Privacy Policy for the content and functions of the NearMeNow App
(hereinafter “Services”)

Status: March 2026

Introduction
Privacy policies are often difficult to read. We understand that. And we want to do it differently. We want to provide users with an easy-to-understand explanation of how we process personal data. For this purpose, we structure our privacy policy clearly for users and show users for each topic area whether and how we process users’ personal data.

In this privacy policy, we explain to users whether and how we process personal data. In doing so, we present to users all processing activities carried out by us, by third-party services commissioned or integrated by us, or by other third parties acting on our behalf within the scope of the use of our App, our social media profiles and the functions available there (hereinafter collectively referred to as “Services”).

Table of Contents
Our privacy policy is structured as follows:

  1. General – Short introduction to the subject of the privacy policy, the controller and the data protection officer

  2. General information on data processing – Information on what personal data is and the legal basis on which we process it or share it with third parties

  3. Data subject rights – Information on user rights, including the right of access, deletion or objection to our data processing

  4. Information on the cookies and other technologies used – Information on the use of cookies and other technologies with or by means of which we process users’ personal data

  5. Data processing in connection with the use of our Services – Information on our data processing within our Services themselves

  6. Communication Services – Information on services for communication as well as the corresponding processing of personal data

  7. Provision of our Services – Information on hosting service providers and the services used by them

  8. Tracking & Tools – Information on services by means of which we provide our Services to users and by means of which we analyze the use of our Services

  9. Transactional Emails – Information on the integration of mailing service providers with which we implement transactional mailings

  10. Newsletter – Information on the integration of newsletter services through which we provide users with regular information about our services


1. General
The protection of personal data and privacy is extremely important to us. Therefore, we want to provide users with comprehensive transparency regarding the processing of personal data (GDPR) as well as the storage of information on the user’s device (TDDDG). Only if the processing of personal data and information is understandable for users as data subjects are they sufficiently informed about the scope, purposes and benefits of the processing.

This privacy policy applies to all processing of personal data carried out by us as well as to the storage of information on end devices. It therefore applies both within the scope of providing services in our Services and within external online presences, such as our social media profiles.

The controller within the meaning of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection regulations is:

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

Hereinafter referred to as the “Controller” or “we”.

2. General Information on Data Processing
First of all, we would like to provide users with introductory information about what the protection of personal data means, what personal data is, how we process it and which security measures we implement in this context.

Introduction – A few words about the NearMeNow App
NearMeNow is a digital platform and mobile app that helps users discover local offers, events and activities in their area. At the same time, NearMeNow provides local businesses, clubs and organizations with a SaaS tool for digital visibility and for publishing content such as events, activities or offers.

2.1 Processing of Personal Data
Personal data (hereinafter also referred to as “data”) is individual information relating to the personal or factual circumstances of an identified or identifiable natural person.

Individual information relating to personal or factual circumstances includes, for example, the following data; not all of this data is necessarily processed through our Services:

Personal data – name, age, marital status, date of birth
Communication data – address, telephone number, email address
Account data – bank account number, credit card number
Geodata – IP address & location data
Health data – health condition, illnesses

The “processing” of personal data includes, for example, the following measures:

Collection – the collection of data through contact forms, via email or through processes and services used by us
Transmission – the transfer of data to our service providers, integrated services or other third parties
Storage – the storage of data in our databases or on our servers
Modification – the modification of data due to changes in name, place of residence or information within our Services
Deletion – the deletion of data when we are no longer authorized to process it

2.2 Legal Basis for the Processing of Personal Data
We process personal data only within legally permissible limits. The law itself, in particular the GDPR, obliges us to do so. According to this, we are required to always base data processing activities on a legal basis. These legal bases are defined in Art. 6 para. 1 GDPR. In the following, we list all legal bases on which we rely when processing personal data.

Consent – Art. 6 para. 1 lit. a GDPR: Data processing takes place if users have actively consented to this processing after receiving sufficient information about its scope and purposes, for example by means of an “opt-in”. If users withdraw their consent or have not granted it, we will not (or no longer) process users’ data for purposes that require consent.

Consent for minors – Art. 8 para. 1 sentence 2 GDPR in conjunction with Art. 6 para. 1 lit. a or in conjunction with Art. 9 para. 2 lit. a GDPR: The processing of data of minor children (under the age of 16) takes place if legal guardians have actively consented to this processing after receiving sufficient information about its scope and purposes from us, for example by means of an “opt-in”. If the consent has been withdrawn, we will not (or no longer) process the data for purposes that require consent.

Consent for special categories – Art. 9 para. 2 lit. a GDPR: Data processing involving special categories of personal data, such as health data or political opinions (see also Art. 9 para. 1 GDPR), takes place if users have actively consented to this processing after receiving sufficient information about its scope and purposes from us, for example by means of an “opt-in”. If users withdraw their consent or have not granted it, we will not (or no longer) process users’ data for purposes that require consent.

For the performance of a contract – Art. 6 para. 1 lit. b GDPR: Data processing takes place if it is necessary for the performance of a contract between us or for the implementation of pre-contractual measures. If processing is no longer necessary for the performance of the contract, we will no longer process users’ personal data.

Fulfillment of a legal obligation – Art. 6 para. 1 lit. c GDPR: Data processing takes place if such processing is necessary for compliance with a legal obligation to which we as the controller are subject.

Legitimate interest – Art. 6 para. 1 lit. f GDPR: Data processing takes place if it is necessary for the purposes of legitimate interests pursued by us and if the interests or fundamental rights and freedoms of users requiring protection of personal data do not override those interests.

Personal data is processed by us only for clearly defined purposes (Art. 5 para. 1 lit. b GDPR). As soon as the purpose of processing ceases to apply, users’ personal data will be deleted or protected by technical and organizational measures (e.g. by pseudonymization).

The same applies after the expiry of a prescribed storage period, except in cases where further storage is necessary for the conclusion or fulfillment of a contract. In addition, there may be a legal obligation to store data for a longer period or to transfer it to third parties (in particular to law enforcement authorities). In other cases, the storage period and type of data collected as well as the type of data processing depend on which functions users use in individual cases. We are also happy to provide users with information in individual cases in accordance with Art. 15 GDPR.

2.3 The Data Categories We Process
Data categories include in particular the following data:

Master data (e.g. names, addresses, dates of birth),
Contact data (e.g. email addresses, telephone numbers, messenger services),
Content data (e.g. text entries, photographs, videos, content of documents/files),
Contract data (e.g. subject matter of the contract, contract duration, customer category),
Payment data (e.g. bank details, payment history, use of other payment service providers),
Usage data (e.g. history within our Services, use of certain content, access times),
Connection data (e.g. device information, IP addresses, URL referrer).

2.4 The Security Measures We Implement
In accordance with the legal requirements and taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of individuals, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include in particular ensuring that users’ data is stored and processed confidentially, with integrity and with permanent availability. Furthermore, the security measures we have implemented include controls on access to data, as well as on data entry, transfer, the safeguarding of availability and the separation of data from that of other natural persons. In addition, we have established procedures that ensure the exercise of data subject rights (see Section 3), the deletion of data and responses in the event of risks to users’ data. Furthermore, we already consider the protection of personal data during the development of our software and through procedures that correspond to the principle of data protection by design and by default.

2.5 How We Transfer or Disclose Personal Data to Third Parties
As part of our processing activities involving personal data, it may occur that this data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. These third parties may include, for example, payment institutions within the scope of payment transactions, service providers entrusted with IT tasks or providers of services and content that we have integrated into our Services. If we transfer or disclose users’ personal data to third parties, we comply with the legal requirements and in particular conclude appropriate contracts or agreements with the recipients of the data that serve to protect the data.

2.6 How Transfers to Third Countries Take Place
If this privacy policy indicates that we transfer users’ personal data to a third country, meaning a country outside the EU or the EEA, the following applies. A transfer to a third country takes place only in accordance with the legal requirements. We ensure that we have a contractual or legal authorization for the transfer and processing of data in the respective third country. In addition, we only allow users’ data to be processed by service providers in third countries that, in our view, have a recognized level of data protection. This means, for example, that there is an adequacy decision between the EU and the country to which we transfer users’ personal data. An “adequacy decision” is a decision adopted by the European Commission in accordance with Art. 45 GDPR determining that a third country (i.e. a country not bound by the GDPR) or an international organization ensures an adequate level of protection for personal data. Alternatively, for example if there is no adequacy decision, a transfer to a third country takes place only if contractual obligations exist between us and the service provider in the third country through so-called standard contractual clauses of the European Commission and additional technical security measures have been implemented that ensure an adequate level of protection equivalent to that in the EU, or if the service provider in the third country can demonstrate data protection certifications and users’ data is processed only in accordance with internal data protection regulations (Art. 44 to 49 GDPR. Information page of the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de).

Within the framework of the so-called “Data Privacy Framework” (“DPF”), the European Commission has recognized the level of data protection for certain companies in the USA as adequate within the meaning of the adequacy decision of 10 July 2023. Users can find a list of certified companies as well as further information on the DPF on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). Within this privacy policy we inform users which services used by us are certified under the Data Privacy Framework.

2.7 Deletion of Data
The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitting processing are withdrawn or other permissions cease to apply (e.g. if the purpose of processing this data no longer applies or it is no longer required for the purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.

Within the framework of this privacy policy, we may also inform users about the deletion and retention of data that apply specifically to the respective processing operations.

2.8 Storage of and Access to Data on the User’s Device
If we do not obtain users’ consent for this, the storage of or access to information on the user’s device takes place in accordance with § 25 para. 2 no. 2 of the German Telecommunications and Digital Services Data Protection Act (TDDDG), as the storage of and access to this information is absolutely necessary to provide the desired functions of our Services. If we obtain consent for this, the legal basis is § 25 para. 1 TDDDG. Our Services use cookies, tokens or other technologies that may be stored on end devices and without which the provision of our Services would not be possible.

Cookies, tokens or other technologies are generally text files that are stored on the user’s device and can be read by us and third parties when our Services are accessed. Many of the aforementioned technologies contain their own ID. Such an ID is a unique identifier of the technology used. It consists of a string of characters by means of which websites and servers can be assigned to the respective internet browser or the respective service or device in which cookies, tokens or other technologies have been stored. This allows website operators and analytics services to identify users and distinguish them from others.

2.9 Access and Device Settings
To make full use of our Services, users should make certain settings on their device, for example grant access permissions to our Services. When using our Services for the first time or when using a specific function, users will be asked for the corresponding permissions that they can grant to us and our Services. The mentioned data will be processed by us for the following purposes:

The data processing activities listed in Section 2.9.1 are necessary in order to provide users with the full functionality of our Services and thus to fulfill our contract with users. The legal basis for the data processing for the aforementioned purposes is therefore Art. 6 para. 1 sentence 1 lit. b GDPR.

The data processing activities listed in Section 2.9.2 are necessary in order to correctly check and apply permissions, functionalities and security settings for the use of our Services. The legal basis for the data processing for the aforementioned purposes is therefore Art. 6 para. 1 sentence 1 lit. f GDPR, our legitimate interest. We have a legitimate interest in verifying that our Services are displayed correctly and are used by users in an authorized manner.

2.9.1 Full Functionality of our Services

Camera
To take pictures, access to the device’s system camera is required.

Microphone
Access to the device microphone is required, in particular to enable our speech recognition, transcription and matching function.

Photo / Video Gallery
To upload a message including a photo or video directly from the device gallery to our Services, access to the photo/video gallery is required.

Location / Geo-Localisation
In order to display and offer up-to-date and relevant regional information and services to users, we require the current location.

2.9.2 Security Requirements

Network Access & Network Connections
Network access is required because our Services can only be used in online mode.

Device Status
For some of our security checks we require access to the device status.

2.10 Data Processing on Behalf
If we use external service providers to process data, they are carefully selected and commissioned by us. If the services provided by these service providers constitute data processing within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our data processing agreements comply with the strict requirements of Art. 28 GDPR as well as with the requirements of the German data protection authorities.


3. Data Subject Rights

If personal data of our users is processed, they are data subjects within the meaning of the GDPR and users are entitled to the following rights vis-à-vis the controller:

3.1 Right of Access

Users may request confirmation from the controller as to whether personal data concerning them is being processed by us.

If such processing exists, users may request the following information from the controller:

  • the purposes for which the personal data is processed;

  • the categories of personal data that are processed;

  • the recipients or categories of recipients to whom the personal data concerning users has been or will be disclosed;

  • the planned duration of the storage of the personal data concerning users or, if specific information on this is not possible, criteria used to determine the storage period;

  • the existence of a right to rectification or deletion of the personal data concerning users, a right to restriction of processing by the controller or a right to object to such processing;

  • the existence of a right to lodge a complaint with a supervisory authority;

  • all available information on the origin of the data if the personal data is not collected from the data subject;

  • the existence of automated decision-making including profiling pursuant to Art. 22 para. 1 and 4 GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the intended consequences of such processing for the data subject.

  • users have the right to request information as to whether the personal data concerning them is transferred to a third country or to an international organization. In this context, users may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

3.2 Right to Rectification
Users have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning them is inaccurate or incomplete. The controller must carry out the rectification without undue delay.

3.3 Right to Restriction of Processing
Under the following conditions, users may request the restriction of the processing of personal data concerning them:

  • if users contest the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data;

  • the processing is unlawful and users oppose the deletion of the personal data and instead request the restriction of the use of the personal data;

  • the controller no longer needs the personal data for the purposes of processing, but users require it for the establishment, exercise or defense of legal claims, or

  • if users have objected to processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate grounds of the controller override the grounds of the users.

  • where the processing of personal data concerning users has been restricted, such data may, apart from storage, only be processed with consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted in accordance with the above conditions, users will be informed by the controller before the restriction is lifted.

3.4 Right to Erasure

3.4.1. Users may request that the controller erase personal data concerning them without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:

  • the personal data concerning users is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

  • users withdraw consent on which the processing was based according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing.

  • users object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or users object to the processing pursuant to Art. 21 para. 2 GDPR.

  • the personal data concerning users has been unlawfully processed.

  • the erasure of the personal data concerning users is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.

  • the personal data concerning users was collected in relation to offered information society services pursuant to Art. 8 para. 1 GDPR.

