Privacy Policy for our website RabbitCloud.com and web application RabbitCloud

When you access our website, that is, if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you would like to view our website, we collect the following data, which is technically necessary for us to display our website to you. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR:

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• Amount of data transferred in each case
• Website from which the request comes
• Browser
• Operating system and its interface
• Language and version of the browser software

Hosting We use various hosting/cloud service providers for our website.

DigitalOceans, 251 Little Falls Drive, Wilmington, 19808, USA. Further information on data processing can be found here: https://www.digitalocean.com/legal/data-processing-agreement

Vultr, 319 Clematis Street - Suite 900, West Palm Beach, FL 33401. Further information can be found here: https://www.vultr.com/legal/international-privacy/

Raidboxes GmbH, Hafenstraße 32, 48153 Münster. Further information on data processing can be found here: https://raidboxes.io/legal/privacy/

Scaleway, 8 rue de la Ville l’Evêque, 75008 Paris, France. Further information on data processing can be found here: https://www.scaleway.com/en/privacy-policy/

Exoscale, Boulevard de Grancy 19A, 1006 – Lausanne, Switzerland. Further information on data processing can be found here: https://www.exoscale.com/privacy/

These service providers act as processors on our behalf. The processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR, in not having to maintain our own servers. The server locations are Germany, France, and Switzerland.

It is possible that data may also be transferred to the USA. According to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. Data transfers to the USA are therefore based on the Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, alternatively you can request these documents from us using the contact details provided in section 1.

We also use fonts from Google Fonts on our website. We have installed the Google Web Fonts locally. As a result, no connection or data transmission to Google servers or to the USA takes place.

This website uses cookies in part. Cookies do not cause any damage to your device and do not contain viruses. Cookies are used to make our service more user-friendly, effective, and secure. Cookies are small text files that are stored on your device and saved by your browser.

A distinction is made between session cookies, which are deleted immediately after you close your browser, and persistent cookies, which are deleted only after a certain period of time.

In addition to cookies, similar technologies (such as tracking pixels, web beacons, etc.) may also be used. In connection with cookies and similar technologies, further processing such as marketing, analysis/tracking, etc. may also occur. The same statements regarding cookies also apply to similar technologies and the other related processing activities.

With the help of cookies, we can, for example, measure the reach of our services and tailor them to your interests, thereby optimizing our offering and our marketing measures.

To manage the cookies used and related consents, we use a consent tool. Details on the cookies we use (purpose, storage duration, external service providers, etc.) and the consent tool can be found in the consent tool we provide.

We use Cookieyes, CookieYes Limited
3 Warren Yard Warren Park, Wolverton Mill, Milton Keynes, United Kingdom, MK12 5NW.
Information on data processing by Cookieyes can be found here:
https://www.cookieyes.com/privacy-policy/

Storing and retrieving information through cookies on end devices is generally only permitted with your prior consent. An exception applies where storage and retrieval are necessary for the operation and functionality of the website. This includes, for example, the display of the shopping cart (also for future visits), or the maintenance of system security. Consent is not required for cookies that are necessary for the operation of the website/online shop. With regard to this data processing, there is also no right of withdrawal.

If personal data is processed by individual cookies we use, processing is carried out in accordance with Art. 6(1)(b) GDPR for the performance of the contract, or in accordance with Art. 6(1)(a) GDPR if consent has been given, or in accordance with Art. 6(1)(f) GDPR to protect our legitimate interests in the best possible functionality of the website as well as a customer-friendly and effective design of the site visit.

Consent granted for the use of cookies also applies to the use of similar technologies and related processing activities.

If you refuse your consent to the use of cookies or otherwise prevent their storage, the proper functioning of our online services may be impaired.

