PLEASE READ THE PRIVACY POLICY CAREFULLY BEFORE USING THE SERVICES OF MOBILE HEALTHCARE SOLUTIONS GMBH. The protection of your privacy and your personal (within the meaning of Article 4(1) of the General Data Protection Regulation (EU) 2016/679 (hereinafter the „GDPR“)) and other data is one of the most important concerns of Mobile Healthcare Solutions GmbH (hereinafter „us“, „our“, „ours“, „our“ and „we“). It is crucial for us that our customers (hereinafter referred to as „users“) feel secure when using our products and services. When using „Ovuly“ via the (mobile application (hereinafter the „Ovuly App“) or via our web-based application (hereinafter the „Web Integration“) and when accessing our internet presence ovuly-app.com (hereinafter the „Website“) and using any other products and/or services offered by us (the Website is referred to as the „Services“), you will be asked for your confirmation and, if applicable, your consent to the processing operations described herein. 1 Who we are This Privacy Policy applies to all personal data processed by Mobile Healthcare Solutions GmbH (HRB 178152, Hamburg Local Court), Röntgenstraße 24, 22335 Hamburg, Germany, in its capacity as controller for all processing operations in connection with the Services (pursuant to Article 4(7) GDPR). Questions, comments and requests regarding our privacy policy can be sent to us at any time using the contact form. You can reach our data protection officer at hello@ovuly-app.com. 2 General overview of data processing in connection with our services Before using our services, you must confirm to us that you have carefully read the Privacy Policy and consent to Ovuly analyzing your personal data submitted to us for the purpose of analysis. This Section 2 provides you with a general overview of the data processing operations in connection with our Services. You will find a detailed description of our data processing operations in Section 3 below on the individual data processing operations and in Sections 4 to 9 on our Cookie and Tracking Policy (Section 4), the storage location of your personal data (Section 5), the conditions for disclosure of your personal data (Section 6), the retention of data (section 7), your rights as a data subject (section 8), and our change policy (section 9). Information you provide to us: We collect and process personal data that we ask you to provide when you complete forms on our website, apply for an advertised position with us or otherwise contact us; register to use our services, subscribe to our newsletter, receive promotional emails or other promotional materials; use our services; report a problem with our Services; or participate in surveys or otherwise provide feedback that we have created for research and optimization purposes (although your participation and feedback in each case is voluntary and you do not have to provide any responses if you do not wish to do so). The information we may ask you to provide includes, in particular, your name, your gender, your date of birth, your period data such as the start of your cycle, cycle length, period length and regularity of your cycle, your e-mail address, your telephone number and other information to verify your identity. Information we collect about you: We collect the following data each time you visit and use our services, but we will never use this data to identify you: Usage Data: technical information about your device, including device-specific details such as hardware model, operating system version and product identification number, and mobile network information; details of your visits, including the UniformResourceLocatorsClickstream („URLClickstream“) to, through and from our Services (including date and time); Analytics data: Your IP address and operating system and browser; information about the AppStore from which you downloaded our Ovuly app; duration of your visit to certain subpages and information about your interaction with the subpages (e.g. scrolling, finger movements, clicks and mouse movements). The use of our services on behalf of third parties is only permitted with the prior and unambiguous consent of the persons whose data you transmit to us. By way of explanation, references to „your data“ in this privacy policy also include the data of other persons that you provide or have provided to us. Our website may contain links to third party sites. If you follow a link to any such site, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or their processing of your personal data. Please check their policies before you submit your personal data to them. 3 Specific processing activities, nature and purpose of use 3.1 When you use our website Categories of data: IP address of the requesting device, date and time of your access, name and URL of the requested file, previously visited website („referrer URL“), browser used and, if applicable, the operating system of your device and the identity of your provider. Purpose of processing: We use the data listed here to enable you to access our website, to ensure a smooth Internet connection to our website and its ease of use, to analyze the security and stability of the system and for other administrative purposes. Legal basis: Legitimate interests (Article 6 (1)(f) GDPR). Our legitimate interest is based on the data collection purposes listed under the heading „Purpose of processing“. Under no circumstances do we use the data collected to establish your identity. You are not obliged to provide the above-mentioned personal data. However, access to our website is not possible without providing this personal data. Storage period: Your data will be deleted after 15 days, provided that no security-relevant events (such as a DDoS attack) prevent this. However, if such an event occurs, the log files are stored on the server until after the event and its complete resolution. 