Focus Mode One
Legal

Privacy Policy.

How we handle your data when you visit our website or use the Focus Mode One app. No surprises, no hidden trackers.

Last updated 21 April 2026
Controller Riverland International GmbH
Scope Website & iOS app

1. Privacy at a glance

General information

The following notes provide a simple overview of what happens with your personal data when you visit our website or use our app Focus Mode One. Personal data is any data that can be used to identify you personally. For detailed information on data protection, please refer to the full policy below.

Scope

This privacy policy applies to:

Who is responsible for data collection?

Data processing is carried out by the operator. You can find contact details in the section "Notice on the responsible controller".

How do we collect your data?

Your data is collected in part when you provide it to us — e.g. when registering in the app, through a contact form, or when subscribing to the newsletter.

Other data is collected automatically or with your consent when you visit the website or use the app. This is mainly technical data (e.g. device type, operating system version, app version, IP address, time of access).

What do we use your data for?

Some of the data is collected to ensure error-free provision of the website and app. Other data may be used to analyse your usage behaviour, to process subscriptions, to send notifications, and to communicate with you.

What rights do you have regarding your data?

You have the right at any time to receive free information about the origin, recipients, and purpose of your stored personal data. You also have the right to request correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

2. Hosting and backend

External hosting of the website (GitHub Pages)

The legal information under this domain is provided via GitHub Pages, a service of GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA. When you access these pages, GitHub typically processes your IP address, the date and time of access, browser type and version, and the page requested in server log files.

The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in secure, fast, and efficient provision of the pages). GitHub is certified under the EU-US Data Privacy Framework; the data transfer to the USA is therefore safeguarded. More info: docs.github.com/privacy.

We have concluded a data processing agreement (DPA) pursuant to Art. 28 GDPR with all processors where this is required under data protection law.

Supabase (backend, database, app authentication)

For the Focus Mode One app we use the backend infrastructure provided by Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore 318992 ("Supabase"). Supabase provides us with a PostgreSQL database, authentication services, and edge functions, through which we store and process your user account data, your in-app content (e.g. goals, tasks, reflections), and system logs.

The following data is processed: email address, encrypted password or authentication token, unique user ID, in-app content, timestamp of last login (last_active_at), IP address.

Processing is based on Art. 6 (1) lit. b GDPR (performance of a contract), as using the app is technically impossible without a backend. We have concluded a data processing agreement (DPA) with Supabase.

Supabase processes data within the EU (Frankfurt region) where configurable. Insofar as processing takes place outside the EU, it is safeguarded by the EU Commission's Standard Contractual Clauses.

More info: supabase.com/privacy

Apple (app distribution, in-app purchases, push notifications)

Our app is distributed through the Apple App Store, operated by Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, and Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA.

When you download our app from the App Store, required information is transmitted to Apple, in particular the username, email address, and customer number of your account, time of download, payment information, and the individual device identifier. We have no influence over this data collection; it is carried out exclusively by Apple.

For sending push notifications (e.g. reminders for your daily planning), we use the Apple Push Notification Service (APNs). An anonymous device token is transmitted to Apple. You will only receive push notifications if you have enabled them in iOS system settings. Consent can be revoked at any time by disabling in iOS settings.

The legal basis is Art. 6 (1) lit. a GDPR (consent) for push notifications and Art. 6 (1) lit. b GDPR (performance of a contract) for app distribution and payment processing.

Apple's privacy policy: apple.com/legal/privacy

3. General information and mandatory disclosures

Data protection

The operators of these pages and the app take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

Please note that data transmission over the internet (e.g. email communication) may have security gaps. Complete protection of data against access by third parties is not possible.

Notice on the responsible controller

Riverland International GmbH
Hangstraße 11
21075 Hamburg · Germany

Represented by: Pascal Weihrauch & Tham Nguyen
Phone: +49 (0) 1575 111 0598
Email: hello@focusmode.one

The responsible controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data (e.g. names, email addresses, etc.).

Storage duration

Unless a more specific storage duration is mentioned within this privacy policy, your personal data remains with us until the purpose of data processing ceases to apply. A summary of concrete retention periods per service is provided in Section 13.

If you assert a legitimate request for deletion or revoke consent to data processing, your data will be deleted, unless we have other legally permissible grounds for storing your personal data (e.g. tax or commercial retention periods); in the latter case, deletion takes place after these reasons cease to apply.

General notes on the legal basis for data processing

If you have consented to data processing, we process your personal data on the basis of Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR, insofar as special data categories under Art. 9 (1) GDPR are processed. In the case of explicit consent to the transfer of personal data to third countries, data processing is additionally based on Art. 49 (1) lit. a GDPR. If you have consented to the storage of cookies or to access to information in your end device (e.g. via device fingerprinting), data processing is additionally based on § 25 (1) TDDDG. Consent can be revoked at any time.

