Privacy Policy

Last updated October 4th, 2024.

Privacy Policy

1. Information on the Collection of Personal Data and Contact Details of the Controller 1.1 We are pleased that you are using our application (hereinafter “App”). Below we inform you about the handling of your personal data when using our App. Personal data is all data by which you can be personally identified. 1.2 The controller for data processing in relation to this App in terms of the General Data Protection Regulation (GDPR) is David Schlauch, PNLP (owner: David Schlauch), Abtwilerstraße 11, 87776 Sontheim, Germany, Tel.: 015154879029, Email: [email protected]. The controller for the processing of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data. 1.3 For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to the controller), this App uses SSL or TLS encryption. You can recognize an encrypted connection by the string “https://” and the lock icon in your browser line.

2. Use of Single Sign-On Procedures Google Sign-In On our website, we provide a single sign-on function of the following provider: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland In addition to a transmission of data to the aforementioned provider location, data can also be transmitted to: Google LLC, USA If you have an account with the provider, you can use those account details to create a user account or to register on our website. When you visit this page, a direct connection between your browser and the provider’s servers can be established via this login function, even if you do not have an account with the provider or are not logged into such an account. The provider thus receives the information that you have visited our page. The information collected in this way (possibly including your IP address) is transmitted directly from your browser to a server of the provider and stored there. However, the information is not used to personally identify you and is not shared with third parties. These data processing operations are carried out according to Art. 6 Para. 1 lit. f GDPR on the basis of our legitimate interest in a user-friendly and interactive design of our online presence. If you use the login button to register on our website with your account data from the provider, the provider will only transmit the general and publicly accessible information stored in your account (user ID, name, address, email address, age, and gender) to us based on your explicit consent according to Art. 6 Para. 1 lit. a GDPR. We store and use the data transmitted by the provider to set up a user account with the necessary data (title, first name, last name, address data, country, email address, date of birth) if you have released this information to the provider. Conversely, data (e.g., information about your surfing or purchasing behavior) can be transferred from us to your account with the provider based on your consent. The granted consent can be revoked at any time with effect for the future against us. For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection based on a decision of adequacy by the European Commission.

3. Log Files When Using Our Mobile App When you download our mobile app from an app store, the required information is transmitted to the app store, in particular, user name, email address, and customer number of your account, time of download, payment information, and the individual device identifier. We have no control over this data collection and are not responsible for it. We only process the data to the extent necessary for downloading the mobile app to your mobile device. When using our mobile app, we collect the personal data described below to enable the comfortable use of the functions. If you wish to use our mobile app, we collect the following data, which is technically necessary for us to offer you the features of our mobile app and to ensure stability and security:

• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request
• Access status/http status code
• Volume of data sent in bytes
• Source/reference from which you reached the page
• Browser used
• Language and version of the browser software
• Operating system used and its interface
• Used IP address (if applicable: in anonymized form) The processing is carried out according to Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our app. The data is not passed on or used in any other way. However, we reserve the right to subsequently check the aforementioned log files if concrete evidence indicates illegal use. Furthermore, we need your unique device number (IMEI = International Mobile Equipment Identity), unique subscriber number (IMSI = International MobileSubscriber Identity), mobile phone number (MSISDN), possibly MAC address for Wi-Fi use, and the name of your mobile device.

4. Hosting & Content Delivery Network 4.1 Firebase Cloud Storage We use the web hosting service “Firebase Cloud Storage” of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) for hosting and displaying the App contents on the basis of processing on our behalf. All data collected on our website is processed on Google’s servers. As part of the aforementioned services, data may also be processed on behalf of Google LLC in the USA. We have entered into a data processing agreement with Google for the use of Firebase, obligating Google to protect the data of our site visitors and not to disclose it to third parties. For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection based on a decision of adequacy by the European Commission. Further information on Google’s privacy policy regarding Firebase can be found on the following website: https://firebase.google.com/support/privacy Further processing on other servers than the aforementioned ones by Google only takes place within the framework communicated below. 4.2 Google Cloud CDN We use a Content Delivery Network of the following provider: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland This service enables us to deliver large media files such as graphics, page content, or scripts faster through a network of regionally distributed servers. The processing is carried out to maintain our legitimate interest in improving the stability and functionality of our website according to Art. 6 Para. 1 lit. f GDPR. Data can also be transferred to: Google LLC, USA We have concluded a data processing agreement with the provider, which ensures the protection of the data of our site visitors and prohibits unauthorized disclosure to third parties. For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection based on a decision of adequacy by the European Commission.

