Privacy policy

We, Oxolo GmbH, Bleichenbrücke 10, 20354 Hamburg, Germany, (hereinafter also referred to as "Oxolo"), develop and operate the mobile application Oxolo (hereinafter referred to as "App"). We would be pleased if you (hereinafter also referred to as "User") use our App. In this regard, the protection of your privacy is of particular concern to us.

With the following privacy policy ("Privacy Policy"), we would like to inform you about how we collect, process and store your personal data in connection with the App and explain why we need this data, how and to what extent we process the data and how we secure your data.

1. DATA PROTECTION PRINCIPLES AND SCOPE

Oxolo will process all personal information collected or received from you or third par- ties solely in accordance with applicable data protection laws. Accordingly, the high level of data protection under the General Data Protection Regulation (Datenschutz- grundverordnung, "GDPR") and the German Federal Data Protection Act (Bun- desdatenschutzgesetz) applies.

This Privacy Policy is addressed to all Users of the App. Certain Oxolo Services, such as the website, are excluded from the scope of application if they have a different pri- vacy policy.

Also excluded from the scope of application are services of third parties to which the App possibly refers to by links. Oxolo neither assumes responsibility for their content nor for compliance with data protection regulations by these third parties, unless other- wise stated in the privacy policy of the linked content. This applies, for instance, to links to an app marketplace, where our App can be downloaded ("App Shop"), or to social networks such as Facebook or Twitter. The User will find information on the handling and protection of the User's personal data on these platforms in the privacy policy of the respective platform.

2. CONTROLLERSHIP

Oxolo is the controller for the processing of personal data within the scope of using the App. We can be contacted at:

Oxolo GmbH

Heiko Hubertz

Bleichenbrücke 10

20354 Hamburg

Phone: +49 40 228 529 48

Email: datenschutz@oxolo.com

3. DATA PROCESSING WHEN USING THE APP

Within the scope of installation and use of the App, registration as well as the purchase and use of chargeable additional functions in the App ("In-App Subscription"), various types of data are processed, some of which are provided by you, the User, and some of which are collected through or when using the services.

3.1 Downloading of the App

When downloading our App, the operator of the App Shop through which the App is made available (for example Apple, Inc. for the App Store and Google LLC for the Google Play Store) collects personal data required for the download. This data includes in particular your name, your email address and your postal code, time of download, the IP address and the individual device identification number of your end device (so- called IMEI), as well as your payment information, if applicable. This collection and processing of your personal data is, however, basically carried out solely by the respec- tive App Shop operator without our participation in the data processing or our ability to influence it. In this respect, the data protection regulations of the operator of the App Shop have priority. We process the personal data provided by the App Shop operator only to the extent necessary for the download and provision of the App. If we process personal data in the course of installation, this is done on the basis of the contract for the download and use of the App that you have concluded, in accordance with Art. 6 (1) Sent. 1 lit. b) GDPR.

3.2 Data Processing in the Context of Using the App (Basic Functions)

When starting and each time the App is used, Oxolo automatically saves the following data: IP address, a Device ID assigned to your end device and possibly the scope and contract term of currently active In-App purchases. This data processing is necessary to provide the App and its basic functionality. The data processing is thus carried out to fulfil the contract for the use of the App in accordance with Art. 6 (1) Sent. 1 lit. b) GDPR.

When registering, the User also provides Oxolo with data in accordance with the regis- tration form. The creation and use of the profile serves to identify the User and is nec- essary for the provision of the App's functions, such as the storage of the User's own character. The processing of the registration data is therefore required for the initiation and fulfillment of the contract for the use of the App in accordance with Art. 6 (1) Sent. 1 lit. b) GDPR.

3.2 Data Processing in the Context of Using the App (Basic Functions)

When starting and each time the App is used, Oxolo automatically saves the following data: IP address, a Device ID assigned to your end device and possibly the scope and contract term of currently active In-App purchases. This data processing is necessary to provide the App and its basic functionality. The data processing is thus carried out to fulfil the contract for the use of the App in accordance with Art. 6 (1) Sent. 1 lit. b) GDPR.

When registering, the User also provides Oxolo with data in accordance with the regis- tration form. The creation and use of the profile serves to identify the User and is nec- essary for the provision of the App's functions, such as the storage of the User's own character. The processing of the registration data is therefore required for the initiation and fulfillment of the contract for the use of the App in accordance with Art. 6 (1) Sent. 1 lit. b) GDPR.

