This Privacy Policy explains how Digital App Group GmbH ("Digital App Group", "we", "us", or "our") processes personal data when you use the ExBack service. ExBack is the public brand under which our mobile application is marketed; in the Apple App Store and Google Play Store the application is also distributed under the name NoContact (bundle identifier de.digitalappgroup.nocontact). This policy applies to the ExBack mobile app (iOS and Android), the website at exback.app, and any related communications.
What ExBack is and is not. ExBack is an entertainment and self-improvement product. It offers conversational prompts, daily challenges, journaling-style check-ins, and tips you can choose to follow. It is not a medical device, not a psychotherapeutic treatment, and not a substitute for professional mental-health care, legal advice, or relationship counselling. Nothing in the app should be interpreted as a clinical diagnosis or as guaranteed advice on how to behave in your relationship; outcomes depend entirely on your own choices.
We have written this policy in plain language wherever possible. If you only read one section, please read the summary directly below.
At a glance
- We are a German company (Digital App Group GmbH). We act as the controller for your personal data and you can reach us at digitalappgroupde@gmail.com.
- We collect what we need to run the service: your account details, the conversations you have with our AI coach, and the WhatsApp chat summaries you choose to upload. We do not sell your personal data and we do not use your private content to train public AI models.
- When you upload a WhatsApp chat export, the raw .txt or .zip file never leaves your device. The app parses it locally and only sends an anonymised summary plus a capped excerpt (sender names stripped) to our servers for analysis.
- Our AI coach is powered by Google Gemini 3 Flash. Conversations are processed under Google's API terms with no use of your content for model training.
- You can delete your account and all associated data from inside the app at any time, or by emailing us. You also have full access, rectification, and portability rights under the GDPR, the UK GDPR, and (for California residents) the CCPA/CPRA.
1. Who we are
Controller: Digital App Group GmbH
Registered address: Ferdinand-Koch Str. 31, 26133 Oldenburg, Germany
Register court: Amtsgericht Oldenburg · HRB 219130
VAT identification number (USt-IdNr.): DE358804170
Phone: +49 441 3793132
General contact: digitalappgroupde@gmail.com
Privacy enquiries: digitalappgroupde@gmail.com
We have not appointed a Data Protection Officer (DPO). We will appoint a DPO and update this section if our scale of processing or the categories of data we handle make this mandatory under Art. 37 GDPR or § 38 BDSG.
2. Scope and the names you may see
Throughout this policy "the app" means the mobile application you may know as ExBack or NoContact. "The website" means exback.app and its subdomains. Where a section applies to only one of these surfaces, we say so explicitly.
3. The personal data we process
The table below lists every category of personal data the app and the website handle, why we handle it, our legal basis under the GDPR, who receives it on our behalf, and how long we keep it. Specific sub-processors are described in section 10; international transfers in section 11; retention in section 12.
3.1 Account data
- What: your email address (always), your display name (optional), and the OAuth identifier returned by Apple Sign-In or Google Sign-In if you use those methods. Email-based sign-in uses a one-time code; we do not store passwords.
- Why: to create and authenticate your account.
- Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Recipients: Supabase (auth and database), RevenueCat (subscriber attributes), Apple, Google.
3.2 Device and technical data
- What: a randomly generated device identifier (UUID v4) we create on first launch, your device timezone and locale, your platform (iOS / Android), app version, and your push notification token (FCM on Android, APNs via Firebase on iOS).
- Why: to operate the service across sessions, deliver push notifications, prevent fraud and abuse, and adapt features to your timezone.
- Legal basis: performance of a contract for the identifier and platform data (Art. 6(1)(b) GDPR); consent for push notifications (Art. 6(1)(a) GDPR); legitimate interests in fraud prevention (Art. 6(1)(f) GDPR).
- Recipients: Supabase; Google (FCM) for push tokens.
3.3 Onboarding and program data
- What: the answers you give during onboarding (your situation, your goal, what you are struggling with, an optional first name, and a generated "chance score"), your current program day, your streak, and which daily challenges you have completed.
