Legal
Privacy Policy
Last updated: July 2026
Thank you for your interest in pingmigo.app. Protecting your personal data is important to us. Below we provide detailed information on how we handle your data in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
The controller within the meaning of data protection law, in particular the GDPR, is:
The CodeCave GmbH
Alfred-Nobel-Str. 2950226 Frechen
Germany
Represented by the Managing Directors Aleksandar Jovanović and Tilman Kieselbach
Phone: +49 152 04943138
Email: info@thecodecave.de
We have not appointed a data protection officer, as we are not legally required to do so. If you have any questions about data protection, please contact the email address above.
2. General information on data processing
We generally process the personal data of our users only to the extent necessary to provide a functional website as well as our content and services. As a rule, processing takes place only with the user's consent or in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
Legal bases for processing
- Art. 6 (1) (a) GDPR serves as the legal basis where we obtain consent for processing operations.
- Art. 6 (1) (b) GDPR is the legal basis where processing is necessary for the performance of a contract or pre-contractual measures.
- Art. 6 (1) (c) GDPR applies where we are subject to a legal obligation (e.g. tax retention obligations).
- Art. 6 (1) (f) GDPR is the legal basis where processing is necessary to safeguard a legitimate interest and the interests, fundamental rights, and freedoms of the data subject do not override it.
Storage period and deletion
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage beyond this may occur if provided for by European or national legislation to which the controller is subject. In particular, the commercial and tax retention periods apply (generally 6 or 10 years).
3. Provision of the website and server log files
Our website and dashboard are hosted by Cloudflare, Inc.(Cloudflare Pages and Workers). Each time the site is accessed, Cloudflare, as a processor, automatically collects information transmitted by your browser in so-called server log files. These are in particular:
- IP address of the requesting device (shortened/pseudonymized)
- Date and time of access
- Name and URL of the retrieved file
- Website from which access is made (referrer URL)
- Browser used and, if applicable, your computer's operating system
Processing takes place to ensure a smooth connection setup, comfortable use, to evaluate system security and stability, and for further administrative purposes. The legal basis is our legitimate interest in the technically error-free presentation and security of our website (Art. 6 (1) (f) GDPR).
Cloudflare may also transfer data to the USA. This is based on the European Commission's standard contractual clauses. We have concluded a data processing agreement (Art. 28 GDPR) with Cloudflare. Further information can be found athttps://www.cloudflare.com/privacypolicy/.
4. Cookies and local storage
We do not use tracking cookies on our marketing website (pingmigo.app). Within our logged-in area (dashboard) we use technically necessary cookies or comparable technologies (e.g. local storage) to maintain the login (session) and provide basic functions. This data is strictly necessary for the operation of the service; the legal basis is Art. 6 (1) (b) and (f) GDPR and § 25 (2) TDDDG.
5. Registration and user account
To use our service, you can create a user account. In doing so, we process the data you provide, in particular your email address and a password (stored only as a salted hash), any display name, and information about your organization. Authentication is handled via the self-hosted library "better-auth".
The legal basis is Art. 6 (1) (b) GDPR, as the processing is necessary for the performance of the usage contract. Account data is stored for the duration of the user account's existence and removed after its deletion, unless statutory retention obligations apply.
6. Operation of the service and content data
pingmigo.app enables your AI agents (e.g. via the Model Context Protocol) to send progress, questions, and results to your devices. In doing so, we process and store exclusively the content transmitted by you or your agents, in particular:
- Content of threads, messages, and activities (incl. checklists)
- Optional information on agent, model, and host/device name
- Timestamps and status of the respective processes
pingmigo.app does not connect to your code repositories and does not scan them. Only the data actively transmitted by the agent is stored. Processing of this data takes place to provide the contractually agreed service (Art. 6 (1) (b) GDPR).
Application data is stored via the backend service Convex(Convex, Inc., USA) as a processor. This may involve a transfer to the USA, which is safeguarded on the basis of the EU standard contractual clauses. A data processing agreement pursuant to Art. 28 GDPR is in place.
