Privacy Statement

Privacy Policy for Cosmy's Online Offering

We as the provider of the Cosmy app (hereinafter also "App") and the associated internet offering at http://www.cosmy.com/ (also "Internet Offering") are responsible in the sense of the applicable data protection law, in particular the General Data Protection Regulation ("GDPR"), for the processing of personal data of the user ("You") of the Apps and the Internet Offering.

Personal data is defined in the GDPR as all information relating to an identified or identifiable natural person.

In the following, we will inform you clearly within the framework of our information obligations (Art. 13 et seq. GDPR) about which personal data is processed when using our Apps and our Internet Offering and on what legal basis this happens. You will also receive information about your rights vis-à-vis us and vis-à-vis the competent supervisory authority.

1. Contact details

Responsible for data processing is Joyride GmbH, Bartenbacher Str. 4, 73033 Göppingen, E-Mail: privacy@cosmy.com.

We have appointed a data protection officer, whom you can reach for data protection requests of all kinds at Data Protection Officer c/o Joyride GmbH, Bartenbacher Str. 4, 73033 Göppingen, E-Mail: privacy@cosmy.com.

The data protection supervisory authority responsible for our company headquarters is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, reachable at https://www.baden-wuerttemberg.datenschutz.de/ and by e-mail at poststelle@lfdi.bwl.de. Further contact details for the data protection supervisory authorities of other federal states can be found at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.

2. Data transfers to third countries

If personal data is transferred to one or more states outside the scope of the GDPR ("Third Country") when using our App or our Internet Offering, we will inform you separately about this in this privacy policy. Any transfer to third countries takes place within the framework of the legal requirements. In the case of data transfer to the United States of America, this means that the requirements of the applicable adequacy decision of the EU Commission are observed.

3. Use of our Internet Offering

When using our Internet Offering, different data processing may occur depending on the type of use.

a) Hosting

Our Internet Offering is operated on the servers of the CDN provider Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter "Webflow"). This means that the data we collect when you visit our Internet Offering may also be processed and stored in the USA.

The legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. f GDPR, as it is our legitimate interest to use the services of a professional provider for the secure and efficient provision of our website.

We have concluded an order processing agreement with Webflow in accordance with Art. 28 GDPR.

If a data transfer to the USA takes place, the level of data protection is ensured by an adequacy decision of the EU Commission, whereby Webflow is certified under the EU-U.S. Data Privacy Framework: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TT9jAAG&status=Active.

‍b) Informational Use

When you access our Internet Offering, our web servers automatically collect general information that is technically necessary for the presentation of the Internet Offering. This includes the web browser used, the operating system used, the domain name of your Internet Service Provider, the IP address of the terminal device you are using, the website from which you visit us, the pages of our Internet Offering you visit, and the date and duration of your visit.

We are not able to use this data to identify you. This information is only statistically evaluated by us to improve the functionality of our Internet Offering. The legal basis for this data processing is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Insofar as we ask for your consent, the data processing is based on consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. Your consent can be revoked at any time.

c) Special forms of use

Special forms of use of our Internet Offering may lead to us processing further personal data from you.

d) Contacting us

You have the possibility to contact us by e-mail, by phone or via our contact form. Your personal data transmitted in this way will be stored by us. The data will be processed exclusively to process your contact. The legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process the data for the processing and answering of your inquiry. The data will be stored until it is no longer required for the purpose of the conversation with you and the matter of your contact has been fully clarified.

Another legal basis for our processing is, for example, if you have expressly consented to the processing of your data when using our contact form, your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your given consent at any time.

If your contact aims at concluding a contract with us, the additional legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. b GDPR. This data will be stored for as long as it is necessary for the performance of the contract or pre-contractual measures. Beyond that, we only store your data to comply with legal obligations (e.g. tax obligations) (Art. 6 para. 1 sentence 1 lit. c GDPR).

In addition to the data you voluntarily provide us with, we may receive the time (date and time) of the transmission of your data to us, as well as your IP address. The processing of this data corresponds to our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) to ensure the security of our systems and to counteract misuse. This data, which we additionally collect during your contact, will be deleted as soon as it is no longer needed, at the latest when the matter of your contact has been fully clarified.

A comparison of data communicated by us in the course of a contact with other data collected from you only takes place if you have given us your express consent to do so. This consent can be revoked at any time. You can inform us at any time that we should delete the data communicated in the course of the conversation. In this case, all personal data of the conversation will be deleted, as far as permissible, and a continuation of the conversation is not possible.

e) Third-party tools

Our Internet Offering uses functions offered by service providers commissioned by us. If personal data is processed by the service provider on our behalf within the framework of these functionalities, we have concluded an order processing agreement with this service provider in accordance with Art. 28 GDPR. This means that the service provider only processes personal data whose processing is necessary for the functionality offered by them, and that we ensure through legal, technical and organizational measures as well as regular controls that the manner of this data processing complies with the legal requirements. In particular, our service providers are not permitted to pass on personal data processed by them in this context or to use it for other purposes, e.g. their own commercial purposes.