You can prevent the storage of cookies by adjusting your browser settings accordingly. Depending on the browser you use, you can find more information here:

Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Chrome: https://support.google.com/chrome/answer/95647?hl=en
Internet Explorer / Edge: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
Safari: https://support.apple.com/en-us/guide/safari/sfri11471/mac

You can also find further opt-out options here: https://www.youronlinechoices.eu/, https://youradchoices.ca/en/tools, https://optout.aboutads.info/, https://optout.networkadvertising.org/?c=1

You can also enable the "Do-Not-Track" function in your browser. For information on the "Do-Not-Track" setting, see: Firefox: https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature
Chrome: https://support.google.com/chrome/answer/2790761?hl=en
Internet Explorer / Edge: https://support.microsoft.com/en-us/help/17288/windows-internet-explorer-11-use-do-not-track
To prevent cross-site tracking in Safari, use the following link: https://support.apple.com/en-us/guide/safari/sfri40732/12.0/mac

If you have given your consent to the use of cookies, you can manage your settings in our consent tool. (Cookie Settings)

Google Tag Manager, Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland. The Tag Manager is a management tool that does not set or store cookies itself. The Tag Manager manages the tags that are set by other tracking tools. Through the Tag Manager, these tags are forwarded to the respective tool in anonymized form. Therefore, the tool providers used only access these anonymized tags from the Tag Manager. Legal basis: Your consent pursuant to Art 6 para. 1 lit a GDPR and Art 6 para. 1 lit. f GDPR. Data transfer to the USA is therefore carried out on the basis of the Standard Contractual Clauses pursuant to Art. 46 para.2 lit. c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or alternatively, you can request these documents from us using the contact options provided in section 1. For detailed information on the use of cookies, please see here URL of the consent tool.

Facebook Pixel & Facebook Conversion API; Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are residing in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). Website: https://www.facebook.com/business/help/744354708981227?id=2469097953376494 Further information on data processing by Facebook: https://www.facebook.com/business/help/1474662202748341?id=2469097953376494&locale=de_DE, https://de-de.facebook.com/privacy/explanation, https://de-de.facebook.com/policies/cookies/ Legal basis: Your consent pursuant to Art 6 para. 1 lit a GDPR and Art 6 para. 1 lit f GDPR. Data is transferred to the USA. Data transfer to the USA is therefore carried out on the basis of the Standard Contractual Clauses pursuant to Art. 46 para.2 lit. c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or alternatively, you can request these documents from us using the contact options provided in section 1.

Hotjar, Hotjar Limited (Level 2 St. Julian’s Business Centre 3, Elia Zamnit Street, St. Julian’s, STJ 1000, Malta). The server location is Ireland. More information about data processing by Hotjar: https://www.hotjar.com/legal/policies/privacy/ Legal basis: Your consent pursuant to Art 6 para. 1 lit a GDPR and Art 6 para. 1 lit f GDPR.

ActiveCampaign, 1 North Dearborn St, 5th Floor, Chicago, IL 60602. More information about data processing by ActiveCampaign: https://www.activecampaign.com/legal/privacy-policy Legal basis: Your consent pursuant to Art 6 para. 1 lit a GDPR and Art 6 para. 1 lit f GDPR. Data transfer to the USA is therefore carried out on the basis of the Standard Contractual Clauses pursuant to Art. 46 para.2 lit. c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or alternatively, you can request these documents from us using the contact options provided in section 1.

Google Analytics & Google Ads, Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland. More information about data processing by Google Analytics/Google Ads: https://support.google.com/analytics/answer/6004245?hl=de Legal basis: Your consent pursuant to Art 6 para. 1 lit a GDPR and Art 6 para. 1 lit f GDPR. Data transfer to the USA is therefore carried out on the basis of the Standard Contractual Clauses pursuant to Art. 46 para.2 lit. c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or alternatively, you can request these documents from us using the contact options provided in section 1.

You can permanently opt out of cross-device remarketing/targeting by disabling personalized ads in your Google Account; to do so, follow this link: https://www.google.com/settings/ads/onweb/

We have enabled the "IP anonymization" function. This means that your IP address will be shortened by Google within member states of the European Union or in other states that are party to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website and this app, Google will process this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.