- Why: to tailor the program to your circumstances and to track your progress.
- Legal basis: performance of a contract (Art. 6(1)(b) GDPR). If your free-text answers include information that falls within Art. 9 GDPR (for example references to your health, sexual orientation, or religious beliefs), we process those parts on the basis of your explicit consent under Art. 9(2)(a) GDPR, given by your decision to type them into the app. You should not enter this kind of information unless you are comfortable having it processed by our service.
- Recipients: stored locally on your device in app preferences and synced to Supabase. Not shared with Google Gemini unless they appear inside a coach conversation you initiate.
3.4 AI coach conversations
- What: the messages you send to the AI coach and the coach's replies. These messages are stored so the coach can maintain conversation context across sessions.
- Why: to provide the core coaching feature.
- Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Recipients: Supabase (storage); Google LLC for the purpose of generating a single reply (see section 5).
3.5 WhatsApp chat upload
Because of how this feature works, we describe it in detail in section 4 below.
3.6 Purchases and credits
- What: the credit packages you buy, your current credit balance, billing-session ledger entries (one entry per paid AI conversation), and the email and display name we forward to RevenueCat as subscriber attributes.
- Why: to process purchases through the App Store and Google Play, validate receipts, restore purchases on a new device, and meter paid coaching sessions.
- Legal basis: performance of a contract (Art. 6(1)(b) GDPR); compliance with tax and accounting obligations (Art. 6(1)(c) GDPR, in conjunction with §§ 147 AO and 257 HGB) for retention of billing records.
- Recipients: RevenueCat, Apple (App Store) or Google (Google Play). We never see or store your payment card details.
3.7 Notifications and engagement
- What: the fact that a push notification was tapped, which notification it was, and when.
- Why: to navigate you to the relevant screen and to measure how useful our reminders are.
- Legal basis: consent for sending notifications (Art. 6(1)(a) GDPR); legitimate interests in measuring engagement (Art. 6(1)(f) GDPR).
- Recipients: Supabase.
3.8 Website data
- What: on exback.app we and our hosting provider record standard server log data (your truncated IP address, browser user-agent, timestamp, and the page requested) and, only with your consent, fire the Meta Pixel and Meta Conversions API to measure ad performance. Your consent state is stored in your browser's local storage under the key exback_consent.
- Why: to operate the website, prevent abuse, and measure the performance of our advertising.
- Legal basis: legitimate interests for the server logs (Art. 6(1)(f) GDPR); consent for the Meta Pixel and the Meta Conversions API (Art. 6(1)(a) GDPR and § 25(1) TDDDG, the German digital-services data protection act formerly known as TTDSG). You can withdraw consent at any time by clearing your browser storage for our site.
- Recipients: Meta Platforms Ireland Limited (and Meta Platforms, Inc. for the parts of the service hosted in the United States).
4. WhatsApp chat upload (the most important section)
The app lets you upload a WhatsApp chat export so the AI coach can understand the dynamic between you and the other person. Because chat exports contain personal data about a third party (the "ex" or other counterparty) who has not directly agreed to our privacy policy, we treat this feature with particular care.
4.1 What stays on your device
The raw .txt or .zip file you select with the file picker never leaves your device. Parsing, cleanup, and the calculation of statistics all happen locally on your phone before any network call is made.
4.2 What we send to our server
For a full chat analysis we send to our server:
- Aggregated statistics: total message count, the percentage of messages sent by each side, average characters per message, the median response time of each side, and the resulting response-time ratio.
- An anonymised excerpt: at most the 150 most recent messages, capped at 12 000 characters in total, and each message labelled only as "user" or "other" — the actual sender names are stripped before transmission.
- The first name (or alias) you entered for yourself in onboarding, and the name shown for the other person in the export, so that the analysis result can address you by name. You can edit or remove these names in the app.
For a follow-up analysis you may attach up to three screenshots. They are sent as base64-encoded image data to our server and from there forwarded to Google Gemini for vision analysis. They are processed only to generate the follow-up reply suggestion and are not retained beyond what is needed to complete that request and the standard log-retention window (see section 12).
