Privacy Policy for App Wallet

German

Introduction

With the following data protection declaration, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both in the context of the provision of our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "Online Offer").

The terms used are not gender specific.

As of 1. September 2022

Content Overview

• Introduction
• .Controller
• Overview of the processing operations
• Relevant legal bases
• Security measures
• Transmission of personal data
• Use of cookies
• Provision of online service and web hosting
• Registration, login and user account
• Contact and inquiry management
• Web analytics, monitoring and optimization
• Plugins and embedded features and content
• Data subject rights
Definitions of Terms

Responsible

Jan Schüttken

Stuttgart, Germany

develop@jan-schuettken.de

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed

• Inventory Data.
• Contact Data.
• Content Data.
• Use Data.
• Meta/Communication Data.

Categories of Data Subjects

• Communication Partners.
• User.

Purposes of processing

• Provision of contractual services and customer service.
• Contact requests and communication.
• Security measures.
• Reach measurement.
• Tracking.
• Managing and responding to requests.
• Server monitoring and error detection.
• Firewall.
• Feedback.
• Profiles with user-related information.
• Providing our online service and user experience.
• Information technology infrastructure.

Relevant legal bases

The following is an overview of the legal bases of the GDPR, on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, should more specific legal bases be decisive in individual cases, we will inform you of these in the data protection declaration.

• Consent (Art. 6 (1) p. 1 lit. a) DSGVO) - The data subject has given his consent to the processing of personal data concerning him for a specific purpose or purposes.
• Contractual performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO) - Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject.
• Rightful interests (Art. 6 (1) p. 1 lit. f) DSGVO) - Processing is necessary for the purposes of the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.

Security Measures

We take appropriate technical and organizational measures in accordance with the law, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the various probabilities of occurrence and the level of risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input of, transfer of, safeguarding of availability of and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data compromise. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software as well as procedures in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.

SSL encryption (https): To protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

Transmission of personal data

In the course of our processing of personal data, it may happen that the data is transmitted to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

Use of cookies

Cookies are small text files, or other memory notes that store information on end devices and read information from the end devices. E.g. to store the login status in a user account, a shopping cart content in an e-shop, the content accessed or used functions of an online offer. Cookies can further be used for various purposes, e.g. for purposes of functionality, security and comfort of online offers as well as the creation of analyses of visitor flows.

Notes on consent: We use cookies in accordance with the law. Therefore, we obtain prior consent from users, except where it is not required by law. In particular, consent is not required if the storage and reading of information, including cookies, are absolutely necessary to provide the user with a telemedia service (i.e. our online offer) expressly requested by them. The revocable consent is clearly communicated to the users and contains the information about the respective cookie use.

Notes on legal bases under data protection law: On which legal basis under data protection law we process the personal data of users using cookies depends on whether we ask users for consent. If users consent, the legal basis for the processing of your data is the declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in a business operation of our online offer and improvement of its usability) or, if this is done in the context of the fulfillment of our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. For what purposes the cookies are processed by us, we clarify in the course of this privacy policy or in the context of our consent and processing processes.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his terminal device (e.g. browser or mobile application.
• Permanent cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and the storage period can be up to two years.

General information on revocation and objection (opt-out): Users can revoke the consents they have given at any time and also file an objection to processing in accordance with the legal requirements in Art. 21 DSGVO. Users can also declare their objection via their browser settings, e.g. by deactivating the use of cookies (although this may also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Further notes on processing processes, procedures and services:

• Processing of cookie data based on consent: We use a cookie consent management procedure, in the context of which the consent of users to the use of cookies, or the processing and providers mentioned in the cookie consent management procedure can be obtained and managed and revoked by users. Here, the declaration of consent is stored in order not to have to repeat its query and to be able to prove the consent in accordance with the legal obligation. The storage can take place on the server side and/or in a cookie (so-called opt-in cookie, or with the help of comparable technologies), in order to be able to assign the consent to a user or their device. Subject to individual information on the providers of cookie management services, the following information applies: The duration of the storage of consent can be up to two years. Here, a pseudonymous user identifier is formed and stored with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers) as well as the browser, system and end device used.