3.4.2. If the controller has made the personal data concerning users public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that users as data subjects have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

3.4.3. The right to erasure does not apply insofar as processing is necessary

  • for exercising the right of freedom of expression and information;

  • for compliance with a legal obligation which requires processing under Union law or the law of the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  • for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;

  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

  • for the establishment, exercise or defense of legal claims.

3.5 Right to Notification
If users have exercised the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning users has been disclosed, unless this proves impossible or involves disproportionate effort.

Users have the right vis-à-vis the controller to be informed about those recipients.

3.6 Right to Data Portability
Users have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format. Furthermore, users have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and the processing is carried out by automated means.

In exercising this right, users also have the right to have the personal data concerning them transmitted directly from one controller to another controller, where technically feasible. The freedoms and rights of other persons may not be adversely affected by this.

The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

3.7 Right to Object
Users have the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions.

The controller will no longer process the personal data concerning users unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of our users, or the processing serves the establishment, exercise or defense of legal claims.

If the personal data concerning users is processed for direct marketing purposes, users have the right to object at any time to the processing of personal data concerning them for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

If users object to processing for direct marketing purposes, the personal data concerning users will no longer be processed for those purposes.

In the context of the use of information society services – notwithstanding Directive 2002/58/EC – users have the possibility to exercise their right to object by automated means using technical specifications.

3.8 Right to Withdraw Consent under Data Protection Law
Users have the right to withdraw their consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Processing remains lawful until withdrawal – the withdrawal therefore only takes effect for processing after receipt of the withdrawal. Users may declare the withdrawal informally by post or email. Personal data will then no longer be processed, subject to authorization by another legal basis. If this is not the case, users’ data must be deleted without undue delay after the withdrawal in accordance with Art. 17 para. 2 GDPR. The right to withdraw consent subject to the above-mentioned conditions is guaranteed.

The withdrawal must be addressed to:

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

3.9 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, users have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work or place of the alleged infringement, if users consider that the processing of personal data concerning them infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

3.10 Automated Individual Decision-Making Including Profiling
Automated individual decision-making including profiling does not take place.

3.11 Notification Obligations of the Controller
If the personal data of users has been disclosed to other recipients (third parties) on a legal basis, we will communicate any rectification, erasure or restriction of processing of personal data to those recipients (Art. 16, Art. 17 para. 1 and Art. 18 GDPR). The obligation to notify does not apply if this proves impossible or involves disproportionate effort. Furthermore, we will inform users about the recipients upon request.

4. Information on the Cookies and Other Technologies Used

We use cookies or other technologies to provide our services, analyze them, and conduct marketing using the evaluated data. Cookies are, for example, small text files that contain data from visited websites or domains and are stored on a device (computer, tablet, or smartphone). When users access a website, the cookie stored on a device sends information to the party that placed the cookie.

4.1 How We Use Cookies and Other Technologies
We want users to be able to make an informed decision for or against the use of cookies and other technologies that are not strictly required for the technical characteristics of the services. Therefore, in cases where we use cookies and other technologies that require consent, users are given the opportunity—upon their first visit to our services and permanently thereafter via the relevant settings—to choose which cookies and other technologies they allow as part of a voluntary decision. Functional cookies and other technologies are always mandatory for visiting our services and are therefore already enabled through our default settings. Statistics and marketing cookies and other technologies are optional. Users may allow them by consenting to the placement of these cookies and other technologies in the consent banner. Alternatively, users may reject statistics and marketing cookies and other technologies.

4.2 Storage Duration of Cookies and Other Technologies
Unless we explicitly provide users with information about the storage duration of cookies and other technologies (for example within the consent banner), users may assume that the storage duration may be up to two years. If cookies and other technologies have been set based on consent, users have the possibility at any time to withdraw the consent granted or to object to the processing of data through cookies or technologies (collectively referred to as “opt-out”).

4.3 Types of Cookies and Other Technologies
In substance, we distinguish between:

Functional Cookies / Technologies: These are required for the basic technical functions of the services. They enable, for example, secure login and the storage of progress during ordering processes. They also enable us, for example, to store login data and shopping cart contents and to ensure the consistent display of page content.

Statistics Cookies / Technologies: These allow us to analyze the services so that we can measure and improve their performance. Users can change their personal statistics settings by clicking the corresponding opt-out link.

Marketing Cookies / Technologies: These are used by us to present users with advertising that may be relevant to their interests. They enable, for example, the sharing of pages via social networks and the writing of comments. Offers that may correspond to users’ interests are also displayed. Users can change their personal marketing settings by clicking the corresponding opt-out link.

4.4 Consent Management
We use a consent management tool (hereinafter also referred to as the “Consent Tool”) as part of the tracking and analysis activities within our services. The Consent Tool collects log file and consent data. The Consent Tool enables us to inform users about consent for certain tags in our services and to obtain, manage, and document this consent. In this context, we process the following data: (1) consent data (anonymized log data (Consent ID, Processor ID, Controller ID), consent status, timestamp), (2) device data (including shortened IP addresses (IP v4, IP v6), device information, timestamp), (3) user data (including email, ID, browser information, setting IDs, changelog). The Consent ID (which contains the data mentioned above) and the consent status including timestamp are stored in the browser’s local storage and simultaneously on the cloud servers used by us. Further processing only takes place if users submit a request for access to information or withdraw their consent. The legal basis for processing personal data by means of the Consent Tool as described here results from our legitimate interest as well as from compliance with legal obligations and therefore from Art. 6 (1) lit. f and c GDPR. Through the Consent Tool, we aim to comply with legal requirements relating to data protection and tracking and thereby ensure that the functioning of our information technology systems is legally compliant and user-oriented.

5. Data Processing in Connection with the Use of Our Services
The use of our services with all their functions involves the processing of personal data. We explain to users here how this takes place in detail.

App via App Stores
Our services are available through third-party distribution platforms, so-called app stores (Google Play Store and Apple Store). Downloading the app may require prior registration with the respective app store and the installation of the app store software. We have no influence on the collection, processing, and use of personal data in connection with a registration and the provision of downloads in the respective app store and the app store software. The responsible entity in this respect is solely the operator of the respective app store. If necessary, users should obtain information directly from the respective app store provider.

5.1 Informational Use of Our Services
The purely informational access to our services requires the processing of the following personal data and information: device type and device version, operating system used, the IP address of the device with which users access our services, as well as the time at which our services are accessed. All this information is automatically transmitted by a device unless users have configured their device in such a way that the transmission of information is suppressed.

These personal data are processed for the purpose of ensuring the functionality and optimization of our services, as well as for ensuring the security of our information technology systems. These purposes also represent legitimate interests pursuant to Art. 6 (1) lit. f GDPR, and therefore the processing is carried out on this legal basis.

5.2 Use With or After Registration

5.2.1 Registration
Beyond the purely informational use of our services, users have the option to register for our services and use our full offering. In this context, we process in particular master data and contact data such as the name, email address, and password. In addition, connection data such as the date, device information, and IP address are automatically processed.

Some processing steps may also be carried out by third-party providers. The data processing by third parties takes place under the conditions of the respective applicable privacy policies. In the case of data processing with third parties, this may constitute processing on our behalf within the meaning of Art. 28 GDPR. This is subject to strict legal requirements, which we comply with as part of our contractual agreements with our processors.

The use of our services during or after successful registration and login and the associated data processing operations may differ from purely informational use. The collection of this data associated with a profile is carried out for the purpose of verifying the status and fulfilling our contractual obligations towards users. These are legitimate purposes pursuant to Art. 6 (1) lit. b GDPR. If consent is necessary for a processing activity, we will obtain this at the appropriate point (for example via the opt-in option within a consent banner when first using our services). For further questions, users are welcome to contact us within the framework of their right of access pursuant to Art. 15 (1) GDPR.

5.2.2 Creation and Use of a User Account
Users may create a user account within our services in order to use our services and their functions. When users do so, the personal data provided there are transmitted to us by the device and stored in our information technology systems. In addition, the IP address and the time of registration are stored.

When users log into their user account, our service stores tokens on the device to allow them to remain logged in—even if they reload our services in the meantime. By creating a user account, users can make use of the functions of our services.

The processing operations associated with the creation of a user account serve the purpose of enabling the assignment of future usage activities and allowing users to access the full offering of our services. When ordering products or booking services, the processing of data also serves the performance of the contract and is therefore purpose-bound and necessary pursuant to Art. 6 (1) lit. b GDPR.

The storage of the IP address and the time of registration is necessary to ensure the security of our information technology systems. This also constitutes our legitimate interest, which means that the processing is also lawful pursuant to Art. 6 (1) lit. f GDPR.

The storage of personal data entered by users takes place until the deletion of this data within the user account or at the latest until the complete deletion of the user account with us. Notwithstanding this, we process certain personal data of users only if we have a legal or contractual authorization to do so. This is the case, for example, if we are permitted to retain contract or payment data even after deletion of the user account for billing or other reasons necessary for the proper execution of our contractual relationship.

5.2.3 Additional Information for the User Account
After registering and logging into our services, users have the option to voluntarily provide additional information about themselves and their personal data. This information includes further master data such as, in particular, uploading a profile picture, providing the date of birth or year of birth, specifying a place of residence, indicating personal interests, or assigning a username that differs from a natural name. We process this data as part of the completion of the user account and, if applicable, for our community functions.

The use of the aforementioned functions is an essential component of our services; therefore, the processing of data serves the performance of the contract and is thus purpose-bound and necessary pursuant to Art. 6 (1) lit. b GDPR.

5.3 Functions of Our Services
Depending on registration or purely informational use of our services, users have access to the functions of our services. These include, in particular, the possibility of booking activities offered by our partners. We provide all of these functions so that users can utilize the full scope of our services—depending on the selected model—and so that we can achieve the best possible result for them in the context of using our services.

We only forward the data entered by users to authorized third parties, such as the specifically selected partner, and process them in order to fulfill the contractual relationships entered into with users, in particular for the fulfillment of the user agreement that users have concluded by using our services. The legal basis for the processing of data therefore results from Art. 6 (1) lit. b GDPR.

6. Communication Services

6.1 Contact Form / Contact via Email
We process the personal data of users that users provide to us as part of contacting us for the purpose of responding to an inquiry, an email, or a request for a callback. The categories of data processed include master data, contact data, content data, if applicable usage data, connection data, and if applicable contract data. In individual cases, we may pass this data on to affiliated companies or to third parties who are contractually authorized to process this data for the handling of orders and bookings. The legal basis for processing depends on the purpose of the contact request. By submitting an inquiry through the contact form or by contacting us via email, users indicate that they wish to receive answers or information on specific topics. For this purpose, users also provide their data. We respond to an inquiry as requested and process user data for this purpose. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR, as we process it in order to respond to an inquiry and thereby to fulfill the contract in this regard.

6.2 Feedback Form
We process the personal data of users that users provide to us as part of submitting feedback for the purpose of implementing that feedback, for example to improve our services. The categories of data processed include master data, contact data, content data, if applicable usage data, connection data, and if applicable contract data. In individual cases, we may pass this data on to affiliated companies or third parties whom we use to improve our services. The legal basis for processing depends on the purpose of the feedback submission. By submitting feedback, users indicate that they wish, for example, improvements to functions of our services. We record this information and process user data for this purpose. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR for the fulfillment of the contract.

6.3 Ratings & Reviews
We process the personal data of users that users provide as part of submitting ratings and reviews in order to display ratings and reviews within our services. The categories of data processed include master data, contact data, content data, if applicable usage data, and connection data. As a rule, we do not pass this data on to third parties; however, it may generally be publicly visible within our services to third parties. The legal basis for processing depends on the purpose of the rating or review. By submitting a rating or review, users share certain experiences, circumstances, or impressions that they have gained while using our services. We record this information in order to make it accessible to the affected persons or to the general public. The possibility to submit ratings and reviews is an essential component of our services. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR for the fulfillment of the contract.

6.4 Reporting Illegal Content pursuant to the Digital Services Act
We process the data of our users that are provided to us by users as part of reporting illegal content. The processed data may fall into all data categories listed in section 2.3. We process this data in order to examine the reported content for its illegality and to derive resulting legal obligations, such as blocking, deletion, or criminal prosecution. The legal basis for processing data that has been transmitted to us as part of reports of illegal content follows from Art. 6 (1) lit. c GDPR. Under the provisions of the EU Digital Services Act, we are legally obligated to review illegal content and take appropriate measures based on it.

7. Hosting

7.1 Provision of Our Services
In order to provide our services to users, we use the services of the hosting providers listed below. Our services are accessed via the servers of these hosting providers. For these purposes, we make use of infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services of the web hosting providers.

The processed data include all data that users enter within the scope of using and communicating in connection with their visit to our services or that are collected from users in this context (e.g., IP address). Our legal basis for using hosting providers to provide our services results from Art. 6 (1) lit. f GDPR (legitimate interest).

7.2 Collection of Access Data and Log Files
We ourselves (or the hosting providers) collect data for each access to the server (server log files). The server log files may include the address and name of the retrieved services and files, date and time of access, transmitted data volumes, notification of successful retrieval, device type including version, operating system, referrer URL (the previously visited page), and generally IP addresses as well as the requesting provider.

The server log files may be used, on the one hand, for security purposes, for example to prevent server overload (particularly in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the utilization and stability of the servers. Our legal basis for using a hosting provider to collect access data and log files results from Art. 6 (1) lit. f GDPR (legitimate interest).

The hosting provider we use is the following:

Microsoft Azure
Microsoft Datacenter Netherlands B.V.
Evert van de Beekstraat 354
1118 CZ Schiphol (Amsterdam)
Netherlands

8. Tracking & Tools

To ensure smooth technical operation and an optimal user-friendly use of our services, we use the following services:

Mixpanel
We use Mixpanel for the purpose of statistical evaluation of the use of our services. Mixpanel creates pseudonymized user profiles based on usage behavior within our services and tracks the corresponding movements and actions that users perform within our services. The processed data include usage data and connection data. The recipient of the data is Mixpanel Inc., 405 Howard St., Flr 2, San Francisco, CA 94105, USA (as joint controller, Art. 26 GDPR).

The transfer of data to the USA takes place on the basis of a data processing agreement concluded with Mixpanel and in accordance with standard contractual clauses agreed with Mixpanel and other security measures permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

The legal basis for the use of Mixpanel is consent (e.g., via an opt-in in the consent banner), provided that users have granted us such consent when visiting our services, and therefore results from Art. 6 (1) lit. a GDPR. Based on consent, cookies or similar (text) files are stored on the user’s device and personal data are read through them. If users have not granted consent to the use of Mixpanel (no opt-in in the consent banner or withdrawal of consent), we do not (or no longer) use Mixpanel when users visit our services.

Amplitude
We use Amplitude for the purpose of statistical evaluation of the use of our services. Amplitude enables us to evaluate user movements within our services, in particular which functions are used, how users navigate through our services, and where drop-offs occur. This allows us to technically optimize our services and make them more user-friendly. For this purpose, Amplitude creates pseudonymized user profiles based on usage behavior within our services and tracks the corresponding movements and actions that users perform within our services.

The processed data include usage data and connection data. The recipient of the data is Amplitude, Inc., 631 Howard Street, Floor 5, San Francisco, CA 94105, USA (as joint controller, Art. 26 GDPR).

The transfer of data to the USA takes place on the basis of a data processing agreement concluded with Amplitude and in accordance with standard contractual clauses agreed with Amplitude and other security measures permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

The legal basis for the use of Amplitude is consent (e.g., via an opt-in in the consent banner), provided that users have granted us such consent when visiting our services, and therefore results from Art. 6 (1) lit. a GDPR. Based on consent, cookies or similar (text) files are stored on the user’s device and personal data are read through them. If users have not granted consent to the use of Amplitude (no opt-in in the consent banner or withdrawal of consent), we do not (or no longer) use Amplitude when users visit our services.

9. Transactional Mailings

For administrative processes, for confirming actions, and as part of our non-promotional customer communication, we send transactional notifications (hereinafter “Transactional Mailings”) to users. Our Transactional Mailings contain important administrative information regarding our services.

For the management of our Transactional Mailings as well as for the creation and sending of Transactional Mailings, we use the transactional mail services listed below. When users retrieve Transactional Mailings, technical information such as information about the browser and system, as well as an IP address and the time of retrieval, may be collected. This information is used to technically track interaction with our Transactional Mailings based on technical data or the target groups and their reading behavior.

The legal basis for the use of Transactional Mailings is Art. 6 (1) lit. b GDPR, as the information contained in the Transactional Mailings enables us to fulfill our contractual obligations toward users. If we use the services of third-party providers for this purpose, the legal basis is Art. 6 (1) lit. f GDPR. We have a legitimate interest in standardizing and centrally managing the sending of Transactional Mailings. In doing so, the interests of users in the most data-minimizing processing possible are not unduly affected.

If providers transfer data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

Provider of the Transactional Mail Services Used by Us

OneSignal
OneSignal, Inc.
2194 Esperanca Avenue
Santa Clara
CA 95054
USA
https://onesignal.com/privacy_policy

10. Newsletter Distribution

With consent (usually by subscribing), we send newsletters, emails, and other electronic notifications (hereinafter “Newsletter”) to users. Our newsletters generally contain technical, commercial, and promotional information about our services.

For the management of our newsletter subscribers as well as for the creation and sending of newsletters, we use the newsletter services listed below. To subscribe to our newsletter, it is generally sufficient for users to provide an email address.

Subscription to our newsletter always takes place via a so-called double opt-in procedure. After registering for our newsletter, users receive an email asking them to confirm their subscription by clicking on a confirmation link. This confirmation is necessary to prevent someone else from registering an email address for a newsletter without authorization.

We log newsletter subscriptions in order to be able to prove the registration process in accordance with legal requirements. For this purpose, we store the time of subscription and confirmation as well as an IP address. Changes to the data stored with the mailing service provider are also logged.

Users may unsubscribe from our newsletter at any time. To do so, users simply click the “Unsubscribe” button contained in the footer of each newsletter. If users unsubscribe from our newsletter, an email address may be stored for up to three years based on our legitimate interests before we delete it, so that we can prove previously given consent.

If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.

Our newsletters may contain a so-called “web beacon.” A web beacon is a pixel-sized file that is retrieved from our server (or from the server of the mailing service provider if one is used) when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and system, as well as an IP address and the time of retrieval, are initially collected.

This information is used for the technical improvement of our newsletter based on technical data or the target groups and their reading behavior, based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked.

For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor, if used, that of the mailing service provider to observe individual users. Rather, the evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The evaluation of newsletters and the measurement of their success take place—subject to explicit consent of the users—on the basis of our legitimate interests for the purpose of using a user-friendly and secure newsletter system that serves both our business interests and the expectations of users.

The legal basis for sending newsletters and thus also for the use of web beacons is consent, provided that users have granted this consent by subscribing to the newsletter, and therefore results from Art. 6 (1) lit. a GDPR. If users have not granted consent to receive newsletters, we do not (or no longer) send newsletters to users. Consequently, the use of web beacons also does not occur.

If we use the services of third-party providers for this purpose, the legal basis is Art. 6 (1) lit. f GDPR. We have a legitimate interest in standardizing and centrally managing the sending of newsletters. In doing so, the interests of users in the most data-minimizing processing possible are not unduly affected.

If providers transfer data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

Provider of the Newsletter Services Used by Us

OneSignal
OneSignal, Inc.
2194 Esperanca Avenue
Santa Clara
CA 95054
USA
https://onesignal.com/privacy_policy


11. Final Provisions

In the event of discrepancies or interpretation issues between different language versions of this document, the German version of the document shall prevail.

Status: March 2026


With friendly support from
https://www.derstartupanwalt.de/


1. General
The protection of personal data and privacy is extremely important to us. Therefore, we want to provide users with comprehensive transparency regarding the processing of personal data (GDPR) as well as the storage of information on the user’s device (TDDDG). Only if the processing of personal data and information is understandable for users as data subjects are they sufficiently informed about the scope, purposes and benefits of the processing.

This privacy policy applies to all processing of personal data carried out by us as well as to the storage of information on end devices. It therefore applies both within the scope of providing services in our Services and within external online presences, such as our social media profiles.

The controller within the meaning of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection regulations is

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

Hereinafter referred to as the “Controller” or “we”.

2. General Information on Data Processing
First of all, we would like to provide users with introductory information about what the protection of personal data means, what personal data is, how we process it and which security measures we implement in this context.

Introduction – A few words about the NearMeNow App
NearMeNow is a digital platform and mobile app that helps users discover local offers, events and activities in their area. At the same time, NearMeNow provides local businesses, clubs and organizations with a SaaS tool for digital visibility and for publishing content such as events, activities or offers.

2.1 Processing of Personal Data
Personal data (hereinafter also referred to as “data”) is individual information relating to the personal or factual circumstances of an identified or identifiable natural person.

Individual information relating to personal or factual circumstances includes, for example, the following data, although not all of this data is necessarily processed through our Services:

Personal data – name, age, marital status, date of birth
Communication data – address, telephone number, email address
Account data – bank account number, credit card number
Geodata – IP address & location data
Health data – health condition, illnesses

The “processing” of personal data includes, for example, the following measures:

Collection – the collection of data through contact forms, via email or through processes and services used by us
Transmission – the transfer of data to our service providers, integrated services or other third parties
Storage – the storage of data in our databases or on our servers
Modification – the modification of data due to changes in name, place of residence or information within our Services
Deletion – the deletion of data when we are no longer authorized to process it

2.2 Legal Basis for the Processing of Personal Data
We process personal data only within legally permissible limits. The law itself, in particular the GDPR, obliges us to do so. According to this, we are required to always base data processing activities on a legal basis. These legal bases are defined in Art. 6 para. 1 GDPR. In the following, we list all legal bases on which we rely when processing personal data.

Consent – Art. 6 para. 1 lit. a GDPR: Data processing takes place if users have actively consented to this processing after receiving sufficient information about its scope and purposes, for example by means of an “opt-in”. If users withdraw their consent or have not granted it, we will not (or no longer) process users’ data for purposes that require consent.

Consent for minors – Art. 8 para. 1 sentence 2 GDPR in conjunction with Art. 6 para. 1 lit. a or in conjunction with Art. 9 para. 2 lit. a GDPR: The processing of data of minor children (under the age of 16) takes place if legal guardians have actively consented to this processing after receiving sufficient information about its scope and purposes from us, for example by means of an “opt-in”. If the consent has been withdrawn, we will not (or no longer) process the data for purposes that require consent.

Consent for special categories – Art. 9 para. 2 lit. a GDPR: Data processing involving special categories of personal data, such as health data or political opinions (see also Art. 9 para. 1 GDPR), takes place if users have actively consented to this processing after receiving sufficient information about its scope and purposes from us, for example by means of an “opt-in”. If users withdraw their consent or have not granted it, we will not (or no longer) process users’ data for purposes that require consent.

For the performance of a contract – Art. 6 para. 1 lit. b GDPR: Data processing takes place if it is necessary for the performance of a contract between us or for the implementation of pre-contractual measures. If processing is no longer necessary for the performance of the contract, we will no longer process users’ personal data.

Fulfillment of a legal obligation – Art. 6 para. 1 lit. c GDPR: Data processing takes place if such processing is necessary for compliance with a legal obligation to which we as the controller are subject.

Legitimate interest – Art. 6 para. 1 lit. f GDPR: Data processing takes place if it is necessary for the purposes of legitimate interests pursued by us and if the interests or fundamental rights and freedoms of users requiring protection of personal data do not override those interests.

Personal data is processed by us only for clearly defined purposes (Art. 5 para. 1 lit. b GDPR). As soon as the purpose of processing ceases to apply, users’ personal data will be deleted or protected by technical and organizational measures (e.g. by pseudonymization).

The same applies after the expiry of a prescribed storage period, except in cases where further storage is necessary for the conclusion or fulfillment of a contract. In addition, there may be a legal obligation to store data for a longer period or to transfer it to third parties (in particular to law enforcement authorities). In other cases, the storage period and type of data collected as well as the type of data processing depend on which functions users use in individual cases. We are also happy to provide users with information in individual cases in accordance with Art. 15 GDPR.

2.3 These Data Categories We Process
Data categories include in particular the following data:

Master data (e.g. names, addresses, dates of birth),
Contact data (e.g. email addresses, telephone numbers, messenger services),
Content data (e.g. text entries, photographs, videos, content of documents/files),
Contract data (e.g. subject matter of the contract, contract duration, customer category),
Payment data (e.g. bank details, payment history, use of other payment service providers),
Usage data (e.g. history within our Services, use of certain content, access times),
Connection data (e.g. device information, IP addresses, URL referrer).

2.4 These Security Measures We Implement
In accordance with the legal requirements and taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of individuals, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include in particular ensuring that users’ data is stored and processed confidentially, with integrity and with permanent availability. Furthermore, the security measures we have implemented include controls on access to the data as well as on access, entry, transfer, availability and the separation of the data from that of other natural persons. In addition, we have established procedures that ensure the exercise of data subject rights (see Section 3), the deletion of data and responses in the event of risks to users’ data. Furthermore, we already consider the protection of personal data during the development of our software and through procedures that correspond to the principle of data protection by design and by default.

2.5 How We Transfer or Disclose Personal Data to Third Parties
As part of our processing activities involving personal data, it may occur that this data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. These third parties may include, for example, payment institutions within the scope of payment transactions, service providers entrusted with IT tasks or providers of services and content that we have integrated into our Services. If we transfer or disclose users’ personal data to third parties, we comply with the legal requirements and in particular conclude appropriate contracts or agreements with the recipients of the data that serve to protect the data.

2.6 How Transfers to Third Countries Take Place
If this privacy policy indicates that we transfer users’ personal data to a third country, meaning a country outside the EU or the EEA, the following applies. A transfer to a third country takes place only in accordance with the legal requirements. We ensure that we have a contractual or legal authorization for the transfer and processing of data in the respective third country. In addition, we only allow users’ data to be processed by service providers in third countries that, in our view, have a recognized level of data protection. This means, for example, that there is an adequacy decision between the EU and the country to which we transfer users’ personal data. An “adequacy decision” is a decision adopted by the European Commission in accordance with Art. 45 GDPR determining that a third country (i.e. a country not bound by the GDPR) or an international organization ensures an adequate level of protection for personal data. Alternatively, for example if there is no adequacy decision, a transfer to a third country takes place only if contractual obligations exist between us and the service provider in the third country through so-called standard contractual clauses of the European Commission and additional technical security measures have been implemented that ensure an adequate level of protection equivalent to that in the EU, or if the service provider in the third country can demonstrate data protection certifications and users’ data is processed only in accordance with internal data protection regulations (Art. 44 to 49 GDPR. Information page of the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de).

Within the framework of the so-called “Data Privacy Framework” (“DPF”), the European Commission has recognized the level of data protection for certain companies in the USA as adequate within the meaning of the adequacy decision of 10 July 2023. Users can find a list of certified companies as well as further information on the DPF on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). Within this privacy policy we inform users which services used by us are certified under the Data Privacy Framework.

2.7 Deletion of Data
The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitting processing are withdrawn or other permissions cease to apply (e.g. if the purpose of processing this data no longer applies or it is no longer required for the purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.

Within the framework of this privacy policy, we may also inform users about the deletion and retention of data as they apply specifically to the respective processing operations.

2.8 Storage of and Access to Data on the User’s Device
If we do not obtain users’ consent for this, the storage of or access to information on the user’s device takes place in accordance with § 25 para. 2 no. 2 of the German Telecommunications and Digital Services Data Protection Act (TDDDG), as the storage of and access to this information is absolutely necessary to provide the desired functions of our Services. If we obtain consent for this, the legal basis is § 25 para. 1 TDDDG. Our Services use cookies, tokens or other technologies that may be stored on end devices and without which the provision of our Services would not be possible.

Cookies, tokens or other technologies are generally text files that are stored on the user’s device and can be read by us and third parties when accessing our Services. Many of the aforementioned technologies contain their own ID. Such an ID is a unique identifier of the technology used. It consists of a string of characters by means of which websites and servers can be assigned to the respective internet browser or the respective service or device in which cookies, tokens or other technologies have been stored. This allows website operators and analytics services to identify individual users and distinguish them from others.

2.9 Access and Device Settings
To make full use of our Services, users should make certain settings on their device, for example grant access permissions to our Services. When using our Services for the first time or when using a specific function, users will be asked for the corresponding permissions that they can grant to us and our Services. The mentioned data will be processed by us for the following purposes:

The data processing activities listed in Section 2.9.1 are necessary in order to provide users with the full functionality of our Services and thus to fulfill our contract with users. The legal basis for the data processing for the aforementioned purposes is therefore Art. 6 para. 1 sentence 1 lit. b GDPR.

The data processing activities listed in Section 2.9.2 are necessary in order to correctly check and apply permissions, functionalities and security settings for the use of our Services. The legal basis for the data processing for the aforementioned purposes is therefore Art. 6 para. 1 sentence 1 lit. f GDPR, our legitimate interest. We have a legitimate interest in verifying that our Services are displayed correctly and are used by users in an authorized manner.

2.9.1 Full Functionality of our Services

Camera
To take pictures, access to the device’s system camera is required.

Microphone
In particular to enable our speech recognition, transcription and matching function, access to the device microphone is required.

Photo / Video Gallery
To upload a message including a photo or video directly from the device gallery to our Services, access to the photo/video gallery is required.

Location / Geo-Localisation
In order to display and offer up-to-date and relevant regional information and services to users, we require the current location.

2.9.2 Security Requirements

Network Access & Network Connections
Network access is required because our Services can only be used in online mode.

Device Status
For some of our security checks we require access to the device status.

2.10 Data Processing on Behalf
If we use external service providers to process data, they are carefully selected and commissioned by us. If the services provided by these service providers constitute data processing within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our data processing agreements comply with the strict requirements of Art. 28 GDPR as well as with the requirements of the German data protection authorities.


3. Data Subject Rights
If personal data of our users is processed, they are data subjects within the meaning of the GDPR and users are entitled to the following rights vis-à-vis the controller:

3.1 Right of Access
Users may request confirmation from the controller as to whether personal data concerning them is being processed by us.

If such processing exists, users may request the following information from the controller:

  • the purposes for which the personal data is processed;

  • the categories of personal data that are processed;

  • the recipients or categories of recipients to whom the personal data concerning users has been or will be disclosed;

  • the planned duration of the storage of the personal data concerning users or, if specific information on this is not possible, criteria used to determine the storage period;

  • the existence of a right to rectification or deletion of the personal data concerning users, a right to restriction of processing by the controller or a right to object to such processing;

  • the existence of a right to lodge a complaint with a supervisory authority;

  • all available information on the origin of the data if the personal data is not collected from the data subject;

  • the existence of automated decision-making including profiling pursuant to Art. 22 para. 1 and 4 GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the intended consequences of such processing for the data subject.

Users have the right to request information as to whether the personal data concerning them is transferred to a third country or to an international organization. In this context, users may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

3.2 Right to Rectification
Users have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning them is inaccurate or incomplete. The controller must carry out the rectification without undue delay.

3.3 Right to Restriction of Processing
Under the following conditions, users may request the restriction of the processing of personal data concerning them:

  • if users contest the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data;

  • the processing is unlawful and users oppose the deletion of the personal data and instead request the restriction of the use of the personal data;

  • the controller no longer needs the personal data for the purposes of processing, but users require it for the establishment, exercise or defense of legal claims, or

  • if users have objected to processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate grounds of the controller override the grounds of the users.

Where the processing of personal data concerning users has been restricted, such data may, apart from storage, only be processed with consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted in accordance with the above conditions, users will be informed by the controller before the restriction is lifted.

3.4 Right to Erasure

3.4.1. Users may request that the controller erase personal data concerning them without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:

  • the personal data concerning users is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

  • users withdraw consent on which the processing was based according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing.

  • users object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or users object to the processing pursuant to Art. 21 para. 2 GDPR.

  • the personal data concerning users has been unlawfully processed.

  • the erasure of the personal data concerning users is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.

  • the personal data concerning users was collected in relation to offered information society services pursuant to Art. 8 para. 1 GDPR.

3.4.2. If the controller has made the personal data concerning users public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that users as data subjects have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

3.4.3. The right to erasure does not apply insofar as processing is necessary

  • for exercising the right of freedom of expression and information;

  • for compliance with a legal obligation which requires processing under Union law or the law of the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  • for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;

  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

  • for the establishment, exercise or defense of legal claims.

3.5 Right to Notification
If users have exercised the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning users has been disclosed, unless this proves impossible or involves disproportionate effort.

Users have the right vis-à-vis the controller to be informed about those recipients.

3.6 Right to Data Portability
Users have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format. Furthermore, users have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and the processing is carried out by automated means.

In exercising this right, users also have the right to have the personal data concerning them transmitted directly from one controller to another controller, where technically feasible. The freedoms and rights of other persons may not be adversely affected by this.

The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

3.7 Right to Object
Users have the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions.

The controller will no longer process the personal data concerning users unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of our users, or the processing serves the establishment, exercise or defense of legal claims.

If the personal data concerning users is processed for direct marketing purposes, users have the right to object at any time to the processing of personal data concerning them for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

If users object to processing for direct marketing purposes, the personal data concerning users will no longer be processed for those purposes.

In the context of the use of information society services – notwithstanding Directive 2002/58/EC – users have the possibility to exercise their right to object by automated means using technical specifications.

3.8 Right to Withdraw Consent under Data Protection Law
Users have the right to withdraw their consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Processing remains lawful until withdrawal – the withdrawal therefore only takes effect for processing after receipt of the withdrawal. Users may declare the withdrawal informally by post or email. Personal data will then no longer be processed, subject to authorization by another legal basis. If this is not the case, users’ data must be deleted without undue delay after the withdrawal in accordance with Art. 17 para. 2 GDPR. The right to withdraw consent subject to the above-mentioned conditions is guaranteed.

The withdrawal must be addressed to:

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

3.9 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, users have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work or place of the alleged infringement, if users consider that the processing of personal data concerning them infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

3.10 Automated Individual Decision-Making Including Profiling
Automated individual decision-making including profiling does not take place.

3.11 Notification Obligations of the Controller
If the personal data of users has been disclosed to other recipients (third parties) on a legal basis, we will communicate any rectification, erasure or restriction of processing of personal data to those recipients (Art. 16, Art. 17 para. 1 and Art. 18 GDPR). The obligation to notify does not apply if this proves impossible or involves disproportionate effort. Furthermore, we will inform users about the recipients upon request.

4. Information on the Cookies and Other Technologies Used
We use cookies or other technologies to provide our services, analyze them, and conduct marketing using the evaluated data. Cookies are, for example, small text files that contain data from visited websites or domains and are stored on a device (computer, tablet, or smartphone). When users access a website, the cookie stored on a device sends information to the party that placed the cookie.

4.1 How We Use Cookies and Other Technologies
We want users to be able to make an informed decision for or against the use of cookies and other technologies that are not strictly required for the technical characteristics of the services. Therefore, in cases where we use cookies and other technologies that require consent, users are given the opportunity—upon their first visit to our services and permanently thereafter via the relevant settings—to choose which cookies and other technologies they allow as part of a voluntary decision. It always applies that functional cookies and other technologies are mandatory for visiting our services and are therefore already enabled through our default settings. Statistics and marketing cookies and other technologies are optional. Users may allow them by consenting to the placement of these cookies and other technologies in the consent banner. Alternatively, users may reject statistics and marketing cookies and other technologies.

4.2 Storage Duration of Cookies and Other Technologies
Unless we explicitly provide users with information about the storage duration of cookies and other technologies (for example within the consent banner), users may assume that the storage duration may be up to two years. If cookies and other technologies have been set based on consent, users have the possibility at any time to withdraw the consent granted or to object to the processing of data through cookies or technologies (collectively referred to as “opt-out”).

4.3 Types of Cookies and Other Technologies
In substance, we distinguish between:

Functional Cookies / Technologies: These are required for the basic technical functions of the services. They enable, for example, secure login and the storage of progress during ordering processes. They also enable us, for example, to store login data and shopping cart contents and to ensure the consistent display of page content.

Statistics Cookies / Technologies: These allow us to analyze the services so that we can measure and improve their performance. Users can change their personal statistics settings by clicking the corresponding opt-out link.

Marketing Cookies / Technologies: These are used by us to present users with advertising that may be relevant to their interests. They enable, for example, the sharing of pages via social networks and the writing of comments. Offers that may correspond to users’ interests are also displayed. Users can change their personal marketing settings by clicking the corresponding opt-out link.

4.4 Consent Management
We use a consent management tool (hereinafter also referred to as the “Consent Tool”) as part of the tracking and analysis activities within our services. The Consent Tool collects log file and consent data. The Consent Tool enables us to inform users about consent for certain tags in our services and to obtain, manage, and document this consent. In this context, we process the following data: (1) consent data (anonymized log data (Consent ID, Processor ID, Controller ID), consent status, timestamp), (2) device data (including shortened IP addresses (IP v4, IP v6), device information, timestamp), (3) user data (including email, ID, browser information, setting IDs, changelog). The Consent ID (which contains the data mentioned above) and the consent status including timestamp are stored in the browser’s local storage and simultaneously on the cloud servers used by us. Further processing only takes place if users submit a request for access to information or withdraw their consent. The legal basis for processing personal data by means of the Consent Tool as described here results from our legitimate interest as well as from compliance with legal obligations and therefore from Art. 6 (1) lit. f and c GDPR. Through the Consent Tool, we aim to comply with legal requirements relating to data protection and tracking and thereby ensure that the functioning of our information technology systems is legally compliant and user-oriented.

5. Data Processing in Connection with the Use of Our Services
The use of our services with all their functions involves the processing of personal data. We explain to users here how this takes place in detail.

App via App Stores
Our services are available through third-party distribution platforms, so-called app stores (Google Play Store and Apple Store). Downloading the app may require prior registration with the respective app store and the installation of the app store software. We have no influence on the collection, processing, and use of personal data in connection with a registration and the provision of downloads in the respective app store and the app store software. The responsible entity in this respect is solely the operator of the respective app store. If necessary, users should obtain information directly from the respective app store provider.

5.1 Informational Use of Our Services
The purely informational access to our services requires the processing of the following personal data and information: device type and device version, operating system used, the IP address of the device with which users access our services, as well as the time at which our services are accessed. All this information is automatically transmitted by a device unless users have configured their device in such a way that the transmission of information is suppressed.

These personal data are processed for the purpose of ensuring the functionality and optimization of our services, as well as for ensuring the security of our information technology systems. These purposes also represent legitimate interests pursuant to Art. 6 (1) lit. f GDPR, and therefore the processing is carried out on this legal basis.

5.2 Use With or After Registration

5.2.1 Registration
Beyond the purely informational use of our services, users have the option to register for our services and use our full offering. In this context, we process in particular master data and contact data such as the name, email address, and password. In addition, connection data such as the date, device information, and IP address are automatically processed.

Some processing steps may also be carried out by third-party providers. The data processing by third parties takes place under the conditions of the respective applicable privacy policies. In the case of data processing with third parties, this may constitute processing on behalf within the meaning of Art. 28 GDPR. This is subject to strict legal requirements, which we comply with as part of our contractual agreements with our processors.

The use of our services during or after successful registration and login and the associated data processing operations may differ from purely informational use. The collection of this data associated with a profile is carried out for the purpose of verifying the status and fulfilling our contractual obligations towards users. These are legitimate purposes pursuant to Art. 6 (1) lit. b GDPR. If consent is necessary for a processing activity, we will obtain this at the appropriate point (for example via the opt-in option within a consent banner when first using our services). For further questions, users are welcome to contact us within the framework of their right of access pursuant to Art. 15 (1) GDPR.

5.2.2 Creation and Use of a User Account
Users may create a user account within our services in order to use our services and their functions. When users do so, the personal data provided there are transmitted to us by the device and stored in our information technology systems. In addition, the IP address and the time of registration are stored.

When users log into their user account, our service stores tokens on the device to allow them to remain logged in—even if they reload our services in the meantime. By creating a user account, users can make use of the functions of our services.

The processing operations associated with the creation of a user account serve the purpose of enabling the assignment of future usage activities and allowing users to access the full offering of our services. When ordering products or booking services, the processing of data also serves the performance of the contract and is therefore purpose-bound and necessary pursuant to Art. 6 (1) lit. b GDPR.

The storage of the IP address and the time of registration is necessary to ensure the security of our information technology systems. This also constitutes our legitimate interest, which means that the processing is also lawful pursuant to Art. 6 (1) lit. f GDPR.

The storage of personal data entered by users takes place until the deletion of this data within the user account or at the latest until the complete deletion of the user account with us. Notwithstanding this, we process certain personal data of users only if we have a legal or contractual authorization to do so. This is the case, for example, if we are permitted to retain contract or payment data even after deletion of the user account for billing or other reasons necessary for the proper execution of our contractual relationship.

5.2.3 Additional Information for the User Account
After registering and logging into our services, users have the option to voluntarily provide additional information about themselves and their personal data. This information includes further master data such as, in particular, uploading a profile picture, providing the date of birth or year of birth, specifying a place of residence, indicating personal interests, or assigning a username that differs from a natural name. We process this data as part of the completion of the user account and, if applicable, for our community functions.

The use of the aforementioned functions is an essential component of our services; therefore, the processing of data serves the performance of the contract and is thus purpose-bound and necessary pursuant to Art. 6 (1) lit. b GDPR.

5.3 Functions of Our Services
Depending on registration or purely informational use of our services, users have access to the functions of our services. These include, in particular, the possibility of booking activities offered by our partners. We provide all of these functions so that users can utilize the full scope of our services—depending on the selected model—and so that we can achieve the best possible result for them in the context of using our services.

We only forward the data entered by users to authorized third parties, such as the specifically selected partner, and process them in order to fulfill the contractual relationships entered into with users, in particular for the fulfillment of the user agreement that users have concluded by using our services. The legal basis for the processing of data therefore results from Art. 6 (1) lit. b GDPR.

6. Communication Services

6.1 Contact Form / Contact via Email
We process the personal data of users that users provide to us as part of contacting us for the purpose of responding to an inquiry, an email, or a request for a callback. The categories of data processed include master data, contact data, content data, if applicable usage data, connection data, and if applicable contract data. In individual cases, we may pass this data on to affiliated companies or to third parties who are contractually authorized to process this data for the handling of orders and bookings. The legal basis for processing depends on the purpose of the contact request. By submitting an inquiry through the contact form or by contacting us via email, users indicate that they wish to receive answers or information on specific topics. For this purpose, users also provide their data. We respond to an inquiry as requested and process user data for this purpose. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR, as we process it in order to respond to an inquiry and thereby to fulfill the contract in this regard.

6.2 Feedback Form
We process the personal data of users that users provide to us as part of submitting feedback for the purpose of implementing that feedback, for example to improve our services. The categories of data processed include master data, contact data, content data, if applicable usage data, connection data, and if applicable contract data. In individual cases, we may pass this data on to affiliated companies or third parties whom we use to improve our services. The legal basis for processing depends on the purpose of the feedback submission. By submitting feedback, users indicate that they wish, for example, improvements to functions of our services. We record this information and process user data for this purpose. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR for the fulfillment of the contract.

6.3 Ratings & Reviews
We process the personal data of users that users provide as part of submitting ratings and reviews in order to display ratings and reviews within our services. The categories of data processed include master data, contact data, content data, if applicable usage data, and connection data. As a rule, we do not pass this data on to third parties; however, it may generally be publicly visible within our services to third parties. The legal basis for processing depends on the purpose of the rating or review. By submitting a rating or review, users share certain experiences, circumstances, or impressions that they have gained while using our services. We record this information in order to make it accessible to the affected persons or to the general public. The possibility to submit ratings and reviews is an essential component of our services. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR for the fulfillment of the contract.

6.4 Reporting Illegal Content pursuant to the Digital Services Act
We process the data of our users that are provided to us by users as part of reporting illegal content. The processed data may fall into all data categories listed in section 2.3. We process this data in order to examine the reported content for its illegality and to derive resulting legal obligations, such as blocking, deletion, or criminal prosecution. The legal basis for processing data that has been transmitted to us as part of reports of illegal content follows from Art. 6 (1) lit. c GDPR. Under the provisions of the EU Digital Services Act, we are legally obligated to review illegal content and take appropriate measures based on it.

7. Hosting

7.1 Provision of Our Services
In order to provide our services to users, we use the services of the hosting providers listed below. Our services are accessed via the servers of these hosting providers. For these purposes, we make use of infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services of the web hosting providers.

The processed data include all data that users enter within the scope of using and communicating in connection with their visit to our services or that are collected from users in this context (e.g., IP address). Our legal basis for using hosting providers to provide our services results from Art. 6 (1) lit. f GDPR (legitimate interest).

7.2 Collection of Access Data and Log Files
We ourselves (or the hosting providers) collect data for each access to the server (server log files). The server log files may include the address and name of the retrieved services and files, date and time of access, transmitted data volumes, notification of successful retrieval, device type including version, operating system, referrer URL (the previously visited page), and generally IP addresses as well as the requesting provider.

The server log files may be used, on the one hand, for security purposes, for example to prevent server overload (particularly in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the utilization and stability of the servers. Our legal basis for using a hosting provider to collect access data and log files results from Art. 6 (1) lit. f GDPR (legitimate interest).

The hosting provider we use is the following:

Microsoft Azure
Microsoft Datacenter Netherlands B.V.
Evert van de Beekstraat 354
1118 CZ Schiphol (Amsterdam)
Netherlands

8. Tracking & Tools
To ensure smooth technical operation and an optimal user-friendly use of our services, we use the following services:

Mixpanel
We use Mixpanel for the purpose of statistical evaluation of the use of our services. Mixpanel creates pseudonymized user profiles based on usage behavior within our services and tracks the corresponding movements and actions that users perform within our services. The processed data include usage data and connection data. The recipient of the data is Mixpanel Inc., 405 Howard St., Flr 2, San Francisco, CA 94105, USA (as joint controller, Art. 26 GDPR).

The transfer of data to the USA takes place on the basis of a data processing agreement concluded with Mixpanel and in accordance with standard contractual clauses agreed with Mixpanel and other security measures permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

The legal basis for the use of Mixpanel is consent (e.g., via an opt-in in the consent banner), provided that users have granted us such consent when visiting our services, and therefore results from Art. 6 (1) lit. a GDPR. Based on consent, cookies or similar (text) files are stored on the user’s device and personal data are read through them. If users have not granted consent to the use of Mixpanel (no opt-in in the consent banner or withdrawal of consent), we do not (or no longer) use Mixpanel when users visit our services.

Amplitude
We use Amplitude for the purpose of statistical evaluation of the use of our services. Amplitude enables us to evaluate user movements within our services, in particular which functions are used, how users navigate through our services, and where drop-offs occur. This allows us to technically optimize our services and make them more user-friendly. For this purpose, Amplitude creates pseudonymized user profiles based on usage behavior within our services and tracks the corresponding movements and actions that users perform within our services.

The processed data include usage data and connection data. The recipient of the data is Amplitude, Inc., 631 Howard Street, Floor 5, San Francisco, CA 94105, USA (as joint controller, Art. 26 GDPR).

The transfer of data to the USA takes place on the basis of a data processing agreement concluded with Amplitude and in accordance with standard contractual clauses agreed with Amplitude and other security measures permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

The legal basis for the use of Amplitude is consent (e.g., via an opt-in in the consent banner), provided that users have granted us such consent when visiting our services, and therefore results from Art. 6 (1) lit. a GDPR. Based on consent, cookies or similar (text) files are stored on the user’s device and personal data are read through them. If users have not granted consent to the use of Amplitude (no opt-in in the consent banner or withdrawal of consent), we do not (or no longer) use Amplitude when users visit our services.

9. Transactional Mailings
For administrative processes, for confirming actions, and as part of our non-promotional customer communication, we send transactional notifications (hereinafter “Transactional Mailings”) to users. Our Transactional Mailings contain important administrative information regarding our services.

For the management of our Transactional Mailings as well as for the creation and sending of Transactional Mailings, we use the transactional mail services listed below. When users retrieve Transactional Mailings, technical information such as information about the browser and system, as well as an IP address and the time of retrieval, may be collected. This information is used to technically track interaction with our Transactional Mailings based on technical data or the target groups and their reading behavior.

The legal basis for the use of Transactional Mailings is Art. 6 (1) lit. b GDPR, as the information contained in the Transactional Mailings enables us to fulfill our contractual obligations toward users. If we use the services of third-party providers for this purpose, the legal basis is Art. 6 (1) lit. f GDPR. We have a legitimate interest in standardizing and centrally managing the sending of Transactional Mailings. In doing so, the interests of users in the most data-minimizing processing possible are not unduly affected.

If providers transfer data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

Provider of the Transactional Mail Services Used by Us

OneSignal
OneSignal, Inc.
2194 Esperanca Avenue
Santa Clara
CA 95054
USA
https://onesignal.com/privacy_policy

10. Newsletter Distribution
With consent (usually by subscribing), we send newsletters, emails, and other electronic notifications (hereinafter “Newsletter”) to users. Our newsletters generally contain technical, commercial, and promotional information about our services.

For the management of our newsletter subscribers as well as for the creation and sending of newsletters, we use the newsletter services listed below. To subscribe to our newsletter, it is generally sufficient for users to provide an email address.

Subscription to our newsletter always takes place via a so-called double opt-in procedure. After registering for our newsletter, users receive an email asking them to confirm their subscription by clicking on a confirmation link. This confirmation is necessary to prevent someone else from registering an email address for a newsletter without authorization.

We log newsletter subscriptions in order to be able to prove the registration process in accordance with legal requirements. For this purpose, we store the time of subscription and confirmation as well as an IP address. Changes to the data stored with the mailing service provider are also logged.

Users may unsubscribe from our newsletter at any time. To do so, users simply click the “Unsubscribe” button contained in the footer of each newsletter. If users unsubscribe from our newsletter, an email address may be stored for up to three years based on our legitimate interests before we delete it, so that we can prove previously given consent.

If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.

Our newsletters may contain a so-called “web beacon.” A web beacon is a pixel-sized file that is retrieved from our server (or from the server of the mailing service provider if one is used) when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and system, as well as an IP address and the time of retrieval, are initially collected.

This information is used for the technical improvement of our newsletter based on technical data or the target groups and their reading behavior, based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked.

For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor, if used, that of the mailing service provider to observe individual users. Rather, the evaluations serve to help us recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The evaluation of newsletters and the measurement of their success take place—subject to explicit consent of the users—on the basis of our legitimate interests for the purpose of using a user-friendly and secure newsletter system that serves both our business interests and the expectations of users.

The legal basis for sending newsletters and thus also for the use of web beacons is consent, provided that users have granted this consent by subscribing to the newsletter, and therefore results from Art. 6 (1) lit. a GDPR. If users have not granted consent to receive newsletters, we do not (or no longer) send newsletters to users. Consequently, web beacons are not used either.

If we use the services of third-party providers for this purpose, the legal basis is Art. 6 (1) lit. f GDPR. We have a legitimate interest in standardizing and centrally managing the sending of newsletters. In doing so, the interests of users in the most data-minimizing processing possible are not unduly affected.

If providers transfer data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure the security of the processing of personal data at a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

Provider of the Newsletter Services Used by Us

OneSignal
OneSignal, Inc.
2194 Esperanca Avenue
Santa Clara
CA 95054
USA
https://onesignal.com/privacy_policy


11. Final Provisions
In the event of discrepancies or interpretation issues between different language versions of this document, the German version of the document shall prevail.

Status: March 2026


With friendly support from
https://www.derstartupanwalt.de/

Privacy Policy
for the content and functions of the website https://nearmenowapp.com
(hereinafter “Services”)

Status: March 2026

Introduction
Privacy policies are often difficult to read. We understand that. And we want to do it differently. We want to provide users with an easy-to-understand explanation of how we process personal data through this privacy policy.

For this purpose, we structure our privacy policy clearly for users and show for each topic whether and how we process users’ personal data.

In this privacy policy we explain whether and how we process personal data. We present all processing operations carried out by us, by third-party services commissioned or integrated by us, or by other third parties acting on our behalf within the use of our website, our social media profiles, and the functions available therein (hereinafter collectively also referred to as “Services”).

Table of Contents
Our privacy policy is structured as follows

  1. General information – Brief introduction to the subject of the privacy policy, the controller and the data protection officer

  2. General information on data processing – Information on what personal data is, on which legal basis we process it, or share it with third parties

  3. Data subject rights – Information on user rights such as access, deletion or objection to our data processing

  4. Information on cookies and other technologies used – Information on the use of cookies and other technologies with which or through which we process users’ personal data

  5. Data processing in connection with the use of our services – Information about our data processing within our services themselves

  6. Communication services – Information about services used for communication and the related processing of personal data

  7. Booking system – Information on booking partner services and the related processing of personal data

  8. Payment processing – Information on payment processing with integrated payment service providers and the resulting processing of personal data

  9. Provision of our services – Information about hosting providers and the services used by them

  10. Transactional mails – Information on the integration of mailing service providers used for transactional mailings

  11. Profiles on social media – Information about our presence on social media networks and the associated processing of personal data


1. General
The protection of personal data and privacy is extremely important to us. Therefore, we want to provide users with comprehensive transparency regarding the processing of personal data (GDPR) as well as the storage of information on the user’s device (TDDDG).

Only when the processing of personal data and information is understandable for users as data subjects are they sufficiently informed about the scope, purposes and benefits of the processing.

This privacy policy applies to all processing of personal data carried out by us as well as the storage of information on end devices.

This therefore applies both within the framework of providing services within our services as well as within external online presences, such as our social media profiles.

The controller within the meaning of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection regulations is:

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

Hereinafter referred to as the “Controller” or “we.”


2. General Information on Data Processing
First, we would like to provide users with introductory information about what the protection of personal data means, what personal data is, how we process it and which security measures we implement.

2.1 Processing of Personal Data
Personal data (hereinafter also referred to as “data”) is individual information about the personal or factual circumstances of an identified or identifiable natural person.

Examples of personal or factual data include the following, although not all of these data are necessarily processed by our services:

Personal data – name, age, marital status, date of birth
Communication data – address, telephone number, email address
Account data – bank account number, credit card number
Geodata – IP address and location data
Health data – health condition, illnesses

Processing personal data includes, for example, the following measures:

Collection – collection of data via contact forms, email or processes and services used by us
Transmission – transmission of data to our service providers, integrated services or other third parties
Storage – storage of data in our databases or on our servers
Modification – modification of data due to changes to name, residence or information within our services
Deletion – deletion of data when we are no longer authorized to process it

2.2 Legal Bases for Processing Personal Data
We only process personal data within legally permissible limits. The law, in particular the GDPR, already obliges us to do so.

Accordingly, we are required to base data processing operations on a legal basis. These legal bases are defined in Art. 6 (1) GDPR.

Below we list all legal bases on which we base the processing of personal data.

Consent – Art. 6 (1) lit. a GDPR:
Processing takes place if users have actively consented to such processing after being sufficiently informed about its scope and purposes, for example via an “opt-in”. If users withdraw their consent or have not granted it, we will not (or no longer) process their data for purposes that require consent.

Consent for minors – Art. 8 (1) sentence 2 GDPR in conjunction with Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR:
Processing of data of minors (under the age of 16) takes place only if legal guardians have actively consented after being sufficiently informed.

Consent for special categories – Art. 9 (2) lit. a GDPR:
Processing of special categories of personal data such as health data or political opinions occurs only if users have actively consented after being sufficiently informed.

For contract performance – Art. 6 (1) lit. b GDPR:
Processing takes place if it is necessary for the performance of a contract between us or for the implementation of pre-contractual measures.

Fulfillment of a legal obligation – Art. 6 (1) lit. c GDPR:
Processing takes place if it is necessary to fulfill a legal obligation to which we are subject.

Legitimate interest – Art. 6 (1) lit. f GDPR:
Processing takes place if it is necessary to safeguard a legitimate interest on our side and the interests or fundamental rights and freedoms of users do not outweigh it.

Personal data is processed only for specific purposes (Art. 5 (1) lit. b GDPR). Once the purpose no longer applies, personal data will be deleted or protected through technical and organizational measures (e.g., pseudonymization).