3.3 Data Processing in the Context of Communication and Interaction with a Simu- lated Character

When using the App, further personal data of the User may be processed. This includes all data and content that the User transmits to Oxolo as part of the communication and interaction with a simulated character (using a so-called "Chatbot"), for example in chats, telephone calls, video calls or other functions of the App ("Content Data"). The processing of such data is necessary for the communication and interaction of the Chat- bot with the User, such as for generating a response. It is required for the fulfilment of the contract on the use of the App and the provision of services with regard to any In- App Subscriptions of the User in accordance with Art. 6 (1) Sent. 1 lit. b) GDPR.

The Content Data will be stored under a pseudonym and encrypted as long as the User maintains a user profile with Oxolo and can be retrieved and processed by the Chatbot. This is a necessary prerequisite for the Chatbot to "remember" previous conversations with the User and to be able to retrieve them at a later time. These processing opera- tions are also necessary for the provision of services pursuant to Art. 6 (1) Sent. 1 lit. b) GDPR. The Content Data is stored exclusively in encrypted form and is not transmitted to third parties.

During communication and interaction with the Chatbot, Oxolo may also collect and process other data related to the use of the App (Wi-Fi and Bluetooth connections, GPS location data, WLAN signal information). In the future, the processing of this data will be used to determine the location and environment of the User while using the App. In your interest, this will enable the Chatbot to adapt the communication behaviour to the location or the number of people in the immediate vicinity of the User and to generate an authentic course of conversation. This allows the Chatbot to react to selected loca- tions or the time of use, for instance, in order to provide you with special functionalities.

The processing of data in connection with Wi-Fi and Bluetooth connections as well as GPS location data is only carried out with the consent of the User in accordance with Art. 6 (1) Sent. 1 lit. a) GDPR. Such consent can be freely revoked at any time with effect for the future.

3.4 Creation of a User Personality File

A part of the Content Data can be combined under a pseudonym and encrypted in a personality profile of the User. When creating a profile, the App assigns individual Con- tent Data to certain predefined interest categories (e.g. "football fan", "book lover"). In addition, the App can assign certain predefined characteristics to a User based on us- age behaviour (e.g. "User prefers short / detailed answers", "User likes / dislikes jokes"), which can be relevant for the communication with the Chatbot. Based on the User's classification into such predefined parameters, the Chatbot can suggest suitable topics for communication with the User or communicate with the User in a specific way.

On the basis of the personality profile, no decisions are made that go beyond the mere communication and interaction of the Chatbot with the User. In particular will there be no automated decision-making pursuant to Art. 22 GDPR.

The personality profile is used to tailor the future communication and interaction of the Chatbot with the individual User. A Chatbot should recall previous conversations with the User and enable an organic course of conversation. This is a necessary prerequi- site for the creation of a communication experience that is as authentic as possible. Thus, this processing is required for the fulfilment of the contract on the use of the App and the provision of services with regard to any In-App Subscriptions of the User pur- suant to Art. 6 (1) Sent. 1 lit. b) GDPR.

3.5 Conclusion of In-App Subscriptions

To acquire the further functionalities of the App, the conclusion of In-App Subscriptions is required. In this context and for the related payment processing, the entry of bank data or other payment-relevant data (e.g. credit card) is required. In addition, when you conclude In-App Subscriptions, the Device ID of your end device and the type, scope and expiry date of the contract term of the subscription selected by the User are pro- cessed. This aforementioned information is collected and processed together with the necessary usage data in accordance with the above paragraphs for the purpose of payment processing. For payment processing Oxolo uses services which are provided for this purpose by the operator of the App Shop (that is Apple, Inc. for the App Store and Google LLC. for the Google Play Store). The use of these services is mandatorily required by the App Shop operator in order for us to be allowed to offer the App in the respective App Shop and also serves to enable the User to make a simple and smooth payment transaction. The App Shop operator also uses payment service providers to process the payment and transfers the aforementioned data to such a payment service provider (e.g. bank, other credit institution, credit card company) as far as this is nec- essary for the proper fulfillment of the contract. This data processing in connection with the purchase of an In-App Subscription via the more extensive functionalities is carried out for the conclusion and processing of the contract concerning the subscribed App functions and thus on the basis of Art. 6 (1) Sent. 1 lit. b) GDPR.

