1. General Information and Principles of Data Processing

We are pleased that you are using our app. The protection of your privacy and the protection of your personal data, so-called personal data, when using our app is an important concern for us.

Personal data according to Art. 4 No. 1 GDPR is any information relating to an identified or identifiable natural person. This includes, for example, information such as your first and last name, your address, your telephone number, your email address, but also your IP address.

Data that cannot be linked to you, for example through anonymization, is not personal data. Processing (e.g., collection, storage, retrieval, consultation, use, transmission, deletion, or destruction) according to Art. 4 No. 2 GDPR always requires a legal basis or your consent. Processed personal data must be deleted as soon as the purpose of processing has been achieved and there are no longer any statutory retention obligations to be observed.

Here you will find information about the handling of your personal data when using our app. To provide the functions and services of the app, it is necessary for us to collect personal data about you.

We also explain to you the type and scope of the respective data processing, the purpose and the corresponding legal basis, and the respective storage period.

This privacy policy applies only to this app. It does not apply to other websites or apps to which we merely refer via hyperlink. We cannot assume responsibility for the confidential handling of your personal data on third-party websites or apps, as we have no influence on whether these companies comply with data protection regulations. Please inform yourself directly on these websites or apps about how these companies handle your personal data.

2. Data Controller

The entity responsible for processing personal data in connection with the use of the app is: Veluma UG (haftungsbeschränkt), Cosimastr. 121, 81925 Munich, Germany. Phone number: +49 176 20527107, Email: privacy@veluma.me

3. Provision and Use of the App / Server Log Files

a) Type and Scope of Data Processing

When you use this app, we collect technically necessary data via server log files that are automatically transmitted to our server, including:

• IP address

• Date and time of the request

• Name and URL of the retrieved file

• Website from which access was made (referrer URL)

• Access status/HTTP status code

• Browser type

• Language and version of the browser software

• Operating system

b) Purpose and Legal Basis

This processing is technically necessary to display our app to you. We also use the data to ensure the security and stability of our app.

The legal basis for this processing is Art. 6 para. 1 lit. f) GDPR. The processing of the aforementioned data is necessary for the provision of an app and thus serves to protect a legitimate interest of our company.

c) Storage Period

The aforementioned personal data will be deleted as soon as it is no longer required to display the app. The collection of data for the provision of the app and the storage of data in log files is absolutely necessary for the operation of the app. Consequently, there is no possibility for the user to object in this respect. Further storage may occur in individual cases if this is legally required.

Xano (Backend Infrastructure)

We use the services of Xano for our server and database infrastructure. Xano is located in Frankfurt, Germany. Via Xano, we process various personal data, including your email address, the language per profile, the age of individual profiles, the number of generated stories and discoveries, the number of created profiles and their linkage, the designation of relatives (e.g., "Grandma", "Sister"), the name of pets (e.g., "Bello the dog"), the generated story texts, as well as purchase transactions and coin balances. The data flow includes all app functions that communicate with the Xano server in Frankfurt and the user's mobile device. Further information on data protection at Xano can be found at https://legal.xano.com/privacy-notice

Microsoft Azure and Foundry for Discovery Function (Image Analysis)

For Discovery image analysis, we use the services of Microsoft Azure and Foundry in conjunction with the OpenAI LLM. The location of this infrastructure is in Frankfurt, Germany (EU region). OpenAI does not receive any data, as the model runs exclusively on the Microsoft infrastructure. Microsoft Azure and Foundry do not train their models with our prompts, as explained at https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/openai/data-privacy?view=foundry-classic&tabs=azure-portal. The processed data includes photos that the user takes independently. The data flow is from the photo via Xano to Microsoft Azure/Foundry (EU), back to the analysis result, then back to Xano, and finally to the user's mobile device. The Discovery explanations are not stored and are only temporarily available on the mobile device. Further information on data protection at Microsoft Azure can be found at www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

Microsoft Azure and Foundry for Text-to-Audio Function (TTS)

