Upcoming Privacy Policy Datapods App

This Privacy Policy for the Datapods App takes effect on 1st March 2025.

1. Preamble

Welcome to the Datapods App! We consider the protection of your data and your privacy to be of the utmost importance. If you have any questions, be sure to let us know. Have fun scrolling!

2. Privacy Policy App Introduction

According to Art. 4 No. 1 GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly. Further information on this can be found in Art. 4 No. 1 GDPR.

This privacy policy can be accessed, saved and printed at datapods.app.

Insofar as we cite our legitimate interest or a legitimate interest of a third party (Art. 6 para. 1 lit. f) GDPR) as the legal basis for the processing of personal data, you have the right to object in accordance with Art. 21 GDPR:

In accordance with Art. 21 GDPR, you have the right to object to the processing of personal data at any time. We will then no longer process the personal data for the purposes of direct marketing or related profiling.

We will also not process your personal data for other purposes following an objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims (see, for example, Art. 21 para. 1 GDPR, so-called “limited right to object”). In this case, you must provide reasons for the objection that arise from your particular situation.

You can also object to the processing of your personal data for reasons arising from your particular situation, for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR, unless the processing is necessary for the performance of a task carried out in the public interest (see Art. 21 para. 6 GDPR).

We will also inform you separately about your right to object in the individual sections (e.g. by stating: “You have the right to object”), if this right exists. There you will also find further information on exercising your right to object.

In order to keep the following privacy policy concise, we provide links at various points to information and data protection notices on external websites. We make every effort to keep the links that we list in this privacy policy up to date. Nevertheless, due to the constant updating of the websites, it cannot be ruled out that links may not function correctly. If you notice such a link, we would be pleased if you let us know so that we can update the link.

3. Who is responsible for processing my personal data and how can I contact the data protection officer?

You can contact our data protection officer by email at finn@datapods.app.

The controller within the meaning of Art. 4 No. 7 GDPR for the processing of personal data is:

Datapods GmbH

Kölnstraße 179b 53111 Bonn

E-mail: kontakt@datapods.app

represented by: Jakob Endler, Lukas Stein, Finn Rübo, David Goldschmidt.

4. What categories of data do we process as Datapods and where do they come from?

We process your personal data (e.g. from your requests submitted to us, such as downloading our application) in connection with the delivery of Datapods services. The extent to which we collect, process and use this data depends on the services provided by Datapods. This is usually the following data in particular:

• First name and surname,
• date of birth,
• place of birth,
• e-mail addresses,
• postal address,
• cell phone number,
• nationality,
• IP address.

When processing your personal data, we differentiate between personal data that we collect directly from you and personal data that we receive from other sources.

4.1 Personal data that we collect directly from you

We collect the personal data that you provide to us when downloading our application (“Datapods App”) or when using Datapods, as well as master data that is transmitted via interfaces of the companies for which we offer a portability or download function. We also collect personal data that we request from you for the proper delivery of Datapods. Please refrain from transmitting your data if you do not agree to it being processed. In this case, no further processing will take place.

4.2 Personal data that we receive from other sources

We use data collected by third party companies for data processing that we receive via portability and download functions of respective companies. This data is transferred to servers in Amsterdam, Netherlands, where it is categorized and encrypted. The encrypted data is stored in our database operated by Supabase (data center in Frankfurt, Germany). We have concluded order processing contracts with the operators of these data centers. Your third-party user data is encrypted at rest with AES-256 and stored in our databases on Supabase servers that are certified according to SOC2 type 2. During transmission, the data is encrypted using TLS. Sensitive information such as access tokens and keys are encrypted at the application level before they are stored in the database.

4.2.1 Google

The transfer of personal data from Google, takes place by means of your authentication via your Google account.

Methode 1

After successful authentication, exports of Google data can be carried out via Google Takeout and stored in your Google Drive. We access your Google Maps, Chrome and YouTube data. This data is encrypted by us and used for further analysis and visualization.

