Privacy Policy

CARLON — Breathe Beyond · Effective: April 2026 · Version 1.0

1. Controller (Art. 4(7) GDPR)

Vitalkultur
Jan Rohwedder
Kapellenstraße 9
76473 Iffezheim, Germany
Email: jan@vitalkultur.com
Website: https://vitalkultur.com

2. Principle: No Tracking, Fully Offline (Art. 5 & 25 GDPR)

CARLON was built with Privacy by Design and Privacy by Default (Art. 25 GDPR). We follow a minimal-data approach: what we don't need, we don't collect.

We do NOT collect:

Usage statistics or analytics data
Behavioral profiles or usage patterns
Telemetry or crash reports (to external services)
Location data
Device identifiers or advertising IDs
IP addresses during app use
Usernames, email addresses, or accounts

All data stays exclusively on your device:

Session recordings (duration, technique, breathing rate)
Heart rate, heart rate variability (HRV), blood oxygen (SpO₂)
Mindful Minutes
Custom Presets
Safety consent timestamp

Vitalkultur operates no servers, databases, or cloud services for the operation of this app. No personal data is transmitted to Vitalkultur or third parties.

3. Data Categories and Legal Basis

3.1 Health Data via Apple HealthKit (Art. 9 GDPR)

With your explicit consent, CARLON accesses the following health data in Apple HealthKit:

Data Type	Purpose	Legal Basis
Heart Rate	Display during and after breathing sessions	Art. 9(2)(a) + Art. 6(1)(a) GDPR
Heart Rate Variability (HRV)	Progress tracking, coherence feedback	Art. 9(2)(a) + Art. 6(1)(a) GDPR
Blood Oxygen (SpO₂)	Safety monitoring during breath retention	Art. 9(2)(a) + Art. 6(1)(a) GDPR
Mindful Minutes	Recording completed sessions	Art. 9(2)(a) + Art. 6(1)(a) GDPR

HealthKit access requires your active opt-in. You can revoke permissions at any time in Settings → Privacy & Security → Health → CARLON.

HealthKit data is not used for advertising, market research, or any other purpose. Vitalkultur has no access to data stored in Apple Health outside the app environment.

3.2 On-Device App Data

Completed sessions (date, duration, preset name, retention times)
Custom presets (name, breathing parameters)
Safety consent: timestamp, app version
Settings (language, haptics, display options)

This data never leaves your device.

3.3 Data Export — Art. 20 GDPR (Data Portability)

CARLON supports exporting your session data as JSON or CSV directly to your device.

4. App Store — Data Processing by Apple

Purchases are processed by Apple Inc. as independent controller. Vitalkultur receives no payment data — only anonymized purchase statistics.

Apple may transfer data to the USA under EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). See: apple.com/privacy

5. Watch-iPhone Sync

Data syncs between your Apple Watch and iPhone via Apple's WatchConnectivity framework — device-to-device, no servers involved.

6. Email Contact

If you contact us via email, we process your address and message content to handle your inquiry.

Legal basis: Art. 6(1)(b)/(f) GDPR
Retention: Until resolved, typically up to 3 years for the defense of legal claims (Art. 6(1)(f) GDPR in conjunction with German statute of limitations)

7. Website

This website is hosted on GitHub Pages (GitHub, Inc., USA). GitHub may collect technical access data in server logs. The processing of these server logs is GitHub's responsibility. Vitalkultur does not systematically access these log files. See: GitHub Privacy Statement. GitHub is certified under the EU-US Data Privacy Framework.

This website uses no cookies, no analytics, and no embedded third-party services.

8. No Third-Party Sharing

Vitalkultur shares no personal data with third parties, except Apple Inc. for App Store purchases and where required by law.

9. Retention Periods (Art. 5(1)(e) GDPR)

Data Category	Storage	Retention
HealthKit data	Local (Apple HealthKit)	Until manual deletion in Health app
Session data	Local (device)	Until app uninstall
Custom presets	Local (device)	Until deletion or uninstall
Safety consent	Local (UserDefaults)	Until app uninstall
Email correspondence	Email inbox	Typically up to 3 years

10. Your Rights (Art. 15–22 GDPR)

To exercise your rights, you may contact us at any time at the email address stated above.

Right	How CARLON Implements It
Access (Art. 15)	Email jan@vitalkultur.com
Rectification (Art. 16)	Directly in the app
Erasure (Art. 17)	Uninstall app; HealthKit: via Health app
Data Portability (Art. 20)	JSON/CSV export in the app
Withdraw Consent	iOS Settings → Health → CARLON

Supervisory Authority:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
www.baden-wuerttemberg.datenschutz.de

11. Data Security (Art. 32 GDPR)

Local storage: All sensitive data stays on-device
iOS Sandbox: App data protected from other apps
HealthKit encryption: AES-256 at device level
No own server connections: The app does not establish its own network connections to Vitalkultur servers
No user account: No password risk

12. Health Data — Special Category (Art. 9 GDPR)

Heart rate, HRV, and SpO₂ are special category health data under Art. 9(1) GDPR. Processing is based on your explicit consent (Art. 9(2)(a) GDPR) through:

Confirming the safety notice on first app launch
Granting HealthKit permissions in the iOS system dialog

Both consents are voluntary. The app is fully usable without HealthKit.

13. Children

CARLON is not intended for use by persons under the age of 16 (Art. 8 GDPR in conjunction with German law). The Provider does not knowingly collect data from minors under 16.

14. Changes

Material changes will be communicated in-app. The current version is always available at: vitalkultur.com/privacy