Crystl – Data privacy

Data privacy

1. General information

1.1 As the operator of the App Crystl (the "App"), Uranos GmbH (hereinafter referred to as "Uranos" or "we") takes the protection of personal data very seriously. We treat personal data confidentially, in accordance with the statutory data protection regulations and on the basis of this Privacy Policy. The legal basis can be found particularly in the General Data Protection Regulation (GDPR), the Telecommunications and Telemedia Data Protection Act (TDDSG) and the Federal Data Protection Act (BDSG). The App is a self-awareness and personal development platform where recommendations from various facets of life are offered to the user, who has downloaded the App and agreed to the terms and conditions governing the use of the app (hereinafter referred to as the "App Contract"). As the App is currently in development, some of the functions as referenced in this Privacy Policy may only be introduced at a later stage, which is indicated by the phrase: "if available". The following functions are offered in the App:
• Accessing the App
• Use of the App
• Creation of a user account,
• Contract conclusion (if available),
• Subscription to the e-mail newsletter on the App (if available).

1.2 When you use the App, various personal data is processed depending on the type and scope of use. Personal data is information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly (e.g. by reference to an online identifier).

1.3 This Privacy Policy informs you in accordance with Art. 12 et seq. GDPR about the processing of your personal data when you use the App. In particular, it explains what personal data we collect and what we use it for. It also informs you how and for what purpose this is done and on what legal basis.

1.4 This Privacy Policy expressly refers to the App-specific data processing processes as described under 1.1 when you visit the App. Separate privacy policies apply to other data processing by us.

2. Controller

2.1 According to the GDPR, the controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

2.2 The controller for the data processing processes covered by this Privacy Policy is:

Uranos GmbH
Bahrenfelder Str. 19
22765 Hamburg
E-Mail: info@uranos.io

3. Data Protection Officer

3.1 We have appointed a data protection officer for our company. You can reach him at:

Uranos GmbH
Maximilian Fernau
Bahrenfelder Str. 19
22765 Hamburg
E-Mail: maximilian.fernau@uranos.io

4. Purposes and legal bases of data processing

4.1 Downloading the App When you download the App, certain necessary information is sent to the chosen app store (such as Google Play or Apple App Store). This information may include your username, email address, account customer number, download time, payment details, and device identification number. The processing of this data is solely handled by the respective app store and is not within our control.

4.2 Accessing and visiting the App - server log files For the purpose of the technical provision of the App, it is necessary for us to process certain information automatically transmitted by your device so that the App can be displayed on your device and you can use the App. This data (the "Access Data") is automatically collected each time you visit the App and automatically stored in so-called server log files. These are

a) Device type and version
b) Operating system used
c) Device from which the access is made (referrer URL)
d) Host name of the accessing device
e) Date and time of access
f) IP address of the requesting device

The processing of the aforementioned Access Data is necessary for technical reasons
(1) in order to provide you with the service and features,
(2) to improve the functions and performance features of the App,
(3) to prevent misuse and malfunctions and
(4) t ensure system security. This also applies to the processing of your IP address, which is necessary and, under further conditions, can at least theoretically enable an assignment to your person. In addition to the aforementioned purposes, we use server log files exclusively for the needs-based design and optimization of the App purely statistically and without drawing any conclusions about your person. This data is not merged with other data sources, nor is it analyzed for marketing purposes. If available, when visiting the App to find out about our services, which require the execution of a separate agreement, the basis for the temporary storage of Access Data is Art. 6 (1) sentence 1 lit. b GDPR (legal basis), which permits the processing of data for the performance of a contract or for the implementation of pre-contractual measures. If and as far as it is necessary for the performance of the App Contract, Art. 6 (1) sentence 1 lit. b GDPR (legal basis) serves as the legal basis. Otherwise, Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the temporary storage of the Access Data. Our legitimate interest is to be able to provide you with a technically functioning and user-friendly App and to ensure the security of our systems. The storage period and deletion of your Access Data are governed by Section 8 of this Privacy Policy. Your IP address will be stored on our web server for a maximum of 7 days for IT security purposes.

4.3 Use of the App You can enter, manage and edit various information, tasks and activities. The App also requires the following permissions: a) Internet access: This is required to save your entries on your servers. b) Camera access: This is needed so that you can take photos of yourself for using it as a profile image. Location access: This is to provide more relevant information based on user location. c) App Transparency Tracking (ATT): This is needed to provide personalized content to the user. If and as far as it is necessary for the performance of the App Contract, Art. 6 (1) sentence 1 lit. b GDPR (legal basis) serves as the legal basis. Otherwise, Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the processing of the data. Our legitimate interest is to be able to provide you with a technically functioning and user-friendly App and to ensure the security of our systems. The storage period and deletion of your contract data are governed by Section 8 of this Privacy Policy.

4.4 Use of cookies and associated functions/technologies We use so-called cookies in the App. Cookies serve to make our offer more user-friendly, effective and secure. We use cookies, among other things, to recognize you when you log in again and to personalize advertisement according to your interests.. Cookies are small text files that are stored on your device. A cookie contains a characteristic string of characters that enables your device to be uniquely identified when you return to the App. When you access the App for the first time, you are presented with a consent prompt detailing the data tracking within the App. You have the option to either accept or decline your consent. If you grant your consent, we enable tacking through AWS Analytics. The data tracked includes IOS type, user ID, Email (if provided), user interactions within the App and user location (country code). If you decline your consent, no data is being tracked through AWS Analytics. If you decline your consent, only data that is absolutely necessary for providing the App is tracked through [● ]. This data includes Email, user ID, user quiz results (if applicable) and user milieu details. If you decline your consent, the functionality and/or full availability of the App may be restricted. If you grant your consent, the setting of the cookies and the corresponding data processing is carried out on the basis of your consent in accordance with Section 25 (1) TTDSG and Art. 6 (1) sentence 1 lit. a GDPR (legal basis). Otherwise, the setting of the cookies and the corresponding data processing is carried out on the basis of Section 25 (2) TTDSG; and/or on the basis of Art. 6 (1) sentence 1 lit. f GDPR (legal basis) to safeguard our legitimate interests. Our legitimate interests in this regard include providing you with a technically optimized, user-friendly and tailored App and to ensure the security of our systems. You can revoke any consent you have given us at any time.

4.5 Creation of a user account and login When you create a user account or register, we utilize your access credentials (such as email address and password) to authorize your access and oversee your user account ("mandatory data"). Fields marked with an asterisk during registration are mandatory and necessary for finalizing the App Contract. Failure to provide this data will prevent the creation of a user account. Additionally, you have the option to provide additional voluntary information during the registration process, such as an internet address or nickname. The mandatory information is used to authenticate your login and address password reset requests. We process the information provided during registration or login to (1) confirm your eligibility to manage the user account, (2) enforce the terms of use for the app and any related rights and obligations and (3) communicate with you regarding technical or legal matters, updates, security notifications, or other messages pertinent to managing your user account. Voluntary information is utilized to display within the app according to your settings and make it accessible to other app users upon your request. If and as far as it is necessary for the performance of the App Contract, Art. 6 (1) sentence 1 lit. b GDPR (legal basis) serves as the legal basis. Otherwise, Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the processing of the data. Our legitimate interest is to ensure the functionality and fault-free operation of the App. The storage period and deletion of your contract data are governed by Section 8 of this Privacy Policy.

