10 Minuten Coaching

Privacy Policy

10 Minuten Coaching — Last updated: April 2026

1. Controller

XD Consulting GmbH
Marchfeldstraße 17/2/25
1200 Vienna
Austria

Business activity: Services in automated data processing and information technology
Commercial register no.: FN 612534k
Jurisdiction / commercial register: Commercial Court of Vienna
VAT ID: ATU79850859
GLN: 9110010394455
GISA: 26538570, 34919811

E-mail:

2. Overview of processing activities

Data category Specific data Purpose Legal basis
Profile data Name, age range, gender, profession, life stage, goals, primary challenge, motivations, coaching experience Personalisation of coaching Art. 6 (1) (b) GDPR (performance of contract)
Session data Conversation history, session summaries, mood indicators Conduct and contextualisation of coaching sessions Art. 6 (1) (b) GDPR (performance of contract)
Device ID identifierForVendor (vendor-specific UUID) Rate limiting (abuse prevention) Art. 6 (1) (f) GDPR (legitimate interest)
Subscription data Subscription status (Free/Pro), transaction verification via StoreKit Provision of the booked service Art. 6 (1) (b) GDPR (performance of contract)
Consent data Timestamp of privacy and disclaimer consent Proof of consent Art. 6 (1) (c) GDPR (legal obligation)
Usage data Streak counter, date of last session Motivational features within the app Art. 6 (1) (b) GDPR (performance of contract)
Attestation data Device ID, public cryptographic key (EC P-256), signature counter, Apple receipt, key ID, device environment Device integrity check (App Attest) to prevent API abuse Art. 6 (1) (f) GDPR (legitimate interest)

3. Special categories of data (Art. 9 GDPR)

During coaching sessions you may voluntarily share information that qualifies as special categories of personal data — in particular mood indicators and coaching content that could allow conclusions about your health.

Processing of such data is carried out exclusively on the basis of your explicit consent under Art. 9 (2) (a) GDPR. You give this consent the first time you use the app and may withdraw it at any time (see section 9).

4. Local storage

Your profile data, session histories and summaries are stored locally on your device (SwiftData). Your coaching content is not stored server-side. You retain full control over your data and can delete it at any time via the app settings.

5. iCloud backup

If you have iCloud backup enabled on your device, locally stored app data may be included in a device backup to your iCloud. This backup is user-initiated and protected by Apple's end-to-end encryption. Apple's own privacy policy applies to data processing by Apple.

6. API communication

When you run a coaching session, the following data is transmitted via an encrypted connection (HTTPS/TLS):

  • App → Supabase Edge Function (EU/Frankfurt): conversation messages (system prompt and the most recent 40 messages), device ID (for rate limiting and attestation), app version, App Attest signature and key ID
  • Supabase → OpenAI API (USA): conversation messages (without device ID, without app version, without attestation data)

The device ID is used solely for server-side rate limiting and integrity verification and is not forwarded to OpenAI. App version and attestation data are removed before forwarding to OpenAI.

OpenAI does not use data submitted via the API to train its models (per OpenAI's API data usage policy). OpenAI retains API requests for a maximum of 30 days for abuse detection.

Text-to-speech (TTS): coaching responses can optionally be played back as audio. The response text is transmitted via the Supabase Edge Function to the OpenAI TTS API. The same protections apply as for chat communication (no device ID to OpenAI, encrypted transmission).

App Attest (device integrity check): on first launch, a cryptographic key is generated on your device via Apple's App Attest service (DeviceCheck framework). Apple verifies the integrity of your device and app installation. The resulting attestation object is transmitted to our Supabase Edge Function and verified there. With every subsequent API request a cryptographic signature (assertion) is included to ensure request authenticity. The private key always remains in the Secure Enclave of your device. The corresponding key identifier is stored in the iOS keychain (hardware-protected, excluded from backups).