4. SUPPORT REQUESTS AND OTHER CONTACTS

If you contact us (e.g. by email), the information you provide in the contact form, includ- ing the contact data provided there, will be processed for the purpose of processing your request and handling it, including investigating and eliminating any problems in the App and in the event of follow-up questions. We process this data in accordance with Art. 6 (1) Sent. 1 lit. b) GDPR, as far as you contact us within the framework of an existing contract for the use of the App or for the purpose of initiating such a contractual relationship. Otherwise, this storage and use of the data takes place on the basis of Art. 6 (1) Sent. 1 lit. f) GDPR, whereby our legitimate interest is the careful processing of your respective request and the solution of any technical problems.

Oxolo also uses the content from your contact to improve the App and other Oxolo products and services, especially if you give us feedback on our App or our offers. However, Oxolo will only use the content of your contact for these purposes and will ensure that no personal data relating to you is collected and that personal data related to the content of the request is removed or anonymised so that the processed content no longer relates to any particular person. This processing of the contents of a contact including the removal of the personal reference is based on Art. 6 (1) Sent. 1 lit. f) GDPR. Our legitimate interest here is to consider and implement the wishes or ideas of our Users for the design of our offer as far as possible, in order to be able to provide the most comfortable, user-friendly offer.

5. ERROR REPORTING AND USAGE ANALYSIS VIA FIREBASE

5.1 The App implements functions of the Firebase service, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

5.2 Data on the general use of the App is collected and evaluated via the Firebase service. In addition, reports on errors and crashes that occur in the App are generated to ana- lyse and resolve these errors and crashes. For these purposes, information on whether and how you use certain parts of the App, together with a IP address of your terminal device, as well as technical data on your end device (manufacturer, operating system version, device type, model, display size), the language set and the country from which you use the App, is collected. To generate error reports, details of the error that oc- curred and information about the App (installed App version, subscription booked) are also collected and processed, but only if such an error occurs when you use the App. Google evaluates such data on our behalf and compiles aggregated reports for us. We use these reports to gain insight into the general use of the App as well as into the errors that have occurred, in order to use this information to improve the content and functions of the App and, in particular, to eliminate existing errors and problems.

5.3 Google may also transmit the aforementioned data collected via the Firebase service to servers operated by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043 USA ("Google LLC") in the USA and evaluate it there. We would like to point out that the transmission of data to servers in the USA used by Google LLC may involve additional risks, for instance the enforcement of your rights to this data may be more difficult. You can find further information on the transfer of data to the USA in Google's privacy policy. There you will also find additional information about the scope of data processing by Google and how Google handles personal data. For Google's privacy policy, please visit https://policies.google.com/privacy

5.4 The data processing for error analysis and error reporting is based on Art. 6 (1) Sent. 1 lit. f) GDPR. Our legitimate interest is to ensure that the App runs properly and without errors, for which purpose we must quickly identify and analyse any errors that occur. For this purpose we need information about the error and the technical circum- stances and actions when using the App under which the error occurred. We have also concluded a corresponding data processing agreement with Google in accordance with Art. 28 GDPR. Accordingly, Google will only process the data collected in this context in accordance with our instructions for this purpose. Hence this forwarding of data to Google is based on Art. 28 GDPR.

5.5 Otherwise, we use Firebase for the general usage evaluation described above only if you have given your consent to do so. The legal basis for data processing in this context is thus Art. 6 (1) Sent. 1 lit. a) GDPR. You may revoke your consent at any time with effect for the future.

6. MARKETING ANALYSIS VIA APPSFLYER

6.1 The App implements functions of the AppsFlyer service, which is provided by AppsFlyer Ltd, 14 Maskit St. Herzliya, Israel ("AppsFlyer").

6.2Oxolo uses the AppsFlyer service to compile statistics and to analyse how Users react to advertisements and other marketing activities of Oxolo. For this purpose, the IP ad- dress of your end device, additional information to identify the end device, browser or application used (such as advertising IDs), technical data about your end device (such as manufacturer, operating system version, device type, model, display size, Wi-Fi sta- tus, time and time zone) and information about your interaction with an advertisement or other marketing activities of Oxolo (such as clicks on an advertisement, target group of the advertisement, type of advertisement, website or application in which the adver- tisement was placed, URL of the referring website, download and installation of the App, completion of In-App Subscriptions) is collected and processed. AppsFlyer eval- uates such data on our behalf and compiles aggregated reports for us. These reports enable us to analyse the success of our marketing activities.

