Last updated: May 11, 2026
Who we are
Fablum is developed and published by Mad Bunnies (eenmanszaak), Kometenstraat, 1223 CM Hilversum, The Netherlands. KvK: 42018802.
We are the data controller responsible for your data when you use the Fablum app, except for the personal data Apple and Google process to handle your in-app purchase, where Apple and Google act as independent controllers (see “In-app purchases” below).
We are not required to appoint a Data Protection Officer under GDPR Art. 37, as we do not carry out large-scale processing, systematic monitoring, or processing of special categories of data.
For any privacy-related questions, contact us at support@madbunnies.dev.
Scope
This policy applies to the Fablum app distributed through the Apple App Store and Google Play. It does not apply to third-party websites, services, or platforms you may access through links within the app, nor to the payment and account services operated by Apple or Google when you purchase the optional in-app unlock. Those services have their own privacy policies and we are not responsible for their practices.
Data we collect
Fablum uses two Firebase services provided by Google Ireland Limited: Firebase Crashlytics (crash reporting) and Firebase Performance Monitoring (app performance monitoring). Together, these services help us detect bugs and identify performance bottlenecks so we can keep the app running smoothly.
Separately, when you make or restore the optional in-app purchase, the app receives a small set of purchase-related identifiers from Apple StoreKit or Google Play Billing in order to grant you the unlock. That data and the role of Apple and Google are described in the “In-app purchases” section below.
Crash data (Firebase Crashlytics)
When a crash occurs, Crashlytics automatically collects the following diagnostic data:
- Crashlytics installation UUID — a randomly generated per-installation identifier used to deduplicate crash reports
- Crash traces and stack traces — technical logs describing the state of the app at the time of the crash
- Device metadata — device model, CPU architecture, operating system name and version, available RAM and disk space, screen orientation, and whether the device is jailbroken or rooted
- App metadata — app version, build number, bundle identifier, and whether the app was in the foreground or background
- Timestamp of the crash event
- IP address — transmitted to Google’s servers as part of the network connection when crash data is sent; not stored by Firebase Crashlytics but processed transiently during delivery
If a crash happens during a purchase or restore call, the technical error code returned by Apple or Google may appear in the crash log. These codes do not contain payment card details, billing addresses, account email addresses, or any other directly identifying information.
Performance data (Firebase Performance Monitoring)
During normal app use, Firebase Performance Monitoring automatically collects the following data:
- Firebase installation ID — a per-installation identifier used to associate performance events with a single app installation
- Performance traces — timing data for app startup, screen rendering (including slow and frozen frames), and any custom-defined code paths
- HTTP/S network request metrics — URL patterns (without query parameters or request/response bodies), HTTP method, response status code, payload size, and response time
- Device metadata — device model, operating system name and version, available RAM, and carrier information
- App metadata — app version, build number, bundle identifier, and foreground/background state
- Timestamp of each performance event
- IP address — transmitted to Google’s servers as part of the network connection; not stored by Firebase Performance Monitoring but processed transiently during delivery
Unlike crash data, performance data is collected continuously while the app is in use, not only when something goes wrong.
Personal data classification
Under many applicable data protection laws, the Crashlytics installation UUID, the Firebase installation ID, the IP address, and purchase-related identifiers issued by Apple or Google are classified as personal data because they are identifiers capable of singling out a device or a transaction. We treat them accordingly throughout this policy.
We do not collect your name, email address, phone number, physical address, payment card or bank details, billing address, location data, reading habits, book content, or any other information that directly identifies you. We do not have user accounts. We do not use analytics, advertising SDKs, or tracking technologies of any kind. Firebase Performance Monitoring measures only technical performance metrics — it does not track your behavior, your reading activity, or how you use the app.
In-app purchases
Fablum is free to download. It includes one optional one-time in-app purchase (“Fablum Unlimited”) that removes the 5-book limit on the number of books you can add to your library. The purchase is processed entirely by Apple (on iOS) or Google (on Android). We do not operate any payment infrastructure of our own and never receive your payment card details, billing address, or the email address associated with your Apple ID or Google account.
When you buy or restore the unlock, the app receives the following data from Apple StoreKit or Google Play Billing for the sole purpose of verifying your entitlement on your device:
- Transaction or order identifier — issued by Apple or Google to identify the purchase
- Product identifier — a fixed string identifying the unlock (
fablum_lifetime_unlock_03052026) - Purchase timestamp
- Receipt or purchase token — a signed payload Apple or Google issues to prove the purchase is genuine
- Purchase state — whether the purchase is owned, refunded, or pending
This information is processed locally on your device to grant the unlock. It is not transmitted to any server we control (we do not operate any), it is not linked to any user account because Fablum does not have accounts, and it is not used for any purpose other than determining whether the unlock is active.
Apple and Google as independent controllers
For the payment transaction itself, Apple Distribution International Limited (Hollyhill Industrial Estate, Hollyhill, Cork T23 YK84, Ireland) and Google Commerce Limited (Gordon House, Barrow Street, Dublin 4, Ireland — for EU/EEA/UK users; Google LLC for other regions) act as the sellers of record and as independent data controllers for the personal data they collect to process your purchase. That data includes, depending on the platform, your Apple ID or Google account identifier, payment method details, billing address, country of taxation, and purchase history within their own systems. We have no contractual relationship with you for the payment itself and no access to that data. Their processing is governed by their own privacy policies and terms:
- Apple Privacy Policy and Apple Media Services Terms
- Google Privacy Policy and Google Play Terms of Service
Family Sharing and Family Library
The unlock is a non-consumable in-app purchase. If you choose to share Fablum Unlimited through Apple Family Sharing or Google Play Family Library, Apple or Google may make the entitlement available to other members of your family group. The app determines entitlement from the receipt or purchase token issued to the device on which it is running; we do not identify family members, sharing relationships, or family-group structure. Sharing is governed by Apple’s and Google’s own terms.
Third-party catalog connections
Fablum includes a built-in book catalog provided by Project Gutenberg (gutenberg.org). When you browse or download books from this catalog, your device connects directly to Project Gutenberg’s servers, which are located in the United States. This means your IP address and standard HTTP request data (such as the request URL and User-Agent header) are transmitted to those servers as part of the connection.
This data transmission is necessary to provide the catalog and download functionality you request (GDPR Art. 6(1)(b)). We do not control how Project Gutenberg processes the data it receives. We do not receive, store, or have access to any data exchanged between your device and Project Gutenberg’s servers.
Data that stays on your device
Your books, reading progress, bookmarks, highlights, library organization, preferences, and the local record of your unlock entitlement (a flag indicating whether Fablum Unlimited is active on this device) are stored exclusively on your device. We have no access to this data and never transmit it to our servers or to any third party.
Purpose and legal basis for processing
We process crash data and performance data solely to maintain and improve the stability and responsiveness of Fablum. We have a legitimate interest in ensuring the app works reliably and performs well for all users. The processing is limited to technical diagnostic data — crash reports when the app fails, and performance metrics during normal use — does not involve behavioral profiling or tracking, and has minimal impact on your privacy.
We process purchase-related identifiers (transaction or order ID, product ID, timestamp, receipt or purchase token, purchase state) only to deliver the digital content you have asked us to deliver: enabling the Fablum Unlimited feature on your device after a successful purchase or restore. The legal basis is contract performance.
The specific legal basis depends on the law applicable to you:
| Jurisdiction | Law | Basis — crash and performance data | Basis — purchase data |
|---|---|---|---|
| EU/EEA | GDPR Art. 6(1)(f) — legitimate interest | Maintaining app stability, fixing bugs, and improving performance | GDPR Art. 6(1)(b) — performance of a contract with you to deliver the unlock |
| United Kingdom | UK GDPR Art. 6(1)(f) — legitimate interest | Same as above | UK GDPR Art. 6(1)(b) — performance of a contract |
| Brazil | LGPD Art. 10 — legitimate interest | Same | LGPD Art. 7(V) — performance of a contract |
| Thailand | PDPA Sec. 24(5) — legitimate interest | Same | PDPA Sec. 24(3) — necessary for performance of a contract |
| South Korea | PIPA Art. 15(1)(6) — legitimate interest | Transfer details in sections below | PIPA Art. 15(1)(4) — necessary to perform a contract |
| Canada | PIPEDA — implied consent | This policy serves as notice | PIPEDA — implied consent through purchase |
| Singapore | PDPA — statutory exception | Business improvement (2021 amendments) | PDPA — necessary for the conclusion or performance of a contract |
| USA — California | CalOPPA — disclosure | CCPA/CPRA: threshold-dependent | CCPA/CPRA: threshold-dependent; receipt data is not sold or shared |
| Other | — | Consent (may be withdrawn at any time; requires uninstalling the app) | Performance of the purchase contract you initiated |
Providing your data
You are not required by law or by contract to provide any data to us. Crash data is collected automatically by Firebase Crashlytics when a crash occurs, and performance data is collected automatically by Firebase Performance Monitoring during normal app use. There is no way to opt out of this data collection while using the app. If you do not wish to share this data, you may uninstall the app. Neither crash reporting nor performance monitoring affects the core functionality of Fablum — both are used solely to help us improve the app’s stability and responsiveness.