4.3 The other person's data
You must inform the other person before you upload the chat. Their messages are personal data and they have not signed up to our service. By using the WhatsApp upload feature you confirm that you have already told the other person that you are sharing the chat with us for the purpose of an automated analysis, and that they have had the opportunity to object. This obligation is part of the terms on which we make the feature available to you; without it the feature would not exist.
On that basis we process the other person's data under Art. 6(1)(f) GDPR (legitimate interests) strictly to deliver the analysis you have asked for. Our balancing test concluded:
- You inform: the other person knows that the chat is being shared before any upload happens, which removes the surprise element that legitimate-interests balancing usually weighs against the controller.
- We minimise: sender names are stripped, only an anonymised excerpt (at most 150 messages, capped at 12 000 characters) is sent, no profile is built about the other person, and no data is enriched against external sources.
- We restrict purpose: the data is used only to generate your analysis. It is not used to train models, sold, shared with advertising networks, or made available to other users.
- We respect objections: if the other person contacts us at digitalappgroupde@gmail.com and asks us to delete material relating to them, we will do so to the extent we can identify and isolate it.
Sharing the contents of private communications can additionally be restricted by law in your jurisdiction — for example by §§ 201, 201a StGB in Germany, or, in the United States, by federal and state wiretap statutes such as Cal. Penal Code § 632. The notification we require above is not a substitute for any other consent or notice the law of your country may demand. If you are not certain that uploading is lawful in your situation, do not upload the chat.
4.4 Where the result is stored
The text of the analysis result (pattern name, tips, suggested reply, etc.) is cached on your device in the app's local preferences, keyed by the other person's display name. You can delete a single analysis from the app, or delete every analysis by deleting your account.
5. The AI coach, daily challenges, and tips
The core entertainment feature of ExBack is a written conversation with an AI coach, supplemented by daily check-ins, self-improvement challenges, and generic tips. The coach is software, not a person; its replies are generated automatically based on the message you send and the recent conversation context.
Conversations and chat-analysis output are generated by Google Gemini (currently the Gemini 3 Flash model family), operated by Google LLC, under our Google API agreement. Each turn we send Google the recent conversation context and any analysis results you have asked the coach to consider; Google returns a single generated reply that we relay back to your device. We may change the underlying model over time without further notice as Google releases new versions; the processor (Google LLC) and the legal terms of the relationship will not change without an update to this policy.
On the API tier we use, Google does not use your content to improve or train its general-purpose models. A copy of each request and response is held in Google's logs for a limited period (as described in Google's Gemini API terms) and is then deleted.
For entertainment and self-improvement only. The AI coach is not a therapist, not a licensed counsellor, and not a medical device. It cannot recognise or treat depression, anxiety, addiction, abuse, or any other clinical condition, and it cannot give legal advice. If you are in crisis, please contact a qualified professional or the emergency services in your country. In Germany you can reach the Telefonseelsorge at 0800 111 0 111 (free, 24/7); in the United States the 988 Suicide and Crisis Lifeline; in the United Kingdom the Samaritans at 116 123.
6. Payments and credits
All purchases happen through Apple's or Google's in-app billing. We use RevenueCat to validate receipts, restore purchases on new devices, and track your virtual-currency (credit) balance. We share your account email and display name with RevenueCat as subscriber attributes so that we can support you if a purchase fails.
We do not see, store, or process your payment card or bank details. Those are handled exclusively by Apple, Google, and their payment processors.
7. Push notifications
Push notifications are delivered through Firebase Cloud Messaging (FCM), operated by Google LLC. When you grant the system permission to receive notifications, your device is issued a push token that we store in our database and use to address notifications to you. You can revoke notification permission at any time in your device's operating-system settings, in which case we stop sending you notifications and your stored token becomes inactive.
8. Marketing and advertising
8.1 Website (exback.app)
With your consent, we use the Meta Pixel in your browser and the Meta Conversions API on the server side to measure how our advertising on Facebook and Instagram is performing. The pixel reports page views and standard events to Meta; the Conversions API additionally allows us to send hashed events directly from our server. No content from the app or your account is ever sent to Meta — only events from the public website.
