Sundain (“Sundain”, “we”, “us”, “our”) operates the Sundain mobile app and this website (together, the “Service”). Sundain helps you discover real-world events and meetups and connect with people nearby, with the help of an AI “host”. This Privacy Policy explains what personal data we process, why, and the rights you have. We are an EU-first product and store personal data in the EU. We draft this policy in line with the EU General Data Protection Regulation (GDPR) and applicable German data-protection law.
1. Who we are (data controller)
Sundain is currently operated by an individual (a sole operator / natural person) based in Cologne, Germany — there is no company entity yet. Under the GDPR, that individual is the data controller responsible for your personal data:
- Leonard Bauer (sole operator), Cologne, Germany
- Email: [email protected]
Data Protection Officer. We have not appointed a Data Protection Officer, because the statutory thresholds for a mandatory appointment (GDPR Art. 37 / § 38 BDSG) are not met at our current scale. Privacy questions go to [email protected]. We will revisit this as the team grows.
2. Data we collect
We collect and process the following categories of personal data:
| Data | What it includes | Why we process it |
|---|---|---|
| Phone number | Your mobile number in international (E.164) format | Create your account and send / verify SMS one-time passcodes (OTP) for login |
| Name | The name you enter during onboarding | Personalise your profile and the Service |
| Date of birth / age | Your birthday and the age derived from it | Confirm you meet the minimum age and tailor suggestions |
| Interests | Topics you select during onboarding | Match you with relevant events, meetups and people |
| Location | Device geolocation, collected “while using the app” | Find events, meetups and people near you (see section 4) |
| Chat content | Messages you send to the AI host | Host and curate events and generate suggestions (see section 5) |
| Usage & analytics | Events such as screen views, onboarding steps and event interactions (RSVP / interested, dismiss), tied to a randomly generated anonymous device identifier — not your name or phone number | Understand and improve the Service (first-party product analytics) |
| Push token | Apple Push Notification service (APNs) device token | Send you push notifications |
| Technical / device data | App version, device model, IP address (in server logs) | Operate, secure and troubleshoot the Service |
Please avoid sharing special-category data. Your interests and chat messages could in some cases reveal sensitive information (for example about health, religion, political opinions or sexual orientation). Please don’t share such information unless you intend to. Where you knowingly make such data public through the Service, or where we otherwise process it, we rely on your explicit consent (GDPR Art. 9(2)(a)) and you can withdraw it at any time.
3. Purposes and legal bases
We rely on the following legal bases under Art. 6(1) GDPR:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account, sending OTP login codes, and delivering the core features you request (matching, events, meetups, chat) | Performance of a contract — Art. 6(1)(b) |
| Collecting and using your precise device location for nearby matching | Your consent — Art. 6(1)(a) — given through the operating-system location permission, in addition to contract performance |
| Sending push notifications | Your consent — Art. 6(1)(a) — given through the operating-system notification permission; you can withdraw it at any time in device settings |
| First-party, anonymous-identifier analytics; keeping the Service secure, reliable and improving it | Our legitimate interests — Art. 6(1)(f) |
| Meeting legal, regulatory and safety obligations (e.g. responding to lawful requests) | Legal obligation — Art. 6(1)(c) |
Where we rely on consent, you may withdraw it at any time; this does not affect the lawfulness of processing before withdrawal. Where we rely on legitimate interests, you may object (see section 9).
4. Location data — “precise store, coarse show”
When you grant location access, the app collects your device location while you are using the app. We process and store your precise location on our servers so we can match you with events, meetups and people near you.
However, we only ever display city-level (coarse) location in the product — both to you and to other users. Your precise coordinates are never shown to other users; other people only ever see an approximate, city-level area. We describe this as “precise store, coarse show”: precise where it’s needed to make matching work on our servers, coarse everywhere it’s displayed.
You can turn location access off at any time in your device settings. Some nearby-matching features may then stop working.
5. AI processing of your chat
Sundain uses an AI model to act as your event “host”. The messages you send in the chat are processed by an AI model — reached through our AI subprocessor OpenRouter (see section 6) — to understand what you’re looking for, curate events and meetups, and generate suggestions.