7. Recipients and third-country transfers

Recipient Purpose Location Safeguards
Apple Inc. App distribution, in-app purchases (transaction verification and payment processing via StoreKit), iCloud backup, App Attest (via DeviceCheck) USA EU-US Data Privacy Framework (DPF)
Supabase Inc. Edge Function proxy (API relay, rate limiting); PostgreSQL database (attestation credentials, rate-limit counters) EU (Frankfurt) Processing in the EU; Standard Contractual Clauses (SCCs)
OpenAI Inc. AI language model for coaching responses USA EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs); no use of API data for model training
Hostinger International Ltd. Web hosting and DNS for 10minutes.app (server log files including IP addresses, access timestamps, pages requested) Lithuania / EU Processing in the EU; data processing agreement (DPA)

Data processing agreements (DPAs) under Art. 28 GDPR are in place with Supabase, OpenAI and Hostinger.

8. Retention periods

  • Local data (profile, sessions, summaries): until deleted by you in app settings or until uninstalling the app.
  • Attestation challenges (device ID + nonce): maximum 5 minutes in the Supabase PostgreSQL database, automatic deletion.
  • Attestation credentials (device ID, public key, counter, receipt): maximum 90 days in the Supabase PostgreSQL database, automatic deletion. Existing credentials are replaced when the app is reinstalled.
  • Rate-limiting data (device ID + counter): maximum 48 hours in the Supabase PostgreSQL database, automatic deletion.
  • OpenAI API logs: maximum 30 days, automatic deletion by OpenAI.
  • Consent timestamps: stored locally, until deletion of your app data.

All server-side data is pseudonymised (linked only via device ID) and automatically deleted when the relevant retention period expires. Manual deletion of individual server-side records is not possible because no user account exists. Uninstalling and reinstalling the app generates a new device ID, so prior server-side data can no longer be linked to a device and is automatically purged when the retention periods expire.

9. Your rights (Art. 15–22 GDPR)

You have the following rights regarding your personal data:

  • Right of access (Art. 15): you may request information about the data we hold about you.
  • Right to rectification (Art. 16): you may request correction of inaccurate data. Profile data can be edited directly in the app.
  • Right to erasure (Art. 17): you may request deletion of your data. Local data can be deleted directly in the app settings.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20): you may request your data in a structured, machine-readable format.
  • Right to object (Art. 21): you may object to processing based on legitimate interests.
  • Right to withdraw consent: consents given may be withdrawn at any time with effect for the future.

To exercise your rights, contact us at .

Right to lodge a complaint: you have the right to lodge a complaint with the competent data protection authority. Our lead supervisory authority is the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, www.dsb.gv.at. You may also contact the supervisory authority of your country of residence.

10. Website (10minutes.app)

When you visit our website, the hosting provider (Hostinger) automatically records the following data in server log files:

  • IP address (anonymised or full, depending on server configuration)
  • Date and time of access
  • Page accessed (URL)
  • Referrer URL (previously visited page)
  • Browser and operating system used
  • Volume of data transferred

Processing is based on Art. 6 (1) (f) GDPR (legitimate interest in the technical provision and security of the website). Server log files are automatically deleted after a maximum of 30 days. The website uses neither cookies nor tracking tools.

11. Cookies and tracking

The app and website use no cookies, no analytics, no advertising SDKs and no third-party tracking SDKs. No tracking of your usage behaviour takes place.

12. Automated decision-making

AI-generated coaching responses do not constitute automated individual decisions within the meaning of Art. 22 GDPR producing legal effects concerning you or similarly significantly affecting you. The responses serve solely as coaching impulses and have no binding character.

13. Data security

We implement the following technical measures to protect your data:

  • iOS Data Protection (hardware-based encryption of local data)
  • Encrypted data transmission via HTTPS/TLS
  • No server-side storage of coaching content
  • Device ID is not forwarded to the AI provider
  • Server-side message limit (maximum 40 messages per request)
  • Apple App Attest: cryptographic device integrity check using ECDSA signatures (Secure Enclave)
  • Replay protection via monotonic signature counters on every API request
  • Challenge-response procedure to prevent attestation forgery
  • Secure key storage in the iOS keychain (hardware-protected, excluded from backups)

14. Changes to this privacy policy

We reserve the right to update this privacy policy to reflect changes in law or in the app. The current version is always available at this address. Material changes will be communicated via an app update.

15. Contact

For questions about data protection, contact us at: