Privacy Policy — encirkl & Berlin Green Quest

1. Data Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

Marian Kulisch
Green Quest powered by CursusX
Republic of Korea
Email: contact@cursusx.de

A full postal address will be provided upon legitimate request.

This Privacy Policy applies to the services encirkl (available at encirkl.de / encirkl.com) and Berlin Green Quest, which are operated on the CursusX technical platform.

2. Overview of Data Processing

Our Core Principle: Privacy by Design. We do not store individual movement profiles. Location data is processed exclusively for real-time loop validation and is subsequently aggregated into anonymised area data (polygons). Individual GPS traces are not stored permanently.

2.1 Which services does this policy cover?

encirkl: Urban loyalty programme — loop validation, badge system, wallet card, partner benefits
Berlin Green Quest: Gamification for climate action — climate territories, green labels, CO₂ visualisation, team loops
CursusX Platform: Technical infrastructure — GPS validation, NFC waypoints, app delivery, partner API

3. Types of Data Collected

3.1 Usage Data (collected automatically)

Data Category	Purpose	Legal Basis	Retention Period
Device ID (pseudonymised)	Session management, badge assignment	Art. 6(1)(b) GDPR (performance of contract)	Until account / app deletion
Browser and device type	App optimisation, compatibility checks	Art. 6(1)(f) GDPR (legitimate interest)	90 days
IP address (truncated)	Security, abuse prevention	Art. 6(1)(f) GDPR	7 days

3.2 Location Data (GPS)

Particularly sensitive processing: Location data is only collected when you actively start a loop. Collection is based exclusively on your explicit consent (Art. 6(1)(a) GDPR). You can revoke location access at any time in your device settings.

Data Category	Purpose	Processing
GPS coordinates during a loop	Real-time validation: distance, speed, continuity of the walking route	Processed in real time by the CursusX engine; then aggregated into an anonymous polygon (area data)
Loop completion (area/polygon)	Badge award, climate territory assignment, CO₂ calculation	Stored permanently as anonymised area data; no inference to individual route possible
NFC scan events	Physical proof at waypoints	Timestamp + location of the NFC point; linked to session, not to person

3.3 Voluntarily Provided Data

Data Category	Purpose	Legal Basis
Name / display name	Display on wallet card, leaderboards, personalised badges	Art. 6(1)(a) GDPR (consent)
Photo uploads (photo walks)	Community gallery, GPS-validated submission	Art. 6(1)(a) GDPR
Green labels (tree markings)	Citizen-driven urban green data, tree watering reports	Art. 6(1)(a) GDPR
Team membership	Team loops, collaborative badges	Art. 6(1)(b) GDPR
Invitation links	Community growth (anchor point badge)	Art. 6(1)(a) GDPR

4. Wallet Card and App

encirkl is delivered as a native app via the Google Play Store and the Apple App Store. The wallet card is stored locally on your device (Apple Wallet / Google Wallet). The following data is stored on your device:

Display name (if provided)
Badge status and unlocked badges
Current partner benefit status

The wallet card communicates with the server via the CursusX API to update badge status in real time and to unlock partner benefits. This communication is encrypted (TLS).

5. Data Sharing with Partners

5.1 Anonymised Movement Reports

Anchor Partners (Tier 1) may receive anonymised, aggregated movement reports. These contain exclusively area data (polygons) and frequency counts — never individual routes, location histories, or personal data.

5.2 Badge Status to Route Partners

When you redeem a partner benefit (e.g. a discount at a route partner), your current badge status is transmitted to the partner's point-of-sale system via the CursusX API. Only the following data is transmitted:

Badge status level (e.g. "City Walker")
Eligibility for the specific benefit (yes/no)

No names, location data, movement history, or other personal data is transmitted to partners.

5.3 Green Labels and Urban Green Data

Green labels (markings placed at trees and green spaces) may be shared in anonymised form with mission partners such as Insel Projekt Berlin or the city administration to support urban green maintenance. It is not possible to trace the marking back to the individual who placed it.

6. Cookies and Local Storage

The app uses only technically necessary storage mechanisms:

Local cache: For offline capability of the app
Session token: For assigning active loops (temporary)
Wallet data: Local storage of badge status on your device

No marketing cookies or tracking pixels are used. There is no tracking via Google Analytics, Facebook Pixel, or comparable services.

For anonymous analysis of website usage, we use Plausible Analytics — a privacy-friendly analytics tool based in the EU. Plausible does not use cookies, does not store personal data, and is fully GDPR-compliant. Only aggregated data is collected (e.g. page views, referral sources, device type). Identification of individual users is not possible. More information: plausible.io/data-policy.

7. Hosting and Data Processing

The technical infrastructure (CursusX platform) is hosted on servers within the European Union. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with the hosting provider.

Hosting provider: Servers within the EU. Details available upon request at contact@cursusx.de.

8. Your Rights

Under the GDPR, you have the following rights:

Right of access (Art. 15): You may request information about which data we process about you.
Right to rectification (Art. 16): You may request the correction of inaccurate data.
Right to erasure (Art. 17): You may request the deletion of your data, provided no statutory retention obligations apply.
Right to restriction of processing (Art. 18): You may request the restriction of the processing of your data.
Right to data portability (Art. 20): You may receive your data in a structured, commonly used format.
Right to object (Art. 21): You may object to the processing of your data based on Art. 6(1)(f) GDPR.
Right to withdraw consent (Art. 7(3)): You may withdraw any consent given (particularly for location data and photo uploads) at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

To exercise your rights, please contact: contact@cursusx.de

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. As the Services are primarily aimed at users in Germany, any German state data protection authority has jurisdiction. For users based in Berlin, this is:

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59–61, 10555 Berlin
www.datenschutz-berlin.de

9. Use by Minors

encirkl and Berlin Green Quest are generally aimed at persons aged 16 and over. For persons under 16, parental or guardian consent is required (Art. 8 GDPR). Team loops in a school context require parental consent and must be organised by the responsible teacher.

10. Data Security

We implement appropriate technical and organisational measures (TOMs) to protect your data:

Encrypted transmission (TLS/HTTPS) of all data between app and server
Pseudonymisation of device IDs
Anonymisation and aggregation of location data after real-time validation is complete
Access controls and logging on the CursusX platform
Regular security reviews

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as needed — for example, when expanding the Services, when the legal framework changes, or when new partners are added. We will inform you of material changes via the app or by email (if an email address is on file). The current version is always available on this page.

Last updated: April 2026 · For privacy-related questions, please contact contact@cursusx.de.