100 Reasons

Privacy Policy

Last Updated: 2026-02-02 Effective Date: 2026-02-02

Version: 1.0 Last Updated: February 2, 2026 Effective Date: February 2, 2026

Our Commitment

We will never sell your personal data. Your information—including the love reasons you write—is private and will never be shared with advertisers, data brokers, or third parties for any purpose other than powering 100 Reasons (see list of subprocessors for details).

Scope of This Policy

This Privacy Policy applies to:

  • Website (100reasons.love)

    • 🌐 Browsing: Analytics cookies (with consent)
    • 📧 Early Access Signup: First name and email collection

  • App (app.100reasons.love)

    • 📱 Full account functionality with love reason creation and delivery

Different sections apply depending on which service you use, clearly marked with:

  • 🌐 Website Browsing Only
  • 📧 Early Access Signup
  • 📱 App Only
  • 🌐📱 Website and App

Table of Contents

  1. Who We Are
  2. Why We Process Your Data
  3. What Data We Collect
  4. Third-Party Services We Use
  5. International Data Transfers
  6. How Long We Keep Your Data
  7. Your Data Protection Rights
  8. Withdrawing Your Consent
  9. Automated Decision-Making and Profiling
  10. Special Categories of Personal Data
  11. Cookies and Tracking Technologies
  12. Data Security
  13. Children’s Privacy
  14. Third-Party Links
  15. Changes to This Policy
  16. Contact Us
  17. Version History

Who We Are

Data Controller: doto one GmbH (operating as “100 Reasons”)

Registered Address: Buschingstrasse 55 81677 München Germany

Commercial Register: HRB 119227, Registergericht München

VAT ID: DE 192123563

Contact Email: [email protected]

Data Protection Contact: Alexander Jansen ([email protected])

Managing Directors: Alexander Jansen, Inge Jansen-Hertz

Why We Process Your Data

We process personal data for the following purposes:

PurposeLegal BasisApplies To
Account creation and managementContract (Art. 6(1)(b))📱 App
Email marketing and launch notificationsConsent (Art. 6(1)(a))📧🌐📱 Website + App
Analytics and usage insightsConsent (Art. 6(1)(a))🌐📱 Website + App
Security and fraud preventionLegitimate interest (Art. 6(1)(f))📱 App
Payment processingContract (Art. 6(1)(b))📱 App

What We Do NOT Do With Your Data

  • Sell your personal information to third parties
  • Share your love reasons with anyone - including ourselves
  • Use your content for AI training
  • Rent or lease your email address
  • Track you across other websites for advertising purposes
  • Analyze or process special categories of personal data (see Special Categories section below)

What Data We Collect

🌐 Website Browsing (100reasons.love)

Only with your consent:

  • Google Analytics 4 data (pageviews, clicks, device info)
  • Referrer URL (how you found us)
  • Approximate location (country/city level)
  • Device type and browser information

No personal identifiers - We do not collect names, emails, or IP addresses during browsing.

📧 Early Access Signup (100reasons.love form)

When you submit the early access form:

  • First name (optional)
  • Email address (required)
  • Consent timestamp (when you agreed)
  • Privacy policy version (which version you accepted)
  • Form source metadata (which page you signed up from)

This data is stored in Loops.so (our email service provider).

📱 App (app.100reasons.love)

Account Information:

  • Email address (your login identifier)
  • Password (hashed with bcrypt - we never store plaintext passwords)
  • Display name
  • Timezone (for correct daily limit resets)
  • Profile settings

Relationship Data:

  • Partner connections (Giver-Receiver relationships)
  • Relationship settings (Daily Limit, bonus grants)
  • Invitation history

Love Reasons:

  • Content you create (love reasons text)
  • Delivery status (viewed/not viewed)
  • Reactions (if receiver provides feedback)
  • Creation and view timestamps

Usage Information:

  • Feature usage patterns (what you click, how you navigate)
  • Login activity (last login timestamp)
  • Device information (mobile vs desktop)
  • Session data (stored in Supabase Auth)

Analytics Data:

  • Google Analytics 4 events (with consent)
  • BigQuery analytics warehouse (with consent)
  • User ID (Supabase UUID - pseudonymized, not your email)

Payment Information (handled by Stripe):

  • Subscription plan (Free, Individual, Family)
  • Payment method (card last 4 digits only)
  • Billing address
  • Transaction history

We do NOT store: Full credit card numbers, CVV codes, or government IDs.