Please don’t share sensitive personal information in chat that you would not want processed for these purposes. AI-generated suggestions can be inaccurate or incomplete (see our Terms of Service).
We do not use your chat content to train our own models, and we do not sell it. Your messages are sent to the AI subprocessor solely to generate responses and suggestions, and that processing is governed by the provider’s terms.
6. Sharing, recipients & subprocessors
We share personal data only with service providers (“processors” / “subprocessors”) that help us run the Service, under contracts that require them to protect your data and process it only on our instructions. Categories of recipients:
- SMS / OTP delivery — seven.io (seven communications GmbH & Co. KG, Germany, EU), to deliver your OTP login codes.
- AI processing — OpenRouter (OpenRouter, Inc., USA), which routes your chat prompts to underlying AI model providers (which may include AWS Bedrock) to generate suggestions.
- Apple Push Notification service (APNs) — to deliver push notifications.
- Third-party event and venue data sources — to source events and venue information (e.g., Ticketmaster and similar event platforms; venue / map data such as OpenStreetMap).
- Hosting & infrastructure — Scaleway (France, EU), to host the Service and store data.
We do not sell your personal data, and we do not use third-party advertising SDKs. We may also disclose data where required by law, to protect the rights, safety and security of users or the Service, or in connection with a corporate transaction (e.g., merger or acquisition), subject to appropriate safeguards.
7. International transfers
We host the Service and store personal data in the EU. Scaleway (France) and seven.io (Germany) are located in the EU. AI model inference via our subprocessor OpenRouter (USA) — and the underlying model providers it routes to, which may include AWS Bedrock — may involve a transfer of chat data to the United States (the exact processing region depends on configuration). Where that happens, we rely on the European Commission’s Standard Contractual Clauses (SCCs), together with supplementary measures where needed. You can request a copy of the relevant safeguards from us.
8. Data retention
We keep personal data only as long as necessary for the purposes above, or as required by law.
- Account-linked personal data — your account and phone number, name, date of birth, interests, precise location, chat content, and analytics tied to your account — is retained for the life of your account and is deleted when you delete your account, subject to a short backup / rotation window and to any longer retention strictly required by law.
- Server / technical logs (including IP address) — kept for up to 30 days by default. This period is adjustable as needed for security and troubleshooting.
9. Your rights under the GDPR
Subject to the conditions in the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data — the “right to be forgotten” (Art. 17).
- Restrict processing in certain cases (Art. 18).
- Data portability — receive your data in a portable format (Art. 20).
- Object to processing based on our legitimate interests (Art. 21).
- Withdraw consent at any time where processing is based on consent, without affecting processing carried out before withdrawal (Art. 7(3)).
To exercise any of these rights, contact us at [email protected]. We will respond within the statutory time limits.
You also have the right to lodge a complaint with a supervisory authority. Our competent authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), the data-protection authority for Cologne / North Rhine-Westphalia; you may also complain to the authority where you live or work. (To be confirmed once our place of establishment is finalised.)
10. Security
We use technical and organisational measures to protect your data, including encryption in transit, access controls, secure credential storage (your login session is held in the device keychain), and EU-based hosting. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
11. Children & minimum age
Sundain is not intended for children. You must be at least 18 years old to use Sundain. Because Sundain enables meeting people in real life and processes location, we set an 18+ minimum. We do not knowingly collect data from anyone under 18; if you believe a minor has provided us data, contact us and we will delete it.
12. Website cookies, local storage & analytics
This marketing website is a static site. It sets no non-essential or analytics cookies — only strictly necessary cookies, if any — so no cookie-consent banner is required, and it does not use third-party advertising or cross-site tracking cookies. The Sundain app uses first-party analytics keyed to a random, anonymous device identifier (not your name or phone number) to understand product usage; there are no third-party advertising SDKs.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the new version here and update the “Last updated” date; where changes are significant, we may also notify you in the app. Last updated: 2026-07-07.
14. Contact
Sundain is operated by an individual (sole operator) based in Cologne, Germany. Questions or requests about this policy or your data:
- Leonard Bauer (sole operator), Cologne, Germany
- Email: [email protected]
We have not appointed a Data Protection Officer (the GDPR Art. 37 / § 38 BDSG thresholds are not met at our current scale); this will be revisited as we grow.