5. Contacting Us When contacting us (e.g., via contact form or email), personal data is collected. Which data is collected in the case of a contact form can be seen from the respective contact form in the App. This data is stored and used exclusively for the purpose of responding to your request or for establishing contact and the associated technical administration. The legal basis for processing this data is our legitimate interest in answering your request according to Art. 6 Para. 1 lit. f GDPR. If your contact is aimed at concluding a contract, then an additional legal basis for the processing is Art. 6 Para. 1 lit. b GDPR. Your data will be deleted after final processing of your inquiry; this is the case if it can be inferred from the circumstances that the matter in question has been conclusively resolved and provided that there are no legal storage obligations to the contrary.

6. Data Processing for Opening a Customer Account According to Art. 6 Para. 1 lit. b GDPR, personal data continues to be collected and processed if you provide it to us for the execution of a contract or when opening a customer account. Which data is collected can be seen from the respective input forms. Deleting your customer account is possible at any time and can be done by a message to the above address of the controller. We store and use the data provided by you for contract processing. After complete processing of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial retention periods and deleted after the expiry of these periods, unless you have expressly consented to further use of your data or a legally permitted further data use was reserved by our side, about which we will inform you accordingly below.

7. Data Processing for Contract Execution For the execution of contracts concluded via the App, we work with the following service providers who assist us wholly or partly in the execution of concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information. The personal data collected by us will be passed on to the transport company commissioned with the delivery within the scope of contract processing, insofar as this is necessary for the delivery of the goods. Your payment data will be passed on to the commissioned credit institution as part of the payment processing, if this is necessary for payment handling. If payment service providers are used, we explicitly inform you about this below. The legal basis for the transfer of data is Art. 6 Para. 1 lit. b GDPR.

[Note: The continuation regarding app registration, push notifications, online marketing, tools, and rights of the data subject, as well as the duration of storage of personal data, is based on the provided content and would follow similar translations and adaptations to align with GDPR and relevant legal frameworks.]

8. Registration in the App You can register in our app by providing personal data. The personal data processed for registration is determined by the input mask used for registration. We use the so-called double opt-in procedure for registration, i.e., your registration is only completed if you have previously confirmed your registration via a confirmation email sent to you for this purpose by clicking on the link contained therein. If your confirmation is not received within 24 hours, your registration will be automatically deleted from our database. The provision of the aforementioned data is mandatory, all other information you can provide voluntarily by using our portal. If you use our app, we store your data necessary for the fulfillment of the contract, possibly including details on the method of payment, until you finally delete your access. Furthermore, we store the voluntary data you provide for the time of your use of the portal, unless you delete it beforehand. You can manage and change all information in the protected customer area. The legal basis is Art. 6 Para. 1 lit. f GDPR. Additionally, we store all content published by you (such as public posts, pinboard entries, guestbook entries, etc.) to operate the app. We have a legitimate interest in providing the app with the complete User-Generated Content. The legal basis for this is Art. 6 Para. 1 lit. f GDPR. If you delete your account, your statements, especially in the forums, remain visible to all readers, but your account can no longer be accessed. All other data will be deleted in this case.

9. Sending of Push Notifications You can sign up to receive our push notifications. Through our push notifications, you will regularly receive information about our services. For registration, you need to confirm the receipt of notifications or allow it in your device settings. This process is documented and stored. This includes storing the time of registration and your device identification. The collection of this data is necessary so we can show the push notifications to you and, in case of misuse, to be able to trace the processes and therefore serves our legal protection. The processing of this data is based on Art. 6 Para. 1 lit. a GDPR. You can revoke your consent to the storage and use of your personal data to receive our push notifications and the described statistical collection at any time with effect for the future. For the purpose of revoking consent, you can adjust the corresponding setting for receiving push notifications in your device settings of the app. Your data will be deleted as soon as it is no longer required for the purpose of its collection. Thus, your data will be stored as long as the subscription to our push notifications is active.