Purchase data is processed only if you choose to buy or restore the optional Fablum Unlimited unlock. You can use the free version of Fablum without ever sharing any purchase-related data with us.
Third parties involved
Firebase Crashlytics and Firebase Performance Monitoring: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) processes crash data and performance data on our behalf. Google Ireland Limited acts as a data processor (or service provider, where that term applies) and is contractually bound by the Firebase Data Processing Terms not to use this data for its own purposes. Google Ireland Limited may use sub-processors, including Google LLC infrastructure in the United States, subject to the safeguards described below. For details on how Google handles data, see Google’s privacy policy and Firebase’s privacy and security documentation.
Apple StoreKit / Apple Media Services: Apple Distribution International Limited (and its affiliates) handles the payment, billing, fraud prevention, and tax reporting for Fablum Unlimited on iOS. Apple acts as an independent controller for that processing — not as our processor — and is the seller of record for the transaction.
Google Play Billing: Google Commerce Limited (for EU/EEA/UK users) or Google LLC (for other regions) handles the payment, billing, fraud prevention, and tax reporting for Fablum Unlimited on Android. Google acts as an independent controller for that processing — not as our processor — and is the seller of record for the transaction.
Project Gutenberg: When you use the built-in catalog, your device connects directly to servers operated by Project Gutenberg (gutenberg.org) in the United States. Project Gutenberg is an independent third party — we have no contractual relationship with them and no control over their data practices.
International data transfers
While our contractual data processor is Google Ireland Limited (an entity within the EEA), crash data and performance data may be transferred to and processed on Google infrastructure in the United States or other countries outside your jurisdiction.
When you make an in-app purchase, Apple or Google may also transfer purchase-related personal data they hold about you to other countries in line with their own privacy policies. We have no control over those transfers.
These transfers are protected by appropriate safeguards, including:
- EU/EEA and UK: Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable under Google’s Data Processing Terms; Apple’s and Google’s own EEA/UK transfer mechanisms for purchase data.
- South Korea: Overseas transfer disclosures under PIPA Art. 28-2 — crash data and performance data are transferred to Google Ireland Limited (and its sub-processors, including Google LLC in the United States) for the purpose of crash report and performance data processing and storage, as described in this policy. Purchase data transferred by Apple or Google is governed by their respective overseas-transfer disclosures.
- Other jurisdictions: Contractual protections under the Firebase Data Processing Terms; Apple’s and Google’s own contractual safeguards for purchase data.
Fablum is available worldwide through the Apple App Store and Google Play. We do not specifically target users in jurisdictions that require data localization (such as Russia or China) and do not maintain local data storage infrastructure in those countries. Users in such jurisdictions should be aware that all crash, performance, and purchase data is processed outside their country as described above.
Data retention
Crash reports, including the Crashlytics installation UUID, are retained by Firebase for 90 days before deletion from live and backup systems begins. Performance data, including the Firebase installation ID, is retained by Firebase for 90 days on the same schedule. IP addresses are not stored by either Firebase Crashlytics or Firebase Performance Monitoring. Aggregated, de-identified statistics (such as crash counts per app version or average startup times) may persist beyond this period but contain no identifiers.
