We analyse the app to record any potential violations and generate a technical report on that.
The user sends a message to the company responsible for the app and demands they remedy the violations (attaching the technical report).
If that doesn't help after some time (1 month? 3 months?), we give the user two options on how to proceed:
If they want to submit a formal complaint, they need to prove that they are personally affected. For that, we will provide instructions on how to collect a list of DNS hostnames that the app has contacted on their device (see #8). They can then submit that in conjunction with our technical report.
If they don't want to analyse their own device, they can instead only use our technical report to informally ask the authority to start their own investigation.
This is the flow we currently have in mind: