Privacy Policy of the App "Oxolo"

We, Oxolo GmbH, Bleichenbrücke 10, 20354 Hamburg, Germany, (hereinafter also referred to as "Oxolo"), develop and operate the mobile application Oxolo (hereinafter referred to as "App"). We would be pleased if you (hereinafter also referred to as "User") use our App. In this regard, the protection of your privacy is of particular concern to us.

With the following privacy policy ("Privacy Policy"), we would like to inform you about how we collect, process and store your personal data in connection with the App and explain why we need this data, how and to what extent we process the data and how we secure your data.

1. Data protection

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations and this data protection information.

This data protection notice applies to the processing of personal data by us on our Website ("Website"). They explain the type, purpose and scope of data processing within the framework of the Website.

We would like to point out that data transmission over the Internet may have security gaps. It is not possible to completely protect data from access by third parties.

2. Controller and Data Protection Officer

"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Controller:

Oxolo GmbH

Bleichenbrücke 10

20354 Hamburg

Email: info@oxolo.com

Data Protection Officer

Dr. Christian Rauda

Attorney and board-certified specialist information technology law

GRAEF Rechtsanwälte Digital PartG mbB

Jungfrauenthal 8

20149 Hamburg

Germany

Email: privacy@oxolo.com

Phone: + 49 40 80 6000 9-0

3. General information on data processing

a. Scope of the processing of personal data

As a matter of principle, we collect and use personal data of our users only to the extent necessary to provide our content and our services. The collection and use of personal data of our users is regularly only carried out with the consent of the user. An exception is made in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal regulations.

b. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations which are necessary to carry out pre-contractual measures.

Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

c. Data deletion and storage period

The personal data of the user will be deleted or blocked as soon as the purpose of the storage no longer applies. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU ordinances, laws or other regulations to which the person responsible is subject. Data will also be blocked or deleted when a storage period prescribed by the above-mentioned standards expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.

4. Provision of the Website and creation of log files

Whenever our Website is accessed, our system automatically collects data and information from the computer system of the calling computer.

The data is stored in the log files of our system. This data is only needed for the analysis of possible errors. The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR. The temporary storage of the IP address by the system is necessary to enable the Website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the Website. In addition, the data serves us to optimize the Website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context and no conclusions are drawn about your person. The collection of data for the provision of the Website and the storage of the data in log files is absolutely necessary for the operation of the Website. Consequently, there is no possibility of objection on the part of the use

5. Contact

You can contact us via our contact-form, by e-mail or letter. Your details from the inquiry, including the contact details you provide there, will be stored by us solely for the purpose of processing the inquiry and in the event of follow-up questions. The data will not be passed on to third parties in this context.

The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR. Our interest in answering your inquiry outweighs your interest; since you are writing to us, an answer is also in your interest and you are aware that we must process your data in order to answer your inquiry.

If the e-mail contact aims at the conclusion of a contract, the legal basis for processing is Art. 6 para. 1 lit. b GDPR.

The data will be deleted as soon as they are no longer required for the purpose of their collection. This is the case when the respective conversation with the user has ended. The conversation is terminated when it can be concluded from the circumstances that the matter in question has been finally clarified.

6. Use of cookies

a. Cookies required for operation

We use so-called session or flash cookies on our Website. Cookies are text files that are stored in or by the Internet browser on the user's computer system. When a user visits a Website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified the next time the Website is accessed. Some functions of our Website cannot be offered without the use of cookies. For these it is necessary that the browser is recognized even after a page change. The user data collected with technically necessary cookies is not used to determine the identity of the user or to create user profiles. The legal basis for the processing of personal data by means of technically necessary cookies is Art. 6 para. 1 lit. f GDPR.

7. Third-party cookies and analysis tools

If you access our services, your behavior can be statistically evaluated with the help of certain analysis tools and analyzed for advertising and market research purposes or to improve our services. When using such tools, we ensure that the legal regulations are observed. When using external service providers, we ensure through appropriate contracts with the service providers that the data processing complies with German and European data protection standards. We use the following tools to analyze user behavior:

Google Analytics

Our Website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called "cookies". These are text files which are stored on your computer and which enable an analysis of your use of the application. The information generated by a cookie about your use of this application is usually transferred to a Google server in the USA and stored there. Google has concluded EU standard contract clauses with its group companies in the USA and thus offers sufficient guarantees for appropriate data protection within the meaning of Art. 46 GDPR.