For text-to-audio conversion (TTS), we use the services of Microsoft Azure and Foundry in conjunction with the OpenAI LLM. This function is only available on US servers, which is why the infrastructure is located in the USA. Here too, OpenAI does not receive any data, as the model runs exclusively on the Microsoft Azure infrastructure. The processed data includes the text of the story or discovery to be narrated. No images from the discovery are processed, only the text explanation. In individual cases, personal data could be processed if the user submits photos of personal information for the discovery. The data flow is from the generated text to Microsoft Azure and Foundry (US) for text-to-audio conversion, then to the audio file, then to the Xano server (EU), and finally to the user's mobile device. Microsoft Azure and Foundry do not train their models with our prompts, as explained at https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/openai/data-privacy?view=foundry-classic&tabs=azure-portal. Further information on data protection at Microsoft Azure and Foundry can be found at www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

4. Data Collection for Pre-contractual Measures and Contract Fulfillment

a) Type and Scope of Data Processing

In the pre-contractual area and upon conclusion of a contract, we collect personal data about you. This concerns, for example, first and last name, address, email address, telephone number, or bank details.

b) Purpose and Legal Basis of Data Processing

We collect and process this data exclusively for the purpose of contract performance or fulfillment of pre-contractual obligations.

The legal basis for this is Art. 6 para. 1 lit. b) GDPR. If there is also consent from you, an additional legal basis is Art. 6 para. 1 lit. a) GDPR.

c) Storage Period

The data will be deleted as soon as it is no longer required for the purpose of its processing.

In addition, there may be statutory retention obligations, for example commercial or tax retention obligations under the German Commercial Code (HGB) or the Fiscal Code (AO). If such retention obligations exist, we will block or delete your data at the end of these retention obligations.

5. Data Transmission

We only pass on your personal data to third parties if:

a) You have given your express consent in accordance with Art. 6 para. 1 lit. a) GDPR.

b) This is legally permissible and necessary in accordance with Art. 6 para. 1 lit. b) GDPR for the fulfillment of a contractual relationship with you or the implementation of pre-contractual measures.

c) There is a legal obligation to pass on the data in accordance with Art. 6 para. 1 lit. c) GDPR. We are legally obliged to transmit data to state authorities, e.g., tax authorities, social security institutions, health insurance companies, supervisory authorities, and law enforcement agencies.

d) The disclosure is necessary in accordance with Art. 6 para. 1 lit. f) GDPR to protect legitimate business interests, as well as to assert, exercise, or defend legal claims, and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data.

e) We use external service providers, so-called data processors, in accordance with Art. 28 GDPR in processing, who have been obligated to handle your data with care.

We employ such service providers in the areas of:

• IT infrastructure

• Server infrastructure

• AI models

• Payment processors

When transmitting to external entities in third countries, i.e., outside the EU or EEA, we ensure that these entities treat your personal data with the same care as within the EU or EEA. We only transmit personal data to third countries for which the EU Commission has confirmed an adequate level of protection or when we ensure the careful handling of personal data through contractual agreements or other appropriate guarantees.

6. RevenueCat (Payment Processing)

For payment processing, we use the services of RevenueCat. RevenueCat is located in the USA and is responsible for payment processing for iOS and Android as well as subscription management. Via RevenueCat, we process data such as purchase transactions and history, login information, operating system, location (country), subscription management status including renewals and cancellations, as well as anonymized user IDs. The data flow is from the Apple/Google App Store via RevenueCat to Xano and finally to the Veluma app. Further information on data protection at RevenueCat can be found at www.revenuecat.com/dpa

7. Data Security and Security Measures

We employ technical and organizational security measures to protect your data managed by us against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures are continuously improved in accordance with technological developments.

Access to your data is only possible for a limited group of people and only occurs within the scope of activities necessary to fulfill contractual services.

8. Tracking and Analysis Tools

We currently do not use any tracking or analysis tools in our app. Should this change in the future, we will update this privacy policy accordingly and inform you.

9. Changes to the Privacy Policy

We reserve the right to update this declaration as necessary at any time. The current version of the privacy policy can be viewed in the app. Please inform yourself regularly about the applicable data protection regulations.

10. Rights of Data Subjects

You have the following rights:

• Right to information about your data stored with us

• Right to rectification of incorrect personal data

• Right to deletion of your data stored with us, provided that no legal retention obligations prevent this

• Right to restriction of processing of your personal data

• Right to data portability

• Right to object to the processing of your personal data

To exercise your rights, you can contact the data controller specified above at any time.