kontur

Privacy Policy

As of June 21, 2026

This privacy policy informs you about the processing of personal data when using the app "kontur" (hereinafter "the app").

1. Controller

Responsible under the General Data Protection Regulation (GDPR):

Michael Schmidinger
Sommeregg 14
5301 Eugendorf
Austria
Email: [email protected]

For data protection inquiries, please email the address above with the subject "Privacy kontur".

2. Overview and legal basis

The app processes almost all data exclusively locally on your device. No transmission to the controller’s servers takes place. The app contains no advertising SDKs, no tracking and no usage analytics.

Data leaves your device in only two cases:

  1. Hammerhead login and activity retrieval (Art. 6 (1) lit. b GDPR, contract performance) — you actively connect to your Hammerhead account.

  2. Optional cloud AI features (Art. 6 (1) lit. a GDPR, consent) — only if you provide a Gemini API key yourself and actively ask questions or request analyses. The default AI runs on-device (see section 3.3) and transmits no data.

3. Data categories and processing purposes

3.1 Data processed locally on the device

When retrieving from Hammerhead, the following data is stored on your device (SwiftData database, encrypted when device encryption is enabled):

Purpose: display of your statistics, climbs and training analysis in the app. Storage duration: until manual deletion in the app (Settings → "Delete local data") or uninstallation of the app.

3.2 Hammerhead (data transmission)

When connecting to Hammerhead and syncing, data is exchanged between your device and Hammerhead (HQ Inc.):

Legal basis: Art. 6 (1) lit. b GDPR (contract performance with Hammerhead). Hammerhead (HQ Inc.) is responsible for processing on its side; their privacy policy applies. This app only retrieves data that Hammerhead has already collected from you — no additional collection takes place.

3.3 AI features (Apple Foundation Models on-device + optional cloud fallback)

The app offers AI-powered training analysis and a training assistant (chat). The AI works in two ways:

a) Default: Apple Foundation Models (AFM) — on-device, no transmission

On devices with an A17 Pro chip or newer and with Apple Intelligence enabled, the app uses Apple Foundation Models. AI inference runs entirely locally on your device. No training data is transmitted to Apple or third parties. Apple does not see the requests, and no tracking takes place. Legal basis: Art. 6 (1) lit. b GDPR (contract performance) and Art. 9 (2) lit. a GDPR (explicit consent through use) for the purely local processing of health-related data.

b) Optional: Cloud fallback via Gemini API (only with stored API key)

If AFM is unavailable (device < A17 Pro or Apple Intelligence disabled) and you provide a Gemini API key in Settings, calling AI features transmits aggregated training data to Google LLC (generativelanguage.googleapis.com):

Legal basis: Art. 6 (1) lit. a GDPR (your consent by providing the API key and actively calling the feature). You can withdraw consent at any time by removing the API key in Settings. From the next call, no data will be transmitted. The transmitted data is subject to Google LLC’s privacy policy (third party / processor).

The API key itself is stored encrypted in the iOS Keychain and leaves the device only for authentication with Google.

4. Storage duration

5. Your rights (data subject rights)

Under the GDPR you have the right to:

Since all data is stored locally on your device, you can exercise most rights yourself through the app functions or by deleting the app. For questions, contact the address in section 1.

6. Special category: health data (Art. 9 GDPR)

Heart rate, power and training metrics may qualify as health data under Art. 9 GDPR. These are processed exclusively locally. The default AI (Apple Foundation Models) also runs on-device — health data is not transmitted to third parties here either. Transmission to third parties occurs only with the cloud fallback (Gemini API) enabled after explicit consent (section 3.3b). The legal basis for local processing is Art. 9 (2) lit. a GDPR (explicit consent through use of the app with your own Hammerhead data) in conjunction with Art. 6 (1) lit. b GDPR.

7. Children’s data

The app is not directed at persons under 16 and is not intended for them. We do not knowingly process data from minors.

8. Security

9. Changes to this privacy policy

This privacy policy may be updated when the app’s features change. The current version is always available in the app (Settings → Legal) and at the URL registered in App Store Connect.

10. Imprint

Michael Schmidinger
Sommeregg 14
5301 Eugendorf
Austria
Email: [email protected]

See the imprint for details.