The data we use for further analysis and thus process and store is:

• the browsing data, in particular the URL, the icon and title and the client ID, page transition as well as the time of access,
• the location data, in particular latitude and longitude as well as the time of the location retrieval,
• YouTube history, in particular video title, video URL, channel name, channel URL, advertisements played and time of access.

Methode 2

After successful authentication, exports of Google data can be carried out via the Google Data Portability API. We access your Google Maps, Chrome-, Play and MyActivity data. This data is encrypted by us and used for further analysis and visualization.

The data we use for further analysis and thus process and store is:

• the browsing data, in particular the URL, the icon and title and the client ID, page transition as well as the time of access of webpages in the past,
• the maps data, in particular your pinned trips and your electric vehicle profile,
• the my activity data, in particular your Maps activity, your My Ad Center activity, your Google Search activity, your Shopping activity and your YouTube activity including time of access,
• the play data, in particular information about your devices with Google Play Store installed, your Google Play Store Grouping tags created by app developers, your Google Play Store app installations, your Google Play Store downloads, including books, games, and apps, information about your Google Play Store promotions, your Google Play Store purchases, your Google Play Store redemption activities, your Google Play Store subscriptions.

The use of information received from the Data Portability API adheres to the Data Portability API user data and developer policy, including the Limited Use Requirements.

Security of your Google data

This data is used within the Datapods application exclusively for visualization purposes. Your Google user data will never be passed on to third parties (except to sub-processors as stated in this declaration) without your consent.

To verify the security of the Datapods app to Google, Datapods has passed the Cloud Application Security Assessment (CASA).

4.2.2 Meta

The transfer of personal data from Meta, takes place by means of your authentication via your account for the respective Meta service.

Instagram

After successful authentication, exports of Instagram data can be carried out via the Download Your Information function (DYI) stored in your Google Drive. We access the information about your activity, personal information, connections, logged information, security and login information, apps and websites off Instagram, preferences and ads information. This data is encrypted by us and used for further analysis and visualization.

The data that we use for further analysis and thus process and store is:

• the activity data, in particular likes,
• the profile data, personal information, device information and information about you,
• the connections data, in particular the followers and following data,
• the logged data, in particular link history, past Instagram insights and last searches,
• the app and website data outside of Instagram,
• the ads information, in particular the advertisements and companies on Instagram, advertising activity and advertisements and topics.

4.2.3 Apple

The transfer of personal data from Apple, takes place by means of your authentication via your Apple account.

After successful authentication, exports of Apple data can be carried out via the Apple Account Data Transfer API. We access your App Install and Push Notifications Activity data and App Store Information. This data is encrypted by us and used for further analysis and visualization.

The data we use for further analysis and thus process and store is:

• the App Install Activity, in particular data related to your installation of any application in iOS, such as "first time install", "re-install", "auto update", etc.,
• the Push Notifications Activity, in particular data on your user experience impression and click data associated with your push notifications for various services across iOS, macOS, iPadOS, and tvOS.,
• the App Store Information, in particular your App Store Click Activity, Apple ID Device Information, Pre-order History, Report a Problem Refund and Dispute History, Review Profile, Reviews, Store Redownload and Update History, Store Transaction History - Free Apps, Store Transaction History, Subscription Click Activity, Subscription History, Votes,

The use of information received from the Apple Account Data Transfer API adheres to the Apple Account Data Transfer API user data and developer policy.

4.2.4 Data rentention

This data is made available for the duration of your use of the Datapods App and deleted if you so wish or if you permanently delete your Datapods account.

5. Who has access to my personal data?

Our systems are developed according to the principles of privacy by design. We ensure that our employees only have access to the personal data that is absolutely necessary to provide our services. Our employees generally do not have access rights to your personal data that is processed in the Datapods App and allows identification (such as personal details, third-party company data or usage data). The only exceptions are developers who work on the database as part of the tasks listed below ("Authorized Personnel"). All available data is stored in encrypted form in our Supabase database (data center in Frankfurt, Germany).