Third-Party Services We Use

We share your data with trusted third-party services to operate 100 Reasons. All services have Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs) for international data transfers.

Infrastructure & Hosting

ServicePurposeData SharedPrivacy Policy
VercelApp + backend hostingRequest logs, usage dataVercel Privacy
Cloudflare PagesWebsite hostingAccess logs (temporary)Cloudflare Privacy

Database & Authentication

ServicePurposeData SharedPrivacy Policy
SupabaseDatabase, Auth, StorageAll app data, authentication sessionsSupabase Privacy

Email Communications

ServicePurposeData SharedPrivacy Policy
Loops.soTransactional + marketing emailsEmail address, first name, consent metadataLoops Privacy

Analytics

ServicePurposeData SharedPrivacy Policy
Google Analytics 4Website + app analyticsPseudonymized user ID (UUID), pageviews, eventsGoogle Privacy
Google Cloud BigQueryAnalytics data warehouseSame as GA4 (with consent)Google Cloud Privacy

Payments

ServicePurposeData SharedPrivacy Policy
StripeSubscription paymentsEmail, payment method, billing addressStripe Privacy

Data Processing Agreements

All services listed above provide Data Processing Agreements incorporating Standard Contractual Clauses for data transfers outside the EU. These agreements are either incorporated into their Terms of Service or available through their dashboards.

International Data Transfers

Your data may be transferred to and processed in countries outside the European Union, specifically the United States.

US-Based Processors

The following services process data in the United States:

  • Supabase - Database and authentication
  • Vercel - App and backend hosting
  • Loops - Email delivery
  • Google - Analytics (GA4 and BigQuery)
  • Stripe - Payment processing

Safeguards in Place

We ensure all international transfers comply with GDPR through:

  1. Standard Contractual Clauses (SCCs) - All US-based processors provide SCCs
  2. Data Processing Agreements - In place with all processors
  3. GDPR Compliance Certifications - All processors maintain GDPR compliance programs
  4. EU-US Data Privacy Framework - Google participates in the Data Privacy Framework where applicable

Cloudflare’s Global Network

Cloudflare processes data at the edge location nearest to you (could be EU, US, or other regions). This is done for performance and security. Cloudflare maintains GDPR compliance and has executed SCCs.

Your Rights

You have the right to obtain information about the safeguards we use for international transfers. Contact us at [email protected] for details.

How Long We Keep Your Data

We retain personal data only as long as necessary for the purposes disclosed in this policy.

Data TypeRetention PeriodRationale
Active accountsUntil you delete your accountContract performance (GDPR Art. 6(1)(b))
Deleted accounts30 daysTechnical cleanup period, then permanent deletion
Analytics data (GA4)14 monthsGoogle’s free tier limitation
Analytics data (BigQuery)As long as Insights consent is activeUser-controlled; anonymized when consent withdrawn
Email marketing dataUntil unsubscribe + 90 daysHonor unsubscribe requests, legal obligation period
Payment records10 yearsGerman tax/accounting law (HGB §257, AO §147)
Backups30 daysAutomatic deletion cycle for disaster recovery
Early Access signupsUntil launch + 30 days or account creationLaunch notification purpose

Anonymized Data

Anonymized data (data that cannot be linked back to you) may be retained indefinitely for statistical analysis. Once anonymized, it is no longer considered personal data under GDPR.