2.3 These Data Categories Are Processed
Data categories include in particular:

Master data (e.g. names, addresses, dates of birth)
Contact data (e.g. email addresses, phone numbers, messenger services)
Content data (e.g. text entries, photographs, videos, document contents)
Contract data (e.g. contract subject, duration, customer category)
Payment data (e.g. bank details, payment history, use of payment service providers)
Usage data (e.g. activity within our services, access times)
Connection data (e.g. device information, IP addresses, URL referrer)

2.4 Security Measures
In accordance with the statutory requirements and taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of individuals, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring that our users’ data is stored and processed confidentially, with integrity, and available at all times. Furthermore, controls of access to data as well as controls of access rights, input, disclosure, availability safeguards, and the separation of such data from data of other natural persons are among the security measures we implement. In addition, we have established procedures that ensure the exercise of data subject rights (see section 3), the deletion of data, and responses in the event of risks to our users’ data. Furthermore, we take the protection of personal data into account already during the development of our software, as well as through procedures that follow the principle of data protection by design and by default.

2.5 How We Transfer or Disclose Personal Data to Third Parties
As part of our processing activities involving personal data, it may occur that this data is transmitted or disclosed to other entities, companies, legally independent organizational units, or individuals. These third parties may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks, or providers of services and content that we have integrated into our services. If we transmit or disclose users’ personal data to third parties, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of the data that serve to protect the data.

2.6 How Transfers to Third Countries Take Place
If this privacy policy states that we transfer users’ personal data to a third country, i.e., a country outside the EU or the EEA, the following applies. Transfers to third countries only take place in compliance with legal requirements. We assure users that we have a contractual or legal authorization for the transfer and processing of data in the respective third country. In addition, we only allow users’ data to be processed by service providers in third countries that, in our view, provide a recognized level of data protection. This means that, for example, an adequacy decision exists between the EU and the country to which we transfer users’ personal data. An “adequacy decision” is a decision adopted by the European Commission pursuant to Art. 45 GDPR, which determines that a third country (i.e., a country not bound by the GDPR) or an international organization ensures an adequate level of protection for personal data. Alternatively, for example if no adequacy decision exists, a transfer to a third country will only take place if contractual obligations between us and the service provider in the third country exist through so-called Standard Contractual Clauses of the European Commission and additional technical security measures have been implemented that ensure a level of protection essentially equivalent to that in the EU, or if the service provider in the third country can provide data protection certifications and processes users’ data only in accordance with internal data protection regulations (Art. 44 to 49 GDPR. Information page of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Within the framework of the so-called “Data Privacy Framework” (DPF), the European Commission recognized the level of data protection for certain companies from the United States as adequate in its adequacy decision of July 10, 2023. A list of the certified companies as well as further information about the DPF can be found by users on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). Within this privacy policy, we inform users which services we use that are certified under the Data Privacy Framework.

2.7 Deletion of Data
The data processed by us will be deleted in accordance with the statutory requirements as soon as the consents permitting their processing are withdrawn or other permissions cease to apply (e.g., when the purpose of processing these data no longer applies or they are no longer required for that purpose). If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted to those purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is required for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

Within the framework of this privacy policy, we may provide further information about the deletion and retention of data that apply specifically to the respective processing activities.

2.8 Storage of and Access to Data on User Devices
If we do not obtain users’ consent for this purpose, the storage of or access to information on the user’s end device takes place in accordance with § 25 (2) No. 2 of the German Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG), since the storage of and access to this information is strictly necessary in order to provide the desired functions of our services. If we obtain consent for this purpose, the legal basis is § 25 (1) TDDDG. Our services use cookies, tokens, or other technologies that may be stored on end devices and without which the provision of our services would not be possible.

Cookies, tokens, or other technologies are generally text files that are stored on the user’s end device and can be read by us and by third parties when our services are accessed. Many of the aforementioned technologies contain their own ID. Such an ID is a unique identifier of the respective technology used. It consists of a sequence of characters through which websites and servers can assign it to the specific internet browser or the specific service or device on which cookies, tokens, or other technologies have been stored. This enables operators of websites and analytics services to identify users as users and distinguish them from others.

2.9 Data Processing on Behalf
If we use external service providers to process data, they are carefully selected and commissioned by us. If the services provided by these service providers constitute processing on behalf within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our data processing agreements comply with the strict requirements of Art. 28 GDPR as well as with the requirements of the German data protection authorities.

3. Data Subject Rights
If personal data of our users is processed, they are data subjects within the meaning of the GDPR and the following rights apply to users vis-à-vis the controller.

3.1 Right of Access
Users may request confirmation from the controller as to whether personal data concerning them is processed by us.

If such processing exists, users may request the following information from the controller:

  • the purposes for which the personal data are processed;

  • the categories of personal data that are processed;

  • the recipients or categories of recipients to whom the personal data concerning users have been or will be disclosed;

  • the planned duration of storage of the personal data concerning users or, if specific information is not possible, the criteria used to determine the storage period;

  • the existence of a right to rectification or deletion of the personal data concerning users, a right to restriction of processing by the controller, or a right to object to such processing;

  • the existence of a right to lodge a complaint with a supervisory authority;

  • all available information about the source of the data if the personal data are not collected from the data subject;

  • the existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and—at least in those cases—meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

Users also have the right to request information as to whether the personal data concerning them are transferred to a third country or to an international organization. In this context, users may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

3.2 Right to Rectification
Users have the right to obtain from the controller the rectification and/or completion of personal data concerning them if the processed personal data are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

3.3 Right to Restriction of Processing
Under the following conditions, users may request the restriction of processing of personal data concerning them:

  • if users contest the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data;

  • the processing is unlawful and users oppose the erasure of the personal data and request instead the restriction of their use;

  • the controller no longer needs the personal data for the purposes of processing, but users require them for the establishment, exercise, or defense of legal claims; or

  • if users have objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override those of the users.

Where processing of the personal data concerning users has been restricted, such data—apart from storage—shall only be processed with the user’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted according to the above conditions, users will be informed by the controller before the restriction is lifted.

3.4 Right to Erasure

3.4.1 Users may request from the controller that the personal data concerning them be erased without undue delay, and the controller is obliged to erase this data without undue delay where one of the following grounds applies:

  • the personal data concerning users are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • users withdraw consent on which the processing is based according to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal ground for the processing;

  • users object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or users object to the processing pursuant to Art. 21 (2) GDPR;

  • the personal data concerning users have been unlawfully processed;

  • the personal data concerning users must be erased for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject;

  • the personal data concerning users have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

3.4.2 Where the controller has made the personal data concerning users public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that users as data subjects have requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

3.4.3 The right to erasure does not apply insofar as processing is necessary:

  • for exercising the right of freedom of expression and information;

  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  • for reasons of public interest in the area of public health in accordance with Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;

  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

  • for the establishment, exercise, or defense of legal claims.

3.5 Right to Notification
If users have exercised the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning users have been disclosed, unless this proves impossible or involves disproportionate effort.

Users have the right to be informed about those recipients by the controller.

3.6 Right to Data Portability
Users have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format. Users also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR and the processing is carried out by automated means.

In exercising this right, users also have the right to have the personal data concerning them transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons must not be adversely affected by this.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

3.7 Right to Object
Users have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on those provisions.

The controller shall no longer process the personal data concerning users unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of users, or for the establishment, exercise or defense of legal claims.

Where personal data concerning users are processed for direct marketing purposes, users have the right to object at any time to processing of personal data concerning them for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.

If users object to processing for direct marketing purposes, the personal data concerning them will no longer be processed for these purposes.

Users have the possibility, in the context of the use of information society services—without prejudice to Directive 2002/58/EC—to exercise their right to object by automated means using technical specifications.

3.8 Right to Withdraw Consent under Data Protection Law
Users have the right to withdraw their consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Processing remains lawful until the withdrawal—therefore the withdrawal only takes effect for processing after receipt of the withdrawal.

Users may declare the withdrawal informally by post or email. Processing of personal data will then cease, unless another legal basis permits the processing. If this is not the case, users’ data must be deleted without undue delay after the withdrawal in accordance with Art. 17 (2) GDPR. The right to withdraw consent under the above conditions is guaranteed.

The withdrawal must be addressed to:

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

3.9 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, users have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work, or place of the alleged infringement, if users consider that the processing of personal data concerning them infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant about the status and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

3.10 Automated Individual Decision-Making Including Profiling
Automated individual decision-making including profiling does not take place.

3.11 Notification Obligations of the Controller
If personal data of users have been disclosed to other recipients (third parties) on a legal basis, we shall communicate any rectification, erasure, or restriction of processing of personal data to those recipients (Art. 16, Art. 17 (1), and Art. 18 GDPR). The obligation to notify does not apply if it proves impossible or involves disproportionate effort. Upon request, we will also inform users about the recipients.

4. Information on the Cookies and Other Technologies Used
We use cookies or other technologies in order to provide our services, analyze them, and conduct marketing using the evaluated data. Cookies are, for example, small text files that contain data from visited websites or domains and are stored on a device (computer, tablet, or smartphone). When users access a website, the cookie stored on a device sends information to the party that placed the cookie.

4.1 How We Use Cookies and Other Technologies
We want users to be able to make an informed decision for or against the use of cookies and other technologies that are not strictly required for the technical characteristics of the services. Therefore, in cases where we use cookies and other technologies that require consent, we enable users—when they first visit our services and thereafter permanently via the relevant settings—to choose, as part of a voluntary decision, which cookies and other technologies they allow. Functional cookies and other technologies are always mandatory for visiting our services and are therefore already enabled through our default settings. Statistics and marketing cookies and other technologies are optional. Users may allow them by consenting to the placement of these cookies and other technologies within the consent banner. Alternatively, users may reject statistics and marketing cookies and other technologies.

4.2 Storage Duration of Cookies and Other Technologies
Unless we explicitly provide users with information about the storage duration of cookies and other technologies (for example within the consent banner), users may assume that the storage duration may be up to two years. If cookies and other technologies have been set based on consent, users have the possibility at any time to withdraw the consent granted or to object to the processing of data through cookies or technologies (collectively referred to as “opt-out”).

5. Data Processing in Connection with the Use of Our Services
The use of our services with all their functions involves the processing of personal data. We explain to users here how this takes place.

Informational Use of Our Services
The purely informational access to our services requires the processing of the following personal data and information: device type and device version, operating system used, the IP address of the device with which users access our services, as well as the time at which our services are accessed. All this information is automatically transmitted by a device unless users have configured their device in such a way that the transmission of this information is suppressed.

These personal data are processed for the purpose of ensuring the functionality and optimization of our services, as well as for ensuring the security of our information technology systems. These purposes also represent legitimate interests pursuant to Art. 6 (1) lit. f GDPR, and therefore the processing is carried out on this legal basis.

6. Communication Services

Contact Form / Contact via Email
We process the personal data of users that users provide to us as part of contacting us for the purpose of responding to an inquiry, an email, or a request for a callback. The categories of data processed include master data, contact data, content data, if applicable usage data, connection data, and if applicable contract data. In individual cases, we may pass this data on to affiliated companies or to third parties who are contractually authorized to process this data for the handling of orders and bookings. The legal basis for processing depends on the purpose of the contact request. By submitting an inquiry through the contact form or by contacting us via email, users indicate that they wish to receive answers or information on specific topics. For this purpose, users also provide their data. We respond to an inquiry as requested and process user data for this purpose. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR, as we process it in order to respond to an inquiry and thereby to fulfill the contract in this regard.

7. Booking of Partner Services

Booking System
Within the use of our booking system, we process users’ data for the purpose of handling and fulfilling a booking as well as for ensuring the security of our information technology systems. We process users’ personal data in order to enable users to purchase the selected partner services as well as their payment and provision, but not their execution. For this purpose, we forward the data necessary for the payment and processing of a booking to our partners. For the processing of payment transactions, we or our partners use the services of banks and payment service providers. See also the information provided below in section 8.

The categories of data processed within the use of our booking system are master data, contact data, usage data, connection data, contract data, and payment data. We do not pass on users’ data to unauthorized third parties.

The legal basis for these processing measures results from:

  • Regarding the processing of data to ensure the security of our information technology systems, our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

  • Regarding the processing of data for the purpose of handling bookings within the booking system, Art. 6 (1) lit. b GDPR.


8. Payment Processing
To process payment claims, we offer various payment methods. For this purpose, we integrate the payment service providers described below. We do this for the purpose of the proper and needs-based provision of our services. The processed data in this context include usage data, connection data, master data, payment data, contact data, or contract data, such as account numbers or credit card numbers, passwords, TANs, and checksums as well as contract-, amount-, and recipient-related information. These details are required to carry out the transactions. The entered data are processed and stored only by the payment service providers. We do not receive any account- or credit-card-related information, but only information about confirmation or rejection of the payment. In certain circumstances, payment service providers may transmit users’ data to credit agencies. This transmission is intended for identity and creditworthiness checks. In this regard, we refer to the terms and conditions and the privacy notices of the payment service providers. The legal basis for the use of payment service providers results from Art. 6 (1) lit. b GDPR. The services promised to users through our services and the fulfillment of our contractual obligations can only be provided if we use third parties, such as payment service providers, to process payment transactions. If a payment service provider transfers data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure a level of protection essentially equivalent to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

Payment Service Provider

Stripe

If users choose a payment method of the payment service provider Stripe, payment processing takes place via Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Within the ordering process we transmit the information provided together with the order information (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) to Stripe pursuant to Art. 6 (1) lit. b GDPR. Further information about Stripe’s privacy policy can be found at:
https://stripe.com/de/privacy#translation

Stripe reserves the right to carry out a credit check based on mathematical-statistical procedures in order to safeguard the legitimate interest in determining the user’s ability to pay. The personal data required for a credit check and obtained during payment processing may be transmitted by Stripe to selected credit agencies, which Stripe will disclose to users upon request. The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they are based on scientifically recognized mathematical-statistical procedures. Among other things, but not exclusively, address data are included in the calculation of score values. Stripe uses the result of the credit check regarding the statistical probability of payment default in order to decide whether the selected payment method may be used. Users may object to this processing of data at any time by sending a message to Stripe or the commissioned credit agencies. However, Stripe may still be entitled to process users’ personal data if this is necessary for contractual payment processing.

9. Hosting

9.1 Provision of Our Services
In order to provide our services to users, we use the services of the hosting providers listed below. Our services are accessed via the servers of these hosting providers. For these purposes, we make use of infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services of the web hosting providers.

The processed data include all data that users enter within the scope of using and communicating in connection with their visit to our services or that are collected from users in this context (e.g., IP address). Our legal basis for using hosting providers to provide our services results from Art. 6 (1) lit. f GDPR (legitimate interest).

