Privacy Policy — AVMS Showcase Player

Last updated: 2026-06-16

1. Controller

Sven Conrad Dreieichstraße 29, 60594 Frankfurt am Main Email: conrad@avms-germany.de

2. About this app

The “AVMS Showcase Player” (“the app”) is a viewer for licensed business content (product showcases, PDF catalogs, image galleries). The app does not sell anything, contains no advertising, no tracking and no third-party analytics. It is unlocked with an activation key issued by the provider under a B2B license; after activation the app runs fully offline.

3. What data is processed?

3.1 On the device

• Activation key and license token, stored locally so the app can operate offline.
• Downloaded project content (images, PDFs, layout data) in the app’s sandboxed storage (iOS: Library/NoCloud — explicitly excluded from iCloud backup; Android: app-private storage).
• A device-local identifier (a hash of stable device properties) used to bind the license to this one device. This identifier leaves the device only as a cryptographic SHA-256 hash; the raw values are never transmitted.

3.2 Sent to the license server (https://api.jorisconrad.com)

During activation and during later deactivation / re-activation requests we transmit:

• the activation key the user entered,
• the SHA-256 device hash (see 3.1),
• the IP address of the request (technically unavoidable),
• a timestamp.

While project content is being downloaded, the license token is sent as an HTTP header on each request so the server can confirm the request belongs to the license.

3.3 Optional: heartbeat telemetry

If enabled (off by default), the app may send a small “heartbeat” to the license server every 5 minutes so the provider can see whether the device is online (e.g. for availability monitoring on a customer dashboard during trade shows). Only the following are transmitted:

• the SHA-256 device hash (see 3.1),
• the brand key of the running showcase,
• the manifest hash of the installed project,
• app version, platform (iOS/Android) and OS version,
• the IP address of the connection (technically unavoidable),
• a timestamp.

The feature can be disabled at any time on the device (app Settings → “Heartbeat”) and by the provider in the customer dashboard per device. No profiling, no location collection, no cross-device tracking.

3.4 Not collected

We do not use advertising identifiers (IDFA / AAID), no location data, no contact data, no profiling-grade usage analytics and no third-party analytics / tracking SDKs.

4. Legal basis and purpose

Processing is necessary to perform the B2B license agreement between Sven Conrad and the licensee company (GDPR Art. 6(1)(b)), and to protect legitimate interests in license abuse prevention and server stability (GDPR Art. 6(1)(f), in particular IP-based rate limiting).

5. Retention

• Activation and deactivation events: up to 12 months for license accounting and abuse analysis.
• Device hash and key: as long as the license is active; deactivating the device immediately releases the device slot.
• Server access logs (IP, timestamp, requested path): typically 30 days rolling at most.

6. Recipients / processors

• License server hosting: <TODO hoster name, country, e.g. Hetzner, Germany>.
• Network tunnel: <TODO if Cloudflare Tunnel: Cloudflare, Inc., USA — Standard Contractual Clauses in place>.

There is no transfer to advertising or marketing services.

7. International transfers

Where a recipient under section 6 is located outside the EEA, transfers are based on the EU Standard Contractual Clauses with additional technical safeguards (TLS encryption in transit).

8. Your rights

You have the right to access (GDPR Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21), as well as the right to lodge a complaint with a supervisory authority. Please send requests to conrad@avms-germany.de.

Note: The simplest way to have your device hash erased is to deactivate the device in the app (maintenance menu: tap the logo 7 times) — the license server immediately releases the slot and removes the binding.

9. Security

All communication with the license server is encrypted (TLS). Content downloads are protected by a redeemable license token; once the device is deactivated, the token is invalidated server-side.

10. Changes

We may update this notice if the legal situation or our data processing changes. The current version is always available at https://showcase.jorisconrad.com/privacy-de/.