Data Deletion

When you delete your account:

  1. Your account data is marked for deletion immediately
  2. Backups are cleared within 30 days
  3. Analytics data in GA4 and BigQuery is anonymized (user identifiers removed) to preserve statistical validity per GDPR Article 17(3)(d)
  4. Email address is removed from Loops (hash retained to prevent re-subscription)
  5. Payment records retained for 10 years per German law

Your Data Protection Rights

Under GDPR and other privacy laws, you have the following rights:

🔍 Right to Access (Article 15)

What it means: Request a copy of all personal data we hold about you.

How to exercise: Email [email protected] with subject “Data Access Request”

What you’ll receive: JSON file with all your data (account info, love reasons, analytics data if Insights consent was given, payment records)

Response time: Within 30 days (GDPR requirement)

Cost: Free (first request per year)

✏️ Right to Rectification (Article 16)

What it means: Correct inaccurate or outdated information.

How to exercise:

Response time: Immediate (for Settings updates) or within 30 days (for email requests)

🗑️ Right to Erasure - “Right to be Forgotten” (Article 17)

What it means: Request deletion of your personal data.

How to exercise:

  • Click “Delete Account” in app Settings
  • Email [email protected] with subject “Delete My Data”

What happens:

  • Account deleted immediately
  • Backups cleared within 30 days
  • Analytics data anonymized (user identifiers removed, aggregated statistics retained for statistical purposes per GDPR Article 17(3)(d))
  • Email removed from Loops
  • Payment records retained for 10 years (German law requirement)

Exceptions: We cannot delete data we’re legally required to retain (e.g., payment records for tax compliance) or data retained for statistical purposes with anonymized user identifiers (GDPR Article 17(3)(d)).

🛑 Right to Restrict Processing (Article 18)

What it means: Temporarily pause processing of your data.

How to exercise: Email [email protected] with subject “Restrict Processing Request”

What happens: We will pause non-essential processing while investigating or resolving your concern.

📦 Right to Data Portability (Article 20)

What it means: Receive your data in machine-readable format (JSON) to transfer to another service.

How to exercise: Email [email protected] with subject “Data Export Request”

What you’ll receive: JSON file with:

  • Account information
  • All love reasons you created
  • Relationship settings
  • Analytics data (if Insights consent was given)

Format: JSON (can be imported into other systems)

✋ Right to Object (Article 21)

What it means: Object to processing based on legitimate interests or for marketing.

How to exercise:

  • Marketing emails: Click “Unsubscribe” in any email
  • Analytics: Revoke Insights consent in Settings or cookie banner
  • Other processing: Email [email protected]

Effect: Immediate cessation of the specific processing.

🔄 Right to Withdraw Consent

What it means: Withdraw consent at any time without affecting past processing.

How to exercise:

  • Email marketing: Click “Unsubscribe” in any email
  • Analytics cookies: Use cookie banner or Settings page
  • Other consents: Email [email protected]

Effect: We stop processing based on that consent going forward.

⚖️ Right to Lodge a Complaint

What it means: If you’re unhappy with how we handle your data, complain to a supervisory authority.

EU/EEA users:

UK users: Information Commissioner’s Office (ICO) Website: https://ico.org.uk/

📧 How to Exercise Your Rights

Email: [email protected]

Subject lines for faster processing:

  • Data Access Request
  • Data Export Request
  • Delete My Data
  • Restrict Processing Request
  • Privacy Policy Question

Response time: We aim to respond within 7 days, maximum 30 days (GDPR requirement).

Identity verification: For security, we may ask you to verify your identity before fulfilling certain requests.

You have the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

How to withdraw:

  • Click “Unsubscribe” link in any email (one-click, instant)
  • Toggle off “Email notifications” in app Settings page
  • Email [email protected]

Effect: Immediate removal from all marketing emails. Transactional emails (e.g., password resets, security alerts) continue as they are necessary for service operation.

How to withdraw:

  • Use cookie consent banner on first visit (click “Reject” or “Manage”)
  • Settings page: Toggle off “Insights” consent group
  • Email [email protected]

Effect:

  • Immediate cessation of GA4 tracking
  • BigQuery data collection stops
  • Existing analytics data is anonymized (user identifiers removed, aggregated statistics retained for statistical purposes per GDPR Article 17(3)(d))

You can re-grant consent at any time through the same methods. You will need to confirm your choice (double opt-in for email, explicit toggle for analytics).

Automated Decision-Making and Profiling

We do not use automated decision-making or profiling as defined by GDPR Article 22.

  • No AI makes decisions about your personal data or evaluates your behavior
  • Reason delivery is user-controlled (you choose when to view reasons)
  • Daily Limits within relationships are set by the Giver, not by algorithms
  • Service features are determined by your subscription tier, which you voluntarily selected
  • No automated credit, insurance, or employment decisions
  • No algorithmic content filtering or behavioral profiling

Service access is based solely on your chosen subscription, not on automated evaluation of your characteristics or behavior.

Special Categories of Personal Data

GDPR Article 9 defines special categories as particularly sensitive data: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

Our Approach

We do not intentionally collect, process, or analyze special categories of personal data.

However, as 100 Reasons allows you to write free-text love reasons, you may voluntarily choose to include such information. If you do:

  • We do NOT analyze the special category nature of your content
  • We do NOT use AI to detect or categorize sensitive information
  • We only store and display the content to the intended recipient (your partner)
  • We do NOT process the data for any purpose beyond storage and display

Your Responsibility

You control what you write in love reasons. Our Terms of Service prohibit:

  • Illegal content
  • Content that violates the platform’s intended purpose
  • Harassment or abusive content

But we do not actively monitor or filter your love reasons for special category data.

Why This Matters

Because we don’t process special category data (only store and display it), we don’t require explicit Article 9 consent. The storage and display is covered by our contract with you (GDPR Article 6(1)(b)).

Security

All love reasons are encrypted at rest and protected by Row Level Security policies. Only you and your partner can access them.

Cookies and Tracking Technologies

What Are Cookies?

Cookies are small text files stored on your device when you visit our website. We use cookies to understand how you use our site and to improve your experience.

We follow the opt-in model required by GDPR and German TTDSG §25: non-essential cookies are blocked until you give explicit consent.

We use two categories of cookies:

Purpose: Store your cookie consent preferences so we remember your choice.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) - necessary for website operation

Cannot be disabled: These cookies are essential for the cookie banner to function.

Cookie details:

Cookie NamePurposeDurationDomain
cc_cookieStores your cookie consent choices180 days.100reasons.love

2. Analytics Cookies (Requires consent - OFF by default)

Purpose: Understand how visitors interact with our website to build a better product.

NOT used for advertising: We do NOT use analytics for advertising, retargeting, remarketing, or sell your data to third parties.

Legal basis: Consent (GDPR Art. 6(1)(a), TTDSG § 25)

Provider: Google Analytics 4

Can be disabled: Via cookie banner or Settings page

Data collected:

  • Page views and navigation paths
  • Click events and button interactions
  • Scroll depth and time on page
  • Device type, browser, operating system
  • Approximate location (country/city level)
  • Referral source (how you found our site)

Data NOT collected:

  • Personal information (name, email, phone)
  • Precise geolocation (GPS coordinates)
  • IP addresses (anonymized by Google in EU)

Data retention: 14 months (Google’s free tier limit)

Cookie details:

Cookie NamePurposeDurationDomain
_gaDistinguishes unique users2 years.100reasons.love
_ga_*Persists session state for analytics2 years.100reasons.love
_gidDistinguishes users (short-term)24 hours.100reasons.love

Google Analytics 4 Details

Why we track: To understand which features people use most, identify usability issues, and prioritize improvements based on real user needs.

