Privacy Policy
Last updated: 27 April 2026
English: This policy covers all apps operated by Ahorn Software Solutions. A Dutch summary accompanies each section in italics.
Dutch summary: This privacy policy applies to all apps operated by Ahorn Software Solutions. A Dutch summary appears in italics below each section.
- 1. Who we are (data controller)
- 2. How login works across all apps
- 3. What we collect globally (across all apps)
- 4. Payment data
- 5. How we store your data
- 6. Retention
- 7. Your rights (GDPR)
- 8. Right to lodge a complaint
- 9. Automated decision-making
- 10. International data transfers
- 11. Cookies
- 12. Third parties
- 13. Changes to this policy
- App: Jubilee
- App: My Media
- App: LoveJudge
- App: Party Vibe
- App: Cosmic Twins
- App: Ahorn Auth
- App: Stok'd
1. Who we are (data controller)
The data controller for all apps listed below is:
- Bram van der Horn — private individual, resident in the Netherlands, trading informally as Ahorn Software Solutions.
- Contact: info@ahorn.app
This policy covers these apps:
- Jubilee — jubilee.ahorn.app (also distributed as an Android app)
- My Media — mymedia.ahorn.app
- LoveJudge — lovejudge.ahorn.app
- Party Vibe — partyvibe.ahorn.app
- Cosmic Twins — cosmictwins.ahorn.app
- Ahorn Auth — auth.ahorn.app (shared login for the apps above)
- Stok'd — stokd.ahorn.app (also distributed as a mobile app)
Dutch summary: The data controller for all apps below is Ahorn Software Solutions (see above for the identity of the natural person behind the service). Contact: info@ahorn.app.
2. How login works across all apps
Every app in the list above that has accounts uses our shared login service at auth.ahorn.app (Ahorn Auth). There are three login paths:
- Email + password — you sign up with your email address and a password. Passwords are stored only in hashed form using a one-way function; we never see, log, or store your plaintext password.
- Google Sign-In — you authenticate via Google. We receive your email address and a Google account identifier — nothing else (no password, no contact list, no profile picture unless Google surfaces one through the standard sign-in scope). If the same email already has a password account, the two are linked automatically.
- Anonymous mode (only in apps that offer it, such as Jubilee) — you use the app without logging in. No email, no server account, no cross-device sync. Your data lives only in your browser's local storage on that single device.
If you log in via either of the first two paths, an email address IS stored on our side — it is not optional. Only anonymous-mode users have no server-side email.
Dutch summary: All apps with accounts use the shared login service auth.ahorn.app. Three options: email + password (stored only as a hash, never in readable form), Google Sign-In (we receive your email + Google ID), or anonymous (only in apps that support it, such as Jubilee; everything stays local in your browser, no email, no sync).
3. What we collect globally (across all apps)
For each logged-in user we store, centrally, only what is needed to operate accounts and login:
- Your email address.
- Account-level metadata needed to operate the service (which login method you use, your access status for each app, and operator-side flags such as account suspension).
- A password hash if you signed up with email + password.
- Session credentials that keep you logged in.
We do not collect: real names, profile pictures, phone numbers, contact lists, calendar data, device identifiers (IMEI, advertising ID), location, or any data you did not explicitly enter. A display name is only stored if a specific app has a field for it and you chose to fill it in.
Exception — Stok'd: Stok'd is currently a peer-to-peer relay that stores nothing persistently and does not require an email to use; see the per-app section below for the full picture.
Each app also stores its own app-specific content — see the per-app sections below for what.
We run no third-party tracking, advertising, behavioural analytics, or fingerprinting inside the apps. The landing page at ahorn.app uses Google Analytics (GA4) for aggregate traffic metrics; the apps themselves do not.
Minimal technical logs (IP address, user agent, HTTP status) are kept for up to 30 days for debugging and abuse prevention.
Dutch summary: Centrally, for each logged-in user we store: email, account metadata needed to run the service (login method, access status per app, any suspension flags), a password hash (if applicable) and session data. No names, photos, phone numbers, contacts or location. Technical logs are kept for 30 days. No tracking or advertising in the apps.
