Privacy Policy

Last updated: May 15, 2026


1. Controller and EU Representative

Controller within the meaning of the GDPR and other national data protection laws of the Member States:

Ibilities Inc.
8583 10TH St N, Apt C
St. Petersburg, FL 33702
USA

Email: support@ibilities.com
Web: https://ipin2.de

EU Representative pursuant to Art. 27 GDPR:

Frank Möller
Max‑Beckmann‑Straße 20
60599 Frankfurt am Main
Germany

Email: support@ibilities.com

This Privacy Policy applies to the iPIN2 app on the platforms Windows (Microsoft Store), iOS/iPadOS (Apple App Store), macOS (Mac App Store), and Android (Google Play), as well as to the website https://ipin2.de.


2. What Data We Process

2.1 Data that stays exclusively on your device

iPIN2 is designed as a local password manager. The following data is stored exclusively locally on your device and is not transmitted to Ibilities Inc. or any third party:

  • Vault contents: usernames, passwords, URLs, notes, categories, attachments
  • Vault labels and organizational structures you create
  • Master password (never stored or transmitted in plain text; only a cryptographic key is used to encrypt/decrypt the local vault)
  • App settings, layout, and display preferences

Ibilities Inc. has no access to this data at any time.

2.2 Optional synchronization between your devices

iPIN2 offers two optional synchronization mechanisms that you activate yourself:

a) AirSync (Wi‑Fi based direct connection)
Vault data is transmitted end‑to‑end encrypted directly between your devices on the same Wi‑Fi network. There is no transmission over the internet and no storage on servers — neither at Ibilities Inc. nor at any third party.

b) iCloud Sync (Apple devices only)
If you enable iCloud Sync, your vault data is stored doubly encrypted in your personal iCloud account at Apple Inc. — first by iPIN2 (client‑side), and additionally by Apple's iCloud encryption. Apple is the controller for the iCloud storage. Ibilities Inc. has no access to your iCloud data. Apple's privacy terms apply additionally: https://www.apple.com/legal/privacy/

2.3 Data related to app purchases and licensing

iOS / iPadOS / macOS / Android: Purchases and in‑app purchases are processed exclusively through the Apple App Store or Google Play. Payment data is processed by Apple or Google; Ibilities Inc. does not receive any payment data, only anonymized or pseudonymized purchase confirmations.

Windows (Microsoft Store): The sale of the Windows version and payment processing are handled by Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA under the "Stripe Managed Payments" service. Stripe acts as the Merchant of Record vis‑à‑vis the end customer and is responsible, on its own account, for the collection and remittance of all applicable sales/value‑added taxes. Ibilities Inc. supplies the software to Stripe; the end‑customer contractual relationship is between Stripe and the buyer. During a purchase, Stripe processes the following data under its own responsibility: name, email address, payment method details, billing address, amount. From Stripe, Ibilities Inc. receives only the transaction ID, the purchase confirmation, and — for support and receipt purposes — the buyer's email address. Stripe's privacy terms apply additionally: https://stripe.com/privacy

2.4 Data collected by the stores

Apple, Google, and Microsoft collect data independently as part of app distribution (e.g., crash reports, device/installation IDs, anonymous usage statistics). This data is collected under the responsibility of the respective store operator. Ibilities Inc. receives at most aggregated, non‑personal analytics. The privacy terms of the respective providers apply:

2.5 Data when contacting support

To handle support requests we use Atlassian Cloud services (in particular Jira Service Management). The EU contracting party for Atlassian Cloud is Atlassian B.V., Hoogoorddreef 5, 1101 BA Amsterdam, Netherlands.

You can reach us through two channels:

When handling your request we process at least:

  • your email address
  • the content of your message (including any voluntary information such as name, device/version details, screenshots)
  • timestamps and status history of the ticket

Hosting region: The ticket data is hosted exclusively in the Atlassian data center in Frankfurt am Main, Germany. No transfer to Atlassian locations outside the EU takes place.