7. Push notifications
A core part of our service is sending push notifications to your registered devices (web browser as well as iOS/Android app). For this purpose, we process device-specific push tokens. Technical delivery takes place via the push services of the device manufacturers:
- Apple Push Notification service (APNs) by Apple Inc. for iOS devices
- Firebase Cloud Messaging (FCM) by Google Ireland Ltd. or Google LLC for Android and web push
The push token and the notification content are transmitted to the respective service. The legal basis is the performance of the contract (Art. 6 (1) (b) GDPR), as the sending of notifications constitutes the main service. You can deactivate the receipt of notifications at any time in the settings of your device or your account. This may also involve a data transfer to the USA, which is safeguarded by standard contractual clauses.
8. Payment processing
For paid plans we use the payment service provider Stripe(Stripe Payments Europe, Ltd., Ireland, and Stripe, Inc., USA). When you subscribe to a paid plan, the data required for payment processing (e.g. name, email address, payment details) is transmitted directly to Stripe and processed there. We do not receive or store your full payment data (e.g. credit card number); we only store a pseudonymous customer and subscription identifier as well as the payment status.
The legal basis is the performance of the contract (Art. 6 (1) (b) GDPR) and the fulfillment of legal obligations (Art. 6 (1) (c) GDPR). Stripe's privacy information can be found athttps://stripe.com/privacy.
9. Web analytics (Rybbit)
To statistically evaluate the use of our marketing website, we useRybbit, a self-hosted, privacy-friendly analytics software. Rybbit works without cookies and refrains from processing personal data in a way that would allow the identification of individual visitors. Aggregated metrics such as page views, referrers, approximate region of origin, and the browser type used are collected. IP addresses are not stored permanently.
The legal basis is our legitimate interest in the needs-based design and statistical optimization of our offering (Art. 6 (1) (f) GDPR). As processing takes place without cookies and without identifying individuals, no consent is required.
10. Product analytics in the dashboard and app (PostHog)
Within our logged-in dashboard and our mobile app, we usePostHog for product analytics in order to improve features and detect errors. We use the EU instance of PostHog (PostHog, operated in the European Union, eu.i.posthog.com), so that the data is processed within the EU. Event and usage data (e.g. viewed screens, triggered actions, device type) is collected in connection with a pseudonymous identifier.
The legal basis is our legitimate interest in improving and securing our service (Art. 6 (1) (f) GDPR). Our marketing website (pingmigo.app) does not use PostHog.
11. Contacting us
If you contact us by email, we process the data you provide (in particular email address and message content) solely to process your request. The legal basis is our legitimate interest in responding to your request (Art. 6 (1) (f) GDPR) or, if the request is aimed at concluding a contract, Art. 6 (1) (b) GDPR. We delete this data as soon as storage is no longer necessary, or restrict processing if statutory retention obligations exist.
12. Data transfer to third countries
As described in this policy, we partly use service providers based in a third country (in particular the USA) or that process data there (including Cloudflare, Convex, Stripe, Apple, Google). A transfer only takes place if an adequate level of data protection is guaranteed. We ensure this in particular by concluding the European Commission's standard contractual clauses (Art. 46 GDPR) and – where applicable – through certification under the EU-US Data Privacy Framework.
13. Your rights as a data subject
Under the GDPR, you have in particular the following rights:
- Access (Art. 15 GDPR) to the data stored about you;
- Rectification (Art. 16 GDPR) of incorrect or incomplete data;
- Erasure (Art. 17 GDPR) of your data;
- Restriction of processing (Art. 18 GDPR);
- Data portability (Art. 20 GDPR) in a structured, commonly used, and machine-readable format;
- Objection (Art. 21 GDPR) to processing, see the separate note below;
- Withdrawal of consent (Art. 7 (3) GDPR) with effect for the future.
To exercise your rights, an informal message toinfo@thecodecave.de is sufficient.
Right to object
Insofar as we process your personal data on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, you have the right to object to this processing at any time for reasons arising from your particular situation.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen).
14. Data security
Within the website visit we use the widely used TLS (Transport Layer Security) procedure in combination with the highest level of encryption supported by your browser. In addition, we take appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons.
15. Validity and changes to this privacy policy
This privacy policy is currently valid. Due to the further development of our website and offerings or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. The current version can be accessed on this page at any time.
This English text is provided for your convenience. In case of any discrepancy, the German original (Datenschutzerklärung) prevails.