The pixel and the Conversions API are gated by our cookie banner. We only fire either of them once you click "Accept". Your consent decision is stored in your browser's local storage as exback_consent and as the runtime flag window.__exback_consent. You can withdraw consent at any time by clearing your browser's storage for our site or by using any consent control we offer in the footer.
8.2 Mobile app
The mobile app currently contains no analytics, attribution, or advertising SDKs: Firebase Analytics is explicitly disabled, no Meta SDK is embedded, and no third-party crash-reporting tool is in use.
At launch we plan to integrate AppStack as a Mobile Measurement Partner (MMP) so that we can attribute new installs to the marketing campaigns that produced them. AppStack will receive install and event postbacks containing your truncated IP address, device model, operating system, locale, and an AppStack-issued device identifier.
- On iOS, attribution will rely primarily on Apple's SKAdNetwork. Your IDFA is requested only if you grant permission to the App Tracking Transparency (ATT) prompt; if you decline, no IDFA is shared.
- On Android, your Google Advertising ID is processed only with your consent, in line with Google Play's Data Safety requirements.
- Conversions are reported to Meta server-to-server through AppStack. We do not embed the Meta App Events SDK in the app itself.
We will update this section before AppStack is enabled in a public release. If this section still says "will" rather than "does", the SDK is not yet active in the version of the app on your device.
9. Sub-processors and third-party services
We use the following providers to operate the service. Each acts on our written instructions under a data processing agreement compliant with Art. 28 GDPR.
- Supabase — authentication, database, edge functions, realtime sync. Hosts our application data.
- Google LLC (Firebase Cloud Messaging) — delivery of push notifications.
- Google LLC (Gemini API) — generation of AI coach replies and chat-analysis output, including vision processing of follow-up screenshots.
- RevenueCat, Inc. — receipt validation, subscription state, and virtual-currency balance.
- Apple Inc. and Google LLC — App Store / Google Play distribution, in-app billing, and Sign-In with Apple / Google.
- AppStack — mobile attribution measurement (planned; see section 8.2).
- Meta Platforms Ireland Limited — advertising measurement on the website.
- Pravatar (i.pravatar.cc) — temporary placeholder avatar images for coach personas. Loading an avatar transmits your IP address to that CDN. We plan to replace these placeholders with self-hosted images and will remove this entry from the list when we do.
- Google Fonts — webfonts referenced by the app and downloaded on demand.
- Our hosting provider for exback.app — the website is served by an EU-based hosting provider which keeps standard server-access logs on our behalf. We will name the specific provider here once our deployment is final.
We will update this list when sub-processors change. We never sell personal data, and none of the providers above are authorised to use your personal data for their own purposes.
10. International transfers
Some of the providers above process data outside the European Economic Area — in particular Google LLC, RevenueCat, Apple, and Meta. Where personal data is transferred outside the EEA we rely on the European Commission's Standard Contractual Clauses (Module 2 / 3 as applicable), supplemented where necessary by additional technical and organisational safeguards (encryption in transit and at rest, access restrictions, audit logging). For the United States we additionally rely, where the recipient has certified, on the EU-U.S. Data Privacy Framework. You can request a copy of the relevant transfer mechanism by emailing digitalappgroupde@gmail.com.
11. How long we keep your data
We keep personal data only for as long as needed for the purpose for which it was collected, plus any period required by law:
- Account profile, onboarding answers, and program state: for the lifetime of your account. We may delete accounts that have been inactive for an extended period (no sign-in for at least 24 months); we will give you reasonable notice before doing so where we have your email address.
- AI coach chat history: for the lifetime of your account, unless you delete individual conversations or your account in the app.
- WhatsApp analysis results: for as long as you keep them in the app. Server-side, the anonymised statistical payload is processed by the analysis function and is retained only as long as our standard server logs (see below).
- Follow-up screenshots: sent through our server to Google Gemini for vision processing in a single request. They are not stored by us as a permanent record beyond the standard server-log retention period.