If you contact us (by phone, contact form, email, messenger services, or via social media), we require your personal data (name, contact details such as phone number or email address) in order to process your inquiry or request. The processing of your personal data is carried out on the basis of Art. 6 (1) (b) GDPR. This personal data may be stored in a CRM system (“Customer-Relationship-Management System”) or comparable systems for managing inquiries. This allows us to efficiently organize incoming contacts. The processing of your personal data in this context is based on Art. 6 (1) (f) GDPR. We delete the data when it is no longer necessary or – in the case of statutory retention obligations – restrict processing. We review the necessity every six months.

WhatsApp Business We use the instant messaging service WhatsApp for communication with customers and third parties. The provider is WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We use the WhatsApp Business version. Communication takes place via end-to-end encryption (peer-to-peer). This prevents third parties or WhatsApp itself from accessing the content of the communication. However, WhatsApp does have access to the following data:

• Sender
• Recipient
• Time

According to WhatsApp, it shares personal data of its users with its US-based parent company Facebook. The transfer of data to the USA is based on the standard contractual clauses of the EU Commission, which WhatsApp has recognized: https://www.whatsapp.com/legal/business-data-transfer-addendum. More information about WhatsApp's data processing can be found at: https://www.whatsapp.com/legal/#privacy-policy. The use of WhatsApp is based on our legitimate interest in simple and effective communication with customers and third parties in accordance with Art. 6 (1) (f) GDPR and on your explicit consent in accordance with Art. 6 (1) (a) GDPR. If corresponding consent is requested, data processing will be carried out exclusively on the basis of this consent. This consent can be revoked at any time with effect for the future. We have configured our WhatsApp accounts so that there is no automatic synchronization with the address book on the smartphones in use.

Upvoty We use the software "Upvoty" from Upvoty, Hurksestraat 19, 5652 AH, Eindhoven, Netherlands. Upvoty is a software program that allows for the collection and management of customer feedback. The use of this software serves the purpose of improving our offer and better meeting customer needs. We collect the comments and feedback of our users via a widget in our app and website. The following data is usually collected:

• IP address
• Browser identifier
• Customer number
• Email address
• Content of the feedback message

The legal basis for processing is your explicit consent, Art. 6 (1) (a) GDPR. More information on data processing by Upvoty can be found here: https://www.upvoty.com/gdpr/

We process your customer and contact data as well as your contract history in order to provide you with information about our company, our services, and products. This is done to improve and develop our services and products and to offer you personalized communication with tailored offers and products. The legal basis for this processing is Article 6(1)(f) GDPR.

This is an integrated software solution that covers various aspects of our online marketing, including:

• Email marketing
• Chat function, messaging services
• Reporting (e.g., traffic sources, accesses, etc.)
• Contact management (e.g., user segmentation & CRM)
• Contact forms
• Push notifications

The contents of our website are stored on servers of our service provider. They may be used by us to contact visitors to our website and to determine which of our company's services are of interest to you. We use all collected information exclusively to optimize our marketing measures.

We use various service providers for our online marketing based on our interest in optimizing our marketing activities and improving the quality of our services on the website. The legal basis for the use of these services is therefore Article 6(1)(f) GDPR.

Postmark is a service provided by ActiveCampaign; ActiveCampaign, 1 North Dearborn St, 5th Floor, Chicago, IL 60602. There is a transfer of data to the USA. According to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. The transfer of data to the USA therefore takes place on the basis of the Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. The Standard Contractual Clauses can be accessed at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or alternatively, you can also request these documents from us using the contact options provided in section 1. Further information on data processing by ActiveCampaign: https://www.activecampaign.com/legal/privacy-policy Further information on data processing by Postmark: https://postmarkapp.com/eu-privacy#gdpr

Crisp IM, 2 boulevard de Launay in Nantes, 44100 France. More information on data processing: https://crisp.chat/de/privacy/

On our website, you have the option to sign up for our free newsletter. When registering, we store your email address and your name.

For activating the newsletter, we use the so-called double opt-in procedure. This means that after your registration, we will send an email to the provided email address in which we ask you to confirm that you wish to receive messages. Additionally, we log the IP addresses you used and the times of your registration and confirmation. The purpose of this procedure is to provide proof of your registration and, if necessary, to clarify possible misuse of your personal data.