3.2 When creating a user account or creating a new profile Categories of data: Email address and password, account ID, device identifier, profile name, your name, your gender, your date of birth, your period data such as the start of your cycle, cycle length, period length and regularity of your cycle, your e-mail address, your telephone number and other information to verify your identity, as well as the date, time and place of your registration. Purpose of processing: We use the above data to provide you with a user account and access to our wellness product. We use the general information about your health for the basic medical history. Access to our wellness product is not possible without this (required) data. When using our wellness product via a web integration, we are entitled, with your consent, to disclose pseudonymized user data (but no personal data) to the host of the respective web integration. Legal basis: Performance of a contract pursuant to Article 6 (1)(b) GDPR or your consent pursuant to Article 9 (2)(a) GDPR for the processing of your data. Storage period: We process your data for the above-mentioned purposes until you delete your account or request deletion. If your user account is inactive for more than 24 months, we will contact you and ask you whether you wish to continue using our wellness product. If your account remains inactive for a further 3 months, we will delete it. In the event of a request for deletion, we will delete your account within one month and your data will be deleted or irreversibly anonymized (so that no conclusions can be drawn about a specific natural person). In addition, we retain your data (see section 7 for further information) for purposes such as the assertion, exercise and defense of legal claims and compliance with high quality and safety standards, in particular with regard to post-market surveillance; however, the processing of your data is limited to these purposes. 3.3 Profile Categories of data: Your height, gender, activity level, weight, and goals. Purpose of processing: This feature allows you to create a comprehensive profile to manage your preferences in our wellness product. However, we do not process any data that you enter to create your profile for the purposes of the assessment in section 3.5 below. Legal basis: Consent (Article 9 (2)(a) GDPR). You can withdraw/cancel your consent at any time. Storage period: Your data will be stored until the purpose for which it was originally collected no longer applies. The storage period of your data for this purpose is limited to the duration of processing in accordance with section 3.2. 3.4 Login with Facebook/Apple Categories of data: FacebookID, Apple user ID, email address (if you allow Facebook to share it), date and time of login. Purpose of processing: If you decide to use and log in via Facebook or Apple, Facebook or Apple will, with your consent, send us the data listed here to complete your user data within the Ovuly app and to verify your identity. Please note that Facebook or Apple may also process your data (FacebookID, AppleID, metadata, Ovuly app processes and messages and device properties) when you log in via Facebook or Apple. We are not responsible for data processing by Facebook and Apple; you can find out more about this in Facebook’s privacy policy and Apple’s privacy policy. Legal basis: Legitimate interests (Article 6 (1)(f) GDPR). Our legitimate interest is to enable users who do not have an email account or who wish to log in with their Facebook or Apple account instead to use our services or to fulfill a contract (Article 6 (1)(b) GDPR or consent pursuant to Article 6 (1)(a) GDPR). Storage duration: The storage duration of your data for this purpose is limited to the duration of the processing in accordance with section 3.2. The data processed by Facebook and Apple, over which we have no control if you log in via Facebook or Apple, may remain on the Facebook or Apple servers. If you delete your Facebook account or decide not to continue using Apple devices and still wish to use the Ovuly app, you will be redirected to log in with an email address or another log-in procedure. 3.5 Creation of a case Categories of data: ProfileID, profile name (if applicable) and associated personal data required for the assessment, such as your name, your gender, your date of birth, your period data such as the start of your cycle, cycle length, period length and regularity of your cycle, your e-mail address, your telephone number, geographical location, time and date of assessment. Purpose of processing: Evaluation with the help of our wellness product, in particular naming possible foods for improving well-being. Legal basis: Performance of a contract pursuant to Article 6(1)(b) GDPR or your consent pursuant to Article 9(2)(a) GDPR for the processing of your health data. You can withdraw/revoke your consent at any time, but you will not be able to use our wellness product without your consent (i.e. an assessment cannot be made). Storage duration: The storage duration of your data for this purpose is generally limited to the duration of the processing according to section 3.2. In addition, you can request the deletion of a case or delete the case yourself. We will then delete or irreversibly anonymize your case data within one month (so that no conclusions can be drawn about a specific natural person). Although we will continue to retain some of your data (see section 7 for further information), we will not process it for any other purposes. 