A data processing agreement pursuant to Art. 28 GDPR is in place with Atlassian (Atlassian Data Processing Addendum, https://www.atlassian.com/legal/data-processing-addendum).

Legal basis: Art. 6 (1) (b) GDPR (pre‑contractual/contractual measures) or Art. 6 (1) (f) GDPR (legitimate interest in efficient support handling). Retention period: see Section 6.

2.6 Data when visiting the website https://ipin2.de

The website is hosted by STRATO GmbH, Otto‑Ostrowski‑Straße 7, 10249 Berlin, Germany. When you visit the website, technically necessary server logs are generated (IP address, date/time, page accessed, user agent), which are deleted after 30 days. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in IT security and stable operation).

Cookies and similar technologies are addressed in our separate cookie policy: https://ipin2.de/en/cookies-policy/ (see also Section 8).


3. Legal Bases for Processing

We process personal data exclusively on the basis of the GDPR. Depending on the processing situation, the following legal bases apply:

a) Performance of a contract (Art. 6 (1) (b) GDPR)
Provision of app functions, processing of purchases through Stripe (Windows) or the respective app stores, handling of support requests.

b) Consent (Art. 6 (1) (a) GDPR)
Activation of the optional sync functions (AirSync, iCloud Sync) takes place only if you actively enable them. You can withdraw your consent at any time by disabling the respective sync.

c) Legitimate interests (Art. 6 (1) (f) GDPR)
Server logs of the website (30 days) for the purpose of IT security, abuse prevention, and stability; efficient handling of support requests; if applicable, aggregated store analytics for product improvement. Our legitimate interest: secure, stable operation of website and app as well as timely customer service.

d) Legal obligation (Art. 6 (1) (c) GDPR)
Retention of invoice and payment data in the context of commercial and tax law obligations (see Section 6 — Retention).


4. Recipients of Personal Data / Processors

We disclose personal data only to the following recipients, to the extent necessary for the provision of the app and related services:

a) App store operators (independent controllers)

  • Apple Inc. (USA) — distribution iOS/iPadOS/macOS, in‑app purchases, iCloud Sync
  • Google LLC (USA) — distribution Android, in‑app purchases
  • Microsoft Corporation (USA) — distribution Windows, Microsoft Store

These providers collect data independently as part of app distribution and act as their own controllers, not as our processors.

b) Seller and payment service provider (Windows purchases)
Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA — acts as the Merchant of Record (independent controller) for the sale of the Windows version under the "Stripe Managed Payments" service and handles the collection and remittance of taxes worldwide. Privacy terms: https://stripe.com/privacy

c) Hosting (website and email)
STRATO GmbH, Otto‑Ostrowski‑Straße 7, 10249 Berlin, Germany — hosting of https://ipin2.de and the @ibilities.com email mailboxes. A data processing agreement pursuant to Art. 28 GDPR is in place (last updated August 3, 2025). Privacy terms: https://www.strato.de/datenschutz/

d) Authorities
Personal data may be transmitted to competent authorities on the basis of legal obligations (e.g., tax authorities, law enforcement). Such transmission only takes place where legally required.

e) Support ticketing system
Atlassian B.V., Hoogoorddreef 5, 1101 BA Amsterdam, Netherlands (EU contracting party for Atlassian Cloud). Hosting of the support ticketing system Jira Service Management and other Atlassian Cloud services in the Europe region (Frankfurt am Main, Germany). A DPA pursuant to Art. 28 GDPR is in place (Atlassian DPA). Privacy terms: https://www.atlassian.com/legal/privacy-policy

Your vault data is not disclosed to any third party at any time — it either does not leave your device at all (local mode, AirSync), or is stored exclusively encrypted in your personal iCloud (iCloud Sync), to which Ibilities Inc. has no access.