- Push notification tokens: until the token is rotated by the operating system, you disable notifications, or you sign out.
- Purchase records: for the period German tax and commercial law require us to keep them (currently 10 years pursuant to §§ 147 AO and 257 HGB).
- Server access logs: retained for security and abuse-prevention purposes for up to 90 days, after which they are purged.
12. Security
We protect your data with industry-standard measures: TLS for all traffic between your device and our servers, encryption at rest on our databases, row-level security so that one user account cannot read another's data, and access controls limited to staff who need them for support and operations. We do not store passwords because we do not use them — authentication is by one-time email code or OAuth via Apple or Google. If we ever experience a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours pursuant to Art. 33 GDPR and inform you without undue delay where required by Art. 34 GDPR.
13. Your rights
13.1 EU and EEA residents (GDPR)
You have the right to: access the personal data we hold about you (Art. 15), have it corrected (Art. 16), have it deleted (Art. 17), restrict our processing of it (Art. 18), receive it in a portable format (Art. 20), object to processing based on legitimate interests (Art. 21), and withdraw any consent you have given without retroactive effect (Art. 7(3)). To exercise any of these rights, contact us at digitalappgroupde@gmail.com. You can delete your account and all associated personal data directly from the app's settings without contacting us.
If you believe our processing of your personal data infringes the GDPR you may lodge a complaint with a supervisory authority, in particular the data protection authority for Lower Saxony, where Digital App Group GmbH is registered — Die Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover, Germany, lfd.niedersachsen.de — or with the supervisory authority of your habitual residence or place of work.
13.2 United Kingdom residents (UK GDPR)
Your rights under the UK GDPR mirror those above. The competent supervisory authority is the Information Commissioner's Office (ICO), ico.org.uk.
13.3 California residents (CCPA / CPRA)
If you are a California resident, you additionally have the right to:
- Know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with which we share it. The inventory in section 3 of this policy contains that information.
- Delete your personal information, subject to the legal exceptions in CCPA § 1798.105(d).
- Correct inaccurate personal information.
- Opt out of sale or sharing. We do not sell your personal information for money. However, the use of the Meta Pixel and the Meta Conversions API on our website may qualify as "sharing" for cross-context behavioural advertising under the CPRA. You can opt out by clicking "Decline" in the cookie banner on our website, by clearing your browser storage for our site at any later time, or by emailing digitalappgroupde@gmail.com. We are working on adding automatic recognition of the Global Privacy Control (GPC) browser signal; until that is in place you should treat the cookie banner as the authoritative opt-out mechanism.
- Limit the use of sensitive personal information. The contents of WhatsApp chat excerpts you upload may qualify as sensitive personal information under CCPA § 1798.140(ae) because we are not the original intended recipient of those messages. We process such excerpts only to provide the analysis you asked for and never to infer characteristics about you for advertising or for sale. Messages you send to the AI coach are addressed to our service, so we are the intended recipient and they generally do not fall within the "contents of communications" sub-category of sensitive personal information.
- Non-discrimination. We will not deny you service or charge you a different price for exercising any of these rights.
You may use an authorised agent to make a request on your behalf; we will require reasonable proof of authorisation before responding.
14. Children
ExBack is intended exclusively for adults aged 18 and over. We do not target our advertising at minors, we do not knowingly direct the service at anyone under 18, and we do not knowingly collect personal data from anyone under 18. If you become aware that a person under 18 has created an account, please contact us at digitalappgroupde@gmail.com and we will delete the account and any associated data without delay.
15. Changes to this policy
We will update this policy when our processing changes or when the law requires us to. The date at the top of the page indicates the most recent version. If a change is material we will additionally notify you in the app or by email before it takes effect.
16. Contact
Privacy enquiries: digitalappgroupde@gmail.com
General contact: digitalappgroupde@gmail.com
Postal address: Digital App Group GmbH, Ferdinand-Koch Str. 31, 26133 Oldenburg, Germany
A German-language version of this policy is available at /privacy/de. In case of conflict between language versions, the English version prevails.