There are some exceptions to this principle of privacy by design in which Authorized Personnel may access your personal data:

• Support requests: if you contact our support, it may be necessary for Authorized Personnel to access your personal data to help you resolve issues.
• Explicit consent: If you provide us with personal data within the Datapods App with explicit consent, e.g. to optimize our data analysis or to improve our services.
• Regulatory requirements: Where we are required to do so by law or regulation, for example as part of requirements to combat money laundering or terrorist financing.
• Contract processing: To ensure the proper processing of the services of the Datapods App, Authorized Personnel may access the personal data required to carry out the process (e.g. pseudonymization key or order status).
• Data Monetization Platform: If you agree to pass on your data to cooperation partners via the Datapods App, it may be necessary for Datapods to access your data in order to process the transfer. The data will only be passed on to third parties in pseudonymized and aggregated form if you have expressly concluded a user agreement with us for participation in the data marketing platform.
• Further development and maintenance: To be able to continuously offer the services of the Datapods App, to improve them and to be able to develop and offer new functions.
• Beta test: If you are a participant in our beta test, it may be necessary for the purposes of the beta test for Datapods employees to have unencrypted access to your personal data. There is a separate consent for this as part of the beta test user agreement, which must be explicitly agreed to in order to participate in the beta test.

6. What is the purpose and the legal basis of processing my personal data?

6.1 To fulfill our contractual obligations, Art. 6 para. 1 lit. b) GDPR.

We collect your personal data in order to provide our Datapods App at your request, with which you can download, manage and visualize your personal data from various companies. The applicable legal basis is Art. 6 para. 1 lit. b) GDPR, which permits the processing necessary for the performance of a contract or in order to take steps prior to entering into a contract.

This data is collected:

• to provide a mobile application with which you can log into your user accounts of third party companies and retrieve data from them via dedicated APIs, e.g. Google Takeout,
• for the automated creation of categorizations and analyses based on the provided third party user account data (e.g. Chrome history, YouTube history, location data),
• to visualize and analyze your data within the Datapods App,
• to answer queries relating to the provision of the Datapods App,
• to manage and analyze your data and to improve the services we offer,
• to conclude and manage a data monetisation agreement with Datapods,
• for forwarding to service providers for the purpose of carrying out an identity check in compliance with money laundering regulations, if necessary,
• to fulfill regulatory requirements to which we are subject to, in particular to combat money laundering and terrorist financing.

If necessary, we process your personal data at your request for the purpose of arranging, fulfilling and/or terminating a contract to be concluded with us or subsequently concluded or another contract to which you are a party (see User Agreement for the Datapods App). In particular, we create a file for your identification when you contact us for the purpose of providing the contractually agreed service. In order to fulfill the contract, we also create needs analyses, manage and service your contract or improve these processes.

6.2 To fulfill our legal obligations, Art 6 para. 1 lit. c) GDPR.

We may collect and process your personal data in order to comply with legal obligations to which we are subject. This includes, for example, compliance with regulatory requirements or legal requirements that apply to the performance of our services.

6.3 To protect our legitimate interests and the interests of other controllers or third parties in data processing, Art. 6 para. 1 lit. f) GDPR.

We process your personal data to protect our legitimate interests where this is necessary. This includes:

• the improvement and further development of our app and services,
• carrying out security analyses to ensure the security of your data
• processing support requests and ensuring the proper operation of the app
• the sending of advertising information, unless you have objected to this
• conducting market and opinion research in order to better adapt our services to the needs of our users
• the assertion and defense of legal claims.

6.4 To process your data based on your consent, Art 6 para. 1 lit. a) GDPR.

If you have given us your explicit consent, we will process your personal data for specific purposes agreed by you. These may include the following:

• the forwarding of promotional information, e.g. by email,
• the optimization of our analyses, such as the improved visualization of your data
• participation in the Datapods Datadividend, where your data can be shared with cooperation partners in a pseudonymized and aggregated manner.