5. Transfer of Data to Third Countries (USA)

Ibilities Inc. is based in the USA. Several of our processors and business partners (Apple, Google, Microsoft, Stripe) are also based in the USA. Personal data is therefore transferred to a third country within the meaning of the GDPR.

Legal bases for the transfer:

a) EU‑US Data Privacy Framework (DPF)
For transfers to Apple Inc., Google LLC, Microsoft Corporation, and Stripe, Inc., we rely on the adequacy decision of the EU Commission of July 10, 2023 (EU‑US Data Privacy Framework). The aforementioned companies are certified under the DPF. You can verify the current certification status here: https://www.dataprivacyframework.gov/list

b) Transfer to Ibilities Inc. (USA)
For transfers to Ibilities Inc. (e.g., for internal accounting), we rely on:

  • your explicit consent (Art. 49 (1) (a) GDPR), or
  • the necessity for the performance of a contract (Art. 49 (1) (b) GDPR).

In addition, we implement technical and organizational measures (encryption in transit and at rest) to ensure an adequate level of protection.

Risks in third countries:
We point out that the USA generally does not provide a level of data protection comparable to the GDPR, and US authorities may, under certain conditions, gain access to data stored with US providers. Full enforcement of your data subject rights against US providers may be impeded.

What this means for your vault data:
Your vault data stored in iPIN2 does not leave your device or your local network in local‑use or AirSync mode. With iCloud Sync, vault data is transmitted exclusively to Apple Inc. — where the DPF applies and the data is additionally encrypted client‑side by iPIN2, so that Apple itself has no content access.


6. Retention Periods

We store personal data only for as long as is necessary for the respective purposes or as required by legal retention obligations:

Data category | Retention period | Basis
Vault data (local on your device) | until deleted by you or until the app is uninstalled | you control this data yourself
Vault data in iCloud Sync (if enabled) | until you disable sync or delete the data in iCloud | you control this data yourself
Vault data via AirSync | not stored (only transient transmission on the local Wi‑Fi) |
Support correspondence | up to 3 years after the request is closed | enforcement/defense of legal claims, legitimate interest (Art. 6 (1) (f))
Payment data (Stripe Windows purchases) | 10 years after the end of the calendar year of the transaction | Art. 6 (1) (c) GDPR in conjunction with § 147 AO / § 257 HGB and, where applicable, US tax law
Server logs of ipin2.de | 30 days | legitimate interest (IT security)
Cookies | as per the separate cookie policy | depends on the respective cookie

Once the respective retention period expires, the data is deleted or anonymized.


7. Rights of Data Subjects

Insofar as we process your personal data, you have the following rights against Ibilities Inc. The contact point for all requests is our EU Representative.

a) Right of access (Art. 15 GDPR)
You can request information about whether and which personal data we process about you.

b) Right to rectification (Art. 16 GDPR)
You can request the rectification of inaccurate or the completion of incomplete personal data.

c) Right to erasure (Art. 17 GDPR)
You can request the deletion of your data, unless statutory retention obligations or other overriding reasons apply.

d) Right to restriction of processing (Art. 18 GDPR)
You can request that the processing of your data be restricted.

e) Right to data portability (Art. 20 GDPR)
You have the right to receive the data you have provided in a structured, commonly used, and machine‑readable format.

f) Right to object (Art. 21 GDPR)
Insofar as we process data on the basis of legitimate interests, you can object to such processing at any time.

g) Withdrawal of consent (Art. 7 (3) GDPR)
Insofar as processing is based on your consent (e.g., iCloud Sync, AirSync), you can withdraw your consent at any time with future effect — by disabling the respective sync mechanism in the app settings or by notifying us at support@ibilities.com.

h) Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority. For users in Germany, the responsible authority is usually the respective state data protection authority; given the seat of our EU Representative in Frankfurt, in particular:

The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 31 63, 65021 Wiesbaden, Germany
Phone: +49 611 1408‑0
Email: poststelle@datenschutz.hessen.de
Web: https://datenschutz.hessen.de

Special case iCloud Sync:
If you have enabled the optional iCloud Sync, your vault data is stored in your personal iCloud account at Apple Inc. Ibilities Inc. has no access to this data and can neither view nor delete it. Please direct requests for access, rectification, deletion, or portability of this data directly to Apple Inc. — the corresponding functions can be found at https://privacy.apple.com and in your iCloud settings.