4.6 Contract conclusion - use of the App shop (if available) If you make use of our services via the App, we process the necessary data that we will request from you for these purposes. You can choose whether you would like to shop with us without registering (i.e. without opening a customer account) or whether you would like to open a personal customer account as part of your order. In this case, you can benefit from the following advantages:

- Order history
- Personal notepad
- Personal wish list
- Newsletter management
- Special and discount campaigns

In both cases, we process order and payment data, in particular:

a) First and last name
b) Company
c) Address (delivery and billing address)
d) Sales tax ID
e) Various telephone numbers and fax number
f) E-mail address
g) Bank details
Voluntary information is marked accordingly within the query form. The basis for the processing of the aforementioned contract data is Art. 6 (1) sentence 1 lit. b GDPR (legal basis), which permits the processing of data for the performance of a contract or for the implementation of pre-contractual measures. The storage period and deletion of your contract data are governed by Section 8 of this Privacy Policy.

4.7 Newsletter (if available) a) Newsletter subscription If you have expressly consented, we will use your e-mail address to send you our newsletter on a regular basis. To receive the newsletter, it is sufficient to provide an e-mail address; the provision of further information is voluntary. We use the so-called double opt-in procedure, which means that after registration you will be asked by e-mail to confirm that you wish to receive the newsletter. If you do not confirm, we will delete your request after 14 days. Should you wish to receive our newsletter at a later date, you will have to register again and confirm your registration separately. In any case, we store your IP address and the times of registration and confirmation, which we receive during registration and confirmation, in order to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data. The legal basis in this case is Art. 6 (1) sentence 1 lit. a GDPR. b) Deregistration You can unsubscribe at any time, regardless of whether the sending of the newsletter is based on consent or legal permission, for example via a link at the end of each newsletter. Alternatively, you can also send your unsubscribe request to us at any time using the contact details provided above. You will not incur any costs other than the transmission costs according to the basic rates of your communications service provider. The storage period and deletion of your consent-based data are generally governed by Section 8 of this Privacy Policy. If you unsubscribe from the newsletter, the data you provided when registering for the newsletter will be deleted. However, this does not affect data that we have stored for other purposes.

4.8 Compliance with legal regulations We also process your personal data in order to fulfill legal obligations that may apply to us in connection with our business activities. These include, in particular, retention periods under commercial, trade or tax law. We process your personal data in accordance with Art. 6 (1) sentence 1 lit. c GDPR (legal basis) to fulfill a legal obligation to which we are subject.

4.9 Law enforcement We also process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary for the prevention or prosecution of criminal offenses. We process your personal data to protect our legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f GDPR (legal basis), insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal offenses (legitimate interest).

5. Consent-based data processing

5.1 In the above mentioned cases data processing is justified through consent and if you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent.

5.2 The legal basis in this case is Art. 6 (1) sentence 1 lit. a GDPR.

5.3 Consent that has been granted can be revoked at any time. Please note that the revocation is only effective for the future and processing up to that point is not affected.

6. Recipients of data Service providers may receive data to fulfill our contractual and legal obligations or to exercise our rights. Depending on the case, the recipients receive your personal data as processors and are then strictly bound by our instructions when handling your personal data; in other cases they act as controllers. These recipients include the following categories in particular: a) Newsletter provider (if available) b) Hosting provider App Analysis – AWS Amplify c) Payment (if available) d) Other recipients may be our consultants in legal or tax matters, whereby these recipients are generally already obliged to maintain special confidentiality and secrecy due to their professional status.

7. Data transfer to third countries

7.1 If necessary for our purposes, we may also transfer your data to recipients outside the European Economic Area ("Third Countries"). This is particularly the case in the context of contract processing or due to legal regulations.

7.2 We only transfer your data to recipients in Third Countries in accordance with the provisions of Chapter 5 of the GDPR, i.e. if it is ensured that the EU Commission has established an adequate level of data protection within the meaning of Art. 45 (1) GDPR or that appropriate safeguards within the meaning of Art. 46 (2) and (3) GDPR have been implemented or an exception pursuant to Art. 1 GDPR has been established or appropriate safeguards within the meaning of Art. 46 (2) and (3) GDPR have been implemented or an exception pursuant to Art. 49 GDPR exists and there are no overriding interests worthy of protection against the transfer of the data.