4. Payment data
Some apps (currently Jubilee) sell a one-time paid unlock. For each payment we record a single bookkeeping entry containing:
- The payment channel (e.g. Ko-fi, Tikkie, Google Play, or a free comp from the operator).
- The external transaction reference from the provider, so we can reconcile with their records.
- The amount, currency, and timestamp of the payment.
- A contact email for the payment when the provider forwards one (e.g. Ko-fi includes the buyer's checkout email so we can match it to your account).
- Optional notes (e.g. why a free comp was issued).
We do not see or store: card numbers, CVV codes, full billing addresses, PayPal account details, or bank account numbers. Those stay with the payment provider.
Payment channels currently in use:
- Ko-fi — web purchases. Ko-fi captures the checkout email and forwards the transaction to us.
- Tikkie — Dutch peer-to-peer payment. The buyer pays the operator directly and emails info@ahorn.app with proof and the account email; the operator records the transaction manually.
- Google Play Billing — Android in-app purchases (coming when the native Android build of Jubilee ships). Google acts as merchant of record for EU sales; we receive only the purchase confirmation + order ID.
- Operator comp — no external payment, used when the operator gives a free unlock (bug-fix apology, beta tester, family).
Dutch summary: Payments (currently Jubilee only) are recorded as bookkeeping entries: channel, external transaction reference, amount, date and, if the provider passes it on, the associated email address. No card numbers, no bank accounts, no full addresses; those stay with the payment provider.
5. How we store your data
All personal data is stored on infrastructure located in the European Union. Connections to the apps are encrypted in transit with HTTPS. Backups are taken daily and kept for a short rolling window for disaster recovery.
Data is protected at rest using infrastructure-level encryption, and industry-standard cryptography is applied to sensitive fields such as account passwords and integration credentials.
Dutch summary: All personal data is stored on infrastructure in the European Union. Connections use HTTPS. Daily backups, kept briefly. Data is protected by infrastructure-level encryption and common cryptographic standards for sensitive fields such as passwords and integration keys.
6. Retention
Your data is kept until you delete it yourself (via in-app controls) or request deletion by email. Technical logs are rotated out after 30 days. If you delete your account, all associated rows are removed within 30 days; backup snapshots age out within the same window.
Exception: payment transaction records are retained for 7 years, even after you delete your account. This is a Dutch legal retention requirement for accounting records (Art. 52 Algemene Wet inzake Rijksbelastingen / AWR). The retained record contains only the bookkeeping fields listed in section 4 — no app content.
Dutch summary: We keep your data until you delete it yourself or email us. Logs: 30 days. Exception: payment transactions are kept for 7 years (statutory retention obligation, Art. 52 AWR).
7. Your rights (GDPR)
Under the GDPR (Art. 15-22) you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten"), subject to the 7-year payment-record retention exception above.
- Portability — request a machine-readable export of your data. Most apps have an in-app Settings → Export button that returns JSON.
- Object or restrict processing — limit how we use your data.
To exercise any of these rights, email info@ahorn.app or use the in-app Settings page where available. We respond within 30 days. Providing your email and (where applicable) password is required to create an account; without them you can only use apps that offer anonymous mode.
Dutch summary: Under the GDPR (AVG) you have the right of access, rectification, erasure, data portability and objection. Email info@ahorn.app or use Settings in the app. Payments are retained for 7 years (statutory). Providing your email (and, where applicable, password) is required to create an account; without them you can only use apps with anonymous mode.
8. Right to lodge a complaint
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with a data-protection supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens:
- Website: autoriteitpersoonsgegevens.nl
If you are resident in another EU/EEA member state, you may also complain to the supervisory authority in your own country.
Dutch summary: Complaints about how we handle your personal data can be lodged with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). Residents of another EU/EEA country can also turn to their own supervisory authority.
9. Automated decision-making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. Some apps generate AI-based content (e.g. LoveJudge analyses, Stok'd entertainment results), but these outputs are informational only — they do not determine access, pricing, eligibility, or any other decision affecting you.