3.6 Analysis of case information to ensure high quality and safety standards of our analysis and recommendations Categories of data: AccountID (if applicable), ProfileID (if applicable), CaseID, time and date of assessment, geographical location of the case, data provided for a case (personal data required for the assessment, such as age, gender, pre-existing conditions, diets, allergies, pregnancy status and relevant medical history), feedback, results of the assessment and data about software and hardware (e.g. version numbers, operating system and device identifier). Purpose of processing: To ensure the highest quality and safety standards for our wellness product, it is necessary to check the quality of the results of our assessments (hereinafter the „Analysis“). The Safety and Quality Assurance staff (hereinafter the „Experts“) use pseudonymized and, where applicable, aggregated data to evaluate the results of our assessments and identify any need for improvement to ensure that our Wellness Product meets the highest quality and safety standards. Basis: The processing is necessary for compliance with the mandatory quality and safety requirements of our wellness product. The application is carried out in accordance with the highest quality and safety standards of our wellness product. Storage period: We process your data for as long as it is required for the above-mentioned purpose. The storage period of your data for this purpose corresponds to our obligation to fulfill the applicable requirements for the quality and security of our app. 3.7 Assessing your eligibility for and inviting you to participate in clinical trials and referring you to healthcare services for further diagnosis Categories of data: Email address, account ID, profile name, Your name, your gender, your date of birth, your period data such as the start of your cycle, cycle length, period length and regularity of your cycle, your e-mail address, your telephone number and other information to verify your identity, time and date of assessment and any other data you have provided to us. Purpose of processing: We use the above data to assess your eligibility for clinical trials and to invite you to participate in our research partners‘ clinical trials that may be of interest to you and/or to refer you to healthcare services for follow-up diagnostics. For the avoidance of doubt, we will not disclose any personal data to our research partners without your consent and your participation in clinical trials and use of recommended healthcare services will be on a voluntary basis and subject to your prior consent. Legal basis: Your consent (Article 6 (1)(a) and Article 9 (2)(a) GDPR) to the mandatory processing of your data for the above-mentioned purposes if you participate in a clinical trial. You can withdraw/revoke your consent at any time (for further information on your rights as a data subject, please refer to section 8 below). Storage duration: The storage duration of your data for this purpose is limited to the duration of the processing according to section 3.2. If you request the deletion of a specific case or delete a specific case independently in the app, your case data will no longer be used for this purpose. 3.8 Use of health data for statistical and research purposes Categories of data: AccountID (if applicable), CaseID, ProfileID (if applicable), age, gender, goals, geographic location, risk factors, diet type, results of assessments, such as possible causes of symptoms, as well as medical history, allergies, time and date of assessment and other relevant and similar health data that you may have provided to us. Purpose of processing: We process pseudonymized data to compile aggregate statistics on the geographical spread of certain types of symptoms and diseases. We may make such statistics available to our partners and users, but always on an irrevocably anonymized basis. Legal basis: The processing is necessary for statistical purposes and, without exception, we provide our partners with anonymized and summarized statistics from which no conclusions can be drawn about the identity of a natural person (Article 9 (2)(j) GDPR; Section 27 (1) BDSG). Our legitimate interest in processing data for these purposes is the advancement of research in line with our corporate objectives, which also reflects the public’s interest in improving healthcare, in particular by studying the incidence and characteristics of diseases. For reasons arising from your particular situation, you can object to the processing of your personal data at any time. Please address your objection to us (further information on your right to object can be found in section 8 below). Storage period: The data on the basis of which we compile the statistics will be stored for the processing period in accordance with section 3.2. If you request the deletion of a specific case or delete a specific case independently in the app, your case data will no longer be used for this purpose. The statistics are anonymous. 3.9 Use of health data for public health purposes Categories of data: AccountID (if applicable), profile name (if applicable), caseID, device identifier, age, gender, geographic location, risk factors, results of assessments, such as possible causes of symptoms, as well as medical history, allergies, time and date of assessment and other relevant and similar health data you may have provided to us. Purpose of processing: We process pseudonymized data for public health purposes (in accordance with recital 54 of the GDPR), such as analyzing case data with regard to public health trends, rare diseases and threats, and possible opportunities to improve public health, e.g. based on findings about the frequency and concomitant symptoms of certain diseases and certain aspects of the assessments. We may make the results available to our partners on the basis of summary statistics, e.g. in the public health and science community, but always on an irrevocably anonymized basis. Legal basis: Processing is necessary for reasons of public interest in the area of public health (Article 9 (2)(i) GDPR, Section 22 (1) No. 1 (c) BDSG). Our legitimate interest in data processing for these purposes is to promote public health by protecting against serious cross-border threats to health. You can object to the processing of your personal data at any time on grounds relating to your particular situation. Please address your objection to us (further information on your right to object can be found in section 8 below). Storage period: The pseudonymized data on the basis of which we compile the statistics is stored for the processing period in accordance with section 3.2. If you request the deletion of a specific case or delete a specific case independently in the app, your case data will no longer be used for this purpose. 