The newsletter is sent based on the recipient’s consent, Art. 6 (1) 1 lit. a GDPR, or, if consent is not required, based on our legitimate interest in direct marketing, Art. 6 (1) 1 lit. f GDPR, insofar as this is legally permitted, for example, in the case of advertising to existing customers.

We use ActiveCampaign, 1 North Dearborn St, 5th Floor, Chicago, IL 60602, for sending our newsletters. Data is transferred to the USA. According to the European Court of Justice, there is currently no adequate level of data protection for data transfers to the USA. Data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or alternatively, you can request these documents from us using the contact details provided in section 1. Further information about data processing by ActiveCampaign: https://www.activecampaign.com/legal/privacy-policy

The use of the mailing service provider, the performance of statistical surveys and analyses, as well as the recording of the registration process, are carried out on the basis of our legitimate interests according to Art. 6 para. 1 lit. f GDPR. As a rule, there is no disclosure of personal data collected within the scope of the respective newsletter service to third parties.

We process your data in this context as long as you are our user or you object to this data processing.

Revocation

You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare the revocation by clicking on the link provided in each newsletter email, by emailing info@rabbitcloud.com, or by sending a message to the contact details specified under section 1.

In addition to our website, we are also active on various social media platforms. When you visit our social media presences, certain information about you is processed. If you are logged into your own user account when visiting our presence on the respective social network, the data collected in this context will be directly assigned to your existing account.

It is possible that your personal data is collected even if you are not logged in or do not have an account with the respective social media portal. In such cases, this data collection may occur, for example, through cookies stored on your device or by collecting your IP address.

Social networks store the data they collect about you as user profiles and may use them for purposes of analysis, advertising, and market research.

When you visit our social media presence, we process data about your actions and interactions with our social media presence and your publicly visible profile data (e.g., your name and profile picture). Which personal data from your profile is publicly visible depends on the settings you have made in your social media account.

The purpose of our data processing on our social media presences is to inform customers about offers, products, and company news, as well as to interact with visitors of the social media presences, answer questions, etc. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Data processing is carried out in the interest of our public relations and communication.

When you visit one of our social media presences (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered by this visit. This means that you can exercise your rights (information, correction, deletion, restriction of processing, data portability, and complaint) in principle both against us and against the operator of the respective social media platform.

Please note that despite the joint responsibility with the social media platform operators, we do not have full influence on the data processing operations there. Our possibilities depend largely on the corporate policy of the respective provider.

The data directly collected by us via our social media presence will be deleted by us as soon as the purpose for storing it ceases to apply, you request us to delete it, you revoke your consent to storage, or the purpose for data storage ceases, unless statutory retention requirements apply.

For information on the storage duration of your data on the social media platforms, please refer to the privacy policies of the respective platform operators.

Facebook We have a profile on Facebook. The provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. We have entered into a joint processing agreement (Controller Addendum) with Facebook pursuant to Art 26 GDPR. This agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook profile. You can view the agreement at the following link: https://rabbitcloud.com/de/www.facebook.com/legal/terms/page_controller_addendum. You can adjust your advertising settings independently in your user account. To do so, click the following link and log in: https://rabbitcloud.com/de/www.facebook.com/settings. There is a transfer of data to the USA. According to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. Data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; alternatively, you can request these documents from us using the contact options specified in section 1. For further details on data processing, please refer to Facebook's privacy policy: https://rabbitcloud.com/de/www.facebook.com/about/privacy/

YouTube We use the YouTube video platform, operated by YouTube, LLC, 901 Cherry Ave. San Bruno, CA 94066, USA (“YouTube”), which is a subsidiary of Google. YouTube is a platform that enables the playback of audio and video files.

We have embedded YouTube videos in our pages.

When you access such a page from us, the embedded YouTube player connects to YouTube so that the video or audio file can be transferred and played. In this process, personal data is also transferred to YouTube as the controller. We have no influence on the processing of this data by YouTube.

The processing of the data is carried out based on your express consent pursuant to Art. 6 para. 1 lit. a GDPR. If you do not give your consent, the content on our pages cannot be displayed in full.

