Who We Are
ESM Vertretungsplan is an independently developed application and is not an official product of the Europäische Schule München or MySchool Ltd. For questions about this privacy policy, please contact us at the address listed in section 09.
For the purposes of the GDPR, the developer of ESM Vertretungsplan acts as the data controller for any personal data processed within the app itself.
What Data We Handle
The app processes the following categories of data:
- Your O365 / SMS login credentials (username and password), stored in your device's secure encrypted storage (iOS Keychain / Android Keystore)
- Authentication tokens returned by the O365 / SMS login service after a successful sign-in
- Cached timetable and substitution data for offline access
- Anonymised crash reports and app diagnostics (via Firebase Crashlytics)
- Anonymised usage analytics such as screen views and feature interactions (via Firebase Analytics)
- Device push notification tokens, once push notifications are enabled (via Firebase Cloud Messaging — in development)
We do not collect your name, email address, or any other personal details independently. We do not run our own backend server. All school data is fetched directly from ESM and SMS systems using your own credentials.
How We Use Your Data
- Credentials & tokens — solely to authenticate you with the O365 / SMS services and retrieve your timetable and substitution data
- Cached school data — to display your timetable and Vertretungsplan when offline or between refreshes
- Crash reports — to identify and fix bugs, improving app stability
- Usage analytics — to understand which features are used, so we can improve the app
- Push tokens (future) — to deliver substitution change notifications to your device
We do not use your data for advertising, profiling, or any commercial purpose.
Legal Basis (GDPR)
We process your data on the following legal bases under Article 6 GDPR:
- Art. 6(1)(b) — Performance of a service: credential storage and data fetching are strictly necessary to provide the app's core functionality
- Art. 6(1)(a) — Consent: analytics and crash reporting, which you can opt out of in the app's settings
Third-Party Services
The app integrates the following third-party services. Google LLC acts as a data processor under a Data Processing Agreement. Their servers may be located outside the EEA; Google relies on Standard Contractual Clauses for international transfers.
Data Retention
- Credentials & tokens — retained on your device until you log out or uninstall the app
- Cached school data — retained on your device and refreshed regularly; cleared on logout or uninstall
- Crash & analytics data — retained by Google/Firebase per their own retention policies (typically 90 days for Crashlytics, 14 months for Analytics)
We have no server-side database, so there is no user data for us to delete upon request beyond what is held on your device or within Firebase.
Children & Minors
The app is intended for use by students and teachers of the European School Munich. Because the school serves students under the age of 18, we are particularly mindful of data minimisation. The app does not collect any personal data beyond what is strictly necessary for authentication and core functionality. Analytics data sent to Firebase is anonymised and does not include names, email addresses, or school-specific identifiers.
If you are a parent or guardian and have concerns about your child's use of the app, please contact us using the details in section 09.
Your Rights
Under the GDPR you have the following rights regarding your personal data:
To exercise any of these rights, contact us at the address in section 09. For data held by Firebase/Google or Microsoft, you may need to contact those providers directly.
Contact
For any questions, concerns, or rights requests regarding this privacy policy:
ESM Vertretungsplan — Developer Contact
European School Munich (student project)
esmunich.dev@gmail.com
You also have the right to lodge a complaint with the Bavarian State Office for Data Protection Supervision (BayLDA): www.lda.bayern.de
Security & Limitation of Liability
Your credentials are stored exclusively in your device's secure encrypted storage (iOS Keychain / Android Keystore) and are never transmitted to or stored on our servers. Authentication requests are sent directly from your device to Microsoft's and MySchool's own servers over HTTPS.
We have no access to your account credentials or school data at any time. Because we cannot access, view, or intercept your login information, we cannot be held responsible for:
- Unauthorised access to your O365, SMS, or school account
- Compromise of your credentials resulting from device theft, malware, phishing, or breaches at Microsoft's or MySchool's infrastructure
- Actions taken by third parties who gain access to your device or account through means outside this app
- Data loss or account suspension imposed by the Europäische Schule München or MySchool Ltd
If you believe your account has been compromised, please change your O365 password immediately and contact the school's IT department. The security of your account is governed by Microsoft's and MySchool's own terms of service and security practices.
We implement reasonable technical measures within the app (secure storage, HTTPS-only communication, no server-side credential logging), but we cannot guarantee absolute security of any internet-based system.
Changes to This Policy
We may update this policy as the app gains new features (such as push notifications). When we do, we will update the effective date at the top of this page and, where appropriate, notify users within the app. Continued use of the app after changes constitutes acceptance of the updated policy.