Vario One App Privacy Policy

This privacy policy describes what personal data the Vario One mobile app (iOS and Android) processes, which third-party services are integrated, and how your rights are protected.

A separate privacy policy for the website is available at vario-one.com/en/datenschutz.

1. Data Controller

The party responsible for data processing in the app is:

Leobalo GmbH
Tino Volbracht
Schwester-Jovita-Str. 15
64625 Bensheim, Germany
Email:

2. Data Processed on Your Device

2.1 Location Data (GPS)

During a flight, the app continuously reads your position (latitude, longitude, GPS altitude, speed, heading) from your device's location service. This data is used for:

  • Live display of position, altitude, speed and heading
  • Flight track recording (IGC and GPX files)
  • Wind and thermal calculations
  • Optional: transmission to SafeSky (see section 5.3)
  • Optional: synchronisation with the backend (see section 4)

Recording also runs in the background with the screen off (foreground service) so your flight isn't interrupted when the phone is in your pocket. GPS altitude is corrected to mean-sea-level altitude using the EGM96 geoid model — this calculation happens locally on your device.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Without location access, the core function of the app (flight recording) cannot be provided.

2.2 Sensor Data (Barometer, Accelerometer, Magnetometer)

If your device has the corresponding sensors, the app reads:

  • Barometric pressure → for precise altitude and climb-rate (vario) calculation
  • Accelerometer → for takeoff/landing detection and stability filters
  • Magnetometer → for the compass display

This data stays on your device and is not transmitted to third parties or our backend.

2.3 Bluetooth Connection to External Devices

If you pair an external BLE variometer (BlueFly, SkyDrop, XCTracer or similar), the app communicates with the device via Bluetooth Low Energy. Transmitted data includes vario readings, altitude and possibly device configuration. No MAC address or device identifier is stored beyond the app session; pairing information stays in your device's system Bluetooth stack.

2.4 Locally Stored Flight Recordings

When you end a flight, the app writes the following files into the app's own private storage area (not publicly accessible):

  • IGC file — standardised flight format of the Fédération Aéronautique Internationale, containing GPS trace, timestamps and (if available) barometric altitude; signed with an Ed25519 G-record
  • GPX file — generic GPS-track format
  • Flight log statistics — metadata such as date, duration, max altitude, max speed, max climb rate

This data remains local until you actively delete it or uninstall the app. With cloud synchronisation enabled, it is additionally transferred to the backend (section 4).

3. Account and Subscription

3.1 Login (Email + Password)

When you register for an account, we store your email address and a cryptographic hash of your password (never plaintext) in our backend. Login uses JSON Web Tokens (JWT) valid for 90 days. Apple Sign-In is supported on iOS and transmits only a pseudonymous Apple identifier plus optionally your email.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3.2 Pilot Profile (Optional)

In the settings you can voluntarily enter pilot name, glider model and class. These details are embedded into IGC files as header data (this is the standard in air-sports) and optionally synchronised with our backend.

3.3 Subscription via Google Play Billing / Apple In-App Purchase

Premium subscriptions are processed via your device's app store:

  • Android: Google Play Billing. Google processes your payment details; we receive only a subscription token, which we forward to our backend to verify your premium status.
  • iOS: Apple In-App Purchase. Apple processes your payment details; we receive only a receipt validation about subscription status.

We do not store any credit-card data or other payment methods.

4. Cloud Synchronisation and Backend

If you enable cloud sync in the settings, the following data is transmitted to our backend (https://api.vario-one.com):

  • Flight metadata (start, end, duration, max altitude, speed, climb rate)
  • IGC and GPX files
  • Pilot profile data (if entered)

Server location: Our backend runs on servers hosted by Hetzner Online GmbH in Germany. Connections are exclusively encrypted via HTTPS (TLS 1.2+).

Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Cloud sync is opt-in — the app also works fully offline.

5. Third-Party Services in the App

5.1 Map Tiles: Mapbox and Google Maps

For map rendering the app uses the Mapbox SDK (Mapbox Inc., USA — certified under the EU-US Data Privacy Framework) and, on Android, optionally Google Maps (Google LLC, USA). When map tiles are loaded, your IP address is transmitted to the respective servers; user-tracking telemetry is not enabled.

Mapbox privacy policy: mapbox.com/legal/privacy

Legal basis: legitimate interest in providing functional maps (Art. 6(1)(f) GDPR).

5.2 Google Play Billing / Apple In-App Purchase

See section 3.3. Both services are certified under the EU-US Data Privacy Framework.

5.3 SafeSky (Optional, With Your Consent)

SafeSky (SafeSky SRL, Belgium) is a real-time air-traffic awareness network. The app can RECEIVE SafeSky data to show nearby traffic — only your position is sent as an HTTP request, without persistent identification.

Optionally, you can enable in the app settings that your own position is transmitted to SafeSky (so others can see you). This feature is explicitly opt-in and can be deactivated at any time. When enabled, GPS position, altitude, heading, speed and a randomly generated pilot identifier are transmitted to SafeSky servers (located in the EU).

Legal basis: consent (Art. 6(1)(a) GDPR). SafeSky privacy policy: safesky.app/privacy

5.4 Flight Upload to Competition Portals (XContest, DHV-XC)

At your explicit request the app can upload a flight to competition portals:

  • XContest (XContest s.r.o., Czech Republic): Upload transmits the IGC file, your XContest username and the password you provide
  • DHV-XC (Deutscher Hängegleiterverband e. V., Germany): Upload transmits the IGC file and your DHV credentials

These transfers only occur when you explicitly trigger them. Credentials are stored encrypted in the Android Keystore (or iOS Keychain) on your device.

Legal basis: consent (Art. 6(1)(a) GDPR).

5.5 Wind Stations via Holfuy

To show current wind data the app queries publicly accessible wind stations through the Holfuy API (Holfuy SK s.r.o., Slovakia). Only your position is transmitted; no user identification takes place.

6. Permissions Requested by the App

The app requests the following permissions. Before each system dialog, an explanatory in-app screen appears:

  • Location (foreground + background) — for GPS tracking during the flight
  • Notifications — for landing detection, flight status and traffic alerts
  • Bluetooth (scan + connect) — only if you pair an external BLE variometer
  • Battery-optimization exemption — so recording isn't interrupted mid-flight

You can revoke any permission in your device's system settings at any time. Restricted permissions result in restricted functionality (e.g. no GPS tracking without location permission).

7. Data Retention and Deletion

  • Locally stored flights: remain until you uninstall the app or manually delete them.
  • Cloud-synchronised flights: stored as long as your account exists. You can delete individual flights in the app or have your account fully removed (by email to ).
  • Account data: retained until account deletion. Deleting your account also removes all linked cloud flights.
  • Authentication token: valid for 90 days, after which a manual re-login is required.

8. Your Rights

Under GDPR you have the following rights regarding your personal data:

  • Right to information (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR) — including account deletion with all data
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR) — you can export all your flights as IGC/GPX
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (e.g. SafeSky position broadcasting) — at any time in the app settings or by email

9. Contact for Data-Protection Inquiries

For questions about data protection, to exercise your rights, or for account deletion:

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data-protection supervisory authority about the processing of your personal data. The competent authority for us is the supervisory authority of the German state of Hesse.

Last updated: May 2026 (Beta version — will undergo legal review before public release)