Privacy Policy

Last updated: May 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

moabeach labs
Boris Lenhof
Blumenstr. 15 B
66636 Tholey
Germany
Email: legal@moabeach.com

2. Overview

yooya is a private photo and video platform for closed groups. Access is exclusively by personal invitation from an existing group member; public registration is not possible. This policy describes what personal data we process when operating the app and website, the legal basis for doing so, and the rights available to you.

3. Data processed and purposes

3.1 User account

When you accept an invitation the following data is stored:

• Email address (for identification and system messages)
• Username (freely chosen, visible to other group members)
• Password (stored as a bcrypt hash; your plaintext password never leaves your device unencrypted)
• Language preference and preferred colour scheme (light / dark / system)
• Timestamp of last sign-in

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

3.2 Group profile

Within a group you may optionally provide:

• Profile picture (avatar, cropped square)
• Short description and personal introduction

This information is visible only to other members of the same group. It is stored per group and can differ independently across groups.

Legal basis: Art. 6(1)(b) GDPR.

3.3 Photos and videos

Photos and videos you upload to a group are stored on our servers. We process:

• The media file itself (potentially in multiple quality levels and formats for optimal display)
• Optional caption
• Optional location tag (if provided by you or derived from image metadata, after explicit consent)
• Date and time of upload

Photos and videos are accessible only to members of the respective group. You can delete your own content at any time. Content is removed from our servers immediately upon deletion.

Legal basis: Art. 6(1)(b) GDPR.

3.4 Interactions (comments and likes)

Comments and likes are associated with your account and visible to all members of the respective group. You can delete your own comments at any time.

Legal basis: Art. 6(1)(b) GDPR.

3.5 Push notifications

If you enable push notifications, a cryptographic subscription token (Web Push Subscription) is stored on our servers. This token is used solely to send you notifications about activity in your group (e.g. new photos, comments, likes). The token contains no personal information and is deleted as soon as you disable notifications in the app settings.

Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time in the app settings; this does not affect the lawfulness of processing prior to withdrawal.

3.6 Invitations and emails

When a group member invites you, your email address is stored to deliver the invitation and enable account creation. During normal use we send system emails (e.g. verification links when changing your email address). We do not send marketing emails.

Legal basis: Art. 6(1)(b) GDPR.

3.7 Server logs

Each request to our servers is automatically logged with the following data:

• IP address of the requesting device (anonymised after a short retention period)
• Date and time of the request
• Page accessed (URL) and HTTP method
• HTTP status code
• Data volume transferred
• Browser and operating system (user-agent)
• Referrer URL (previously visited page)

These data are used solely to ensure technical operation, diagnose errors, and detect abuse. They are not combined with other datasets. Log files are automatically deleted after 7 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation of the service).

3.8 Venue maps (OpenStreetMap)

When a group member adds a map to a venue, a map from OpenStreetMap is embedded directly in the app. Your browser establishes a direct connection to the servers of the OpenStreetMap Foundation (OSMF), St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. Your IP address may be transmitted to the OSMF in this process.

The OSMF operates OpenStreetMap as a non-profit project; to our knowledge the OSMF does not use this data for advertising or profiling purposes. For more information see the OSMF privacy policy: osmfoundation.org/wiki/Privacy_Policy

Legal basis: Art. 6(1)(b) GDPR (provision of the agreed functionality).

---

4. Authentication and session management

After signing in you receive a JSON Web Token (JWT) stored locally in your browser (localStorage). This token is sent with each request to our API to authenticate your session. No persistent login cookies are set.

5. Hosting and international transfers

This website and the app are operated on a server run by moabeach labs, using infrastructure provided by netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany. All processing and storage of server data takes place exclusively in Germany. No transfer of personal data to third countries takes place.

For sending system emails we use our own mail server, also operated by moabeach labs.

6. Disclosure to third parties

Personal data is not disclosed to third parties unless we are legally required to do so or you have given explicit consent. Processors (hosting provider, email service provider) are contractually bound to comply with the GDPR and may use the data only to provide their service.

7. Retention and deletion

• Account data: Until deletion of the account by the user or the operator.
• Group profiles and content: Until deleted by the user or the group.
• Push subscriptions: Until notifications are disabled in the app.
• Invitation data: Until acceptance, rejection, or expiry of the invitation.
• Server logs: 7 days after creation.

Statutory retention obligations remain unaffected.

8. Your rights under the GDPR

You have the following rights against the controller:

• Access (Art. 15 GDPR): You may request information about the data we process about you.
• Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
• Erasure (Art. 17 GDPR): You may request deletion of your data, unless a statutory retention obligation applies.
• Restriction of processing (Art. 18 GDPR): You may request restriction of processing under certain conditions.
• Data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, machine-readable format.
• Objection (Art. 21 GDPR): You may object at any time to processing based on our legitimate interest.
• Withdrawal of consent (Art. 7(3) GDPR): Where processing is based on your consent (e.g. push notifications), you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise your rights, please contact: legal@moabeach.com

9. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is generally that of your place of residence or the place of the alleged infringement.

The supervisory authority competent for the controller is:
Unabhängiges Datenschutzzentrum Saarland
Fritz-Dobisch-Straße 12, 66111 Saarbrücken, Germany
www.datenschutz.saarland.de

10. Changes to this policy

We reserve the right to update this privacy policy if the legal framework or the technical implementation of the service changes. The current version is always available on this page. Registered users will be notified by email of any material changes.