Privacy protections:

  • IP anonymization enabled (required in EU)
  • No cross-domain tracking for advertising
  • No Google Ads integration
  • No remarketing lists
  • User ID is pseudonymized (Supabase UUID, not email)

Your opt-out options:

  1. Cookie banner: Click “Reject” or toggle off “Insights” consent group
  2. Settings page: Turn off analytics consent at any time
  3. Browser extension: Google Analytics Opt-out Browser Add-on
  4. Browser settings: Block third-party cookies entirely

BigQuery Integration: If you consent to analytics, we also export GA4 data to Google BigQuery (our analytics data warehouse) for deeper insights. This data is pseudonymized and follows the same retention policy. When you withdraw Insights consent, BigQuery data collection stops immediately.

Google’s privacy policy: https://policies.google.com/privacy

You can change your cookie preferences at any time:

  1. Cookie banner: Click “Cookie Preferences” link in footer
  2. Settings page: App users can manage consent in Settings → Privacy
  3. Browser settings: Block/delete cookies in your browser
  4. Browser extensions: Use cookie management extensions

To withdraw analytics cookie consent:

  1. Open cookie preferences (footer link or Settings page)
  2. Toggle off “Analytics Cookies” or “Insights” consent group
  3. Click “Save Preferences”

Effect: All GA4 cookies are immediately deleted, and tracking stops. Existing data in GA4/BigQuery is anonymized (user identifiers removed).

Per Section 25 of the German Telecommunications-Telemedia Data Protection Act (TTDSG), we:

  • ✅ Obtain explicit consent before setting analytics cookies
  • ✅ Block non-essential cookies until consent is given (prior blocking)
  • ✅ Provide clear information about cookie purposes
  • ✅ Allow granular control over cookie categories
  • ✅ Do not use cookie walls or forced consent
  • ✅ Make “Reject All” as easy as “Accept All” (no dark patterns)

Questions?

Contact us at [email protected] for cookie-related questions.

Data Security

We implement industry-standard security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction.

Technical Measures

Encryption:

  • In transit: All data transmitted between you and our services uses HTTPS/TLS 1.3 encryption
  • At rest: Database encryption via Supabase (AES-256)
  • Passwords: Hashed with bcrypt (industry standard, never stored in plaintext)

Access Controls:

  • Row Level Security (RLS) policies in database
  • Role-based access control (RBAC)
  • Limited personnel access to production data
  • Two-factor authentication (2FA) for administrative access

Infrastructure:

  • Vercel serverless architecture (no long-lived servers to compromise)
  • Supabase managed PostgreSQL (automated security updates)
  • Cloudflare DDoS protection and Web Application Firewall (WAF)

Organizational Measures

Policies:

  • Regular security audits (quarterly)
  • Security incident response plan
  • Data breach notification procedures (within 72 hours per GDPR Article 33)

Training:

  • Development team trained on OWASP Top 10 vulnerabilities
  • Secure coding practices enforced via code review

Third-Party Security:

  • All subcontractors SOC 2 Type II certified or equivalent
  • DPAs require subcontractors to maintain adequate security

Limitations

No method is 100% secure. While we implement robust security measures, we cannot guarantee absolute security. You are responsible for:

  • Keeping your password confidential
  • Using a strong, unique password
  • Enabling two-factor authentication (when available)
  • Logging out on shared devices

Data Breach Notification

In the unlikely event of a data breach affecting your personal information:

We will notify you within 72 hours via email to your registered email address.

Notification will include:

  • Nature of the breach (what data was affected)
  • Likely consequences
  • Measures we’ve taken to address the breach
  • Recommendations for protecting yourself

Contact for security incidents: [email protected]

You also have the right to report the breach to your data protection authority (see Right to Lodge a Complaint section).

Children’s Privacy

100 Reasons is intended for adults (18+).

We do not knowingly collect data from children under 16 (or under 13 in jurisdictions with lower age thresholds).