Dutch summary: We do not carry out automated decision-making or profiling with legal or similarly significant effects on you. Some apps generate AI content (e.g. LoveJudge, Stok'd), but that output is purely informational and does not determine access, price or any other decision.
10. International data transfers
Personal data is stored on infrastructure in the European Union. Some third-party services we rely on (in particular Google, used for Google Sign-In and — for the Android app — Google Play Billing) may process limited data outside the EU/EEA. Where such transfers occur, they take place on the basis of an EU adequacy decision and/or the European Commission's Standard Contractual Clauses, as published by those providers in their respective data-processing terms.
We do not transfer personal data to any third country on our own initiative.
Dutch summary: Personal data is stored on infrastructure in the EU. Some third parties we depend on (mainly Google, for Google Sign-In and, for the Android app, Google Play Billing) may process limited data outside the EU/EEA. This takes place on the basis of an EU adequacy decision and/or the European Commission's Standard Contractual Clauses, as published by those providers. We ourselves do not transfer personal data to third countries on our own initiative.
12. Third parties
We use these categories of third parties to deliver the service. Each receives only the minimum needed for its function.
- EU-based infrastructure providers — hosting, DNS, and email delivery for our domains. Located within the European Union under standard subprocessor terms.
- Google LLC / Google Ireland Limited — Google Sign-In (OAuth) and, for native Android apps, Google Play Billing. Google acts as merchant of record for EU Play sales; we receive a purchase confirmation + order ID, no card details.
- Ko-fi — web payment processor for paid unlocks. Captures the buyer's email at checkout and forwards the transaction to us.
- Tikkie / ABN AMRO — peer-to-peer payment mechanism for Dutch users. We have no API integration; the buyer pays the operator directly and emails proof.
- App-specific external APIs — individual apps call third-party content APIs (e.g. for movie / book / videogame metadata, music embeds, speech-to-text and AI analysis). These calls are made server-side with no personally-identifying information attached; see the per-app sections.
We do not sell, rent, or share personal data with advertisers, data brokers, or unrelated third parties.
Dutch summary: Third parties: EU infrastructure providers (hosting, DNS, email delivery), Google (Sign-In + Play Billing), Ko-fi (web payments, receives your email at checkout), Tikkie/ABN AMRO (peer-to-peer, no API integration) and, per app, a few external content APIs. No sale of data.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Earlier versions are available on request via info@ahorn.app.
Dutch summary: We may update this privacy policy from time to time. The "Last updated" date at the top reflects the most recent version. Earlier versions are available on request via info@ahorn.app.
Per-app data collection
Each section below lists the categories of data the named app collects, beyond what is described in sections 1-13 above.
App Jubilee
jubilee.ahorn.app and the Android app. Jubilee is a personal milestone tracker for anniversaries and important dates.
What we store when you are logged in (via email+password or Google Sign-In):
- The dates you enter and any labels, categories, tags, or notes you assign to them.
- Your in-app settings (language preference, notifications, theme, milestone visibility).
- Your email address (only when logged in — see section 2).
- If you purchased the one-time unlock: the bookkeeping entry described in section 4.
Anonymous mode: if you use Jubilee without logging in, nothing is stored on our servers. No email, no account, no cross-device sync — your data lives in your browser's local storage on that single device only. There is no anonymous device identifier.
What we do NOT collect: real names, profile pictures, location, photos, contacts, calendar access, device identifiers (IMEI, advertising ID), microphone, camera.
Export: Settings → Export returns all your dates and settings as JSON at any time (works both logged in and anonymous).
Dutch summary: Logged in (email + password or Google): we store your dates (with labels, categories, tags, notes), settings and email, plus a bookkeeping entry if you made a purchase. Anonymous: everything stays in your browser, nothing on our server, no device ID, no sync. No names, photos, location or contacts.
App My Media
mymedia.ahorn.app. Personal library for tracking movies, series, books, music, videogames, and saved websites.
What we store:
- Your email address (only when logged in — login is via email+password or Google Sign-In).
