The Privacy Policy of the First Aid Made Simple App

Introduction

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter referred to as “data”) we process, for what purposes, and to what extent within the scope of providing our First Aid Made Simple App.

The terms used are not gender-specific.

Status: April 26, 2026

Responsible Party

Gleea Educational Software GmbH
Hubert-Dammert-Str. 1
86836 Klosterlechfeld

Authorized representatives: Stefanie Graumann, Christian Brugger, Christoph Graumann, Andreas Voit.

Email address: [email protected].

Legal Notice: https://gleea.de/en/imprint.

Local legislation

Electronic Communications Law: For access to information stored on users’ devices (e.g. local storage, push tokens), the EU ePrivacy Directive 2002/58/EC and its national implementations apply. In Germany, this is implemented through the TDDDG (§ 25). In the United Kingdom, the equivalent rules are set out in the Privacy and Electronic Communications Regulations 2003 (PECR). In all other EU/EEA member states, the relevant national transposition of the ePrivacy Directive applies. Access to device storage is only permitted with prior informed consent (opt-in) or where technically strictly necessary to provide the requested service.

Simple Summary

The FIRST AID MADE SIMPLE app can be used entirely without registration and without a user account. You do not need to share any personal data with us to use the app.

When you first launch the app, you will be asked to acknowledge this privacy policy. This acknowledgment is stored locally on your device.

All your learning progress, earned stars, achievements, and settings are stored exclusively on your device and are not transmitted to us.

The following data is generated during app use:

  • Local device data: Learning progress, results, difficulty level, language setting, country setting, and purchases – stored exclusively on your device.
  • Anonymized usage statistics: We collect anonymized usage data to further develop the app. This data cannot be linked to your identity.
  • Server log files: When communicating with our backend (e.g., for in-app purchases or content retrieval), technical connection data (IP address, timestamp) is briefly logged.

Push Notifications

If you enable push notifications, we process your device token via Firebase Cloud Messaging (Google) to send you notifications. You can disable push notifications at any time in your device’s system settings.

In-App Purchases

When you purchase scenario packs, the purchase is processed through the Apple App Store or Google Play Store. We only receive confirmation of a successful purchase, but no payment data. Your purchase history is stored locally on your device.

Global High Score (Planned)

A future version will introduce an optional anonymous global high score. For this purpose, a random anonymous user ID will be automatically generated on first launch. You may optionally set a self-chosen alias (nickname) that will appear publicly in the high score. No real name or email address is required. We will announce this feature with a separate consent prompt before it becomes active.

Privacy Policy on First App Launch

When you first launch the app, this privacy policy will be presented for your acknowledgment. The app is only fully usable after acknowledgment. This acknowledgment is stored locally on your device and serves as confirmation that the privacy information has been provided (Art. 13 GDPR, § 25 TDDDG).

Target Audience and Minors

The app is intended for the general public, particularly individuals without medical training. Since no registration and no provision of personal data is required, there are no special risks for minor users. The app does not collect data that would allow identification of minors. For in-app purchases, the age verification mechanisms of the Apple App Store and Google Play Store apply.

App Permissions and Device Access

The app requires the following device permissions to provide its functions:

  • Push Notifications: To inform you about new scenarios and updates – only with your explicit consent (§ 25 para. 1 TDDDG).
  • Internet Access: For in-app purchases, content retrieval, and anonymized usage statistics (technically necessary, § 25 para. 2 TDDDG).
  • Device Storage (local app data): To store learning progress, settings, and scenarios for offline use (technically necessary, § 25 para. 2 TDDDG).
  • Device Region (country identifier): For automatic detection of the local emergency number (e.g., 911 for USA, 112 for Europe). This is handled via expo-localization without a separate permission request and does not constitute personal data within the meaning of the GDPR, as no location data is collected.

All other device access (camera, GPS location, microphone, contacts) is not used by this app.

Detailed Privacy Policy

Types of Processed Data

  • Meta/communication data (e.g., IP address, timestamp) – during backend communication.
  • Usage data (anonymized – e.g., access times, features used).
  • Device token for push notifications (only when push notifications are enabled).
  • Anonymous user ID and alias (only in V2, when opting into high score).
  • Purchase confirmations (in-app purchases, without payment data).

Categories of Affected Persons

  • App users (general public, no medical qualification required).

Purposes of Processing

  • Provision of app functions and content.
  • Technical operation and security of the infrastructure.
  • Anonymized usage analysis for app improvement.
  • Sending push notifications (only with consent).
  • Processing of in-app purchases.
  • Global anonymous high score (V2, only when opting in).

Storage Periods

  • Server log files / IP addresses: Maximum 7 days, then automatic deletion or anonymization.
  • Anonymized usage statistics: Indefinite, as no personal identification is possible.
  • Device token (push): For as long as push notifications are enabled; upon deactivation, the token is no longer used.
  • Pseudonymous user ID: For as long as the user participates in the high score; deletable upon request.
  • Local device data (learning progress, settings): Stored exclusively on the user’s device; deleted upon app uninstallation.

Automated Decision-Making and Profiling

We conduct no automated profiling with legal effect pursuant to Art. 22 GDPR. The calculation of scores and achievements takes place locally on the user’s device and serves exclusively to support gamified learning.

Below is an overview of the legal bases under the GDPR on which we process personal data:

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – for push notifications and the optional high score (V2).
  • Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – for processing in-app purchases.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – for technical operation of the infrastructure (server log files) and anonymized usage statistics.

National Data Protection Regulations in Germany: In addition to the GDPR, national regulations apply, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and state data protection laws.

