Privacy Policy
Last updated: 10 April 2026
1. Who we are
Asklune is operated by Tradegroup Swiss GmbH, Riestrasse 30, 8152 Glattbrugg, Switzerland (UID: CHE-112.050.620). You can reach us at privacy@asklune.com.
Our EU representative pursuant to Article 27 GDPR: [To be appointed — we are in the process of designating an EU representative. Until then, contact privacy@asklune.com.]
Asklune is intended for users aged 16 or older. If you are under 16, you may only use the Service with the consent of a parent or legal guardian.
2. What we collect
We collect the minimum needed to run the service.
- Account data — your email address, and (if you sign in with Google) the profile name you authorise.
- Monitored emails — up to 5 addresses you explicitly ask us to watch for breaches. These are hashed before being compared against public breach sources.
- Chat content — your conversations with Asklune, stored encrypted so we can remember context and show you history.
- Device data — platform, device name, OS version, app version, VPN status.
- Telemetry signals — DNS activity (stored as SHA-256 hashes only), login events (IP processed in real time for geolocation then immediately discarded, only hash + approximate location retained), Wi-Fi changes and process hints.
- Diagnostic data — anonymised crash reports and performance metrics, with no content attached.
3. What we do not do
- We do not sell or rent your data. Ever.
- We do not ship third-party ad trackers.
- We do not use your chat content to train third-party AI models.
- We do not read your messages in other apps.
4. Legal bases (GDPR / Swiss FADP)
| Processing activity | Legal basis |
|---|---|
| Providing the Service (account, chat, device monitoring) | Performance of a contract (GDPR Art. 6(1)(b)) |
| Sending security alerts and push notifications | Performance of a contract (GDPR Art. 6(1)(b)) |
| Breach monitoring for additional email addresses | Your explicit consent (GDPR Art. 6(1)(a)) |
| Crash reporting and performance diagnostics | Legitimate interest in service stability (GDPR Art. 6(1)(f)) |
| Payment processing | Performance of a contract (GDPR Art. 6(1)(b)) |
| Fraud prevention and abuse detection | Legitimate interest (GDPR Art. 6(1)(f)) |
Where we rely on legitimate interests, you may object at any time by contacting privacy@asklune.com. We will then cease the processing unless we can demonstrate compelling legitimate grounds.
5. Automated processing and AI
Asklune uses automated rules to block malicious DNS requests and AI models to generate threat assessments and chat responses. These automated processes do not produce legal effects or similarly significantly affect you within the meaning of GDPR Art. 22.
- DNS blocking is based on community-maintained threat lists. You can review and override blocked domains in the app.
- AI-generated advice is informational only and does not constitute professional security or legal counsel.
The underlying logic: DNS queries are compared against known-malicious domain hashes; login pattern anomalies are flagged based on geolocation and timing. No fully automated decision made by Asklune leads to legal consequences for you.
6. Where your data lives
Our primary infrastructure is located in Germany (EU). The following sub-processors may process data outside the EU:
- Expo / EAS (USA) — push notification tokens. Transfer mechanism: Standard Contractual Clauses (SCCs).
- Stripe — payment processing via its Irish entity; SCCs in place for any US-based operations.
- RevenueCat (USA) — subscription status. Transfer mechanism: SCCs.
The European Commission considers Switzerland as providing an adequate level of data protection. For transfers to the USA, we rely on Standard Contractual Clauses (Commission Implementing Decision 2021/914).
You may request a copy of the applicable safeguards by writing to privacy@asklune.com.
7. How long we keep it
- Account & chat data — retained while your account is active; deleted within 30 days after account deletion.
- Telemetry signals — IP addresses are discarded within milliseconds of processing; anonymised derivatives (country, approximate coordinates) are retained up to 90 days.
- Diagnostic data — retained up to 90 days.
- Billing records — 10 years (Swiss CO Art. 958f).
- Breach monitoring emails — removed when you remove them from your account, or within 30 days of account deletion.
8. Your rights
You can access, export, correct, or delete your data at any time — directly in the app, or by writing to privacy@asklune.com. In addition, you have the right to:
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Restriction of processing — request that we limit how we process your data in certain circumstances.
- Object to processing — object to processing based on legitimate interests (see Section 4).
- Lodge a complaint — with your local data protection authority.
In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, you may contact the supervisory authority of your habitual residence or place of work.
9. Sub-processors
We use the following service providers to operate Asklune:
- IONOS SE (Germany) — VPS hosting, data storage
- Supabase (self-hosted on our VPS) — authentication
- Microsoft Azure (EU region) — AI inference (GPT-4o-mini) for chat and threat explanations
- Expo / EAS (USA, SCCs in place) — mobile push notifications
- Stripe (Ireland/USA, SCCs in place) — payment processing
- RevenueCat (USA, SCCs in place) — subscription management
- MaxMind — GeoLite2 database (downloaded locally, no data transfer)
- XposedOrNot — breach feed comparison (hashed email only, no PII transferred)
Changes to this list are communicated via email before they take effect.
10. Cookies and similar technologies
The Asklune mobile app does not use cookies. It stores an authentication token locally on your device to keep you signed in. Our website (asklune.com) loads fonts locally from our own server. No font-related requests are sent to third parties. No other tracking cookies or analytics are used on our website.
11. Changes
If we change this policy in a way that affects you, we will tell you by email before the change takes effect.