As YouTube is a subsidiary of Google, Google's privacy policy applies: https://policies.google.com/privacy?hl=de.

There is a transfer of data to the USA. Data transfer to the USA therefore takes place on the basis of the standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR: https://policies.google.com/privacy/frameworks?hl=de.

The standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; alternatively, you can request these documents from us using the contact options specified in section 1.

4.1 When downloading the app, the respective app store provider collects personal data, including:

• Username
• Email address
• Customer number
• Time of download
• Payment information (if applicable)
• Device-specific identifier

For information on the purposes and scope of data processing, please refer to the provider’s privacy policy: Google Play Store (Android): Google LLC., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA: https://policies.google.com/privacy?hl=en&gl=de

AppStore (iOS): Apple Inc., One Apple Park Way, Cupertino, California, USA, 95014: https://www.apple.com/legal/privacy/

AppGallery (Huawei): AppGallery is a service of Aspiegel SE, a subsidiary of Huawei based in Ireland; 40 Mespil Rd, Ballsbridge, Dublin, D04 C2N4, Ireland https://consumer.huawei.com/minisite/cloudservice/AppGallery-web/common/b0/latest/privacy-statement-de-de.htm

You can register directly in the app or via our website. For both types of registration, we store the following data:

• First name/Last name
• Email address
• Password
• Club/Association
• Language
• Postal code/City/Address
• Phone number
• Signature

These required personal data are mandatory, and without them we cannot provide you access to the app. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR.

Optionally, you can add a profile picture to your profile. This is not required for using the app. Since the data collection is voluntary, reference is made to Art. 6 para. 1 sentence 1 lit. a GDPR. You can remove your picture from your profile at any time.

Hosting

The data collected here is stored on the servers of various hosting providers.

DigitalOceans, 251 Little Falls Drive, Wilmington, 19808, USA. Further information about data processing can be found here: https://www.digitalocean.com/legal/data-processing-agreement

Vultr, 319 Clematis Street - Suite 900, West Palm Beach, FL 33401. More information can be found here: https://www.vultr.com/legal/international-privacy/

Raidboxes GmbH, Hafenstraße 32, 48153 Münster. Further information about data processing can be found here: https://raidboxes.io/legal/privacy/

Scaleway, 8 rue de la Ville l’Evêque, 75008 Paris, France. Further information about data processing can be found here: https://www.scaleway.com/en/privacy-policy/

Exoscale, Boulevard de Grancy 19A, 1006 – Lausanne, Switzerland. Further information about data processing can be found here: https://www.exoscale.com/privacy/

These service providers act as processors on our behalf. The processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR to avoid maintaining our own servers. Server locations are Germany, France, and Switzerland.

It is possible that data is also transferred to the USA. According to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. Data transfer to the USA is therefore based on the Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR. The Standard Contractual Clauses can be accessed at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, or alternatively, you can request these documents from us using the contact details provided in section 1.

When opening and using the app, we also store the following personal data:

• Device type
• Operating system
• IP address
• Language settings
• Device ID
• Cookie data
• Mobile application ID
• Location data

The app requires access to the camera. Photos and videos are only taken if you activate the camera function of the app. The processing of data related to this is carried out with your consent and is therefore based on Art. 6 para. 1 sentence 1 lit. a GDPR.

We send push notifications to our users. On the one hand, to notify about an expected birth and other breeding-related events. On the other hand, to inform about news, updates, features, and special offers.

The following data is stored about your device:

• Device type
• Operating system
• IP address
• Language settings
• Usage data
• Language
• Country

For sending push notifications, we use the provider OneSignal, 2850 S Delaware St # 201, San Mateo, CA 94403. This involves data transfer to the USA. Data transfer to the USA is carried out on the basis of the Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. Alternatively, you can request these documents from us using the contact details provided in Section 1.

Further information on data processing by OneSignal: https://onesignal.com/privacy

Push notifications are only sent to you with your consent; the legal basis is Art. 6 (1) lit. a GDPR. The legal basis for collecting data such as timestamp, push token, and device ID is Art. 6 (1) lit. b GDPR.