Google processes the following cookies:

Name of the cookie: _ga

Recipient (of the data passed on by the cookie): Google Analytics

Purpose of the cookie: Registers a unique ID that is used to generate statistical information about how the visitor uses the site.

Storage period of the cookie: 2 years

Name of the cookie: _ga_KMMQR34MH0

Recipient (of the data passed on by the cookie): Google Analytics

Purpose of the cookie: Registers a unique ID that is used to generate statistical information about how the visitor uses the site.

Storage period of the cookie: 2 years

The storage of Google Analytics cookies and the use of this analysis tool is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time by The legality of the data processing procedures already carried out remains unaffected by the revocation.

You should note, however, that we cannot guarantee data protection and data security for transmissions outside our sphere of influence, such as within your mobile phone network. We can, thus, not exclude the possibility that data transmission over the In- ternet (e.g. when communicating by email) may nevertheless have security gaps. Therefore, please use additional security measures as far as possible, e.g. encrypted communication connections and up-to-date protection software for your end devices.

We use the "Google Tag Manager" to integrate and manage Google's analysis and marketing services into our Website.

You can prevent the collection of the data generated by the cookie and related to your use of the Website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

User and event-level data stored at Google that is linked to cookies, usage IDs (e.g. User ID) or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymized or deleted after 14 months. You can see the details of this under the following link: https://support.google.com/analytics/answer/7667196?hl=de

8. Google Firebase

We use the Firebase technology from Google, (“Google”), operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Firebase is part of the Google Cloud Platform and offers further services in addition to a real-time database

We use the data processing with the purpose of providing a functional Website that corresponds to the state of the art. With the data, which is evaluated anonymously, we obtain the necessary information that enables us to offer an appealing design of our content.

The data processing is based on Art. 6 para. 1 lit. f) GDPR (legitimate interest). We have a legitimate interest in providing a functioning and optimized Website that provides a certain level of comfort and technology. This interest outweighs your interest in anonymous use.

Google Firebase uses servers located in the EU for these services wherever possible. However, it cannot be ruled out that data may also be transferred to the USA. Google has concluded EU standard contract clauses with its group companies in the USA and thus offers sufficient guarantees for appropriate data protection within the meaning of Art. 46 para. 1, para. 2 lit. c GDPR.

9. Cloudflare

On the basis of our legitimate interests (interest in optimization and economic operation of our online-service in accordance with Art. 6 para. 1 let. f GDPR) we use services of Cloudflare Inc. Commented [GRAEF11]: Which of the firebase services are used?(“Cloudflare”), 101 Townsend St, San Francisco, CA 94107. Cloudflare processes the data in the USA on the basis of EU Standard Contractual Clauses and thus offers sufficient guarantees within the meaning of Art. 46 para. 1, para. 2 lit. c GDPR.

Cloudflare offers server infrastructure which enables a faster and safer access to data because of the proximity the user. Cloudflare’s main task is to forward data to the user. Which data will be forwarded depends on our use of Cloudflare’s services as well as the user’s request.

Further information about Cloudflare can be found here: . Questions about Cloudflare’s use of data can be asked here: .

Cloudflare’s services are provided as commissioned data processing, please address us if you would like to object to the use of the data. We notify you that in the case of an objection you might not be able to use our Website anymore.

10. Social Media Links

We maintain an online presence on social networks and platforms to communicate with clients, interested parties, and users who are active on those networks, and to be able to inform clients, interested parties, and users of our services.

Our Website therefore links to the website of Instagram (“Instagram”), operated by Instagram Inc., 1 Hacker Way, Menlo Park, CA, 94025, U.S.A. or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Otherwise no data are exchanged with Instagram on our Website.

Our Website also links to the website of YouTube (“YouTube”), operated by Google LLC, D/B/A YouTube, 901 Cherry Ave., San Bruno, CA 94066, USA, or, if you reside in the EU, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Otherwise, no data are exchanged with YouTube on our Website.

Our Website also links to the website of Facebook (“Facebook”), operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, U.S.A., or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Otherwise, no data are exchanged with Facebook on our Website.

Our Website also links to the website of LinkedIn (“LinkedIn”), operated by LinkedIn Corp., 1000 West Maude Avenue, Sunnyvale, CA 94085, USA, or, if you reside in the EU, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Otherwise, no data are exchanged with LinekdIn on our Website.