7.3 We use the EU Commission's standard contractual clauses for the transfer of personal data to third countries (SCC) to ensure an appropriate level of protection for the recipient of the data.

7.4 We may transfer your data to the following third countries and implement the listed suitable or appropriate safeguards to protect your rights to ensure your protection there: You have the option of accessing the SCC via the link provided or requesting a copy from the data protection officer.

8. Duration of data processing and deletion

8.1 We initially process your personal data for the duration for which the respective processing purpose - see above - requires corresponding processing.

8.2 Insofar as the processing is carried out for the performance of a contract, the processing period also includes the periods of initiation of a contract (pre-contractual legal relationship) and the performance of a contract (including any subsequent claims).

8.3 Insofar as the processing is carried out to safeguard our legitimate interests, the processing period includes the period until the processing purposes pursued are achieved.

8.4 If the processing is based on your consent, the processing period covers the period from the time you give your consent until the time you withdraw your consent or until the time the processing covered by the consent is completed.

8.5 In this respect, we would like to point out that even in the event of withdrawal of consent, further processing may be possible on the basis of other legal bases (Art. 17 (1) lit. b) GDPR).

8.6 Even if the primary processing purposes have been achieved, further processing of your personal data may take place, in particular if this is necessary to fulfill a legal obligation and/or to protect our rights. This includes the following purposes in particular: a) Fulfillment of statutory retention obligations, e.g. arising from the German Commercial Code (HGB) (Sec. 238, 257 (4) HGB) and the German Fiscal Code (AO) (Sec. 147 (3), (4) AO). The retention and documentation periods specified there are up to ten years. b) Preservation of evidence, taking into account the statute of limitations. According to Sec. 194 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

9. External Web-Links

In addition, we also make available various external web-links, including social media and video platforms. However, none of these services are integrated directly into the App. Rather, various services are only linked in the App. We would like to clarify that the terms and conditions and the privacy policy of the respective service providers and platforms apply regarding the use and data processing and that we are not responsible for any data which you may share with the provider of the services available under the external link.

10. Rights of data subjects

10.1 Right to information: You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to obtain access to the personal data concerning you and the information pursuant to Art. 15 (1) lit. a-h GDPR. Where personal data concerning you are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer. Subject to the conditions set out in Art. 15 GDPR, you have the right to receive a copy of the personal data concerning you undergoing processing.

10.2 Right to rectification: Right to rectification: You have the right to obtain from us without undue delay the rectification of personal data concerning you if it is inaccurate. Taking into account the purposes of the processing, you have the right to have incomplete personal data concerning you completed, including by means of providing a supplementary statement.

10.3 Right to erasure: You have the right to obtain from us the erasure of personal data concerning you without undue delay if one of the grounds listed in Art. 17 GDPR applies, e.g. if the data have been unlawfully processed.

10.4 Right to restriction of processing: Subject to the conditions set out in Art. 18 GDPR, you have the right to obtain from us restriction of processing.

10.5 Right to data portability: Subject to the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us. In exercising your right to data portability, you have the right to have the personal data concerning you transmitted directly from us to another controller, where technically feasible.

10.6 Right to withdraw consent: If the data processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent, you can also chose, inter alia, the contact channel that you used when giving your consent.

10.7 Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

11. Right of objection

11.1 Subject to the conditions set out in Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on lit. (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

11.2 Subject to the conditions set out in Art. 21 GDPR, where personal data concerning you are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR you, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you.

12. Obligation to provide data

12.1 In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make the App available to you without restriction.

12.2 Personal data that we do not necessarily require for the above-mentioned processing purposes is marked accordingly as voluntary information.

13. Automated decision-making/profiling

We do not use automated decision-making or profiling (an automated analysis of your personal circumstances).

14. Validity and amendment of this Privacy Policy

This Privacy Policy is currently valid and effective as of 19.05.2024

14.1 Due to the further development of the App or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy. In this case, we will update this Privacy Policy accordingly on the App.