Privacy Policy | PeppermintBytes

1. Scope

This privacy policy applies to:

the website peppermintbytes.com
all iOS apps developed and published by PeppermintBytes (currently: CoreFiles, Work2Rule, My§34aApp, plus all future apps under the PeppermintBytes label)

Each app is described in a dedicated section (Part B) where app-specific processing applies. The general section (Part A) applies to the website and to all apps where relevant.

Part A - General (Website & Cross-App)

2. Controller

Controller within the meaning of the GDPR:

Daniel Rosier
PeppermintBytes
c/o IP-Management #9686
Ludwig-Erhard-Str. 18
20459 Hamburg
Germany

Phone: +49 511 8076 2010
Email: privacy@peppermintbytes.com
Website: peppermintbytes.com

3. Legal Bases

Depending on the processing activity, we rely on the following legal bases under the GDPR:

Art. 6(1)(a) GDPR - consent
Art. 6(1)(b) GDPR - contract or pre-contractual measures
Art. 6(1)(c) GDPR - legal obligation
Art. 6(1)(f) GDPR - legitimate interests

The applicable legal basis is indicated for each processing activity.

4. Hosting & Server Logs

Our website is hosted by netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany. On each page request, the web server automatically stores server logs including:

anonymized IP address
date and time of access
requested URL
referrer URL
browser type and operating system

Legal basis: Art. 6(1)(f) GDPR. Logs are automatically deleted after 7-30 days. A data processing agreement pursuant to Art. 28 GDPR is in place with netcup.

5. Cookies

Our website uses cookies. Technically necessary cookies are set based on Art. 6(1)(f) GDPR. Analytics cookies (e.g. Matomo) are used only with your consent (Art. 6(1)(a) GDPR). You can adjust cookie settings at any time in your browser or via our cookie controls.

6. Web Analytics with Matomo

We use Matomo (Open Source) for website usage statistics. Matomo is self-hosted on our servers at netcup in Germany. No data is shared with third parties.

Matomo processes, among other things: anonymized IP addresses, visited pages, dwell time, referrer, browser/OS and country. Legal basis: Art. 6(1)(f) GDPR (or Art. 6(1)(a) GDPR where cookie consent applies).

Opt-out: enable Do-Not-Track in your browser or use the Matomo opt-out option on our website.

7. Social Network Links

Our website contains simple links (no embedded plugins) to:

Instagram - Meta Platforms Ireland Limited, Dublin 2, Ireland
LinkedIn - LinkedIn Ireland Unlimited Company, Dublin 2, Ireland
Reddit - Reddit Inc., San Francisco, CA, USA
Bluesky - Bluesky PBLLC, USA
Mastodon - decentralized network (the respective instance operator is responsible)

When you click one of these links, you leave our website and the privacy policy of the respective provider applies. No automatic transfer takes place merely by visiting our site.

8. Link to Apple App Store

Our website contains links to the Apple App Store. When opening these links, Apple Inc. (One Apple Park Way, Cupertino, CA 95014, USA) may process personal data. We have no influence on this. Apple privacy information:

apple.com/privacy

9. In-App Purchases & Apple StoreKit

Some apps offer paid features or subscriptions via the Apple App Store (in-app purchases). Payment processing is handled exclusively by Apple via StoreKit. We do not receive payment data such as credit card numbers.

Apple may process personal data in the purchase flow (e.g. Apple ID, purchase history). Please refer to Apple's privacy policy and App Store terms. We only store anonymized purchase status locally on the device to unlock features.

Legal basis: Art. 6(1)(b) GDPR.

10. Your Rights

You have the right to:

access (Art. 15 GDPR)
rectification (Art. 16 GDPR)
erasure (Art. 17 GDPR)
restriction of processing (Art. 18 GDPR)
data portability (Art. 20 GDPR)
objection (Art. 21 GDPR)
withdraw consent (Art. 7(3) GDPR)

To exercise your rights, contact: privacy@peppermintbytes.com

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. Our competent authority is:

Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany
Phone: +49 40 42854-4040
www.datenschutz-hamburg.de

12. Data Deletion and Retention

Personal data is deleted or blocked as soon as the purpose for storage no longer applies, unless statutory retention obligations require longer storage.

Part B - App-Specific Privacy Notices

This section describes data-protection specifics for each PeppermintBytes app. New apps will be added here. Part A applies in addition to all apps.

CoreFiles

Overview

CoreFiles is a local file manager for iOS. By default, the app processes files exclusively on your device.

Optional connections to external storage and cloud services enable access to third-party systems you select. All connections are voluntary and are activated only through your active setup in the app settings.

Locally processed data (without external connection)

Managed files and folder structures on the device
App settings and configurations
Favorites, connection profiles, and scan shortcuts
Connection credentials (e.g. tokens, app passwords) stored exclusively in iOS Keychain
Local encrypted data backups (including .cfbak, AES-256-GCM), stored only locally or in locations selected by you

No data from this local processing is transferred to our servers. We have no access to your files.

Optional feature: AI-supported filename suggestions during scanning

CoreFiles can generate filename suggestions while scanning based on recognized content, dates, or document types.

Processing primarily uses system capabilities available on the device. The exact processing available depends on iOS version, device support, and, where applicable, enabled Apple Intelligence features.

We do not receive file contents from your scans. You can edit every suggested filename at any time or enter a fully manual name.