9.2 Receiving and Sending Emails
The services used by our hosting providers may also include sending, receiving, and storing emails. For these purposes, the addresses of email recipients and senders, as well as other information regarding email transmission (e.g., the providers involved), and the content of the respective emails are processed.
The aforementioned data are also processed for the purpose of detecting spam. Emails are generally not encrypted when sent over the internet. As a rule, emails are encrypted during transport, but (unless end-to-end encryption is used) not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of emails between the sender and receipt on our server. Our legal basis for using hosting providers for sending and receiving emails results from Art. 6 (1) lit. f GDPR (legitimate interest).

9.3 Collection of Access Data and Log Files
We ourselves (or the hosting providers) collect data for each access to the server (server log files). The server log files may include the address and name of the retrieved services and files, date and time of access, transmitted data volumes, notification of successful retrieval, device type including version, operating system, referrer URL (the previously visited page), and generally IP addresses as well as the requesting provider. The server log files may be used, on the one hand, for security purposes, for example to prevent server overload (particularly in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the utilization and stability of the servers. Our legal basis for using a hosting provider to collect access data and log files results from Art. 6 (1) lit. f GDPR (legitimate interest).

The hosting provider we use is the following:

Framer
Framer B.V.
Rozengracht 133
1016 LV Amsterdam
Netherlands
https://www.framer.com/

10. Transactional Mailings
For administrative processes, for confirming actions, and as part of our non-promotional customer communication, we send transactional notifications (hereinafter “Transactional Mailings”) to users. Our Transactional Mailings contain important administrative information regarding our services. For the management of our Transactional Mailings as well as for the creation and sending of Transactional Mailings, we use the transactional mail services listed below. When users retrieve Transactional Mailings, technical information such as information about the browser and system, as well as an IP address and the time of retrieval, may be collected. This information is used to technically track interaction with our Transactional Mailings based on technical data or the target groups and their reading behavior. The legal basis for the use of Transactional Mailings is Art. 6 (1) lit. b GDPR, as the information contained in the Transactional Mailings enables us to fulfill our contractual obligations toward users. If we use the services of third-party providers for this purpose, the legal basis is Art. 6 (1) lit. f GDPR. We have a legitimate interest in standardizing and centrally managing the sending of Transactional Mailings. If providers transfer data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure a level of protection essentially equivalent to that in the EU, in particular on the basis of the EU-US Data Privacy Framew

Provider of the Transactional Mail Services Used by Us

Brevo
Sendinblue GmbH
Köpenicker Straße 126
10179 Berlin
https://www.brevo.com/de/datenschutz-uebersicht/
https://www.brevo.com/de/legal/privacypolicy/

11. Profiles on Social Media Websites
We maintain profiles on social media platforms on the internet and process personal data in this context in order to communicate with users active there or to provide information about us. We inform users that their data may be processed outside the European Union when visiting our profiles. The operators of the respective social networks are responsible for this. A detailed description of the respective processing activities and the possibilities to object (e.g., opt-out) can be found in the privacy policies of the operators of the respective social networks. When visiting our social media profiles, user behavior may be evaluated and the information obtained from this may be communicated to us (“Insights”). This analysis is carried out for the purpose of economic optimization and needs-based design of our services. The processed data categories may include master data, contact data, content data, usage data, and connection data. The recipient of the data is the provider of the respective social media platform as a joint controller pursuant to Art. 26 GDPR. The legal basis for processing data as described here results from our legitimate interest and therefore from Art. 6 (1) lit. f GDPR. For the implementation of data subject rights, the respective social media platform is responsible. Information about data subject rights can be found below for each social media platform on which we maintain a profile. Users may also assert their rights directly against us; we will then forward the request to the operator of the social media platform.

Facebook
Meta Platforms Ireland Limited,
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Data subject rights:
https://www.facebook.com/legal/terms/information_about_page_insights_data

Instagram
Meta Platforms Ireland Limited,
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Data subject rights:
https://privacycenter.instagram.com/policy

LinkedIn
LinkedIn Ireland Unlimited Company,
Wilton Place, Dublin 2, Ireland
Data subject rights:
https://de.linkedin.com/legal/privacy-policy

12. Final Provisions
In the event of discrepancies or interpretation issues between different language versions of this document, the German version of the document shall prevail.

Status: March 2026


With friendly support from
https://www.derstartupanwalt.de/

Privacy Policy
for the content and functions of the website https://nearmenowapp.com
(hereinafter “Services”)

Status: March 2026

Introduction
Privacy policies are often difficult to read. We understand that. And we want to do it differently. We want to provide users with an easy-to-understand explanation of how we process personal data through this privacy policy.

For this purpose, we structure our privacy policy clearly for users and show for each topic whether and how we process users’ personal data.

In this privacy policy we explain whether and how we process personal data. We present all processing operations carried out by us, by third-party services commissioned or integrated by us, or by other third parties acting on our behalf within the use of our website, our social media profiles, and the functions available therein (hereinafter collectively also referred to as “Services”).

Table of Contents
Our privacy policy is structured as follows

  1. General information – Brief introduction to the subject of the privacy policy, the controller and the data protection officer

  2. General information on data processing – Information on what personal data is, on which legal basis we process it, or share it with third parties

  3. Data subject rights – Information on user rights such as access, deletion or objection to our data processing

  4. Information on cookies and other technologies used – Information on the use of cookies and other technologies with which or through which we process users’ personal data

  5. Data processing in connection with the use of our services – Information about our data processing within our services themselves

  6. Communication services – Information about services used for communication and the related processing of personal data

  7. Booking system – Information on booking partner services and the related processing of personal data

  8. Payment processing – Information on payment processing with integrated payment service providers and the resulting processing of personal data

  9. Provision of our services – Information about hosting providers and the services used by them

  10. Transactional mails – Information on the integration of mailing service providers used for transactional mailings

  11. Profiles on social media – Information about our presence on social media networks and the associated processing of personal data

1. General
The protection of personal data and privacy is extremely important to us. Therefore, we want to provide users with comprehensive transparency regarding the processing of personal data (GDPR) as well as the storage of information on the user’s device (TDDDG).

Only when the processing of personal data and information is understandable for users as data subjects are they sufficiently informed about the scope, purposes and benefits of the processing.

This privacy policy applies to all processing of personal data carried out by us as well as the storage of information on end devices.

This therefore applies both to the provision of our services themselves and to external online presences, such as our social media profiles.

The controller within the meaning of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection regulations is:

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

Hereinafter referred to as the “Controller” or “we.”


2. General Information on Data Processing
First, we would like to provide users with introductory information about what the protection of personal data means, what personal data is, how we process it and which security measures we implement.

2.1 Processing of Personal Data
Personal data (hereinafter also referred to as “data”) is individual information about the personal or factual circumstances of an identified or identifiable natural person.

Examples of personal or factual data include the following, although not all of these data are necessarily processed by our services:

• Personal data – name, age, marital status, date of birth
• Communication data – address, telephone number, email address
• Account data – bank account number, credit card number
• Geodata – IP address and location data
• Health data – health condition, illnesses

Processing personal data includes, for example, the following measures:

• Collection – collection of data via contact forms, email or processes and services used by us
• Transmission – transmission of data to our service providers, integrated services or other third parties
• Storage – storage of data in our databases or on our servers
• Modification – modification of data due to changes to name, residence or information within our services
• Deletion – deletion of data when we are no longer authorized to process it

2.2 Legal Bases for Processing Personal Data
We only process personal data within legally permissible limits. The law, in particular the GDPR, already obliges us to do so.

Accordingly, we are required to base data processing operations on a legal basis. These legal bases are defined in Art. 6 (1) GDPR.

Below we list all legal bases on which we base the processing of personal data.

• Consent – Art. 6 (1) lit. a GDPR:
Processing takes place if users have actively consented to such processing after being sufficiently informed about its scope and purposes, for example via an “opt-in”. If users withdraw their consent or have not granted it, we will not (or no longer) process their data for purposes that require consent.

• Consent for minors – Art. 8 (1) sentence 2 GDPR in conjunction with Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR:
Processing of data of minors (under the age of 16) takes place only if legal guardians have actively consented after being sufficiently informed.

• Consent for special categories – Art. 9 (2) lit. a GDPR:
Processing of special categories of personal data such as health data or political opinions occurs only if users have actively consented after being sufficiently informed.

• For contract performance – Art. 6 (1) lit. b GDPR:
Processing takes place if it is necessary for the performance of a contract between us or for the implementation of pre-contractual measures.

• Fulfillment of a legal obligation – Art. 6 (1) lit. c GDPR:
Processing takes place if it is necessary to fulfill a legal obligation to which we are subject.

• Legitimate interest – Art. 6 (1) lit. f GDPR:
Processing takes place if it is necessary to safeguard a legitimate interest on our side and the interests or fundamental rights and freedoms of users do not outweigh it.

Personal data is processed only for specific purposes (Art. 5 (1) lit. b GDPR). Once the purpose no longer applies, personal data will be deleted or protected through technical and organizational measures (e.g., pseudonymization).

2.3 These Data Categories Are Processed
Data categories include in particular:

• Master data (e.g. names, addresses, dates of birth)
• Contact data (e.g. email addresses, phone numbers, messenger services)
• Content data (e.g. text entries, photographs, videos, document contents)
• Contract data (e.g. contract subject, duration, customer category)
• Payment data (e.g. bank details, payment history, use of payment service providers)
• Usage data (e.g. activity within our services, access times)
• Connection data (e.g. device information, IP addresses, URL referrer)

2.4 Security Measures
In accordance with the statutory requirements and taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of individuals, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of our users’ data at all times. The security measures we implement also include controls of access to data as well as controls of access rights, input, disclosure, availability safeguards, and the separation of such data from data of other natural persons. In addition, we have established procedures that ensure the exercise of data subject rights (see section 3), the deletion of data, and responses in the event of risks to our users’ data. Furthermore, we take the protection of personal data into account as early as the development of our software, as well as through procedures that follow the principle of data protection by design and by default.

2.5 How We Transfer or Disclose Personal Data to Third Parties
As part of our processing activities involving personal data, it may occur that this data is transmitted or disclosed to other entities, companies, legally independent organizational units, or individuals. These third parties may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks, or providers of services and content that we have integrated into our services. If we transmit or disclose users’ personal data to third parties, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of the data that serve to protect the data.

2.6 How Transfers to Third Countries Take Place
If this privacy policy states that we transfer users’ personal data to a third country, i.e., a country outside the EU or the EEA, the following applies. Transfers to third countries only take place in compliance with legal requirements. We assure users that we have a contractual or legal authorization for the transfer and processing of data in the respective third country. In addition, we only allow users’ data to be processed by service providers in third countries that, in our view, provide a recognized level of data protection. This means that, for example, an adequacy decision exists between the EU and the country to which we transfer users’ personal data. An “adequacy decision” is a decision adopted by the European Commission pursuant to Art. 45 GDPR, which determines that a third country (i.e., a country not bound by the GDPR) or an international organization ensures an adequate level of protection for personal data. Alternatively, for example if no adequacy decision exists, a transfer to a third country will only take place if contractual obligations between us and the service provider in the third country exist through so-called Standard Contractual Clauses of the European Commission and additional technical security measures have been implemented that ensure a level of protection essentially equivalent to that in the EU, or if the service provider in the third country can provide data protection certifications and processes users’ data only in accordance with internal data protection regulations (Art. 44 to 49 GDPR. Information page of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Within the framework of the so-called “Data Privacy Framework” (DPF), the European Commission recognized the level of data protection for certain companies from the United States as adequate in its adequacy decision of July 10, 2023. A list of the certified companies as well as further information about the DPF can be found by users on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). Within this privacy policy, we inform users which services we use that are certified under the Data Privacy Framework.

2.7 Deletion of Data
The data processed by us will be deleted in accordance with the statutory requirements as soon as the consents permitting their processing are withdrawn or other permissions cease to apply (e.g., when the purpose of processing these data no longer applies or they are no longer required for that purpose). If the data are not deleted because they are required for other legally permissible purposes, their processing will be restricted to those purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is required for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

Within the framework of this privacy policy, we may provide further information about the deletion and retention of data that apply specifically to the respective processing activities.

2.8 Storage of and Access to Data on User Devices
If we do not obtain users’ consent for this purpose, the storage of or access to information on the user’s end device takes place in accordance with § 25 (2) No. 2 of the German Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG), since the storage of and access to this information is strictly necessary in order to provide the desired functions of our services. If we obtain consent for this purpose, the legal basis is § 25 (1) TDDDG. Our services use cookies, tokens, or other technologies that may be stored on end devices and without which the provision of our services would not be possible.

Cookies, tokens, or other technologies are generally text files that are stored on the user’s end device and can be read by us and by third parties when our services are accessed. Many of the aforementioned technologies contain their own ID. Such an ID is a unique identifier of the respective technology used. It consists of a sequence of characters through which websites and servers can assign it to the specific internet browser or the specific service or device on which cookies, tokens, or other technologies have been stored. This enables operators of websites and analytics services to identify users as users and distinguish them from others.

2.9 Data Processing on Behalf
If we use external service providers to process data, they are carefully selected and commissioned by us. If the services provided by these service providers constitute processing on behalf within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our data processing agreements comply with the strict requirements of Art. 28 GDPR as well as with the requirements of the German data protection authorities.

3. Data Subject Rights
If personal data of our users is processed, they are data subjects within the meaning of the GDPR and the following rights apply to users vis-à-vis the controller.

3.1 Right of Access
Users may request confirmation from the controller as to whether personal data concerning them is processed by us.

If such processing exists, users may request the following information from the controller:

  • the purposes for which the personal data are processed;

  • the categories of personal data that are processed;

  • the recipients or categories of recipients to whom the personal data concerning users have been or will be disclosed;

  • the planned duration of storage of the personal data concerning users or, if specific information is not possible, the criteria used to determine the storage period;

  • the existence of a right to rectification or deletion of the personal data concerning users, a right to restriction of processing by the controller, or a right to object to such processing;

  • the existence of a right to lodge a complaint with a supervisory authority;

  • all available information about the source of the data if the personal data are not collected from the data subject;

  • the existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and—at least in those cases—meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

Users also have the right to request information as to whether the personal data concerning them are transferred to a third country or to an international organization. In this context, users may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

3.2 Right to Rectification
Users have the right to obtain from the controller the rectification and/or completion of personal data concerning them if the processed personal data are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

3.3 Right to Restriction of Processing
Under the following conditions, users may request the restriction of processing of personal data concerning them:

  • if users contest the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data;

  • the processing is unlawful and users oppose the erasure of the personal data and request instead the restriction of their use;

  • the controller no longer needs the personal data for the purposes of processing, but users require them for the establishment, exercise, or defense of legal claims; or

  • if users have objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override those of the users.