3.10 Monitoring and improving the safety of our wellness product Categories of data: Symptoms of your illness, possible causes of your symptoms, account ID (if applicable), profile name (if applicable), age, gender, geographical location (country), IP address, device identifier, events during the use of the Wellness Product, in particular started and completed assessments. Purpose of processing: We use a limited amount of usage data (possibly together with personal health data) to check user-friendliness, to identify possible malfunctions, incorrect assessments or any problems with availability and user-friendliness. For example, if you indicate after completing an assessment that it was not helpful due to an incorrect result, our experts can review the assessment based on your information and decide whether a change could increase security. This is based on our post-market surveillance obligation. Storage period: Your data will be stored for the purposes listed above for as long as is necessary to meet the quality and safety standards of our wellness product. 3.11 Sharing limited information and increasing the reach of Ovuly Categories of data: ID of advertisers, download and installation of the Ovuly app on your mobile device and how you found out about us (e.g. via social media or in an online article), whether your registration and creation of a new case with us was successful and your rating of our Ovuly app in the various AppStores, geographical location, time and date. Purpose of processing: When you use the Ovuly app, we use information to understand how people become aware of Ovuly online. This allows us to share the right information with you and other potential users. For example, if you have already downloaded the Ovuly app, you will no longer receive online advertising prompts to download the app. This information also gives us insights into how we can increase the reach of the Ovuly app, which could benefit from Ovuly’s expertise. However, we only use pseudonymized data collected by our processor Adjust GmbH (located at Saarbrücker Straße 38a in 10405 Berlin). We will never pass on your personal health data to advertisers or third parties for this purpose. Legal basis: Consent (Article 6 (1)(a) GDPR). Storage period: Your data will be stored until the purpose for which it was originally collected no longer applies. However, we delete the data listed here after 45 days at the latest. 3.12 Monitoring the proper use, functioning, maintenance and improvement of the services and associated emails Categories of data: Device identifier, IP address, operating system and type of your browser, duration of your visit to certain subpages as well as information about your interaction with the subpages (e.g. scrolling, finger movements, clicks and mouse movements), geographical location, time and date as well as processes during the use of the wellness product, in particular started and completed reviews. Purpose of processing: We use a limited amount of usage data (but without personal health data) to ensure the proper use, functioning, maintenance and improvement of our services in the interests of all users. Legal basis: Legitimate interests (Article 6 (1)(f) GDPR). Our legitimate interests are based on the above-mentioned purposes. However, we will never use the data collected to identify you. We process the information about your interaction with the subpages when you use our services or receive emails from us in order to both ensure correct receipt and to be able to assess and continuously improve our services. For reasons arising from your particular situation, you can object to the processing of your personal data at any time. Please address your objection to us (further information on your right to object can be found in section 8 below). Storage period: Your data will be deleted after 15 days, provided that no security-relevant events (such as a DDoS attack) prevent this. However, if such an event occurs, the server log files are stored until after the event and its complete resolution. 3.13 Direct advertising of our own similar products and services Categories of data: Email address, profile name, preferred gender. Purpose of processing: To receive direct marketing (about products and services) and survey announcements that we believe may be of interest to you. You can change your marketing preferences at any time by using the link at the bottom of each marketing email or by sending us a request here. Legal basis: Legitimate interests (Article 6 (1)(f) GDPR). Storage period: The storage period of your data for this purpose is limited to the duration of processing in accordance with section 3.2. 