For Android (version 5.1 and lower): https://support.google.com/googleplay/answer/6014972?p=app_permissions&rd=1&hl=en For Android (version 6.0 and higher): https://support.google.com/googleplay/answer/6270602?hl=en For iOS: https://www.apple.com/privacy/manage-your-privacy/ For Huawei: https://consumer.huawei.com/de/support/content/de-de15769098/

You have the option to share a rabbit profile with information about rabbit breeds/colors, weight, etc. with other users of the app on the marketplace via your app profile, or through our social media presences. This processing is carried out based on your explicit consent, Art. 6 para. 1 lit. a GDPR.

You can upload your own photos. The app requires permission to access images you have already created. This processing is based on your explicit consent, Art. 6(1)(a) GDPR.

The personal data collected here comes both from the information depicted in the images and from the metadata of the images. You can delete the data collected here at any time yourself. The lawfulness of data processing carried out up to that point remains unaffected. Please note that while other users with whom you share your photos cannot create copies of these images and we technically prevent the redistribution of your images, it cannot be fully excluded that other reproductions may occur (e.g., screenshots).

If you choose payment by bank transfer and direct debit, we will store your name and your bank account details.

The processing, collection, and storage of data related to electronic payments is carried out by our payment service provider, Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland ("Stripe"). Through Stripe, it is possible to offer various payment methods, such as credit card payments or direct debit.

With each payment transaction, Stripe receives data required for processing electronic payments, such as the information you provide during the order process along with details about your order (name, address, account number, bank code, potentially credit card number, invoice amount, currency, and transaction number). The processing of your data by Stripe is necessary for payment processing and, therefore, for fulfilling the contract. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR. This data will be deleted after the statutory retention periods expire. Stripe processes your personal data on our behalf and according to our instructions as a so-called data processor in accordance with Art. 28 GDPR.

The service provider we use in this context, Stripe, which processes personal data for us on our behalf and in accordance with our instructions as a data processor pursuant to Art. 28 GDPR, transfers data to group companies in the USA. The level of data protection in the USA is considered inadequate by the European Commission. Therefore, data transfer to the USA takes place on the basis of the Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR. The Standard Contractual Clauses can be accessed at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE, or alternatively, you can request these documents from us using the contact details provided in section 2.

For further information about data processing by Stripe, please refer to https://stripe.com/at/privacy?tid=311853917

When paying via PayPal, the collection, processing, and storage of electronic payment data is carried out by our partner PayPal (PayPal (Europe) S.à r. l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449, Luxembourg). If you wish to pay via PayPal, you must be registered with PayPal or register first and authorize yourself using your login credentials. The payment transaction will be carried out automatically by PayPal immediately after confirmation of the payment instruction. Further information will be provided during the ordering process. For every payment transaction, PayPal receives data needed to process the electronic payment, such as title, gender, first name, last name, company, address, postal code, city, country, customer number, email, or type of payment. These data are collected directly from you by PayPal and processed by PayPal for payment processing purposes. Disclosure of your data to PayPal is made in accordance with Art. 6 para. 1 lit. b GDPR. Further information on data protection can be found in PayPal's privacy policy: https://www.paypal.com/de/legalhub/paypal/privacy-full. You may object to the processing of your data by PayPal at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for contractual payment processing or if statutory retention obligations exist.

We use the payment provider GoCardless Ltd, Sutton Yard, 65 Goswell Road, London, EC1V 7EN, Great Britain. Due to the United Kingdom's withdrawal from the EU, the European Commission has decided, based on Article 45 of the GDPR, that the UK provides an adequate level of protection. Data transfers are carried out on the basis of this adequacy decision: https://ec.europa.eu/commission/presscorner/detail/de/ip_21_3183

Data is collected via the Google Firebase application integrated into the app. We use Google Firebase Analytics for this purpose. Firebase is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, based on a data processing agreement. The data collected here is stored in the Google Cloud (BigQuery). Storage takes place on a server located in Frankfurt.