6.3 AppsFlyer may also transmit the aforementioned data collected via the Firebase ser- vice to servers operated by AppsFlyer Inc., 100 First St. San Francisco, CA, 94105, in the USA and evaluate it there. We would like to point out that the transmission of data to servers in the USA used by AppsFlyer Inc. may involve additional risks, for instance the enforcement of your rights to this data may be more difficult. You can find further information on the transfer of data to the USA in AppsFlyer's privacy policy. There you will also find additional information about the scope of data processing by AppsFlyer and how AppsFlyer handles personal data. For AppsFlyer's privacy policy, please visit https://www.appsflyer.com/services-privacy-policy/

6.4 We only use AppsFlyer for the above-mentioned analysis of our marketing activities if you have given your consent to do so. The legal basis for data processing in this context is thus Art. 6 (1) Sent. 1 lit. a) GDPR. You may revoke your consent at any time with effect for the future.

7. FACEBOOK LOGIN FUNCTION

7.1 You can also register and create a profile by entering the access data of your Facebook user account (so-called "Facebook Login") if you express your consent to this by click- ing the corresponding button for connecting to Facebook. The Facebook Login function is offered by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dub- lin 2, Ireland. The access data of your Facebook account will be sent directly to Face- book. We do not have access to your access data. After verification of the access data, Facebook only informs us about the following data from your Facebook user account: the registered name, your profile picture, email address, the language you have set and the country from which you are using the App. Oxolo receives and uses this afore- mentioned data to set up your profile in the App and link it to your Facebook user ac- count.

7.2 By using the Facebook Login function, Facebook receives the information that you have created a profile for the App and can link this information to your Facebook user ac- count. The above data can also be transmitted by Facebook to the servers of Facebook Inc. operated in the USA. For further information on Facebook's handling of your per- sonal data, please refer to the privacy policy of Facebook at https://www.face- book.com/privacy/explanation.

7.3 The legal basis for data processing within the scope of the Facebook Login function is your consent (Art. 6 (1) Sent. 1 lit. a) GDPR) which you give when calling up the Face- book Login function and subsequently entering your access data to your Facebook user account. You may revoke your consent to the use of the Facebook Login function at any time with effect for the future..

8. GOOGLE LOGIN

8.1 You can also register and create a profile by entering the access data of your Google user account (so-called "Google Login") if you express your consent to this by clicking the corresponding button for connecting to Google. The Google Login function is of- fered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The access data of your Google user account will be sent directly to Google. We do not have access to your access data. After verification of the access data, Google only informs us about the following data from your Google user account: the name, your profile picture and the email address. Oxolo receives and uses this aforementioned data to set up your profile in the App and link it to your Google user account.

8.2 By using the Google Login function, Google receives the information that you have created a profile for the App and can link this information to your Google user account. For further information on Google's handling of your personal data, please refer to the privacy policy of Google at https://policies.google.com/privacy?hl=de#infosharing.

8.3 The legal basis for data processing within the scope of the Google Login function is your consent (Art. 6 (1) Sent. 1 lit. a) GDPR) which you give when calling up the Google Login function and subsequently entering your access data to your Google user account. You may revoke your consent to the use of the Google Login function at any time with effect for the future.

8.4 For the transmission of data by Google to servers operated by Google LLC in the USA, the statements made in Clause 5.3 above apply accordingly.

9. DATA STORAGE PERIOD AND ERASURE

We process the User's personal data for as long as is necessary to achieve the pur- poses of the processing, or as required by a legal obligation to retain the data, or for as long as other reasons justify retention in accordance with Art. 17 (3) GDPR. Subse- quently, the data will be deleted in accordance with the statutory provisions. However, we retain data that we store for legal reasons for as long as this is legally required. After the expiry of a statutory retention period, the data is deleted immediately, unless there are other reasons for deletion within the meaning of Art. 17 (3) GDPR.

10. DATA SECURITY

Oxolo takes appropriate technical and organisational security measures in accordance with legal requirements, in particular to protect against unauthorised access to and un- authorised modification, publication or destruction of data. In particular is that data transmitted to Oxolo and stored by Oxolo in encrypted form only.