Links to Social Networks

Our Internet Offering includes links to the social networks Facebook, Tiktok, YouTube, LinkedIn and Instagram. These are merely graphics with a link that redirects you to the corresponding social network when you click on the graphic. If you do not click on the link, we do not transmit any personal data to the corresponding social network. However, if you click on the link and are redirected to the corresponding social network, the processing of personal data there takes place outside our Internet Offering.

4. Download of our App

You can download our App from an app store of your choice (Apple App Store or Google Play Store, hereinafter "Store") to a suitable terminal device (hereinafter generally "Smartphone"). When you download one of our Apps to your smartphone, the necessary information, i.e. in particular your Store username, e-mail address and customer number of your account, time of download, payment information and the individual device identifier, are transferred to the respective Store. We have no influence on this data collection and are not responsible for it. We only process this data insofar as it is necessary for downloading the app to your smartphone. This data is not stored by us beyond that.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. f GDPR, as it is our legitimate interest to enable you to download and install the App by processing the data required for this.

5. Use of our App

a) Hosting

Our App is operated on the servers of Zurkuhl GmbH, Fester Straße 54, 40882 Ratingen, Germany (hereinafter "Zurkuhl"). This means that the data we collect during the general use of one of our Apps is initially stored in Germany and thus within the EU.

The legal basis for this processing of your personal data is Art. 6 para. 1 sentence 1 lit. f GDPR, as it is our legitimate interest to use the services of a professional provider for the secure and efficient provision of our App.

We have concluded an order processing agreement with Zurkuhl in accordance with Art. 28 GDPR.

At this point, we would like to transparently point out that we cannot map certain functionalities of our App and in particular the personalized advertising measures, which primarily finance the App you use in individual cases, on Zurkuhl's servers, but are dependent on the tools, services and advertising networks of third-party providers for this. These providers are often located in third countries (e.g. the United States of America), so that data transfers to third countries typically occur in this context. Further information on these data processing and transfers can be found in the following sections.

b) General information on the use of our App

An internet connection is established during the use of our App. In this process, we collect and process many different personal data, in particular data that you actively enter (e.g. place of birth, date of birth) as well as data that arises during the targeted use of the individual app functions (e.g. interaction with the chatbot, start of a session).

The processing of this personal data is technically necessary to comfortably provide you with the functions of the App you are using in the individual case, as exemplified above and many others, and to ensure the stability and security of our information technology systems.

The following possibly personal data are processed at the start of a session:

  • IP address
  • Smartphone model
  • Operating system version
  • Device ID
  • Date and time of session start
  • Time zone difference to Greenwich Mean Time (GMT)
  • Assignment to your user account, if such exists

In the event that you use further functions of our App, the personal data required for the function you have chosen will be processed in addition to the aforementioned data, such as:

  • Date and time of interaction
  • Time zone difference to Greenwich Mean Time (GMT)
  • The message content when interacting with the chatbot
  • Data on created relationships
  • The purchased product in the case of an in-app purchase

The specific personal data thus transparently result from your respective interaction with the respective App.

An assignment of such data to your person is generally possible. However, we only store this data temporarily. As soon as the data is no longer required for the aforementioned purposes, we delete it immediately. The storage period therefore depends on the category of data. Registration data and data on purchases are stored for the duration of the registration. Data on messages are stored for 6 months.

In general, we delete your personal data immediately from our live system when you delete your user account with us. After deleting the user account, we only store pseudonymous data for statistical evaluation of app usage, detached from individual users, and data that we need to comply with our legal obligations (e.g. tax obligations).

The processing of this data is necessary for the provision of our App with its various, modern functions. The legal basis is therefore our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. For individual functions, we may rely on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. Insofar as we have contractually committed ourselves to providing the App to you, the legal basis for data processing for which we do not obtain consent is the performance of the contract pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR.

The storage of data due to our legal obligations is based on Art. 6 para. 1 sentence 1 lit. c GDPR.

c) Registration for the App

To use our App, you must register as a user within the App you are using in the individual case. For this, you must provide us with the following information:

  • Connection to Social Login (Apple Login, Google Login)
  • Desired username
  • Gender identity
  • Date of birth
  • Place of birth
  • Place of residence
  • Relationship status

We process this data for the purpose of providing the functions associated with your account, i.e. for the performance of a contract with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR. In addition, the relevant information is required to fulfill the main function of the respective App, to network users with similar interests. This suggestion function requires a minimum amount of information to be provided by users. A further legal basis is therefore our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

When logging in via a social login using an existing Google or Apple account, we process the email address you have stored with Google or Apple. In this case, Google or Apple receives the information that you have registered or logged in to our App. It is possible that Google or Apple in this context processes further personal data, for example about your smartphone, as part of a usage profile and uses this, for example, for advertising or market research purposes. You have a right to object to this, which you must exercise vis-à-vis Google or Apple.

d) App Permissions

For the use of individual functions of our App, it is necessary to grant the App you are using in the individual case certain permissions. If you do not wish to grant these permissions, you cannot use the corresponding functions.

