Hinatadocs

Privacy Policy#

Last updated: 15 July 2026

Protecting your personal data matters to us. In accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR), we inform you below about the data processing connected with the use of the Hinata application ("App"). The German version of this policy is authoritative.

Important — scope: This Privacy Policy applies solely to the App itself and to the way the App communicates with a server you choose. Hinata is a client application for self-hosted server instances: the publisher of the App does not operate any server instance and has no access to the servers you connect the App to. The respective operator of each server instance is solely responsible for all server-side data processing (see Section 2).

1. Controller for the App#

The controller within the meaning of Art. 4(7) GDPR for the provision of the App (distribution via the app stores or as a web application) and for the processing described in this policy is:

Rebar Ahmad Weberstr. 58 47798 Krefeld Germany E-mail: mail@ahmadre.com

No data protection officer is legally required or appointed.

2. Roles: App publisher and instance operators#

Hinata is a project and issue management application that organizations self-host on their own infrastructure. The App connects exclusively to the server instance whose address you or your organization enter.

  • The App publisher (Section 1) merely provides the application software. He does not operate any server instance, does not store any account or content data, and has no access to the data you transmit to a server instance through the App.
  • The operator of the respective server instance (e.g. your organization) is the sole controller within the meaning of the GDPR for all server-side data processing — in particular for accounts, content (projects, issues, comments, attachments, time tracking, knowledge base), server logs, e-mail delivery (the operator configures its own e-mail/SMTP provider) and the storage and hosting infrastructure used.

For access, erasure and all other data subject rights concerning data stored on an instance, please contact the operator of your instance; its privacy notice applies.

3. Processing by the App on your device#

The App itself processes data exclusively locally on your device, to the extent technically necessary for its operation:

  • the server address(es) you enter,
  • sign-in tokens (access/refresh tokens) for the selected instance(s),
  • application settings (e.g. language, theme, notification preferences).

This data remains on your device and is not transmitted to the App publisher. The App uses no cookies or comparable technologies for analytics or advertising, embeds no tracking services and sends no telemetry to the App publisher. The legal basis for this local storage is Art. 6(1)(b) GDPR and, where applicable, Section 25(2) of the German TDDDG (technical necessity).

4. Communication with the server instance you choose#

All data you enter in the App (e.g. credentials, content, comments, files, voice messages) is transmitted by the App directly and transport-encrypted (TLS/HTTPS) to the server instance you selected. The App publisher is not involved in this transmission and cannot access it. The controller for the processing of this data is exclusively the operator of the instance (Section 2).

5. Push notifications (Hinata Connect and Firebase Cloud Messaging)#

If you enable push notifications, they are delivered technically via a central relay component ("Hinata Connect") operated by the App publisher, and via Firebase Cloud Messaging (FCM), a service of Google Ireland Limited / Google LLC. In doing so, the App publisher processes:

  • a device- or installation-specific push identifier (FCM token),
  • the content of the respective notification — exclusively transiently for the purpose of delivery; the App publisher does not permanently store notification content.

The legal basis is Art. 6(1)(a) GDPR (your consent, given by enabling push notifications). Push notifications are optional; you can disable them at any time in your device system settings or in the App's notification settings. Without push notifications, no data processing by the App publisher takes place at all.

6. International data transfers#

When Firebase Cloud Messaging is used (Section 5), data may be processed by Google LLC in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework; in addition, the European Commission's standard contractual clauses (Art. 46(2)(c) GDPR) are relied upon as appropriate safeguards. Beyond this, the App publisher performs no third-country transfers. Whether and where the operator of your server instance transfers data can be found in its privacy notice.

7. Retention#

The App publisher stores personal data only to the extent and for as long as required for push delivery (Section 5); push identifiers are deleted when they become invalid or when you disable push notifications. You can delete the local data on your device (Section 3) yourself at any time by clearing the App's data or uninstalling the App. The respective instance operator is responsible for the retention of server-side data.

8. Your rights as a data subject#

Under the GDPR you have, in particular, the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection to processing based on Art. 6(1)(f) GDPR (Art. 21), and withdrawal of consent with effect for the future (Art. 7(3)).

  • For the processing described in this policy (App, push delivery), please direct your requests to the contact address in Section 1.
  • For account and content data on a server instance, the respective operator is the correct addressee. Depending on the instance, the App provides self-service features for this (e.g. data access/export under Art. 15 GDPR and account deletion under Art. 17 GDPR directly in the App); these requests are processed by the respective instance.

Without prejudice to any other remedy, you have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement.

9. No automated decision-making#

There is no solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR by the App publisher.

10. Minors#

The App is not directed at children under the age of 16. Persons under 16 should only use the App with the consent of their legal guardians.

11. Data security#

The App transmits data exclusively transport-encrypted (TLS/HTTPS) and stores sign-in tokens in the protected storage areas of the respective operating system. The respective instance operator is responsible for the security of server-side processing.

12. Changes to this Privacy Policy#

We update this Privacy Policy where changes to the App or the legal framework require it. The version available at the time of your use applies. The date at the top of this policy indicates the current version. Note: the operator of your server instance may supplement or replace this policy with its own instance-specific privacy notice; for server-side processing, the operator's notice always prevails.

13. Contact#

For questions about data protection relating to the App, contact us at: mail@ahmadre.com