3.14 Optimization of our advertising measures Categories of data: Device identifier, IP address, operating system and type of your browser, duration of your visit to certain subpages and information about your interaction with the subpages (e.g. scrolling, finger movements, clicks and mouse movements) as well as geographical location, time and date. Purpose of processing: We use a limited amount of usage data (but without personal health data) to track your interaction with certain subpages and to analyze this data to optimize our advertising measures. Legal basis: Consent (Article 6 (1)(a) GDPR). You can adjust your tracking settings at any time in the privacy settings of the Ovuly app or send us a message here. Storage period: Your data will be stored until the purpose for which it was originally collected no longer applies or until you withdraw your consent. The storage period of your data for this purpose is limited to the duration of processing in accordance with section 3.2. We delete the data processed for tracking purposes after 45 days at the latest. 3.15 Feedback and surveys Categories of data: Feedback with some personal data, e-mail address (voluntary information) and case data (only if you have provided us with your e-mail address and created an account with us, which allows us to identify you, but only for the following purposes). Purpose of processing: We use your voluntary feedback to determine how satisfied you are with our products and services and to evaluate your experience with our products and services in general. This is necessary so that we can further optimize your user experience and better meet your needs. We may also use your voluntary feedback to meet the high quality and safety standards for our wellness product in accordance with section 3.5 above. Legal basis: Our legitimate interest (Article 6 (1)(f) GDPR) in improving your user experience and our consideration of your needs. Under no circumstances will we use the data collected to identify you. Storage period: Your data will be stored until the purpose for which it was originally collected no longer applies. The storage period of your data for this purpose is limited to the duration of the processing in accordance with section 3.2. 3.16 Web-based tool for registration and results Categories of data: Account ID, name, address, date of birth, gender at birth, email address and test results. Purpose of processing: We process your data in order to submit your registration and provide you with the test results. In addition, we use the data listed here to provide you with a user account. Legal basis: Performance of a contract (Article 6 (1)(b) GDPR/consent pursuant to Article 9 (2)(a) GDPR). You can withdraw/cancel your consent at any time, but you will not be able to use the registration and results tool without your consent. Storage period: We process your data for the above-mentioned purposes until you delete or request to delete your account. If your user account is inactive for more than 24 months, we will contact you and ask you whether you wish to continue using our registration and results tool. If your account remains inactive for a further 3 months, we will delete it. In the event of a request for deletion, we will delete your account within one month and your data will be deleted or irreversibly anonymized (so that no conclusions can be drawn about a specific natural person). In addition, we retain your data (see section 7 for further information) for the assertion, exercise and defense of legal claims, for example; however, the processing of your data is limited to these purposes. 3.17 Applications for job advertisements Categories of data: First name, last name, e-mail address, telephone number, geographical location (city), CV, LinkedIn profile (optional), time and date of your application. Purpose of processing: If you apply via our website, we process the data listed here in order to check your suitability for the position (or other vacancies in our company) and to handle the application process. Legal basis: Implementation of pre-contractual measures taken at your request (Article 6 (1)(b) GDPR). Storage period: The data of rejected applicants will be deleted after 6 months. However, if you have consented to the further storage of your personal data, we will then add your data to our applicant pool. The data will be deleted 2 years after this time. If you are offered a position as part of the application process, the data from the data system will be transferred to the information system of our HR department. 4 Cookies and tracking on our website Our website uses so-called cookies. These are text files that are stored either in or by your internet browser on your device (computer, tablet or phone). We use the term „cookies“ to refer to all tools that collect data on our website (e.g. IP addresses, location and time of visits). However, your data collected in this way is pseudonymized and stored separately from your other personal data. This type of processing is carried out on the basis of applicable law and on the basis of your consent insofar as this is required by law. For more information about the cookies we use, the purposes of the cookies we use and how to manage your cookie settings, please refer to our Cookie Policy. 