10. Tools and Miscellaneous Firebase Crashlytics We use “Firebase Crashlytics”, a service of Google Ireland Ltd., Google Building Gordon House, Barrow Street, Dublin 4, Ireland, for the creation of anonymized crash reports to improve the stability and reliability of our app. Only based on your explicit consent according to Art. 6 Para. 1 lit. a GDPR, anonymous information is transmitted to Google’s servers in case of an app crash (state of the app at the time of the crash, installation UUID, crash trace, manufacturer and operating system of the phone, last log messages). Transmissions to Google LLC in the USA are also possible. This information does not contain any personal data. When using an iOS-based device, you can grant consent in the app settings or after a crash. When using an Android-based device, there is an option during setup to generally agree to the transmission of crash notifications to Google and app developers. You can revoke your consent at any time by

• disabling the “Crash reports” function in the app settings on iOS
• adjusting the system settings on Android. Open the app settings, select “Google” and then in the top-right three-dot menu select “Usage & Diagnosis”. Here, you can disable the sending of the respective data. Further information on data protection can be found in the privacy notices of Firebase Crashlytics at https://firebase.google.com/support/privacy

11. Rights of the Data Subject 11.1 The applicable data protection law grants you comprehensive rights of data subjects (rights of access and intervention) with regard to the processing of your personal data, about which we inform you below:

• Right of access by the data subject according to Art. 15 GDPR: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information specified in Art. 15 GDPR.
• Right to rectification according to Art. 16 GDPR: You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
• Right to erasure (‘right to be forgotten’) according to Art. 17 GDPR: You have the right to obtain the erasure of personal data concerning you under the conditions of Art. 17 Para. 1 GDPR. However, this right does not apply in particular if the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims.
• Right to restriction of processing according to Art. 18 GDPR: You have the right to obtain restriction of processing of your personal data as long as the accuracy of the data contested by you is being verified, if you refuse the deletion of your data because of unlawful data processing and instead request the restriction of the use of your data, if you need your data for the establishment, exercise or defence of legal claims after we no longer need this data after achieving the purpose, or if you have lodged an objection based on your particular situation as long as it is not yet clear whether our legitimate reasons prevail.
• Right to be informed according to Art. 19 GDPR: If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed about these recipients.
• Right to data portability according to Art. 20 GDPR: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format or to request the transfer to another controller, insofar as this is technically feasible.
• Right to withdraw consent given according to Art. 7 Para. 3 GDPR: You have the right to withdraw consent to the processing of data at any time with effect for the future. In the event of withdrawal, we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
• Right to lodge a complaint according to Art. 77 GDPR: If you consider that the processing of personal data relating to you infringes GDPR, you have - notwithstanding any other administrative or judicial remedy - the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. 11.2 RIGHT TO OBJECT IF, IN THE CONTEXT OF A BALANCING OF INTERESTS, WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF OUR PREDOMINANT LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION. IF YOU MAKE USE OF YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, FURTHER PROCESSING IS RESERVED IF WE CAN PROVE COMPELLING REASONS WORTHY OF PROTECTION FOR THE PROCESSING THAT OUTWEIGH YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENCE OF LEGAL CLAIMS. IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING. YOU CAN EXERCISE THE OBJECTION AS DESCRIBED ABOVE. IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.

12. Duration of Storage of Personal Data The duration of the storage of personal data is determined by the respective legal basis, the purpose of processing, and - if relevant - additionally by the respective legal retention period (e.g., commercial and tax retention periods). If personal data is processed based on an express consent according to Art. 6 Para. 1 lit. a GDPR, this data is stored until the data subject revokes their consent.

If there are statutory retention periods for data that is processed within the scope of legal or legal-like obligations based on Art. 6 Para. 1 lit. b GDPR, this data is routinely deleted after the retention periods expire, provided it is no longer required for the fulfillment or initiation of a contract and/or there is no longer any legitimate interest in its further storage on our part.

When processing personal data based on Art. 6 Para. 1 lit. f GDPR, this data is stored until the data subject exercises their right to object according to Art. 21 Para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defense of legal claims.

In the case of processing personal data for direct marketing purposes on the basis of Art. 6 Para. 1 lit. f GDPR, this data will be stored until the data subject exercises their right to object according to Art. 21 Para. 2 GDPR.

Unless otherwise noted in the other information in this declaration about specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.