Funnel — Privacy Policy

Last updated: June 10, 2026

Funnel ("we", "the app") is a daily IT news briefing app operated by Martin Wirth. This policy explains what data we collect, how we use it, and your rights under the EU/UK GDPR.

Data controller

Martin Wirth, contactable at hey@martas.digital, is the controller responsible for the personal data described below.

1. Data we collect

Account data

• Email address — used as your login identifier and to send account-related emails (e.g. verification, inactivity warnings).
• Password — stored securely by AWS Cognito; we never have access to your plaintext password.

Preferences

• Your selected news feeds and importance thresholds.
• Subscription tier.
• Your device's IANA timezone (e.g. Europe/Berlin) — used to schedule your daily briefing notification at the right local time.

Usage metadata

• Last-seen timestamp — updated when the app contacts our servers during normal use. Used to detect and clear inactive accounts (see Section 6).
• Server logs — IP address, user agent, and request timestamps are recorded in AWS CloudWatch and automatically deleted after 7 days.

Device tokens

• Push-notification token — a Firebase Cloud Messaging (FCM) device token is stored on our server so we can send you daily briefing notifications. The token is removed when you sign out or delete your account.

Anonymous product analytics (opt-in)

• If you opt in — at sign-up via a checkbox, or later from Settings → Account — the app sends a small set of anonymous product events (for example: app opened, screen viewed, feed refreshed, filter changed, article source clicked). Events are tagged with a random per-install identifier generated on your device; your email, account ID, and other identifying details are never stored alongside them on the server.
• You can turn analytics off at any time from Settings → Account. Turning it off rotates the per-install identifier on your device, so any later opt-in starts a fresh, unlinkable trail.

On-device data

• Authentication tokens, cached articles, and UI preferences (theme) are stored locally on your device. Sensitive values are kept in encrypted storage.

2. Data we do NOT collect

• We do not use third-party analytics, crash-reporting, or advertising SDKs. Our product analytics, if you opt in, are first-party and anonymous — see Section 1.
• We do not track your location.
• We do not sell or share your data with third parties for marketing.

3. How we use your data & legal basis

We process the data above on the following legal bases (GDPR Art. 6):

• Performance of a contract — to authenticate you, deliver your personalised news briefing, send the daily push notification, and operate the features you've signed up for.
• Legitimate interests — to monitor and fix service errors, keep our systems secure, and clear accounts that have been inactive for an extended period (see Section 6).
• Consent — to process the anonymous product analytics described in Section 1, where you have explicitly opted in. You can withdraw your consent at any time from Settings → Account.
• Legal obligation — to retain records where required by applicable law.

4. Third-party services (sub-processors)

We rely on the following cloud services to operate:

• Amazon Web Services (AWS) — authentication (Cognito), data storage (DynamoDB), compute (Lambda), logging (CloudWatch), and transactional email (SES) for account notifications. Data is processed in the EU (Ireland, eu-west-1).
  AWS privacy policy: aws.amazon.com/privacy
• Google Firebase Cloud Messaging (FCM) — used to deliver push notifications to your device. Your FCM device token is sent to Google's servers; no other personal data is shared with Google through this service.
  Google privacy policy: policies.google.com/privacy
• Anthropic (Claude API) — article summaries are generated by an AI model. Only article titles, descriptions, and publisher/source names are sent; no personal data is shared with Anthropic.

5. International data transfers

Personal data processed by AWS stays in the EU (Ireland). Google (FCM) and Anthropic process data in the United States. Where data leaves the EEA, we rely on the Standard Contractual Clauses (SCCs) under GDPR Art. 46, made available by those providers, as the lawful transfer mechanism.

6. Data retention

• Account, preferences & device tokens — kept until you delete your account or your account is cleared for inactivity.
• Inactivity deletion — if you don't open the app for 24 months, we delete your account automatically. We email a heads-up to the address on file a few months before that happens, so you can keep the account by simply opening the app.
• Server logs — automatically deleted after 7 days.
• Anonymous analytics events — automatically deleted 90 days after they are recorded.
• Article summaries — shared content, not personal data; retained indefinitely.

7. Your rights

Under the GDPR you have the following rights:

• Access & portability — request a copy of the personal data we hold about you, in a machine-readable format. In the app: Settings → Account → Download my data returns your full record as JSON. You can also email us.
• Erasure ("right to be forgotten") — delete your account at any time. In the app: Settings → Account → Delete account. This permanently removes your Cognito account and all stored preferences.
• Rectification — ask us to correct inaccurate data.
• Restriction & objection — ask us to stop or limit processing of your data.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Lodge a complaint — you may complain to the data protection supervisory authority in your EU/EEA country if you believe your rights have been infringed.

8. Children's privacy

Funnel is not directed at children under 16. We do not knowingly collect data from children.

9. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will reflect the most recent revision.

10. Contact

Questions or requests? Email hey@martas.digital.