- The media items you add and any personal ratings, status (e.g. watchlist / watched / reading / read), tags, notes, and custom titles you attach to them.
- Your in-app preferences (e.g. which media types are enabled).
- Payment bookkeeping entries if a paid tier ever launches (none currently).
My Media calls third-party content APIs to fetch metadata about the items you add. These calls are made server-side and do not carry your identity.
Dutch summary: My Media stores your email, media library (titles, ratings, tags, status, notes) and preferences. Login via email + password or Google Sign-In. Metadata comes from external APIs without your identity being sent along.
App LoveJudge
lovejudge.ahorn.app. AI-powered weekly check-in for couples.
What we store:
- Your email address (required; accounts are admin-approved before first use).
- Your audio recordings of the weekly conversation, temporarily, until transcription completes (or permanently if you enable "keep recordings" in Settings).
- The transcript and AI analysis / feedback of each session.
- Session metadata (timestamps, tags, notes).
Audio is sent to third-party speech-to-text and AI providers for processing. Their contracts forbid using your data for model training. Raw audio is deleted after the transcript is ready unless you have enabled keep-recordings.
Dutch summary: LoveJudge stores email, (temporary) recordings, transcripts and AI analyses. Audio is processed by external speech and AI providers and then deleted, unless you turn on "keep recordings".
App Party Vibe
partyvibe.ahorn.app. Real-time playlist voting for parties.
What we store:
- Host email address (required for the host; accounts are admin-approved).
- Party data — party name, song list, votes, timestamps.
- Voter session identifiers — ephemeral, anonymous, not tied to any account.
Voters do not log in and no voter email is collected. Music metadata is fetched from public streaming-platform embed APIs — no credentials or personal identifiers are sent.
Dutch summary: Party Vibe: the host is logged in (email required), voters are anonymous (temporary session ID, no email). Party data and votes are stored.
App Cosmic Twins
cosmictwins.ahorn.app. Connect with people who share your exact birth date.
What we store:
- Your email address (required).
- Your date of birth and the date of birth of any comparison subject you enter.
- Optional profile fields (display name, short bio) if you choose to fill them in.
No third-party API beyond Ahorn Auth.
Dutch summary: Cosmic Twins stores email, date of birth (yours and that of any comparison subject) and optional profile fields.
App Ahorn Auth
auth.ahorn.app and admin.ahorn.app. The central account service used by every app above.
What we store:
- Your email address.
- Account-level metadata needed to operate the service (which login method you use, your access status for each app, and operator-side flags such as account suspension).
- A password hash if you use email + password login.
- A Google account identifier if you linked Google Sign-In.
- Payment bookkeeping entries for any app you paid in (see section 4).
- Session credentials that keep you logged in.
The auth service never sees your app content (dates, media entries, transcripts, etc.) — it only issues login tokens that each app verifies. Deleting your Ahorn Auth account removes your login path across every app at once.
Dutch summary: Ahorn Auth is the central account service. It stores: email, account metadata (login method, access status per app, any suspension flags), password hash, Google ID, payment transactions and session data. It never sees your app content. Deleting it means being logged out of all apps at once.
App Stok'd
stokd.ahorn.app. Dating compatibility entertainment app (also distributed as a mobile app).
What we store today:
What we may store if you opt into a future paid feature:
What we never store:
Anonymous mode: by default Stok'd does not require login. Stop using the app and there is nothing left on our servers.
Results are for entertainment only and have no predictive validity. Do not enter real third-party names without their consent.
Dutch summary: Today Stok'd stores nothing persistently: it is a peer-to-peer relay between phones, and session state (ephemeral device IDs + routing tokens) lives only in server memory while two phones are connected. If you later enable a paid feature, we store only: your email address (login + unlock linking), one bookkeeping entry per one-time purchase, and a count of your completed matches for the unlock entitlement (not visible to others). What we never store: names, photos, conversations, location, contacts; AI analyses are computed on the device or in real time and then discarded. By default Stok'd is anonymous: stop using it and nothing remains on our servers.