Privacy policy

This statement contains all general information about the processing of personal data within the website at https://moment2fa.de and in the associated mobile smartphone apps and browser extensions in accordance with §13 GDPR. This statement applies to these offers. Processing is in accordance with the GDPR and the BDSG.

Data controller

DIBITS UG (haftungsbeschränkt)
Bruggenerstr. 5/1
88284 Wolpertswende

Telefon: +49 (0) 7502 5779520
Fax: +49 (0) 7502 5779528
E-Mail: info@moment2fa.de

Managing Director: Paul Vincent Spieß
Register court Ulm – HRB 746047

Tax number: 77025/13198
VAT ID: DE360818135

Hereinafter also referred to as “DIBITS” or “we.”

Data processing operations

When using the apps or browser extension

All data collected in connection with the apps is processed on our own servers in Germany. When using the app, each user can decide for themselves whether data should be transmitted. In the default state immediately after download, privacy-friendly default settings are selected. Initially, only the app’s own analytics are activated. The following data is collected (Android & iOS app only):

• When the app is opened
• When you display a token
• How many tokens you have
• How many favorites you have
• How many directories are created
• Whether your device is registered in our backend
• Whether you prefer to display your tokens in a grid or a list

This data is collected anonymously and stored separately from your user account.
Data processing basis according to §6 (1) lit. f) GDPR: We collect this data to understand how you use our app in order to improve it. The data is stored for an indefinite period. The collection of further analytics data can be objected to in the app settings.

Online features

To use additional online features such as logos or triggers, you must explicitly activate them in the settings. From this point on, the following data will be collected and linked to your device / account:

• Unique ID of the app instance (not the device ID)
• Push-messaging ID (connected to your device through Google Firebase)
• Upon registration: Username and password (processed using a one-way hash function and not stored in plain text)
• When downloading logos: The name of the token to identify the website.

Data processing basis according to §6 (1) lit. a) GDPR: You explicitly consent to this processing by activating the online functions. To revoke your consent, simply uninstall the app. A user account without an active subscription and without activity will be deleted after 30 days.

Push messages

For receiving push notifications, the app uses push services provided from the operating system and Google Firebase. When sending push messages, we never send your tokens to Google or any other processor. Only an internal ID for your token will be send to your device through Google Firebase and / or Apple Push messaging services. The push message itself is generated on your phone. Data processing basis according to §6 (1) lit. a) GDPR: You explicitly consent to this processing by activating the online functions. To revoke your consent, simply uninstall the app. A user account without an active subscription and without activity will be deleted after 30 days.

Error-Tracking using Sentry

To track errors and crashes on our apps, we rely on a self-hosted instance of Sentry, an error-tracking tool. Sentry gathers crucial debugging-information for us. Part of it is how an error happened, which includes naviagtion paths through the app and general user behaviour. In case of a crash, the last minute of user activity will be transmitted to our servers. All private data is masked and not transmitted. We will never collect your currently active tokens or logos of the visible tokens. All error-tracking activity is bound to your device id, if you activated the Online-features (see above).

Basis for data processing according to Section 6 (1) (f) GDPR: The storage of this data is important for us in order to ensure the functionality and operation of our products. The storage of the data is absolutely necessary for the provision of our services. All error-tracking data is deleted after 90 days.

General server communication

The following data is processed for all server communications, regardless of type:

• User agent (browser or app version/operating system)
• IP address
• Timestamp
• Size of the data sent and received
• Referrer URLs (pages from which you accessed our site)

Basis for data processing according to Section 6 (1) (f) GDPR: The storage of this data is important for us in order to ensure the functionality and operation of our products. The storage of the data is absolutely necessary for the provision of our services. In addition, logging is necessary for the security of our systems. This allows us to identify attacks and, if necessary, take action. These logs are never used for other purposes or passed on to third parties. The logs are deleted after 60 days.

When using the website

When you visit our website, personal data is transmitted to us. Each time you visit, the following data is collected and temporarily stored in a log:

• User agent (browser version/operating system)
• IP address
• Time stamp
• Page accessed, including any parameters visible in the link
• Size of the data sent and the data received
• Referrer URLs (pages from which you accessed our site)

Basis for data processing according to Section 6 (1) (f) GDPR: The storage of this data is important for us in order to ensure the functionality and operation of our website. The storage of the data is absolutely necessary for the provision of the website. In addition, logging is necessary for the security of our systems. This allows us to identify attacks and, if necessary, take action. These logs are never used for other purposes or passed on to third parties. The logs are deleted after 60 days.

Statistics

In addition, we store the above-mentioned data in anonymized form for statistical purposes using Matomo. Your IP address is anonymized, which means that the statistics can no longer be traced back to you.
The statistics are created locally on our server and remain there—they never leave our hands. They remain stored there for 180 days.
Data processing basis according to §6 (1) lit. f) GDPR: The storage of this data is important for us to ensure the functionality and operation of our website. We have an interest in optimizing our website for you.
We offer you the option right here to stop us from tracking your visit (we can remember this by setting a cookie without personal content in your browser):

Opt-out complete; your visits to this website will not be recorded by the Web Analytics tool. Note that if you clear your cookies, delete the opt-out cookie, or if you change computers or Web browsers, you will need to perform the opt-out procedure again.

You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.

You are not opted out. Uncheck this box to opt-out. You are currently opted out. Check this box to opt-in.

The tracking opt-out feature requires cookies to be enabled.

When contacting us

If you contact us electronically by email, all data contained in your message will be transmitted to us. We store this data in order to respond to your request. In accordance with legal regulations, this data may be stored for a longer period of time, depending on the retention period.
If your contact concerns a pre-contractual discussion or a dialogue during an order, processing is carried out in accordance with §6 (1) lit. b) GDPR. In this case, the collection of data is necessary, as we would otherwise be unable to prepare an offer or similar for you. Otherwise, the legal basis is §6 (1) lit. f) GDPR – we would like to respond to your message and must process the data for this purpose.

The same applies if you contact us by analog means (letter, telephone, or fax).

General storage period

We store and process any personal data only for the period necessary to fulfill the respective purpose. This period may be deviated from if applicable law prevents the controller from deleting the data. In this case, we may – if applicable law permits – stop processing and mark your data as “blocked.” Once the purpose has been fulfilled, the data is regularly deleted.

Processor for hosting

As a provider, we use Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, to provide our website and servers for Moment 2FA.

Rights of data subjects

You are entitled to the rights of data subjects granted by the GDPR.

• Right to information under Section 15 GDPR: We will provide you with information about the data we have collected about you.
• According to §16 GDPR, you have the right to have stored data corrected.
• According to §17 and §18 GDPR, you can have your data deleted or restricted by us.
• Right to data portability according to §20 GDPR: We can provide you with your data in a structured, commonly used, and machine-readable format.
• According to §21 GDPR, you can object to our processing of your data.

If you wish to complain about our data processing, for example because you believe it to be unlawful, you can lodge a complaint with the competent data protection supervisory authority in accordance with §77 GDPR.

Profiling

We do not use automated decision-making in accordance with §22 GDPR.

Changes to the privacy policy

We reserve the right to make changes to this policy – please read it regularly. No notification will be given. Status: 29/12/2025