  • If you wish to automatically fill in your place of birth or residence, you can share your location for this purpose. The exact location is not permanently stored.
  • You can allow the App to send you notifications, for example, to be informed about your daily horoscope.

The legal basis for the processing of personal data following these permissions is in each case the performance of a contract pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR. The legal basis for subsequent access to information on your terminal device and storage of information on your terminal device following the granting of permission is § 25 para. 2 no. 2 TTDSG.

You are free to grant and revoke the corresponding permissions to the App at any time. The mere granting of permissions does not permanently store any additional personal data. Rather, the use of the respective functions by you is decisive.

e) Use with consent to measure advertising performance

We use the analysis service Appsflyer in our App, operated by AppsFlyer Ltd., Maskit 14 Hertzliya, Israel. Appsflyer enables us to measure the effectiveness of our advertising measures and to understand how users install and use our App (so-called "attribution"). Pseudonymous data about the use of the App (e.g. installation source, interactions within the App, technical device information) may be processed.

The processing takes place only if you have expressly consented to it (Art. 6 para. 1 lit. a GDPR). You can voluntarily give or refuse your consent at any time, without affecting the use of the App.

You can revoke your consent at any time with effect for the future in the data protection settings of the App. After a revocation, no further data will be transmitted to Appsflyer.

Appsflyer may also process data in countries outside the EU/EEA (in particular in Israel and the USA). For Israel, an adequacy decision of the EU Commission exists; for other transfers, appropriate safeguards according to Art. 46 GDPR (e.g. standard contractual clauses) exist. Further information can be found in Appsflyer's privacy policy at:

https://www.appsflyer.com/legal/services-privacy-policy/

f) Further functionalities

Our App has further functions that are intended to make use safer and more pleasant and serve to expand and improve our offering.

If personal data is processed on our behalf by the service provider in this respect, we have concluded an order processing agreement with this service provider in accordance with Art. 28 GDPR. This means that the service provider only processes personal data whose processing is necessary for the functionality offered by them, and that we ensure through legal, technical and organizational measures as well as regular reviews that the manner of this data processing complies with the legal requirements.

Sentry

We use the software Sentry for monitoring the stability and for error analysis of our App. Sentry helps us to identify and fix technical problems (e.g. crashes, performance problems or unexpected program errors) in order to continuously improve the functionality and security of our App.

All data incurred in this process is processed exclusively on our own servers and not passed on to third parties.

In the course of error detection, technical information about the terminal device used, the operating system, the app version as well as times and circumstances of the occurrence of an error can be processed. This data is pseudonymized as far as possible and not used to identify individual users.

The processing is based on Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in error analysis, stability assurance and improvement of the technical reliability of our App.

The collected data is only stored for as long as it is necessary for the analysis and rectification of the respective error, and then deleted.

Zendesk

Zendesk is a customer service platform from the provider Zendesk Inc., 989 Market St, San Francisco, CA 94103, United States of America. The use of Zendesk helps us to handle customer service inquiries more effectively.

The legal basis for data processing within the framework of Zendesk is Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to use specialized software for the efficient processing of customer service inquiries and to be able to answer you as quickly and precisely as possible in this way.

More information on data processing when using Zendesk can be found at https://www.zendesk.de/trust-center/#privacy.

6. Your Rights

As a data subject affected by the processing of personal data, both in relation to the App(s) you use and in relation to our Internet Offering, you have the following rights vis-à-vis us as the controller:

  • Right to information, i.e. the right to request confirmation from us as to whether we process your personal data, and if so, to request further information, in particular about the purposes of processing, categories of personal data, recipients or categories of recipients and the storage period.
  • Right to rectification, i.e. the right that we immediately rectify or complete data that we have stored about you in the event of errors or incompleteness.
  • Right to restriction of processing, i.e. the right, under certain conditions, to request that we restrict the processing of your personal data, for example during an ongoing review of the accuracy of this data.
  • Right to erasure, i.e. the right to request that we immediately erase your personal data in certain situations, for example if we have processed your data unlawfully, the purpose for data processing no longer exists or you have revoked your consent to processing, provided that data processing cannot be based on other legal bases in this case.
  • Right to notification, i.e. the right that we, unless impossible or disproportionately expensive, inform all recipients to whom we have disclosed your personal data of any rectification, erasure or restriction of processing.
  • Right to data portability, i.e. the right, under certain conditions, to receive the data provided to us in a structured, common and machine-readable format, as well as the right to have this data transmitted to another controller.
  • Right to object, i.e. the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data which is based on a legitimate interest of the controller or the performance of a task in the public interest by the controller.
  • Right to withdraw consent, i.e. the right to withdraw your consent at any time for the future. The withdrawal of consent does not retroactively invalidate the lawfulness of processing.
  • Right to lodge a complaint, i.e. the right to lodge a complaint with a supervisory authority, without prejudice to other legal remedies, concerning a processing of your personal data which you believe violates the GDPR, which can be asserted in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

You can assert these rights against us by using the contact options listed at the beginning.

If you have further questions about the content of this privacy policy, about our handling of your data or about other data protection topics in connection with our products, we will of course also be available to you there.