Exercising your rights:
For all data protection matters, please contact our EU Representative (Frank Möller, Max‑Beckmann‑Straße 20, 60599 Frankfurt, Germany) or contact us directly at support@ibilities.com. We respond without undue delay, at the latest within one month of receiving your request. For complex requests this period may be extended by up to two additional months, of which we will inform you in good time.

In case of justified doubts about your identity, we may request additional information to confirm it.


8. Tracking and Cookies

8.1 In the iPIN2 app

The iPIN2 app uses no tracking mechanisms of its own, no analytics SDK, no advertising trackers. Any crash and usage data is collected exclusively by the respective app store on its own responsibility (cf. Section 2.4).

8.2 On the website ipin2.de

We use the following cookies and external resources on the website:

Strictly necessary cookies (no consent required, § 25 (2) (2) TTDSG)

Name | Provider | Purpose | Storage duration
wp-wpml_current_language | ipin2.de (first‑party, WPML plugin) | Stores the user's selected language version of the website | Session

Logging mechanisms used
The plugin "Limit Login Attempts Reloaded" logs IP addresses of failed login attempts in the admin area to prevent brute‑force attacks. Storage duration: 30 days. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in IT security).

Web fonts (locally hosted)
Fonts are served locally from our server at STRATO GmbH. There is no transmission to Google or other third parties.

8.3 Consent Management

To manage the cookies and similar technologies used (tracking pixels, web beacons, etc.) and the related consents, we use the consent tool "Real Cookie Banner" by devowl.io GmbH, Tannet 13, 94539 Grafling, Germany.

Details on how "Real Cookie Banner" works can be found at: https://devowl.io/rcb/data-processing/

The legal bases for the processing of personal data in this context are Art. 6 (1) (c) GDPR (compliance with the legal obligation to obtain effective consents) and Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest is the proper management of the cookies used and the related consents.

The provision of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide the personal data. If you do not provide the personal data, we will not be able to manage your consents.

You can withdraw your consent at any time by recalling the cookie banner via the fingerprint icon on every page of the website and adjusting your choices.

Detailed information about our use of cookies can be found in our separate cookie policy: https://ipin2.de/en/cookies-policy/


9. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy in order to adapt it to changes in the legal situation, changes to our products or services, or changes in data processing. However, this applies only to declarations regarding data processing. Insofar as consents from users are required or parts of the Privacy Policy contain provisions of the contractual relationship with users, changes will only be made with the users' consent.

The current version of this Privacy Policy is always available at https://ipin2.de/de/privacy-policy/ (German version) and https://ipin2.de/en/privacy-policy/ (English version).


10. Contact and Right to Complain

Contact for data protection matters

For requests for information, exercise of your rights (cf. Section 7), or general questions about data protection, you can reach us as follows:

Directly at Ibilities Inc. (controller):
Ibilities Inc.
8583 10TH St N, Apt C
St. Petersburg, FL 33702, USA
Email: support@ibilities.com

EU Representative pursuant to Art. 27 GDPR:
Frank Möller
Max‑Beckmann‑Straße 20
60599 Frankfurt am Main, Germany
Email: support@ibilities.com

Both addresses are equally authorized to handle your requests. For users in the EU we recommend contacting our EU Representative.

Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. Due to the seat of our EU Representative in Frankfurt am Main, the following authority is in particular responsible for complaints against Ibilities Inc.:

The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 31 63, 65021 Wiesbaden, Germany
Phone: +49 611 1408‑0
Email: poststelle@datenschutz.hessen.de
Web: https://datenschutz.hessen.de