7. Will my data be shared with third parties?

Your data will not be passed on to third parties unless you conclude a user agreement with us for participation in the Datapods Data Monetization Platform that goes beyond the User Agreement for the Datapods App.

8. Which companies do we contact to import the personal data in the Datapods App?

In order to import your personal data from companies into the Datapods App and display it there, we have to contact the relevant companies directly or via you. Depending on the company, data is processed by us for authentication and other purposes. Providing your personal data is neither legally nor contractually required. However, if you do not provide it, you will not be able to use the main functions of our app.

We contact the following companies to provide the functions of the Datapods app:

8.1 Google

Google collects a range of data when you log into your account via our app. This may include, for example, unique identifiers, the type and settings of the browser, the type and settings of the device, the operating system, mobile network information such as the name of the mobile network provider and the telephone number as well as the version number of the app. In addition, Google may collect data about the interaction of your apps, browsers and devices with its services. This includes the IP address, crash reports, system activity and the date, time and referral URL of your request.

8.2 Meta

Meta collects a range of data when you log into your account via our app. This may include, for example, unique identifiers, the type and settings of the browser, the type and settings of the device, the operating system, mobile network information such as the name of the mobile network provider and the telephone number as well as the version number of the app. In addition, Google may collect data about the interaction of your apps, browsers and devices with its services. This includes the IP address, crash reports, system activity and the date, time and referral URL of your request.

9. Which third-party providers do we use to provide functions in the Datapods App?

In order to make the Datapods App and its functions available to you, we use the services of various third-party providers to whom we transfer certain personal data. Providing your personal data is neither legally nor contractually required. However, if you do not provide it, you will not be able to use certain essential functions of our app.

We use the following third-party providers provide the functions of the Datapods App:

9.1 Supabase

Supabase is operated by Supabase, Inc, a Delaware corporation headquartered at 970 Toa Payoh North #07-04, Singapore 318992.

9.1.1 Description and scope of data processing

Supabase serves us as a database solution for storing and managing the data you enter in the app. Personal data may be stored, in particular registration data (such as first and last name, e-mail addresses, cell phone number, date and place of birth, postal address) and the data generated through the use of the app. This information is stored on servers in the EU (data center in Frankfurt, Germany) and secured using modern encryption methods.

Supabase does not rule out the possibility that personal data may also be processed on servers in the USA and Singapore. Supabase is not certified in accordance with the EU-US Data Privacy Framework. However, a data processing annex has been concluded with Supabase as part of a data processing agreement that contains the standard clauses of the European Commission, with which Supabase is obliged to process personal data in compliance with the GDPR and to guarantee the same for its sub-processors.

Further information on data processing by Supabase can be found in Supabase's privacy policy. Supabase states that it uses these sub-processors.

Personal data is stored for as long as it is required to fulfill the purpose of processing. Once it is no longer required, the data will be deleted, provided there are no statutory retention obligations.

9.1.2 Purpose of processing

The purpose of this processing is to provide the functionalities of our app and to enable the correct display of our app on your device as part of your user agreement with Datapods.

9.1.3 Data rentention

Personal data is stored for as long as it is necessary to fulfill the purpose of processing. Once this is no longer necessary, the data is deleted, provided there are no statutory retention obligations.

9.1.4 Right to object

You have the right to object to the processing of your data. You can inform us of your objection at any time (e.g. by e-mail to kontakt@datapods.app).

9.2 Google Cloud

Google Cloud is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

9.2.1 Description and scope of data processing

Google Cloud is used by us to process and store data that is generated as part of the process of downloading and making data available to companies. Personal data may be stored, in particular registration data (such as name, e-mail address) and the data retrieved by the requested companies. This data is processed on servers in the EU (data centers in Amsterdam, Netherlands).

Further information on data processing by Google Cloud can be found in Google's privacy policy. According to its own information, Google Cloud uses these sub-processors.

9.2.2 Purpose of processing

The purpose of this processing is to provide the functionalities of our app and to enable the correct display of our app on your device as part of your user agreement with Datapods.

