHA-256 hash, User-Agent as hash. Purpose: contract initiation per Art. 6 (1) (b) GDPR.
Retention:
- Active pre-order: until conversion
- Converted order: 7 years (§ 257 HGB)
- Expired or cancelled pre-order: 6 months after status change, then deletion
3.2 Soraka Application (iOS / Android)
3.2.1 Account and Profile (optional)
Data: device UUID (local), username (optional, visible in community), email (if linked). Purpose: account creation, device pairing, cloud sync (Art. 6 (1) (b)). Retention: until account deletion + 30-day archive.
3.2.2 OBD-II Sensor Data
Data: real-time engine metrics (RPM, coolant temperature, MAF, boost pressure, DPF status, etc.), VIN stored only as SHA-256 hash, fault codes (DTC, ISO 14229), trip recordings. Purpose: diagnostics, health score (Art. 6 (1) (b)). Retention: indefinite locally; backend (if cloud sync enabled) until user deletion + 30 days. VIN is never stored in plaintext.
3.2.3 Crash and Error Logs
Data: stack trace (class names, line numbers, device specs), timestamp, app and OS version. Purpose: stability and diagnostics (Art. 6 (1) (f)). Retention: 90 days, then auto-deletion.
3.2.4 Community Features (Leaderboard, Health Profile)
Data (only if enabled): username (public), aggregated sensor stats, vehicle model (hashed VIN), leaderboard rank. Purpose: community engagement, benchmarking (Art. 6 (1) (a), explicit consent). Raw data is not shared. License plates are blurred on-device before screenshot upload. Retention: while profile is active; after account deletion, anonymized or deleted within 30 days.
3.2.5 Bluetooth / BLE Connection
Data: OBD adapter MAC address (local only), connection messages. Purpose: device pairing (Art. 6 (1) (b)). Not transmitted to the backend.
3.2.6 Crash Reports and Usage Analytics (OPT-IN)
Data: Sentry stack traces (no source code), Aptabase usage metrics (pages visited, session duration, device OS), anonymous user UUID. Legal basis: Art. 6 (1) (a) GDPR (explicit consent).
Automatic PII filtering: fields containing email, VIN, license plate, phone, password, API keys or address are removed before transmission.
Processors / storage locations:
- Sentry GmbH (Frankfurt, Germany) — crash reports, deleted after 90 days. DPA per Art. 28 GDPR.
- Aptabase (EU data centers) — metrics, aggregated and anonymized after 120 days. DPA per Art. 28 GDPR.
Opt-out: anytime via Settings → Privacy → Crash Reports / Analytics.
3.3 Backend Server (api.soraka.de)
Processor: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (DPA per Art. 28 GDPR).
Categories: pre-order data, cloud sensor data (if enabled), community profile entries, error logs, access logs.
Location: Frankfurt am Main, Germany. Data does not leave the EU.
3.4 Cloudflare (Reverse Proxy, optional)
3.5 Google Fonts (CDN)
The site loads fonts from fonts.googleapis.com (Google Ireland Ltd.), which transmits your IP address to Google. Legal basis: Art. 6 (1) (f) GDPR. [Planned: self-hosted fonts, removing this transfer].
3.6 Third-country Transfers
Apple Inc. (USA, App Store) and Google LLC (USA, Play Store) receive data as part of app distribution. Transfers rely on the EU-US Data Privacy Framework and Standard Contractual Clauses per Art. 46 GDPR. See Apple Privacy and Google Privacy.
4. Your Rights
- Access (Art. 15): request what we store about you.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17): "right to be forgotten" unless retention obligations apply.
- Restriction (Art. 18): limit processing.
- Portability (Art. 20): export in structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7 (3)): anytime, with future effect.
- Complaint (Art. 77): lodge a complaint with a supervisory authority.
To exercise these rights, contact onurkagaan@gmail.com.
5. Security Measures
- TLS 1.2+ (HTTPS) for all app-to-backend transfers.
- SHA-256 hashing of sensitive identifiers (VIN, IP).
- Access control: only authorized personnel (currently Onur Kağan) access backend databases.
- Daily encrypted backups, 30-day retention.
6. Cookies and Tracking
Web (www.soraka.de): only technically necessary cookies (session, language). No Google Analytics, no pixel tracking, no profiling.
App: no cookies. Local data stays on the device.
Advertising IDs: the app does not request Android AAID or iOS IDFA.
7. User Age
Soraka is not designed for children under 16. We do not knowingly process personal data of children under 16 without parental consent. If you become aware of such data, please contact us immediately.
8. Changes
Material changes (new data categories, new processors) will be announced at least 30 days in advance. Older versions are archived.
9. Right to Complain
You have the right to lodge a complaint with a supervisory authority, in particular the Federal Commissioner for Data Protection and Freedom of Information (BfDI) — www.bfdi.bund.de — or the data protection authority of the federal state where you reside.