5 Where we store your personal data The personal data collected from you is stored within the European Union on cloud servers of Amazon Web Services EMEA S.A.R.L. (hereinafter „AWS“) with a branch in Luxembourg and on cloud servers of Google Commerce Limited (hereinafter „GCL“), a company incorporated under the laws of Ireland with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. However, the data collected may be processed by processors outside the European Economic Area (previously and hereinafter referred to as „EEA“) on the basis of any data processing agreements, insofar as the additional requirements for the processing of personal data in third countries pursuant to Article 44 et seq. GDPR are met (e.g. if the subcontractor is able to provide appropriate safeguards pursuant to Article 46 GDPR, in particular standard data protection clauses, binding corporate rules, approved codes of conduct or derogations for specific cases pursuant to Article 49 GDPR) and the additional measures to be ensured on a case-by-case basis are taken. Sensitive data is transmitted between your browser and our website in encrypted form. Transport Layer Security („TLS“) is used for this. When transmitting sensitive data, you should always ensure that your browser can check our certificate. Please address any concerns regarding the guarantees for the transfer of your personal data outside the EEA directly to us. 6 Disclosure of your personal data 6.1 We engage technical service providers to operate and maintain our services. These service providers then act as processors within the meaning of the GDPR on the basis of data processing agreements. A complete list of the processors we use strictly in accordance with Section 3 above can be found here. We only commission service providers who process personal data outside the EEA (or in so-called „third countries“) if a decision on appropriateness has been made by the European Commission or if suitable guarantees are in place for the respective third country. Your personal data may only be transferred to third parties for the purposes listed below. Legal basis: The legal basis for the transfer and processing of your personal data by the processor corresponds to the legal basis of our role as controller within the meaning of the GDPR (always in accordance with section 3 above). 6.2 If we sell or buy companies or shares in companies, we may disclose your personal data to the future seller or buyer. Legal basis: Our legitimate interest (Article 6 (1)(f) GDPR) in the sale of our business or our shares or – if provided for by law – your consent (Article 9 (2)(a) GDPR) to the processing of special categories of data, i.e. your personal health data. 6.3 If our company or significant parts of our company are acquired by a third party, the personal data of our users will be one of the transferred assets. Legal basis: Our legitimate interest (Article 6 (1)(f) GDPR) in the sale of our company or our shares or – if provided for by law – your consent (Article 9 (2)(a) GDPR) to the processing of special categories of data, i.e. your personal health data. 6.4 European Union law or the law of a Member State of the EU may require us to disclose or share personal data. Legal basis: Compliance with a legal obligation (Article 6 (1)© GDPR). 6.5 If you have given us your express consent, we will transfer certain data to organizations involved in clinical trials or other research projects. Legal basis: Consent (Article 9 (2)(a) GDPR). 7. duration of storage of your personal data We will retain your personal data for as long as necessary or for as long as required by law or other regulatory requirements, but always in accordance with the principle of data minimization. The exact retention period for each type of processing is set out in section 3 above. If your personal data is used for more than one purpose, we will retain it until the longest retention period expires, but we will stop using the data as soon as the shortest retention period expires (in line with the principle of purpose limitation). We restrict access to your personal data to persons who need this data for the respective purposes. The principle of completeness and confidentiality always applies. After the processing of your data for the purposes set out in section 3 is no longer necessary or your account with us has been deleted (see section 3.2), we will store and retain some of your data securely and separately in accordance with legal retention periods and reasonable operational requirements. We store invoice data in accordance with the retention periods of six and ten years under commercial and tax law (Section 147 AO, Section 257 HGB). We retain data relating to post-marketing surveillance (including health data) in accordance with the retention period under applicable law. We retain data in connection with your use of our services (including health data) for a period of three or ten years, depending on operational requirements, in order to be able to assert, exercise and defend against legal claims. If the purpose for processing personal data no longer applies, the data concerned will either be irreversibly anonymized (and stored in anonymized form) or securely deleted. 8 Your rights as a data subject Under the GDPR, you have various rights (listed below) in relation to your personal data. You can exercise your rights by sending us a message via the contact form and selecting the option „Exercise my data protection rights“. Verification: We have taken a number of steps to verify the authenticity of your request. For example, we ask you to send us a confirmation from the e-mail address that you have stored in your account with us. This way we know that you are the owner of this e-mail address. However, if you have not provided an e-mail address, we may ask you for proof of identity. The right to withdraw consent: If the processing of your data is based on your prior consent, you have the right to withdraw it here at any time. However, exercising your right to withdraw consent will not affect the lawfulness of processing based on consent before its withdrawal. Right to object: You have the right to object under the conditions set out in Article 21 GDPR. You can find more detailed information on this below: – The right to object to processing based on legitimate interests: As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1)(e) or (f) GDPR, including profiling based on those provisions. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. – The right to object to processing for statistical purposes: If we process your personal data for statistical purposes in accordance with Article 9 (2)(j) GDPR or Section 27 (1) BDSG, you have the right to object to this processing at any time on grounds relating to your particular situation. We will then no longer process the personal data for the respective purposes, unless the processing is absolutely necessary for the performance of tasks in the public interest or the cessation of such processing would be likely to render impossible or seriously impair the fulfillment of statistical purposes and the continuation of the processing would therefore be essential for the fulfillment of statistical purposes. – The right to object to the processing of personal data for public health purposes: If we process your personal data for public health purposes within the meaning of Article 9 (2)(i) GDPR or Section 22 (1) No. 1 (c) BDSG, you have the right to object to this processing at any time on grounds relating to your particular situation. We will then no longer process the personal data for this purpose, unless the processing is absolutely necessary for the performance of tasks in the public interest or the cessation of such processing would be likely to render impossible or seriously impair the performance of public health purposes and the continuation of the processing would therefore be essential for the performance of public health purposes. – The right to object to direct marketing: Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. We will then no longer process your personal data for this purpose. To exercise your rights of objection in this regard, reply by email to the direct marketing email you have received from us or contact us at any time. Right of access: As a data subject, you have a right of access under the conditions of Article 15 of the GDPR. More precisely, this means that you have the right to request confirmation from us as to whether or not personal data concerning you is being processed by us. If this is the case, you also have a right of access to this personal data and to the information listed in Article 15 (1) GDPR. This includes information about the purposes of the processing, the categories of personal data being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed. Right to erasure („right to be forgotten“): Under the conditions of Article 17 of the GDPR, you as the data subject have the right to erasure („right to be forgotten“). This means that you generally have the right to request that we erase personal data concerning you without undue delay and that we are then obliged to erase personal data without undue delay if one of the grounds specified in Article 17 (1) GDPR applies. You can exercise this right at any time by deleting your account in the Ovuly app. If we have made your personal data public and we are obliged to delete it, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process your personal data that you have requested them to delete all links to this personal data or copies or replications of this personal data (Article 17 (2) GDPR). The right to erasure („right to be forgotten“) does not apply on the basis of the exception if the processing is necessary for one of the reasons stated in Article 17 (3) GDPR. This is the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims (Article 17 (3) (b) and (e) GDPR). Right to restriction of processing: As the data subject, you have the right to obtain from us restriction of processing where one of the conditions listed in Article 18 GDPR applies. If one of the conditions listed in Article 18 (1) GDPR is met, you can therefore request that we restrict the processing of your personal data. This is the case, for example, if you dispute the accuracy of your personal data. In such a case, processing will be restricted for a period enabling us to verify the accuracy of the personal data (Article 18 (1)(a) GDPR). „Restriction of processing“ means the marking of stored personal data with the aim of restricting its future processing (Article 4 (3) GDPR). Right to data portability: Under the conditions described in Article 20 GDPR, you as the data subject have the right to the portability of your personal data. This means that you generally have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us, where the processing is based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR) or on a contract (pursuant to Article 6(1)(b) GDPR) and the processing is carried out by automated means (Article 20(1) GDPR). In exercising your right to data portability, you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible (Article 20 (2) GDPR). Right to rectification: Under the conditions set out in Article 16 GDPR, you as the data subject have the right to rectification. In particular, you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and the completion of incomplete personal data. Right to lodge a complaint: As a data subject, you have the right to lodge a complaint with a supervisory authority under the conditions set out in Article 77 GDPR. The supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, address: Friedrichstr. 219, 10969 Berlin; Tel.: 030 13889-0; EMail: mailbox@datenschutz-berlin.de. If you ask us to delete or no longer process your personal data, this means that you will no longer be able to use our services or at least those sub-services that require the processing of the data to be deleted in accordance with your wishes. As a result, you may no longer have access to our services. 9. changes to this privacy policy Any changes we make to this Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email, in the Ovuly app or by other available means. We therefore recommend that you check this page regularly and keep up to date with the way in which we process your data.