Purchase-related identifiers received from Apple StoreKit or Google Play Billing are retained on your device for as long as the app is installed, so the unlock continues to apply across launches. The same data is retained by Apple or Google in their own systems under their own retention policies.
We do not operate our own servers for Fablum and do not retain crash, performance, or purchase data outside of Firebase and your device. If you contact us by email, we retain your correspondence (including your email address) for as long as necessary to resolve your inquiry and comply with legal obligations.
Deleting your data
You can request deletion of crash data and performance data associated with your device by contacting us at support@madbunnies.dev. We will process your request and instruct Google to delete the relevant data from both Firebase Crashlytics and Firebase Performance Monitoring.
You can also reset your Crashlytics installation UUID and Firebase installation ID at any time by reinstalling the app, which severs the link between future data and past data. Reinstalling will also clear the local copy of the unlock receipt; you can recover it at any time using the “Restore Purchases” function in Fablum’s settings, which re-fetches the receipt from Apple or Google.
For deletion of the purchase data Apple or Google retain (such as your purchase history within the App Store or Play Store), please contact Apple or Google directly using the controls in their privacy and account settings — that data is not held by us.
Automated decision-making
We do not use automated decision-making or profiling based on your personal data.
Children’s privacy
Fablum is not directed at children. We do not knowingly collect personal data from children as defined under applicable laws (under 13 in the United States under COPPA, under 16 in the EU under GDPR, under 18 in South Africa under POPIA and in India under DPDPA).
If you believe that a child has used the app and you would like data associated with their device removed, please contact us and we will delete it promptly. Purchases made on a child’s device are governed by Apple’s and Google’s family-account, parental-approval, and refund mechanisms.
Your rights
Depending on where you live, you may have some or all of the following rights with respect to the data we process:
- Access — request confirmation of whether we process your data and obtain a copy (GDPR Art. 15, CCPA, LGPD, POPIA, DPDPA, APPI, PDPA Thailand, PDPA Singapore, PIPEDA)
- Correction — request correction of inaccurate data (GDPR Art. 16, LGPD, POPIA, DPDPA, PDPA Thailand, PIPEDA)
- Deletion — request erasure of your data (GDPR Art. 17, CCPA, LGPD, POPIA, DPDPA, PIPL, PDPA Thailand, PDPA Singapore)
- Restriction — request that we limit processing of your data (GDPR Art. 18, LGPD)
- Portability — receive your data in a structured, machine-readable format (GDPR Art. 20, LGPD, DPDPA)
- Objection — object to processing based on legitimate interest (GDPR Art. 21, LGPD, PDPA Thailand)
- Withdraw consent — where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing (GDPR Art. 7, LGPD, PIPL, DPDPA)
- Non-discrimination — not be treated differently for exercising your rights (CCPA, LGPD)
- Complaint — lodge a complaint with your local data protection authority (see below)
Because we collect only minimal technical data tied to random installation identifiers (not to your name or account), we may be unable to verify your identity or locate your specific data without additional information. In such cases, we will work with you in good faith to fulfil your request to the extent possible.
To exercise rights with respect to the personal data Apple or Google process for your purchase (Apple ID, account email, payment details, billing address, purchase history within their systems), please contact Apple or Google directly using the privacy controls in their respective accounts.
To exercise any of these rights against us, email us at support@madbunnies.dev.
Withdrawing consent
Where our processing of your data is based on consent, you may withdraw that consent at any time by uninstalling the app, which stops all future crash and performance data collection and resets the Crashlytics installation UUID and Firebase installation ID. You may also contact us at support@madbunnies.dev to request deletion of previously collected data.
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, and does not undo a completed in-app purchase, which is governed by Apple’s or Google’s refund mechanisms and the consumer-rights provisions in our Terms of Use.
Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top of this page and notify you through the app or other appropriate means where a material change affects how your data is processed.
Complaints
If you are not satisfied with how we handle your data or respond to your request, you have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), Hoge Nieuwstraat 8, 2514 EL Den Haag, The Netherlands. For UK residents, contact the Information Commissioner’s Office. For EU/EEA residents in other member states, a list of supervisory authorities is available at edpb.europa.eu.
Contact
For any questions, concerns, or requests related to this policy or your data, reach out at support@madbunnies.dev.