We use Google Analytics Firebase to collect general data about the usage of the app, to analyze app usage, and to optimize user guidance. We collect and store the following data: frequency of page views, search terms, use of website features, and duration of visits.

A detailed description of the collected and processed information can be found here: https://firebase.google.com/support/privacy#data_processing_information

The legal basis for the use of the Google Analytics for Firebase service is your consent according to Art. 6 para. 1 lit. a GDPR and our legitimate interest, Art. 6 para. 1 lit. f GDPR.

It cannot be ruled out that data may also be transferred to the USA. The transfer of data to the USA is therefore based on the standard contractual clauses according to Art. 46 para. 2 lit. c GDPR. The standard contractual clauses can be accessed at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. Alternatively, you can also request these documents from us using the contact details provided in section 1.

You can withdraw your consent at any time in the app settings under "Settings -> Privacy".

Our app also uses technology from Sentry, Functional Software Inc., 132 Hawthorne Street, San Francisco, California 94107, for crash analysis. Information about the device used and the usage of our app is collected (e.g. timestamps when the app was started and when the crash occurred) to enable us to diagnose and resolve issues. This personal data is not merged with your other profile information. Chat messages are excluded from this and are not sent with crash reports. We collect this data and transmit it to Sentry in the USA for analysis purposes. On our behalf, Sentry evaluates the data in connection with our app's crashes. The processing of this data is necessary for us to further improve the stability and security of the app and is based on Art. 6 para. 1 sentence 1 lit. f GDPR.

The level of data protection in the USA is considered inadequate by the European Commission. Therefore, data transfer to the USA is based on the Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; alternatively, you can request these documents from us using the contact options provided in Section 1. We have concluded a data processing agreement with Sentry. For more information, please visit: https://sentry.io/legal/dpa/.

Our app uses the Facebook Software Development Kit (SDK). The provider is Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA ("Facebook"). The following data is used:

• App ID
• App version
• App start time

The Facebook SDK enables us to improve the advertising effectiveness of mobile app campaigns run via Facebook and to tailor them for better user experience. Among other things, we can measure the success of advertising campaigns or analyze the user behavior of our app users. Only these pseudonymized data are transmitted to Facebook, which includes the Advertising ID provided by the device's operating system. The legal basis is Art. 6 (1) f GDPR (our legitimate interest in analyzing user behavior to carry out personalized advertising campaigns) or Art. 6 (1) a GDPR (consent you have given). Data is transferred to the USA. The transfer of data to the USA is based on the Standard Contractual Clauses pursuant to Art. 46 (2) c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. Alternatively, you can request these documents from us using the contact details provided in section 1.

We use Revenuecat, 633 Tavara St. Suite 101, San Francisco, CA 94116, USA, for analyzing in-app purchases. Revenuecat notifies us when a purchase has taken place. This allows us to know when to unlock the app for which user. The legal basis is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in ensuring the smooth functioning of the app. Data is transferred to the USA. The data transfer to the USA is therefore based on the Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR. The Standard Contractual Clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; alternatively, you can also request these documents from us using the contact details provided in section 1. You can find more information about data processing here: https://www.revenuecat.com/privacy/

We use the cloud-based service UxCam provided by UXCam Inc., 6250 Cypress Avenue, El Cerrito, CA 94530, USA, to analyze user behavior and improve our app. We have entered into the Standard Contractual Clauses with UXCam in accordance with Art. 46 para. 2 lit. c GDPR. For more information on this and on data processing, see: https://uxcam.com/privacy-policy/

Usage profiles can be created from the collected data under a pseudonym. This mainly includes activity monitoring, behavior analysis, screen performance, data export, offline recording, graphical visualization, and reporting.

When using the UXCam SDK, the following data is collected from the end user's device:

• Consistent random pseudo-ID for each end user
• Device details: type, version, model, operating system (OS)
• Geographical location (country only)
• Device time zone
• Screens visited by the end user (as integrated)
• Session (app opening times) with the end user's activity
• Interaction patterns of the end user in the app (screen actions, gestures: taps, scrolls)
• Personal data to the extent that we permit its transmission.