9.2.3 Data rentention

Personal data is stored for as long as it is necessary to fulfill the purpose of processing. Once this is no longer necessary, the data is deleted, provided there are no statutory retention obligations.

9.2.4 Right to object

You have the right to object to the processing of your data. You can inform us of your objection at any time (e.g. by e-mail to kontakt@datapods.app).

9.3 Firebase Cloud Messaging

Firebase Cloud Messaging (FCM) is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

9.3.1 Description and scope of data processing

Firebase Cloud Messaging is used to send push notifications to your device to inform you about relevant events in the app. Personal data such as device and app instance IDs may be processed in order to deliver the messages in a targeted manner. This data is stored on Google servers, whereby Google is obliged to use the standard contractual clauses for the transfer of personal data to third countries for each transfer of personal data to a third country, which also apply to Google as a sub-processor of Datapods.

Further information on data processing by Firebase Cloud Messaging can be found in Google's privacy policy. Firebase Cloud Messaging states that it uses these sub-processors.

9.3.2 Purpose of processing

The purpose of this processing is to provide the functionalities of our app and to enable the correct display of our app on your device as part of your user agreement with Datapods.

9.3.3 Data rentention

Personal data is stored for as long as it is necessary to fulfill the purpose of processing. Once this is no longer necessary, the data is deleted, provided there are no statutory retention obligations.

9.3.4 Right to object

You have the right to object to the processing of your data. You can inform us of your objection at any time (e.g. by e-mail to kontakt@datapods.app).

9.4 Twilio

Twilio is operated by Twilio Inc, 101 Spear Street, 5th Floor, San Francisco, CA 94105, USA.

9.4.1 Description and scope of data processing

Twilio is used to deliver SMS messages, for example to verify your telephone number or to send important notifications. Personal data such as your telephone number and the content of the messages sent may be processed. This data is stored on Twilio servers in Ireland.

Further information on data processing by Twilio can be found in Twilio's privacy policy. According to its own information, Twilio uses these sub-processors.

9.4.2 Purpose of processing

The purpose of this processing is to provide the functionalities of our app as part of your user agreement with Datapods.

9.4.3 Data rentention

Personal data is stored for as long as it is necessary to fulfill the purpose of processing. Once this is no longer necessary, the data is deleted, provided there are no statutory retention obligations.

9.4.4 Right to object

You have the right to object to the processing of your data. You can inform us of your objection at any time (e.g. by e-mail to kontakt@datapods.app).

9.5 Resend

Resend is operated by Resend, Inc, 2261 Market Street #5039, San Francisco, CA 94114, USA.

9.5.1 Description and scope of data processing

Resend is used to deliver e-mail notifications, for example to confirm your e-mail address or to send important messages. Personal data such as your e-mail address and the content of the messages sent may be processed. This data is stored on Resend's servers.

Resend transfers and processes personal data to servers in the USA. Resend is not certified under the EU-US Data Privacy Framework. However, a data processing annex has been concluded with Resend as part of a data processing agreement that contains the standard clauses of the European Commission, with which Resend undertakes to process personal data in compliance with the GDPR and to guarantee this for its sub-processors as well.

Further information on data processing by Resend can be found in Resend's privacy policy. According to its own information, Resend uses these sub-processors.

9.5.2 Purpose of processing

The purpose of this processing is to provide the functionalities of our app as part of your user agreement with Datapods.

9.5.3 Data rentention

Personal data is stored for as long as it is necessary to fulfill the purpose of processing. Once this is no longer necessary, the data is deleted, provided there are no statutory retention obligations.

9.5.4 Right to object

You have the right to object to the processing of your data. You can inform us of your objection at any time (e.g. by e-mail to kontakt@datapods.app).

10. What other data is collected by using third party providers to improve Datapods?

To further improve the Datapods App for you, we use third-party providers to help us understand which functions you use and how you use them. This allows us to better plan new features and improve existing features for you. Providing your personal data is neither legally nor contractually required. However, if you do not provide it, you will not be able to use certain functions of our app.