Our Policy

If we discover we’ve collected personal data from a child under 16:

  • We will delete the data within 7 days
  • We will notify the user (if contact information is available)
  • We will investigate how the collection occurred

Parental Rights

If you’re a parent and believe your child under 16 provided us with personal data:

Contact us immediately: [email protected]

Subject line: “Child Privacy Concern”

We will:

  1. Verify the relationship (may require proof of guardianship)
  2. Delete the child’s data within 7 days
  3. Confirm deletion via email

Age Verification

We rely on users to truthfully represent their age during signup. We do not actively verify ages beyond requiring users to confirm they are 18+.

Our service may contain links to third-party websites, services, or social media profiles.

We are not responsible for the privacy practices of these third parties.

Before providing personal information to any third-party website:

  1. Review their privacy policy
  2. Understand what data they collect
  3. Know your rights under their policy

Third-party sites we may link to:

  • Subcontractor privacy policies (linked in this document)

Our responsibility ends at the point you click a link and leave 100reasons.love or app.100reasons.love.

Changes to This Policy

We may update this Privacy Policy as we develop 100 Reasons and as legal requirements change.

How We’ll Notify You

For minor changes (typo fixes, clarifications, updated links):

  • Update “Last Updated” date at top
  • Increment minor version (e.g., 1.0 → 1.1)
  • No email notification

For major changes (new subcontractor, new data category, change in legal basis):

  • Update “Version” number (e.g., 1.0 → 2.0)
  • Update “Last Updated” and set future “Effective Date”
  • Email notification to all users at least 14 days before effective date
  • Add entry to Version History section

What Constitutes a Major Change

Examples of major changes requiring notification:

  • Adding a new third-party service
  • Collecting new categories of personal data
  • Changing retention periods significantly
  • Changing legal basis for processing
  • Introducing automated decision-making
  • Changing data transfer mechanisms

What Happens After Changes

Continued use of 100 Reasons after the effective date of changes means you accept the updated policy.

If you don’t agree with changes:

  • You can delete your account before the effective date
  • We will process your data under the old policy until your account is deleted
  • You have at least 14 days’ notice to make this decision (for major changes)

Accessing Previous Versions

All previous versions are available in the Version History section at the bottom of this page. Each version includes:

  • Effective date
  • Summary of changes
  • Link to full archived policy

Questions About Changes?

Contact us at [email protected] or [email protected] (data protection contact).

Contact Us

Questions, concerns, or data rights requests?

General Privacy Inquiries

Email: [email protected]

Response time: Within 7 business days (GDPR requires maximum 30 days)

Data Protection Contact

Name: Alexander Jansen

Email: [email protected]

Role: Data protection inquiries and GDPR rights requests

Subject Lines for Faster Processing

Use these subject lines for specific requests:

  • Data Access Request (Article 15)
  • Data Export Request (Article 20)
  • Delete My Data (Article 17)
  • Restrict Processing Request (Article 18)
  • Withdraw Consent (Article 7)
  • Privacy Policy Question (General)
  • Data Breach Report (Security incident)
  • Child Privacy Concern (Under-16 data)

Postal Address

doto one GmbH Buschingstrasse 55 81677 München Germany

Commercial Register: HRB 119227, Registergericht München

Supervisory Authority (If We Can’t Resolve Your Concern)

Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) Website: https://www.bfdi.bund.de/

EU/EEA: List of Data Protection Authorities

Thank you for trusting us with your data. We’re committed to protecting your privacy as we build 100 Reasons.

More than 100 reasons to love,

The 100 Reasons Team

Version History

We maintain a public record of all changes to this Privacy Policy.

Version 1.0 (Effective: February 2, 2026)

Initial Release:

  • Comprehensive privacy policy covering Website (100reasons.love) and App (app.100reasons.love)
  • GDPR Articles 13-14 compliant disclosures
  • Data Processing Agreements (DPAs) in place with all 6 subcontractors
  • Standard Contractual Clauses (SCCs) for international data transfers
  • Cookie consent implementation (TTDSG §25 compliant)
  • User data rights procedures documented

Questions about this policy? Contact us at [email protected]

Data protection contact: Alexander Jansen ([email protected])