Where processing of the personal data concerning users has been restricted, such data—apart from storage—shall only be processed with the user’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted according to the above conditions, users will be informed by the controller before the restriction is lifted.

3.4 Right to Erasure

3.4.1 Users may request from the controller that the personal data concerning them be erased without undue delay, and the controller is obliged to erase this data without undue delay where one of the following grounds applies:

  • the personal data concerning users are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • users withdraw consent on which the processing is based according to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal ground for the processing;

  • users object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or users object to the processing pursuant to Art. 21 (2) GDPR;

  • the personal data concerning users have been unlawfully processed;

  • the personal data concerning users must be erased for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject;

  • the personal data concerning users have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

3.4.2 Where the controller has made the personal data concerning users public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that users as data subjects have requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

3.4.3 The right to erasure does not apply insofar as processing is necessary:

  • for exercising the right of freedom of expression and information;

  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  • for reasons of public interest in the area of public health in accordance with Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;

  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

  • for the establishment, exercise, or defense of legal claims.

3.5 Right to Notification
If users have exercised the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning users have been disclosed, unless this proves impossible or involves disproportionate effort.

Users have the right to be informed about those recipients by the controller.

3.6 Right to Data Portability
Users have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format. Users also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR and the processing is carried out by automated means.

In exercising this right, users also have the right to have the personal data concerning them transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons must not be adversely affected by this.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

3.7 Right to Object
Users have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on those provisions.

The controller shall no longer process the personal data concerning users unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of users, or for the establishment, exercise or defense of legal claims.

Where personal data concerning users are processed for direct marketing purposes, users have the right to object at any time to processing of personal data concerning them for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.

If users object to processing for direct marketing purposes, the personal data concerning them will no longer be processed for these purposes.

Users have the possibility, in the context of the use of information society services—without prejudice to Directive 2002/58/EC—to exercise their right to object by automated means using technical specifications.

3.8 Right to Withdraw Consent under Data Protection Law
Users have the right to withdraw their consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Processing remains lawful until the withdrawal—therefore the withdrawal only takes effect for processing after receipt of the withdrawal.

Users may declare the withdrawal informally by post or email. Processing of personal data will then cease, unless another legal basis permits the processing. If this is not the case, users’ data must be deleted without undue delay after the withdrawal in accordance with Art. 17 (2) GDPR. The right to withdraw consent under the above conditions is guaranteed.

The withdrawal must be addressed to:

NearMeNow UG (haftungsbeschränkt)
Schmiedekamp 14
23816 Leezen
Germany

support@nearmenowapp.com
+49 177 3728041

3.9 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, users have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work, or place of the alleged infringement, if users consider that the processing of personal data concerning them infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant about the status and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

3.10 Automated Individual Decision-Making Including Profiling
Automated individual decision-making including profiling does not take place.

3.11 Notification Obligations of the Controller
If personal data of users have been disclosed to other recipients (third parties) on a legal basis, we shall communicate any rectification, erasure, or restriction of processing of personal data to those recipients (Art. 16, Art. 17 (1), and Art. 18 GDPR). The obligation to notify does not apply if it proves impossible or involves disproportionate effort. Upon request, we will also inform users about the recipients.

4. Information on the Cookies and Other Technologies Used
We use cookies or other technologies in order to provide our services, analyze them, and conduct marketing using the evaluated data. Cookies are, for example, small text files that contain data from visited websites or domains and are stored on a device (computer, tablet, or smartphone). When users access a website, the cookie stored on a device sends information to the party that placed the cookie.

4.1 How We Use Cookies and Other Technologies
We want users to be able to make an informed decision for or against the use of cookies and other technologies that are not strictly required for the technical characteristics of the services. Therefore, in cases where we use cookies and other technologies that require consent, we enable users—when they first visit our services and thereafter permanently via the relevant settings—to choose, as part of a voluntary decision, which cookies and other technologies they allow. It always applies that functional cookies and other technologies are mandatory for visiting our services and are therefore already enabled through our default settings. Statistics and marketing cookies and other technologies are optional. Users may allow them by consenting to the placement of these cookies and other technologies within the consent banner. Alternatively, users may reject statistics and marketing cookies and other technologies.

4.2 Storage Duration of Cookies and Other Technologies
Unless we explicitly provide users with information about the storage duration of cookies and other technologies (for example within the consent banner), users may assume that the storage duration may be up to two years. If cookies and other technologies have been set based on consent, users have the possibility at any time to withdraw the consent granted or to object to the processing of data through cookies or technologies (collectively referred to as “opt-out”).

5. Data Processing in Connection with the Use of Our Services
The use of our services with all their functions involves the processing of personal data. We explain to users here how this takes place.

Informational Use of Our Services
The purely informational access to our services requires the processing of the following personal data and information: device type and device version, operating system used, the IP address of the device with which users access our services, as well as the time at which our services are accessed. All this information is automatically transmitted by a device unless users have configured their device in such a way that the transmission of this information is suppressed.

These personal data are processed for the purpose of ensuring the functionality and optimization of our services, as well as for ensuring the security of our information technology systems. These purposes also represent legitimate interests pursuant to Art. 6 (1) lit. f GDPR, and therefore the processing is carried out on this legal basis.

6. Communication Services

Contact Form / Contact via Email
We process the personal data of users that users provide to us as part of contacting us for the purpose of responding to an inquiry, an email, or a request for a callback. The categories of data processed include master data, contact data, content data, if applicable usage data, connection data, and if applicable contract data. In individual cases, we may pass this data on to affiliated companies or to third parties who are contractually authorized to process this data for the handling of orders and bookings. The legal basis for processing depends on the purpose of the contact request. By submitting an inquiry through the contact form or by contacting us via email, users indicate that they wish to receive answers or information on specific topics. For this purpose, users also provide their data. We respond to an inquiry as requested and process user data for this purpose. Therefore, the authorization to process data is based on Art. 6 (1) lit. b GDPR, as we process it in order to respond to an inquiry and thereby to fulfill the contract in this regard.

7. Booking of Partner Services

Booking System
Within the use of our booking system, we process users’ data for the purpose of handling and fulfilling a booking as well as for ensuring the security of our information technology systems. We process users’ personal data in order to enable users to purchase the selected partner services as well as their payment and provision, but not their execution. For this purpose, we forward the data necessary for the payment and processing of a booking to our partners. For the processing of payment transactions, we or our partners use the services of banks and payment service providers. See also the information provided below in section 8.

The categories of data processed within the use of our booking system are master data, contact data, usage data, connection data, contract data, and payment data. We do not pass on users’ data to unauthorized third parties.

The legal basis for these processing measures results from:

  • Regarding the processing of data to ensure the security of our information technology systems, our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.

  • Regarding the processing of data for the purpose of handling bookings within the booking system, Art. 6 (1) lit. b GDPR.

8. Payment Processing
To process payment claims, we offer various payment methods. For this purpose, we integrate the payment service providers described below. We do this for the purpose of the proper and needs-based provision of our services. The processed data in this context include usage data, connection data, master data, payment data, contact data, or contract data, such as account numbers or credit card numbers, passwords, TANs, and checksums as well as contract-, amount-, and recipient-related information. These details are required to carry out the transactions. The entered data are processed and stored only by the payment service providers. We do not receive any account- or credit-card-related information, but only information about confirmation or rejection of the payment. In certain circumstances, payment service providers may transmit users’ data to credit agencies. This transmission is intended for identity and creditworthiness checks. In this regard, we refer to the terms and conditions and the privacy notices of the payment service providers. The legal basis for the use of payment service providers results from Art. 6 (1) lit. b GDPR. The services promised to users through our services and the fulfillment of our contractual obligations can only be provided if we use third parties, such as payment service providers, to process payment transactions. If a payment service provider transfers data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure a level of protection essentially equivalent to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF).

Payment Service Provider

Stripe

If users choose a payment method of the payment service provider Stripe, payment processing takes place via Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Within the ordering process we transmit the information provided together with the order information (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) to Stripe pursuant to Art. 6 (1) lit. b GDPR. Further information about Stripe’s privacy policy can be found at:
https://stripe.com/de/privacy#translation

Stripe reserves the right to carry out a credit check based on mathematical-statistical procedures in order to safeguard the legitimate interest in determining the user’s ability to pay. The personal data required for a credit check and obtained during payment processing may be transmitted by Stripe to selected credit agencies, which Stripe will disclose to users upon request. The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they are based on scientifically recognized mathematical-statistical procedures. Among other things, but not exclusively, address data are included in the calculation of score values. Stripe uses the result of the credit check regarding the statistical probability of payment default in order to decide whether the selected payment method may be used. Users may object to this processing of data at any time by sending a message to Stripe or the commissioned credit agencies. However, Stripe may still be entitled to process users’ personal data if this is necessary for contractual payment processing.

9. Hosting

9.1 Provision of Our Services
In order to provide our services to users, we use the services of the hosting providers listed below. Our services are accessed via the servers of these hosting providers. For these purposes, we make use of infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services of the web hosting providers.

The processed data include all data that users enter within the scope of using and communicating in connection with their visit to our services or that are collected from users in this context (e.g., IP address). Our legal basis for using hosting providers to provide our services results from Art. 6 (1) lit. f GDPR (legitimate interest).

9.2 Receiving and Sending Emails
The services used by our hosting providers may also include sending, receiving, and storing emails. For these purposes, the addresses of email recipients and senders, as well as other information regarding email transmission (e.g., the providers involved), and the content of the respective emails are processed.
The aforementioned data are also processed for the purpose of detecting spam. Emails are generally not sent encrypted over the internet. Although emails are, as a rule, encrypted during transport, they are not encrypted on the servers from which they are sent and received (unless end-to-end encryption is used). Therefore, we cannot assume responsibility for the transmission path of emails between the sender and receipt on our server. Our legal basis for using hosting providers for sending and receiving emails results from Art. 6 (1) lit. f GDPR (legitimate interest).

9.3 Collection of Access Data and Log Files
We ourselves (or the hosting providers) collect data for each access to the server (server log files). The server log files may include the address and name of the retrieved services and files, date and time of access, transmitted data volumes, notification of successful retrieval, device type including version, operating system, referrer URL (the previously visited page), and generally IP addresses as well as the requesting provider. The server log files may be used, on the one hand, for security purposes, for example to prevent server overload (particularly in the case of abusive attacks, so-called DDoS attacks), and on the other hand to ensure the utilization and stability of the servers. Our legal basis for using a hosting provider to collect access data and log files results from Art. 6 (1) lit. f GDPR (legitimate interest).

The hosting provider we use is the following:

Framer
Framer B.V.
Rozengracht 133
1016 LV Amsterdam
Netherlands
https://www.framer.com/

10. Transactional Mailings
For administrative processes, for confirming actions, and as part of our non-promotional customer communication, we send transactional notifications (hereinafter “Transactional Mailings”) to users. Our Transactional Mailings contain important administrative information regarding our services. For the management of our Transactional Mailings as well as for the creation and sending of Transactional Mailings, we use the transactional mail services listed below. When users retrieve Transactional Mailings, technical information such as information about the browser and system, as well as an IP address and the time of retrieval, may be collected. This information is used to technically track interaction with our Transactional Mailings based on technical data or the target groups and their reading behavior. The legal basis for the use of Transactional Mailings is Art. 6 (1) lit. b GDPR, as the information contained in the Transactional Mailings enables us to fulfill our contractual obligations toward users. If we use the services of third-party providers for this purpose, the legal basis is Art. 6 (1) lit. f GDPR. We have a legitimate interest in standardizing and centrally managing the sending of Transactional Mailings. If providers transfer data to a third country (e.g., the USA), this occurs only in individual cases on the basis of a data processing agreement concluded with them and in accordance with standard contractual clauses agreed with them and other safeguards permitted under the GDPR that ensure a level of protection essentially equivalent to that in the EU, in particular on the basis of the EU-US Data Privacy Framew

Provider of the Transactional Mail Services Used by Us

Brevo
Sendinblue GmbH
Köpenicker Straße 126
10179 Berlin
https://www.brevo.com/de/datenschutz-uebersicht/
https://www.brevo.com/de/legal/privacypolicy/

11. Profiles on Social Media Websites
We maintain profiles on social media platforms on the internet and process personal data in this context in order to communicate with users active there or to provide information about us. We inform users that their data may be processed outside the European Union when visiting our profiles. The operators of the respective social networks are responsible for this. A detailed description of the respective processing activities and the possibilities to object (e.g., opt-out) can be found in the privacy policies of the operators of the respective social networks. When visiting our social media profiles, user behavior may be evaluated and the information obtained from this may be communicated to us (“Insights”). This analysis is carried out for the purpose of economic optimization and needs-based design of our services. The processed data categories may include master data, contact data, content data, usage data, and connection data. The recipient of the data is the provider of the respective social media platform as a joint controller pursuant to Art. 26 GDPR. The legal basis for processing data as described here results from our legitimate interest and therefore from Art. 6 (1) lit. f GDPR. For the implementation of data subject rights, the respective social media platform is responsible. Information about data subject rights can be found below for each social media platform on which we maintain a profile. Users may also assert their rights directly against us; we will then forward the request to the operator of the social media platform.

Facebook
Meta Platforms Ireland Limited,
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Data subject rights:
https://www.facebook.com/legal/terms/information_about_page_insights_data

Instagram
Meta Platforms Ireland Limited,
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Data subject rights:
https://privacycenter.instagram.com/policy

LinkedIn
LinkedIn Ireland Unlimited Company,
Wilton Place, Dublin 2, Ireland
Data subject rights:
https://de.linkedin.com/legal/privacy-policy

12. Final Provisions
In the event of discrepancies or interpretation issues between different language versions of this document, the German version of the document shall prevail.

Status: March 2026


With friendly support from
https://www.derstartupanwalt.de/

©NearMeNow UG (haftungsbeschränkt) All rights reserved.