Provision of the online offer and web hosting

We process the users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or terminal device.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.e.g. device information, IP addresses); content data (e.g. entries in online forms).
• Data subjects: users (e.g..E.g. website visitors, users of online services).
• Purposes of processing: provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).); Security measures; Server monitoring and error detection; Firewall.
• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further notes on processing operations, procedures and services:

• Provision online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called "web hoster"); Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).
• Hetzner: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); Website: https://www.hetzner.com; Privacy Policy: https://www.hetzner.com/de/rechtliches/datenschutz; Contract: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
• Sucuri: Firewall and security and error detection capabilities; Service provider: Sucuri LLC., Parent company: GoDaddy Media Temple, Inc. d/b/a Sucuri, 6060 Center Dr. Suite 500, Los Angeles CA 90045, USA; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); Privacy statement: https://sucuri.net/privacy.

Registration, login and user account

Users can create a user account. As part of the registration process, users are provided with the required mandatory data and processed for the purposes of providing the user account based on contractual obligation fulfillment. The processed data includes in particular the login information (username, password and an email address).

When using our registration and login functions and the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against abuse and other unauthorized use. In principle, this data is not passed on to third parties, unless it is necessary for the pursuit of our claims or there is a legal obligation to do so.

Users can be notified by email of events relevant to their user account, such as technical changes.

• Types of data processed: Inventory data (e.g., names, addresses); Contact data (e.g., e-mail, phone numbers); Content data (e.g..e.g. entries in online forms); meta/communication data (e.g. device information, IP addresses).
• Persons concerned: users (e.g..For example, website visitors, users of online services).
• Purposes of processing: Providing contractual services and customer service; security measures; managing and responding to requests; providing our online offer and user experience.
• Legal basis: Contract performance and pre-contractual requests (Art. 6 para 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para 1 p. 1 lit. f) DSGVO).

Further notes on processing operations, procedures and services:

• Registration with pseudonyms: Users may use pseudonyms as user names instead of plain names; Legal basis: Contract performance and pre-contractual requests (Art. 6 para 1 p. 1 lit. b) DSGVO).
• Deletion of data after termination: When users have terminated their user account, their data with regard to the user account will be deleted, subject to any legal permission, obligation or consent of the users; Legal basis: Contractual performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO).
• No obligation to retain data: It is incumbent on users to save their data in the event of termination before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract; Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO).

Contact and inquiry management

When contacting us (eg.e.g. by contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

The answering of contact inquiries as well as the administration of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer (pre)contractual inquiries and otherwise on the basis of legitimate interests in answering inquiries and maintaining user or business relationships.

• Types of data processed: Contact data (e.g. e-mail, phone numbers); Content data (e.g. input in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses.e.g. device information, IP addresses).
• Data subjects: communication partners.
• Purposes of processing: contact requests and communication; managing and responding to requests; feedback (e.g..e.g. collecting feedback via online form); provision of our online offer and user experience; provision of contractual services and customer service.
• Legal basis: Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further notes on processing operations, procedures and services:

• Contact form: When users contact us via our contact form, e-mail or other communication channels, we process the data communicated to us in this context to process the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships, insofar as this is necessary for their fulfillment and otherwise on the basis of our legitimate interests and the interests of the communication partners in responding to the requests and our legal retention obligations; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para 1 p. 1 lit. b) DSGVO), Legitimate Interests (Art. 6 para 1 p. 1 lit. f) DSGVO).

Web analytics, monitoring and optimization

Web analytics (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can recognize, for example, at what time our online offer or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas require optimization.

In addition to web analytics, we may also use testing procedures, for example, to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e. data summarized for a usage process, can be created for these purposes and information can be stored in a browser or in a terminal device and read from it. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If users have agreed to the collection of their location data to us or to the providers of the services we use, location data may also be processed.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

• Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses.e.g. device information, IP addresses).
• Data subjects: users (e.g. website visitors, users of online services).
• Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); profiling with user-related information (creation of user profiles); tracking (e.g. interest/behavior-based profiling, use of cookies); provision of our online offer and user friendliness.
• Security measures: IP masking (pseudonymization of the IP address).
• Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO).

