1. Data Controller
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
Marian Kulisch
Green Quest powered by CursusX
Republic of Korea
Email: contact@cursusx.de
A full postal address will be provided upon legitimate request.
This Privacy Policy applies to the services encirkl (available at encirkl.de / encirkl.com) and Berlin Green Quest, which are operated on the CursusX technical platform.
2. Overview of Data Processing
Our Core Principle: Privacy by Design. We do not store individual movement profiles. Location data is processed exclusively for real-time loop validation and is subsequently aggregated into anonymised area data (polygons). Individual GPS traces are not stored permanently.
2.1 Which services does this policy cover?
- encirkl: Urban loyalty programme — loop validation, badge system, wallet card, partner benefits
- Berlin Green Quest: Gamification for climate action — climate territories, green labels, CO₂ visualisation, team loops
- CursusX Platform: Technical infrastructure — GPS validation, NFC waypoints, app delivery, partner API
3. Types of Data Collected
3.1 Usage Data (collected automatically)
| Data Category | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Device ID (pseudonymised) | Session management, badge assignment | Art. 6(1)(b) GDPR (performance of contract) | Until account / app deletion |
| Browser and device type | App optimisation, compatibility checks | Art. 6(1)(f) GDPR (legitimate interest) | 90 days |
| IP address (truncated) | Security, abuse prevention | Art. 6(1)(f) GDPR | 7 days |
3.2 Location Data (GPS)
Particularly sensitive processing: Location data is only collected when you actively start a loop. Collection is based exclusively on your explicit consent (Art. 6(1)(a) GDPR). You can revoke location access at any time in your device settings.
| Data Category | Purpose | Processing |
|---|---|---|
| GPS coordinates during a loop | Real-time validation: distance, speed, continuity of the walking route | Processed in real time by the CursusX engine; then aggregated into an anonymous polygon (area data) |
| Loop completion (area/polygon) | Badge award, climate territory assignment, CO₂ calculation | Stored permanently as anonymised area data; no inference to individual route possible |
| NFC scan events | Physical proof at waypoints | Timestamp + location of the NFC point; linked to session, not to person |
3.3 Voluntarily Provided Data
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Name / display name | Display on wallet card, leaderboards, personalised badges | Art. 6(1)(a) GDPR (consent) |
| Photo uploads (photo walks) | Community gallery, GPS-validated submission | Art. 6(1)(a) GDPR |
| Green labels (tree markings) | Citizen-driven urban green data, tree watering reports | Art. 6(1)(a) GDPR |
| Team membership | Team loops, collaborative badges | Art. 6(1)(b) GDPR |
| Invitation links | Community growth (anchor point badge) | Art. 6(1)(a) GDPR |
3.4 Data from Website Contact Forms
On encirkl.de and encirkl.com we offer four contact forms, each opened as a modal: beta sign-up, partner inquiry, cities & funding conversation, and general contact. Submission only happens when you actively send the form.
| Form | Fields collected | Purpose | Legal basis |
|---|---|---|---|
| Beta sign-up | First name, Google account email, optional message | Activating your Google account for the closed Play Store beta | Art. 6(1)(b) GDPR (pre-contractual measures) |
| Partner inquiry | First and last name, email, company, partner type, message | Processing your partner inquiry | Art. 6(1)(b) GDPR |
| Cities / funding conversation | First and last name, email, organisation, role, message | Scheduling a conversation and clarifying pilot projects | Art. 6(1)(b) GDPR |
| General contact | First and last name, email, subject, message | Responding to your inquiry | Art. 6(1)(a)/(f) GDPR (consent / legitimate interest) |
Two additional fields are submitted automatically: the form type (form_type) and the originating page URL (page_uri) — used only to route the inquiry.
Transmission: The data is sent via an encrypted HTTPS connection to our email endpoint at https://cursusx.de/email/ and delivered as email to contact@cursusx.de. The recipient and controller is the operator named in §1.
Fallback on transmission error: If the request fails (e.g. network error), your local email client is automatically opened with the entered data as a draft addressed to contact@cursusx.de. You then decide whether to send the email.
Retention: Data is retained for as long as necessary to process your inquiry and any follow-up questions, but no longer than 24 months after the last contact. Statutory retention obligations (e.g. commercial or tax law) remain unaffected.