We have utilized the options offered by UxCam to mask text content and personal data. The data collected with UXCam technologies will not be used to personally identify app users without the explicit separate consent of the individual, and will not be combined with personal data about the bearer of the pseudonym. Processing is based on Art. 6 para. 1 lit. f) GDPR, our legitimate interest in analyzing usage behavior in order to continuously improve our app. You may object to the collection and storage of data at any time with effect for the future using the contact details specified in Section 1 or by email to info@rabbitcloud.com.

To fulfill our contractual obligations, we rely on the services of carefully selected third parties who process the data on our behalf. These are processors with whom we have entered into an agreement in accordance with Art. 28 GDPR. Furthermore, we ensure in advance that our processors comply with all data protection regulations, so your data is always secure.

We process your personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) only if it is necessary to fulfill our (pre-)contractual obligations (according to Art. 6 para. 1 lit. b GDPR), based on your consent (according to Art. 6 para. 1 lit. a GDPR), due to a legal obligation (according to Art. 6 para. 1 lit. c GDPR), or on the basis of our legitimate interests (according to Art. 6 para. 1 lit. f GDPR). The same applies to processing by third parties on our behalf, the disclosure of your personal data to third parties, as well as its transfer to third parties.

Subject to legal or contractual permissions, we only process or have data processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means, for example, that processing is carried out on the basis of special guarantees, such as an officially recognized level of data protection equivalent to that of the EU, or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").

In addition to the system-side deletion of your data described above, your data may also be deleted if you actively delete your account. Furthermore, your account may be deactivated and subsequently deleted if you do not use it for an extended period of time and, based on our experience, we can no longer reasonably expect that you will use it again.

The data we collect here is used to generate a personalized and tailored offer for you. However, this does not constitute automated decision-making according to Art. 22 GDPR, as it does not produce any legal effect concerning you. Nevertheless, we aim to inform you about this as transparently as possible.

You have the right to:

1. Request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you may request information about the purposes of the processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
2. Request the immediate correction of inaccurate or completion of your personal data stored by us in accordance with Art. 16 GDPR;
3. Request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless processing is required to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims;
4. Request the restriction of processing of your personal data in accordance with Art. 18 GDPR, if the accuracy of the data is contested by you, the processing is unlawful but you refuse erasure and we no longer need the data, but you require it for the establishment, exercise or defense of legal claims or you have objected to processing pursuant to Art. 21 GDPR;
5. Receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or request the transfer to another controller in accordance with Art. 20 GDPR;
6. Lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. In general, you may contact the supervisory authority at your usual place of residence or workplace or at our company headquarters for this purpose.

Revocation of Granted Consents

If we process your personal data based on consent you have given in accordance with Art. 6 (1) lit. a GDPR, you have the right to revoke any consent given to us in accordance with Art. 7 (3) GDPR with effect for the future. If you wish to exercise your right of revocation, you can notify us by email at info@rabbitcloud.com. Alternatively, you may also use the contact details listed above under section 1.

Objection to Processing Based on Legitimate Interest

If we process your personal data on the basis of our legitimate interests in accordance with Art. 6 (1) lit. f GDPR, you have the right, pursuant to Art. 21 GDPR, to object to the processing of your personal data, provided there are reasons arising from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without the need to specify a particular situation. If you wish to exercise your right to object, you can notify us by email at info@rabbitcloud.com. Alternatively, you may also use the contact details listed above under section 1.

We take organizational, contractual, and technical security measures in accordance with the state of the art to ensure compliance with data protection laws and to protect the data we process against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Security measures include, in particular, the encrypted transmission of data between your browser and our server.

We reserve the right to change our privacy policy if this becomes necessary due to new technologies or changes in our data processing procedures, or to adapt it to changes in the applicable legal requirements. However, this only applies to this privacy policy. If we process your personal data based on your consent or if parts of the privacy policy contain provisions regarding our contractual relationship with you, any such changes will only be made with your consent.

You can view the current version of our privacy policy at https://rabbitcloud.com/privacy.