If your data is necessary for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6 (1) lit. b GDPR. Furthermore, we process your data insofar as this is necessary to fulfil a legal obligation, on the basis of Art. 6 (1) lit. c GDPR. Data processing may also be based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

International data transfers

Some of the service providers we use are based in the USA or process data in the USA or other third countries outside the EU/EEA. For data transfers to the USA, we primarily rely on the EU-US Data Privacy Framework (DPF), which was recognised as a safe legal framework by an adequacy decision of the European Commission dated 10 July 2023. Insofar as a provider is not DPF-certified or additional safeguards are required, we have concluded Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR.

For each individual service provider, we inform you about the basis for the third-country transfer. More info on the DPF: dataprivacyframework.gov.

Recipients of personal data

In the course of our business activity, we work with various external parties. This sometimes requires the transmission of personal data to these external parties. We only pass on personal data to external parties when it is required for the performance of a contract, when we are legally obliged to do so (e.g. passing on data to tax authorities), when we have a legitimate interest under Art. 6 (1) lit. f GDPR in the transfer, or when another legal basis permits the data transfer. When using processors, we only pass on personal data of our customers on the basis of a valid data processing agreement.

Revocation of consent to data processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The lawfulness of data processing carried out up to the revocation remains unaffected by the revocation.

Right to object (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6 (1) LIT. E OR F GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA ON GROUNDS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA, UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS (OBJECTION UNDER ART. 21 (1) GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION UNDER ART. 21 (2) GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of breaches of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement. The right to complain exists without prejudice to other administrative or judicial remedies.

The supervisory authority responsible for us is: The Hamburg Commissioner for Data Protection and Freedom of Information (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit), Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of data to another controller, this will only be done insofar as it is technically feasible.

Information, correction, and deletion

Within the scope of applicable legal provisions, you have the right at any time to receive free information about your stored personal data, its origin and recipients, and the purpose of data processing, and, where applicable, a right to correction or deletion of this data. For this purpose and for further questions on the subject of personal data, you can contact us at any time.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

If you have restricted the processing of your personal data, this data — apart from its storage — may only be processed with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.

SSL / TLS encryption

For security reasons and to protect the transmission of confidential content, this site and our app use SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock icon in your browser line.

When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

4. Data collection on our website

Cookies

Our websites use "cookies". Cookies are small data packets and do no damage to your end device. They are stored on your end device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted after the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until automatic deletion is performed by your web browser.

Cookies that are required to perform the electronic communication process, to provide certain functions you have requested, or to optimise the website (necessary cookies) are stored on the basis of Art. 6 (1) lit. f GDPR. Insofar as consent to the storage of cookies and comparable recognition technologies has been requested, processing takes place exclusively on the basis of this consent (Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG); consent can be revoked at any time.

Server log files

The provider of our pages (GitHub Pages) automatically collects and stores information in so-called server log files, which your browser automatically transmits. These are:

This data is not combined with other data sources. The collection of this data is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in the technically error-free display and optimisation of its website. Log file information is stored for a maximum of 30 days and then deleted or anonymised.

Contact form and contact via email

If you send us enquiries via contact form, email, or phone, your information, including the contact data you provide, will be stored with us for the purpose of processing the enquiry and for follow-up questions. We will not pass on this data without your consent.

The processing of this data is based on Art. 6 (1) lit. b GDPR, insofar as your enquiry is related to the performance of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in effective processing of enquiries addressed to us (Art. 6 (1) lit. f GDPR) or on your consent (Art. 6 (1) lit. a GDPR) if this has been requested; consent can be revoked at any time.

5. Registration and user account in the app

User account

To use Focus Mode One in full, a user account is required. The following data is collected as part of registration: email address, password (stored encrypted), and optionally name or display name.

Additionally, we store the IP address and time of registration to prevent misuse (Art. 6 (1) lit. f GDPR). During use of the app, we record the time of the last login (last_active_at) to identify inactive accounts and, where applicable, contact you again by email (Art. 6 (1) lit. f GDPR, legitimate interest in reactivation).

Processing of account data is based on Art. 6 (1) lit. b GDPR (performance of a contract). You can delete your user account yourself in the app at any time. In this case, all personal data linked to your account will be deleted immediately, unless statutory retention obligations apply (in particular commercial and tax obligations in connection with completed subscriptions).

Content data in the app

When using Focus Mode One, you store content such as goals, tasks, reflections, and progress data. This content is stored on your device and synchronised to our servers (Supabase) so you can access it across devices. We do not evaluate this content editorially and do not pass it on to third parties, insofar as this is not technically necessary to provide the service (e.g. backend storage with Supabase as processor).

Profile picture (optional)

If you upload a profile picture, iOS will ask you for access to your photo library or camera. The image is then encrypted and uploaded to Supabase Storage (EU region Frankfurt) and linked to your account. You can remove the profile picture at any time in the app settings — the file is then immediately deleted from Supabase Storage.

The legal basis is Art. 6 (1) lit. a GDPR (consent). Consent to camera / photo library use can be revoked at any time in iOS system settings (Settings → Focus Mode One → Photos / Camera).

6. Sign in with Apple and Google Sign-In

Sign in with Apple

As an alternative to email registration, we offer sign-in via Sign in with Apple, a service of Apple Distribution International Ltd., Hollyhill, Cork, Ireland (for users in the EEA). When you choose this option, Apple transmits to us — depending on your choice in the system dialog — your email address (potentially as a pseudonymous relay address hiding your actual address), your first and last name, and a unique Apple identifier to link to your account.

If you select the relay address, Apple forwards messages from us to your actual email address without disclosing it to us. Processing is based on Art. 6 (1) lit. b GDPR (performance of a contract). You can sever the link at any time in the Apple ID settings on your device.

More info: apple.com/legal/privacy/data/en/sign-in-with-apple

Google Sign-In

As a further login option, we offer Google Sign-In, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for users in the EEA). If you sign in via Google, Google transmits to us your primary Google account email address, your Google display name, optionally your Google profile picture, and a unique Google user ID to link to your account.

Processing is based on Art. 6 (1) lit. b GDPR (performance of a contract). The transfer of your data to Google and, where applicable, to the USA is safeguarded by the EU-US Data Privacy Framework; Google is DPF-certified.

You can revoke the app's Google Sign-In permission at any time in your Google account at myaccount.google.com/permissions.

More info: policies.google.com/privacy

7. Notifications and device permissions

Local notifications

Focus Mode One uses local notifications (flutter_local_notifications) to remind you of your daily and weekly planning and your anchor exercises. These notifications are triggered directly by your deviceno data is transmitted to our servers or to any external service.

iOS asks for permission for notifications on first launch. This consent can be revoked at any time in iOS system settings (Settings → Focus Mode One → Notifications). The legal basis is Art. 6 (1) lit. a GDPR (consent).

Push notifications (APNs)

For certain notifications that we trigger centrally (e.g. future announcements), Apple's Push Notification Service (APNs) may be used. iOS generates an anonymous device token, which we register with Apple. Direct linking with your identity only occurs once you have activated your account. See Section 2.

Camera and photo library

The app requests access to camera or photo library only when you actively wish to set a profile picture (see Section 5). Outside this context, we access neither your camera nor your photos.

8. Subscription management

RevenueCat (subscription management)

For managing in-app subscriptions (Supporter, Champion, Hero) we use RevenueCat, a service of RevenueCat, Inc., 2261 Market Street #4408, San Francisco, CA 94114, USA. RevenueCat processes information about subscription status, purchases, renewals, and cancellations processed through the Apple App Store.

Data processed: pseudonymous app user ID, subscription status, purchase date, renewal date, cancellation date, price, country of the App Store account, anonymised device identifiers. RevenueCat does not have direct access to your email address or your real name unless we specifically transmit them.

The legal basis is Art. 6 (1) lit. b GDPR (performance of a contract within the scope of the subscription agreement) in conjunction with Art. 6 (1) lit. f GDPR (legitimate interest in efficient subscription management).

Third-country transfer to the USA: safeguarded by Standard Contractual Clauses. We have concluded a data processing agreement with RevenueCat.

More info: revenuecat.com/privacy

9. Analytics and error monitoring

Sentry (crash reporting and error monitoring)

For technical stability and error analysis of the app, we use Sentry, a service of Functional Software, Inc. (d/b/a Sentry), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. When an error or crash occurs in the app, Sentry automatically collects technical information that helps us reproduce and fix the error.

Data processed: error messages and stack traces, app version, device type, operating system version, anonymised user ID, time of error, where applicable IP address (anonymised after collection).

The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in a technically stable and error-free app). In the app settings (Privacy) you can fully disable the transmission of crash reports at any time.

Third-country transfer to the USA: safeguarded by Standard Contractual Clauses. We have concluded a data processing agreement with Sentry.

More info: sentry.io/privacy

Mixpanel (usage analytics, consent-based)

To analyse the usage of our app, we use Mixpanel, a service of Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA. Mixpanel allows us to understand how users interact with the app (e.g. which features are used, how long users stay in the app), so we can continuously improve Focus Mode One.

Processing is based exclusively on your explicit consent, which you can grant or revoke either at first launch of the app or later in the app settings (Privacy). Without your consent, no data is transmitted to Mixpanel.