4. Wallet Card and App
encirkl is delivered as a native app via the Google Play Store and the Apple App Store. The wallet card is stored locally on your device (Apple Wallet / Google Wallet). The following data is stored on your device:
- Display name (if provided)
- Badge status and unlocked badges
- Current partner benefit status
The wallet card communicates with the server via the CursusX API to update badge status in real time and to unlock partner benefits. This communication is encrypted (TLS).
5. Data Sharing with Partners
5.1 Anonymised Movement Reports
Anchor Partners (Tier 1) may receive anonymised, aggregated movement reports. These contain exclusively area data (polygons) and frequency counts — never individual routes, location histories, or personal data.
5.2 Badge Status to Route Partners
When you redeem a partner benefit (e.g. a discount at a route partner), your current badge status is transmitted to the partner's point-of-sale system via the CursusX API. Only the following data is transmitted:
- Badge status level (e.g. "City Walker")
- Eligibility for the specific benefit (yes/no)
No names, location data, movement history, or other personal data is transmitted to partners.
5.3 Green Labels and Urban Green Data
Green labels (markings placed at trees and green spaces) may be shared in anonymised form with mission partners such as Insel Projekt Berlin or the city administration to support urban green maintenance. It is not possible to trace the marking back to the individual who placed it.
6. Cookies and Local Storage
We use only technically necessary storage mechanisms — no marketing cookies, no tracking pixels, no third-party profiling.
6.1 In the App
- Local cache: For offline capability of the app
- Session token: For assigning active loops (temporary)
- Wallet data: Local storage of badge status on your device
6.2 On the website (encirkl.de / encirkl.com)
- Browser localStorage (encirkl-theme): Stores only your light/dark mode preference (values: auto, light, dark). This information stays 100% on your device, is never transmitted to our server, and contains no personal data. You can remove the entry at any time via your browser's developer tools or by clearing the website's site data.
- No cookies: The website sets no cookies — neither first-party nor third-party.
6.3 Plausible Analytics
For anonymous analysis of website usage we use Plausible Analytics — a privacy-friendly analytics tool based in the EU. Plausible uses no cookies, stores no personal data, and is fully GDPR-compliant. Only aggregated data is collected (e.g. page views, referrers, device type). We additionally track the FormSubmit event with the form type (beta/partner/cities/contact) as an anonymised conversion metric — without content or identifiers. Individual user identification is not possible. More information: plausible.io/data-policy.
6.4 Self-hosted fonts
The typefaces Roca Two and Nunito are served locally from our server. No connection is made to Google Fonts, Adobe Typekit or other third-party providers — your browser does not contact external font CDNs.
7. Hosting and Data Processing
The technical infrastructure (CursusX platform) is hosted on servers within the European Union. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with the hosting provider.
Hosting provider: Servers within the EU. Details available upon request at contact@cursusx.de.
8. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): You may request information about which data we process about you.
- Right to rectification (Art. 16): You may request the correction of inaccurate data.
- Right to erasure (Art. 17): You may request the deletion of your data, provided no statutory retention obligations apply.
- Right to restriction of processing (Art. 18): You may request the restriction of the processing of your data.
- Right to data portability (Art. 20): You may receive your data in a structured, commonly used format.
- Right to object (Art. 21): You may object to the processing of your data based on Art. 6(1)(f) GDPR.
- Right to withdraw consent (Art. 7(3)): You may withdraw any consent given (particularly for location data and photo uploads) at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
To exercise your rights, please contact: contact@cursusx.de
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. As the Services are primarily aimed at users in Germany, any German state data protection authority has jurisdiction. For users based in Berlin, this is:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59–61, 10555 Berlin
www.datenschutz-berlin.de
9. Use by Minors
encirkl and Berlin Green Quest are intended for users aged 16 and older. We do not knowingly collect personal data from persons under 16 without parental consent. If we become aware that such data has been processed, we will delete it without delay. Parents or guardians can contact us at any time at contact@cursusx.de.
10. Security of Data Processing
We employ technical and organisational measures to protect your data against accidental or deliberate manipulation, loss, destruction, or unauthorised access. These include TLS encryption (HTTPS) on all websites, access controls on the CursusX platform, local processing of location data on the device, and self-hosting of fonts. Our security measures are continuously improved in line with technological development.
11. Updates to this Privacy Policy
We reserve the right to amend this Privacy Policy so that it always complies with current legal requirements or reflects changes to our services. The new Privacy Policy will then apply to your next visit. Status: May 2026.