Our Website also links to the website of Twitter (“Twitter”), operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, U.S.A. or, if you reside in the EU, Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland. Otherwise, no data are exchanged with Twitter on our Website

When you access the aforementioned networks or platforms, the terms and conditions and data processing policies of the companies that operate those networks or platforms will apply. Unless otherwise provided in our data privacy policy, we will process data of users if they communicate with us through social networks or platforms, e.g., if they post on our Facebook pages, or send us messages.

11. Rights of the data subject

If your personal information is processed, you have the following rights.

a) Right of access

You have the right to obtain from us confirmation as to whether or not personal information concerning you are being processed, and, where that is the case, access to the personal data and the following information:

(1) the purposes of the processing;

(2) the categories of personal data concerned;

(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(4) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(5) the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal information or to object to such processing;

(6) the right to lodge a complaint with a supervisory authority;

(7) where the personal data are not collected from you, any available information as to their source;

(8) the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.

b) Right of rectification

You have the right to obtain from us within undue delay the rectification of inaccurate or incomplete personal information. Taking into account the purposes of the processing, you shall have the right to have incomplete pers

c) Right to restriction of processing

You shall have the right to obtain from us restriction of processing where one of the following applies:

(1) the accuracy of the personal data is contested by yourself, for a period enabling us to verify the accuracy of the personal data;

(2) the processing is unlawful and the data subject opposes the erasure of the personal information and requests the restriction of their use instead;

(3) we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(4) You have objected to processing pursuant to Art. 21 para. 1 pending the verification whether the legitimate grounds override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. If you have obtained restriction of processing pursuant to the above, you shall be informed by us before the restriction of processing is lifted.

d) Right to erasure (‘right to be forgotten’)

You shall have the right to obtain from us the erasure of personal information concerning without undue delay and we shall have the obligation to erase personal information without undue delay where one of the following grounds applies:

(1) the personal information is no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(2) you withdraw consent on which the processing is based according to Art. 6 para.1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing;

(3) you object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para 2 GDPR;

(4) the personal information has been unlawfully processed;

(5) the personal information has to be erased for compliance with a legal obligation in the European Union

(6) the personal information has been collected in relation to the offer of information society services referred to in Article 8 para.1.

Where we have made the personal information public and is obliged pursuant to the above to erase the personal information, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. The right to erasure shall not apply to the extent that processing is necessary:

(1) for exercising the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing by the European Union or for the performance of a task carried out in the public interest

(3) for reasons of public interest relating to public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the DPA;

(4) for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to make it impossible or seriously impede the attainment of the objectives of such processing, or

(5) for the establishment, exercise or defence of legal claims.

e) Notification regarding rectification or erasure of personal data or restriction of processing

We shall communicate any rectification or erasure of personal data or restriction of processing carried to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request it.

f) Right to data portability

You have the right to receive the personal information, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal information have been provided, where:

(1) the processing is based on consent pursuant to Art. 6 para 1 lit. a or Art. 6 para 1 lit. b or Art. 2 para 2 lit. a

(2) the processing is carried out by automated means.

The right shall not adversely affect the rights and freedoms of others. In exercising your right to data portability you shall have the right to have the personal information transmitted directly from one controller to another, where technically feasible. The exercise of this right shall be without prejudice to the right of erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

g) Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 para. 1 lit e) or lit. f). We shall no longer process the personal information unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal information is processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal information shall no longer be processed for such purposes. At the latest at the time of the first communication with you, the right referred to above shall be explicitly brought to your attention shall be presented clearly and separately from any other information. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise his or her right to object by automated means using technical specifications.

h) Right to revoke the declaration of consent

You have the right to revoke your data protection declaration of consent at any time. Revocation of your consent does not affect the legality of the processing that has taken place on the basis of your consent until revocation.

i) Automated individual decision-making

The you shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you This shall not apply if the decision:

(1) is necessary for entering into, or performance of, a contract between you and us

(2) is authorised by European Union law and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3) is based on your explicit consent.

j) Right of complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the European Member State where you reside, work or suspect of infringement, if you believe that the processing of personal information concerning you is not in compliance with GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

Sign up for the Tipy newsletter

I would like to receive information about Tipy and the services and related offers by Tipy at regular intervals via e-mail. I would like to be informed about developments and news on new products and the company of Tipy. I can revoke my consent at any time with effect for the future. Further information can be found in our Privacy Policy.