We use the following third-party providers to improve the Datapods App:

10.1 PostHog

PostHog is operated by PostHog Inc, 965 Mission Street, San Francisco, CA 94103, USA.

10.1.1 Description and scope of data processing

PostHog records and reflects your behavior in our app. The storage of this data is limited in time and is used exclusively to improve our service based on your needs. This allows personal data to be stored and evaluated - in particular the user's activity (which subpages have been visited, which elements have been clicked on), device and browser information (in particular the IP address and operating system) and a tracking code (pseudonymized user ID). The information collected in this way is transmitted by PostHog to a server in Germany and stored there.

Further information on the processing of data by PostHog can be found in PostHog's privacy policy. According to its own information, PostHog uses these sub-processors.

10.1.2 Purpose of processing

The purpose of this processing is to improve the functionality of our app.

10.1.3 Data rentention

The personal data in the form of session recordings are deleted or anonymized after 3 months. The user's activities are stored pseudonymously for as long as they are required to fulfill the purpose of processing, but for a maximum of one year.

10.1.4 Right to object

You have the right to object to the processing of your data. You can inform us of your objection at any time (e.g. by e-mail to kontakt@datapods.app).

11. For how long will my data be stored?

We only process personal data for as long as is necessary to fulfill our contractual and legal obligations. For example, data processing is necessary for the performance and execution of the contract, including the defense and enforcement of civil law claims within the relevant limitation periods. The limitation periods can be up to three years due to sections 195 et seq. of the German Civil Code, the limitation periods can be up to thirty years; the regular limitation period is three years. In addition, the retention obligations under tax law, commercial law, tax law and other statutory retention obligations must be observed. The retention/documentation periods stipulated there are six to ten years plus the limitation period for assessment of a further four years. In order not to violate legal regulations or lose the opportunity to enforce a claim or defend ourselves against such a claim, we reserve the right to delete the data only after the last period that legitimizes the data storage has expired.

12. Can I object to the processing of my personal data?

If we process your data for legitimate interests, you can object to this processing on grounds relating to your particular situation. You have the right to object to the processing of your personal data for direct marketing purposes without giving reasons; this also applies to profiling insofar as it is associated with such direct marketing. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims.

To object to the processing of your data, you can permanently and irrevocably delete your account within the Datapods app at any time. You can also contact us by email using the contact details provided above to revoke your consent.

13. Where can I lodge a complaint?

If you are of the opinion that the processing of your personal data by us is unlawful or that we are violating data protection law for other reasons, you can complain to the supervisory authority responsible for us:

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information

P.O. Box 20 04 44, 40102 Düsseldorf, Germany

Telephone: 0211/38424-0

Fax: 0211/38424-10

E-mail: poststelle@ldi.nrw.de

14. Am I obliged to provide my data?

We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this is the case for the products we offer, you will be informed of this separately.

15. What are my rights as a data subject?

You have the right to:

• to request information as to whether and, if so, which personal data concerning you is being processed, Art. 15 GDPR;
• to request the rectification of inaccurate personal data or the completion of incomplete personal data, Art. 16 GDPR;
• to obtain from us the erasure of personal data concerning you without undue delay, provided that the conditions set out in Art. 17 GDPR are met;
• to demand the restriction of the processing of your personal data, insofar as Art. 18 GDPR provides for this;
• to receive the personal data concerning you in a format that meets the requirements of Art. 20 para. 1 GDPR;
• to data portability under the conditions set out in Art. 20 para. 1 lit. a, b GDPR;
• not to be subject to a decision based solely on automated processing – including profiling – if a decision has only been made in an automated process and this decision significantly affects you. In the event of a rejection, the decision will be reviewed manually by us after you have informed us of your considerations and objections to the decision made in the automated process and requested the manual review, Art. 22 para. 1, 3 GDPR. In addition, you are entitled to view the criteria for the decision.

For requests of this kind, please contact kontakt@datapods.app. Please note that we must ensure that we are actually dealing with the data subject for such requests.

Automated decision-making does not take place in our app.