Optional cloud/external connections – overview

CoreFiles supports, among others, the following optional connections:

Microsoft SharePoint / OneDrive (via Microsoft Graph API) – OAuth 2.0
Google Drive (Google Drive API) – OAuth 2.0
Dropbox (Dropbox API v2) – OAuth 2.0
Nextcloud – Login Flow v2, then WebDAV (app password/basic auth)
pCloud (pCloud API) – OAuth 2.0
Additional WebDAV services (e.g. MagentaCLOUD) via WebDAV credentials

For all external connections, the following applies: we do not receive, store, or process cloud file contents. Connections are established directly between your device and the respective provider. Credentials (tokens/passwords) are stored exclusively in iOS Keychain. Each connection can be removed at any time in app settings, and credentials can be deleted.

OAuth 2.0 services

With OAuth 2.0 services, you do not provide your password directly to CoreFiles.

You authorize CoreFiles through the provider's login dialog. The app receives access tokens, which are stored locally in iOS Keychain.

Microsoft SharePoint / OneDrive (Microsoft Graph)

Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA

When connected, the following is transmitted directly to Microsoft:

Authentication data (OAuth token via Microsoft Identity Platform)
File operations (read/write/delete) within SharePoint/OneDrive resources connected by you
Technical connection data (e.g. IP address, timestamps)

Legal basis: Art. 6(1)(b) and Art. 6(1)(a) GDPR

Microsoft privacy information: privacy.microsoft.com/en-us/privacystatement

Google Drive

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for users in the EU)

When connected, the following is transmitted directly to Google:

Authentication data (OAuth token via Google Identity Services)
File operations within Google Drive areas shared/linked by you
Technical connection data (e.g. IP address, timestamps)

CoreFiles uses Google Drive permissions within the scope of drive.file (picker-based access), i.e. no blanket full access to the entire Drive account.

Legal basis: Art. 6(1)(b) and Art. 6(1)(a) GDPR

Google privacy information: policies.google.com/privacy?hl=en

Dropbox

Provider: Dropbox International Unlimited Company, One Park Place, Dublin 2, Ireland (for users in the EU)

When connected, the following is transmitted directly to Dropbox:

Authentication data (OAuth token)
File operations (read/write/delete) within your Dropbox storage
Technical connection data (e.g. IP address, timestamps)

Legal basis: Art. 6(1)(b) and Art. 6(1)(a) GDPR

Dropbox privacy information: dropbox.com/privacy

Nextcloud

Nextcloud is typically self-hosted. The responsible party is the respective operator of the Nextcloud server connected by you.

When connected, the following is transmitted to your Nextcloud server:

App password/credentials for basic auth (stored locally in iOS Keychain)
File operations via WebDAV (read/write/delete)
Technical connection data (e.g. IP address, timestamps)

We recommend using app passwords instead of the main account password.

Legal basis: Art. 6(1)(b) and Art. 6(1)(a) GDPR

pCloud

Provider: pCloud AG, Poststrasse 24, 6300 Zug, Switzerland

When connected via OAuth 2.0 and pCloud API, the following is transmitted directly to pCloud:

Authentication data (OAuth token; stored locally in iOS Keychain)
File operations (read/write/delete) within your pCloud storage
Technical connection data (e.g. IP address, timestamps)

Note: pCloud is based in Switzerland and subject to Swiss data protection law and applicable GDPR requirements for EU users.

Legal basis: Art. 6(1)(b) and Art. 6(1)(a) GDPR

pCloud privacy information: pcloud.com/privacy_policy.html

WebDAV services (e.g. MagentaCLOUD)

For WebDAV connections, the app authenticates directly against the respective server using username/password or an app-specific password. These credentials are stored encrypted in iOS Keychain and are not transmitted to us.

Matomo analytics in CoreFiles (optional)

CoreFiles can collect usage statistics via a self-hosted Matomo instance (hosting in Germany), provided you have consented.

No file contents are transferred; only usage events for product improvement (e.g. features accessed). You can withdraw consent at any time in app settings.

Legal basis: Art. 6(1)(a) GDPR

Permissions

File access: required for core app functionality
Camera/Photos (optional): for scan and import features
Face ID / Touch ID (optional): to protect local sensitive areas (e.g. "Private Data")
Network access (optional): only when using external connections (e.g. cloud, SMB, WebDAV, SFTP)

Telemetry / crash reporting

No usage statistics are transferred without your consent.

Additional third-party crash/advertising SDKs (e.g. Firebase Crashlytics) are not part of standard processing.

Work2Rule

Overview

Work2Rule is a purely local iOS app. No personal data is transferred to external servers.

Locally Processed Data

All data entered in the app is stored exclusively on your device. We have no access to it.

Network Access

Work2Rule has no network access and does not send data to external servers.

Telemetry

The app does not collect telemetry or analytics data.

My§34aApp

Overview

My§34aApp is a purely local iOS app. No personal data is transferred to external servers.

Locally Processed Data

All data entered in the app is stored exclusively on your device. We have no access to it.

Network Access

My§34aApp has no network access and does not send data to external servers.

Telemetry

The app does not collect telemetry or analytics data.

Future Apps

When a new app is launched, a dedicated section will be added here. If the app works locally only and uses no third-party services, the Work2Rule/My§34aApp model applies. Additional processing (network access, third-party services, location etc.) will be documented in detail.

13. Updates and Changes

This privacy policy is updated as of April 2026 and available at peppermintbytes.com/privacy. If significant changes occur (especially when adding new apps with network access or new third-party services), this policy will be updated and the date revised.