Data processed (only with consent): pseudonymous user ID, app events (e.g. screen views, feature usage, wizard interactions), session duration, device type, operating system version, app version, timezone information, and where applicable coarse-grained geographic data at country/region level.

We operate Mixpanel in the EU data region (api-eu.mixpanel.com) and have configured the platform so that IP addresses are anonymised or not stored.

The legal basis is Art. 6 (1) lit. a GDPR (consent). Consent can be revoked at any time for the future in the app settings.

Third-country transfer to the USA: safeguarded by Standard Contractual Clauses. We have concluded a data processing agreement with Mixpanel.

More info: mixpanel.com/legal/privacy-policy

10. Newsletter and email communication

Loops.so (lifecycle emails in the app)

For sending transactional emails and lifecycle emails (e.g. welcome emails, onboarding mails, reactivation when inactive, subscription confirmations) we use the service Loops by Loops Inc., 2261 Market Street #4150, San Francisco, CA 94114, USA.

Data processed: email address, name or display name, user ID, timestamps of usage events, subscription status.

The legal basis is Art. 6 (1) lit. b GDPR (performance of a contract) for transactional emails (e.g. registration confirmation, purchase confirmation) and Art. 6 (1) lit. f GDPR (legitimate interest in user retention and improvement of user experience) for onboarding and reactivation emails. You can object to receipt at any time, e.g. via the unsubscribe link at the end of every email.

Third-country transfer to the USA: safeguarded by Standard Contractual Clauses. We have concluded a data processing agreement with Loops.

More info: loops.so/privacy

Newsletter (landing page)

If you sign up for our newsletter on our website, we use the service Systeme.io, operated by Systeme.io SAS, 16 Allée du Cloître, 60280 Venette, France. For registration we need your email address and information that allows us to verify that you are the owner of the email address given and that you consent to receiving the newsletter (double-opt-in procedure).

Processing is based on your consent (Art. 6 (1) lit. a GDPR). You can revoke your consent at any time, e.g. via the "unsubscribe" link in the newsletter. The lawfulness of data processing already carried out remains unaffected by the revocation.

After you unsubscribe from the newsletter distribution list, your email address may be stored on a blacklist if this is necessary to prevent future mailings. Data from the blacklist is only used for this purpose and is not combined with other data. Legal basis: Art. 6 (1) lit. f GDPR.

More info: systeme.io/privacy-policy

11. Plugins and tools (website)

Google Fonts

Our website uses Google Fonts for uniform display of fonts, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you access a page, your browser loads the required fonts into its browser cache to display text and fonts correctly.

For this purpose, the browser you use must connect to Google's servers. This allows Google to know that this website has been accessed via your IP address.

Use is based on Art. 6 (1) lit. a GDPR (consent), insofar as consent has been given via our consent management tool. Consent can be revoked at any time.

Third-country transfer: the company is certified under the EU-US Data Privacy Framework (DPF). More info: dataprivacyframework.gov

Google's privacy policy: policies.google.com/privacy

12. Protection of minors

Focus Mode One is intended exclusively for users aged 16 and over. We do not knowingly collect personal data from children under 16. By registering, the user confirms they have reached the minimum age.

If you are a parent or legal guardian and become aware that we have received data from a minor under 16, please contact us at hello@focusmode.one. We will delete the data immediately.

13. Retention periods at a glance

The following table summarises how long we store which data. Shorter periods apply if you delete your account or revoke your consent.

Data type / service Retention period
Account data + content (Supabase) Until account deletion by you. For payment-relevant data, up to 10 years pursuant to § 147 AO (German tax retention obligation for commercial and tax records).
Mixpanel (usage analytics) 1 year from event origination.
Sentry (crash reports) 180 days from time of error.
RevenueCat (subscription data) Duration of subscription + 7 years for billing records.
Loops.so (lifecycle emails) Duration of customer relationship + 3 years.
Systeme.io (newsletter list) Until revocation by you. Afterwards, possibly a blacklist entry to prevent future mailings.
Server logs (GitHub Pages) Maximum of 30 days.
Contact enquiries (email) As long as processing of the enquiry requires + 6 months for possible follow-up questions; beyond that only in case of statutory retention obligation.

14. Changes and updates to this privacy policy

We ask you to stay informed about the content of our privacy policy regularly. We adjust the privacy policy as soon as changes to the data processing operations we carry out make this necessary. We will inform you as soon as changes require action on your part (e.g. consent) or other individual notification.

15. Governing language

This English version of the privacy policy is provided for convenience. The legally binding version is the German "Datenschutzerklärung". In case of any discrepancy between the two versions, the German version prevails.

Version history