Further notes on processing processes, procedures and services:

• Google Analytics: web analytics, reach measurement, and user flow measurement; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO); Website: https://marketingplatform.google.com/intl/en/about/analytics/; privacy policy: https://policies.google.com/privacy; contract: https://business.safety.google/adsprocessorterms; Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://business.safety.google/adsprocessorterms; Opposition (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad Display Settings: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (Types of processing as well as data processed).

Plugins and embedded functions as well as content

We include in our online offer functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is thus required for the presentation of these contents or functions. We strive to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.

• Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses.e.g. device information, IP addresses).
• Data subjects: users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness; provision of contractual services and customer service.
• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).

Further notes on processing processes, procedures and services:

• Google Maps: We integrate the maps of the service "Google Maps" of the provider Google. The processed data may include, in particular, IP addresses and location data of users, which, however, are not collected without their consent (usually executed as part of the settings of their mobile devices); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); Website: https://cloud.google.com/maps-platform; Privacy Policy: https://policies.google.com/privacy; Opplicability (Opt-Out): Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad Display Settings: https://adssettings.google.com/authenticated.

Rights of data subjects

As data subjects, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 DSGVO:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.
• Right of withdrawal in the case of consent: You have the right to withdraw any consent you have given at any time.
• Right of access: You have the right to request confirmation as to whether data in question is processed and to information about this data, as well as further information and copy of the data in accordance with legal requirements.
• Right to rectification: You have the right, in accordance with the law, to request that the data concerning you be completed or that inaccurate data concerning you be rectified.
• Right to erasure and restriction of processing: You have, in accordance with the law, the right to request that data concerning you be erased without undue delay, or alternatively, in accordance with the law, to request restriction of the processing of the data.
• Right to data portability: You have the right to receive data concerning you, which you have provided to us, in a structured, common and machine-readable format in accordance with the legal requirements, or to demand its transfer to another responsible party.
• Complaint to supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the requirements of the GDPR.

Definitions of terms

This section provides you with an overview of the terms used in this privacy statement. Many of the terms are taken from the law and defined primarily in Article 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to aid understanding. The terms are sorted alphabetically.

• Firewall: A firewall is a security system that protects a computer network or an individual computer from unwanted network access.
• Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); a natural person is regarded as identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or a user name.e.g. cookie) or to one or more special characteristics that are an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Profiles with user-related information: The processing of "profiles with user-related information", or "profiles" for short, includes any type of automated processing of personal data that consists of using such personal data to identify certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior and interests, such as.e.g., interaction with websites and their content, etc.) to analyze, evaluate or, to predict (e.g., interests in certain content or products, click behavior on a website or location). For profiling purposes, cookies and web beacons are often used.
• Range measurement: Range measurement (also known as web analytics) is used to evaluate the flow of visitors to an online offer and may include the behavior or interests of visitors in certain information, such as content of web pages. With the help of reach analysis, website owners can see, for example, at what time visitors visit their website and what content they are interested in. This enables them, for example, to better adapt the content of the website to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more precise analyses of the use of an online offer.
• Server monitoring and error detection: With the help of server monitoring and error detection, we ensure the availability and integrity of our online offer and use the processed data to technically optimize our online offer. Performance, utilization and comparable technical values are processed, which provide information about the stability and any anomalies of our online offer. In the event of errors and conspicuousness, individual requests from the users of our online offer are recorded in order to identify and eliminate sources of problems.
• Tracking: We speak of "tracking" when the behavior of users can be traced across several online offers. As a rule, with regard to the online offers used, behavioral and interest information is stored in cookies or on servers of the providers of the tracking technologies (so-called profiling). This information can subsequently be used, for example, to display advertisements to users that are likely to correspond to their interests.
• Controller: The "controller" is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
• Processing: "Processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data, whether collecting, evaluating, storing, transmitting or deleting.