You should note, however, that we cannot guarantee data protection and data security for transmissions outside our sphere of influence, such as within your mobile phone network. We can, thus, not exclude the possibility that data transmission over the In- ternet (e.g. when communicating by email) may nevertheless have security gaps. Therefore, please use additional security measures as far as possible, e.g. encrypted communication connections and up-to-date protection software for your end devices.

11. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

Personal data will only be passed on to third parties - unless otherwise stated in this Privacy Policy - without the explicit consent of the User if this is necessary for Oxolo to provide its services (e.g. for the technical provision of the offer or for payment pro- cessing). Accordingly, data is transferred to such service providers (such as technical service providers) in order to protect our legitimate interests in accordance with Art. 6 (1) Sent. 1 lit. f) GDPR, namely in order to be actually able to provide our App and the associated services for retrieval.

If we pass on data to service providers within the scope of our processing, we and our service providers strictly observe the requirements of the GDPR. Oxolo will of course ensure that the respective service provider has taken appropriate technical and organ- isational measures to ensure the security of the data before passing on the User's per- sonal data. The transmission of data is limited to the minimum necessary for the pur- pose of processing.

If we commission third parties to process data on the basis of a so-called data pro- cessing agreement, we do so on the basis of Art. 28 GDPR.

Otherwise Oxolo will not pass on the User's personal data to third parties, unless the User has expressly consented to the transfer (Art. 6 (1) Sent. 1 lit. a) GDPR) and Oxolo is neither entitled nor obliged to transfer the data due to legal regulations or court or- ders. In the latter case, Oxolo will transfer the data in order to fulfil a legal obligation according to Art. 6 (1) Sent. 1 lit. c) GDPR.

If data is transferred to a third country by Oxolo or a third party and the EU Commission has determined in an adequacy decision that this third country offers an adequate level of protection, the data transfer to this third country is based on Art. 45 GDPR. If the EU Commission has not issued such an adequacy decision for a third country to which data are transferred, the transfer to this third country is carried out on the basis of ap- propriate guarantees pursuant to Art. 46 GDPR which Oxolo or the third party has pro- vided. The above information on data transfer to third countries applies only unless otherwise stated elsewhere in this Privacy Policy or in the third party's privacy policy.

12. USER RIGHTS

12.1 Right to Object

The User has the right to object at any time, for reasons arising from its particular situ- ation, to data processing based on Art. 6 (1) Sent. 1 lit. f) GDPR, unless Oxolo can prove compelling reasons worthy of protection which outweigh the interests of the User, or the processing serves to assert, exercise or defend legal claims. The User may ob- ject to data processing for the purpose of direct marketing at any time without having to furnish special reasons for doing so.

12.2 Right to Information

The User has the right to obtain free of charge written or electronic information from Oxolo about the User's personal data stored by Oxolo, the purposes of the processing, its origin, the transfer to which recipients or categories of recipients, the storage period and the data subject rights available to the User.

12.3 Right to Rectification, Deletion and/or Restriction of Data

The user also has the right to demand at any time the rectification of inaccurate data, the deletion and/or, under the legal conditions, the restriction of the processing of the personal data stored about this User. The right to erasure exists only to the extent that Oxolo is not legally required to retain the data or if there are no other reasons within the meaning of Art. 17 (3) GDPR that prevent the erasure. Insofar as this includes per- sonal data that is necessary for the provision of services to the User, the erasure or restriction of the processing of this data can only take place when the User no longer uses the Oxolo services.

12.4 Right to Data Portability

Insofar as the User provides data concerning the User itself and Oxolo processes this data on the basis of the User's consent or for the purpose of fulfilling the contract, the User may request that Oxolo provide this data in a structured, common, machine-read- able format or that Oxolo transfer this data to another responsible party, insofar as this is technically possible (so-called right to data portability).

12.5 Right to Withdraw a Consent

All consents to the use of personal data declared by the User can be freely revoked by the User at any time with effect for the future.

12.6 Right to Lodge a Complaint with a Supervisory Authority

The User may also lodge a complaint with a supervisory authority against a data pro- cessing which in its opinion violates the statutory provisions.

13. CHANGES TO THIS PRIVACY POLICY

Oxolo reserves the right to change this Privacy Policy at any time, and Oxolo will always comply with the legal requirements of data protection. Therefore, Oxolo recommends that Users regularly review the current Privacy Policy. Oxolo will inform Users in ad- vance of any further data processing.