Regulations for Digital Services (TDDDG): For access to users’ terminal equipment, the German Telecommunications and Digital Services Data Protection Act (TDDDG) applies. Access to terminal equipment is only permitted on the basis of informed consent (§ 25 para. 1 TDDDG) or – where technically strictly necessary – without consent (§ 25 para. 2 TDDDG). Details are described in the “App Permissions and Device Access” section.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements and considering the state of the art to ensure a level of protection appropriate to the risk (Art. 25 GDPR). All communication between the app and the backend server takes place exclusively over SSL/TLS-encrypted connections (https).

As the essential usage data is stored exclusively locally on the device, the risk of unauthorized data disclosure through a security incident on our side is structurally minimized.

Transfer of Personal Data

In the context of our processing, data may be transferred to the following categories of recipients: IT service providers (hosting, analytics), app store providers (for in-app purchases), push notification services. In such cases, we comply with legal requirements and conclude appropriate data processing agreements.

Data Processing in Third Countries

If we have data processed in a third country (outside the EU/EEA), this is done only in accordance with legal requirements, in particular on the basis of standard contractual clauses of the EU Commission (Art. 46 GDPR) or an adequacy decision (Art. 45 GDPR). Details on the services used are listed in the “Services Used and Service Providers” sections.

Provision of Online Offer and Web Hosting

For the operation of our backend infrastructure, we use Amazon Web Services. When communicating between the app and the server, technical connection data (IP address, timestamp, request type) is logged in server log files. Server log files are stored for a maximum of 7 days.

  • Processed data types: Usage data (access times, requests), meta/communication data (IP addresses, device information).
  • Affected persons: App users.
  • Purposes of processing: Technical operation, security, stability assurance.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

Push Notifications

If you enable push notifications, your device token is processed via Firebase Cloud Messaging (FCM) to send notifications to your device.

  • Processed data types: Device token, notification delivery metadata.
  • Affected persons: Users who have enabled push notifications.
  • Purposes of processing: Delivery of push notifications about app news and updates.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR, § 25 para. 1 TDDDG).
  • Objection possibility (Opt-Out): Push notifications can be disabled at any time in your device’s system settings under Settings → Notifications → First Aid Made Simple.

Used Services and Service Providers:

  • Firebase Cloud Messaging (FCM): Push notification service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy Policy: https://policies.google.com/privacy; Basis for third-country transfer: Standard contractual clauses of the EU Commission.

Anonymized Usage Analysis (Analytics)

We use an analytics service to collect anonymized usage statistics and to further develop the app. The data collected cannot be linked to your identity and is evaluated exclusively in aggregated form.

  • Processed data types: Anonymized event data (e.g., screens accessed, scenarios completed, features used), device category, operating system version – without direct personal identification.
  • Affected persons: App users (anonymized).
  • Purposes of processing: App improvement, error analysis, usage understanding.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Used Services and Service Providers:

In-App Purchases

When you purchase scenario packs, the purchase is processed entirely through the Apple App Store or Google Play Store. Gleea Educational Software GmbH only receives a purchase confirmation (transaction ID and package ID), but no payment data or payment methods. The management of your purchase history and payment processing is handled exclusively by Apple or Google in accordance with their privacy policies.

  • Processed data types: Transaction ID, package ID (stored locally on the device).
  • Affected persons: Users who make in-app purchases.
  • Purposes of processing: Unlocking purchased scenario packs.
  • Legal bases: Contract fulfillment (Art. 6 para. 1 sentence 1 lit. b GDPR).

Used Services and Service Providers (Payment Processing):

Optional Username

When the app is first launched, a random anonymous user ID (UUID) is automatically generated and stored locally. This ID enables pseudonymous participation in the high score. Users may optionally set a self-chosen alias (nickname) that is publicly visible in the high score. A link to an identity is only possible by the user themselves, as no name, email address, or other identifying information is collected.

Deletion of Data

Data we process on the server side is deleted in accordance with legal requirements once consents are revoked or the processing purpose ceases.

Data stored locally on your device (learning progress, settings, purchase history) is automatically deleted when the app is uninstalled. Gleea Educational Software GmbH has no access to this data and cannot delete it – this is entirely within your control.

Data deletion upon request: Should you wish to have server-side data deleted (e.g., high score entries), you can contact us at any time at [email protected]. Requests will be processed within 30 days.

Changes and Updates to the Privacy Policy

We kindly ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing we perform make it necessary. We inform you as soon as changes require a contribution from you (e.g., consent) or if an individual notification becomes necessary.

Rights of Data Subjects

As a data subject, you have the following rights under the GDPR, in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data which is based on Art. 6 para. 1 lit. e or f GDPR.
  • Right to withdraw consent: You have the right to revoke consents at any time (e.g., disable push notifications in your device settings).
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data in accordance with legal requirements.
  • Right to rectification: You have the right to request the correction of inaccurate data concerning you.
  • Right to deletion and restriction of processing: You have the right to request that data concerning you be deleted immediately or alternatively to request a restriction of data processing.
  • Right to data portability: You have the right to receive data concerning you in a structured, commonly used, and machine-readable format.
  • Complaint to supervisory authority: You have the right to lodge a complaint with a supervisory authority if you believe that the processing of data concerning you violates the GDPR.

Supervisory authority responsible for us:

Bavarian State Office for Data Protection Supervision
Postfach 1349
91504 Ansbach
Phone: 0981/180093-0
Email: [email protected]

Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).
  • Controller: The natural or legal person that alone or jointly with others determines the purposes and means of processing personal data (Art. 4 No. 7 GDPR).
  • Processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means (Art. 4 No. 2 GDPR).
  • Pseudonymization: The processing of personal data in such a manner that the data can no longer be attributed to a specific person without the use of additional information (Art. 4 No. 5 GDPR). This applies to the anonymous user ID in the high score (V2).