Note: this is a rough translation of our German privacy policy.

1 Introduction

A trustful and secure handling of your personal data is very important to us. In accordance with the requirements of the General Data Protection Regulation of the Regulation 2016/679 of the European Parliament, this privacy statement explains at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679 which personal data we and the third-party processors we commission collect, process, how the data is protected and what lawful options you have. We try to make this privacy statement in simple terms and as reader-friendly as possible. However, if you have any questions, please feel free to contact the responsible party mentioned below.

2 Contact details of the responsible person

If you have any queries regarding data protection, you are most welcome to contact us by sending an email to privacy@edutapps.de. The contact details of the responsible party are:

Edutapps GmbH
c/o Factory Works GmbH
Rheinsberger Str. 76 / 77
10115 Berlin
privacy@edutapps.de
Responsible person: Lars Melchior
+49 160 9464 6121
Imprint: https://maphi.app/de/legal-notice
E-mail: datenschutz@edutapps.de

3 General information

This privacy policy applies to all personal data (such as name, email, postal address, IP, ... ) within the meaning of Art. 4 No. 1 DSGVO, which are collected by the following services provided by Edutapps GmbH:

• The iOS and Android app Maphi
• The websites hosted by Edutapps on the following domains, as well as the associated subdomains.
  • edutapps.com
  • edutapps.com
  • maphi.app
• Our social media presence
• Our email and telephone communications For the lawful processing of personal data, we rely on Art. 6(1) of the DSGVO according to DSGVO (https://dsgvo-gesetz.de/art-6-dsgvo/) . Particularly relevant for us are:
• Art. 6(1) lit. a (consent): you have given us your consent to process your data.
• Art. 6 (1) (b) (necessity): The processing of the data is necessary for the performance of a contract concerning you.
• Art. 6(1) lit. c (Legal obligation): Processing is necessary for compliance with our legal obligations.
• Art. 6(1) lit. f (Legitimate interest): Processing is necessary to protect our, or third parties', legitimate interests and your interests, fundamental rights or freedoms do not override these. We reserve the right to refer to separate privacy statements in individual services, which will then replace this one.

4 Your rights

Article 13 of the GDPR grants European users a number of rights. To this end, you can contact us at any time at the address listed in this Privacy Policy under "Contact details of the controller".

• Right to information according to Art. 15 DSGVO - the right to receive information free of charge about whether and which of your data is being processed. You have the right to be informed about the purpose of the processing, origin and nature of the data, storage period, use of profiling, security measures for storage, as well as forwarding to third countries.
• Right to rectification under Art. 16 GDPR - the right to rectify incorrect personal data held about you.
• Right to erasure under Art. 17 DSGVO -- the right to have your personal data held by us erased.
• Right to restriction of processing under Art. 18 DSGVO -- the right to request the suspension of the processing of all your personal data temporarily or permanently.
• Right to data portability under Art. 19 DSGVO -- the right to request a copy of your personal data in electronic format and to transfer it to another service.
• Right to object in specific cases under Art. 21 DSGVO -- the right to object to the processing of your personal data by us, which, once enforced, will entail a change in the processing by us.
• Under Art. 22 DSGVO -- the right not to be subject to automated decision-making.
• The right to object to the use of your personal data for direct marketing.
• You may object if the processing of your data is based on public interest, exercise of official authority underArticle 6(1)(e) or legitimate interest under Article 6(1)(f). If you believe that we are using your data unlawfully, you have the right to complain to a supervisory authority. The contact details of the supervisory authority responsible for us are:

Data Protection Authority Berlin

State Commissioner for Data Protection: Maja Smoltczyk
Friedrichstrasse 219, 10969 Berlin
Phone: 030/138 89-0
E-mail address: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de/?tid=311883560

Data Protection Authority Austria

Https://www.dsb.gv.at

5 Data transmission / transfer to third countries

We try to rely on domestic services whenever possible. However, to provide the services, we also rely on selected external service providers in third countries. For example, our apps are distributed via services of US companies (Google, Apple), or a login via Facebook is enabled. In the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. The data may not be processed anonymously by US services, stored, linked to existing user accounts and shared with US authorities, for example. In the further course of this declaration, we point out which data collected by us is affected. We currently work with the following service providers:

• Alphabet Inc (Google) -- Play Store, Google Analytics, Ad Mob.
• Apple -- App Store, Search Ads
• Facebook -- Social Login and Fan Page Google, Apple and Facebook each refer to the standard contractual clauses Arg 46. para 2 and 3 DSGVO provided by the EU Commission as the basis for data transfer to the USA, which oblige them to provide suitable guarantees in order to nevertheless meet the processing and storage of their data in accordance with European security standards.

Unless required by law or court order, we will not disclose any data to third parties.

6 Data protection

Personal data is protected by us through various measures.

6.1 Organizational measures

We only collect personal data that we need. The collected data will be pseudonymized by us if possible. Data that we no longer need to provide our services will be deleted, unless we are required by law to store it (for example, in the context of our accounting). We also take care not to carelessly give unauthorized persons access to our infrastructure. For example, by leaving our laptops open.

6.2 Technical measures

In addition, we always take appropriate technical measures to protect the data we collect. This means, for example, the use of secure passwords and up-to-date encryption techniques for both transmission (TLS, HTTPS) and storage (for example, of passwords). The data collection section goes into more detail about the specific protection mechanisms.

7 Data acquisition

7.1 Contact requests

If you contact us via email, phone, or the contact function on the website, your request, including your resulting personal data (name, phone number, request...) will be stored and processed by us for the purpose of communication with customers and business partners. Depending on the means of communication, their data will be processed on our laptop / email server / smartphone and telephone provider for the immediate processing of the business case. We store the data until you request us to delete it, revoke your consent to store it, or the purpose of the data storage no longer applies. We do not share this data without consent unless we are required to do so by law. Please note that in the case of contact requests via Facebook, your data will be processed by Facebook and may be transferred to the USA, where the European Court of Justice has ruled that there is no adequate level of protection. Therefore, please refer to our information in section 5 "Transfer to third countries".

The processing of your data is based on the following legal grounds

• Art 6 para. 1 DSGVO a: You give us your consent to process your data for the processing of the business transaction
• Art 6 para 1 DSGVO b: The processing is necessary for the performance of a contract. For example, to be able to reply to you.
• Art 6 para. 1 DSGVO f: With our desire to process your requests professionally and quickly, there is a legitimate interest on our part to process their data in the context of processing the business case, if this is technically necessary (such as for the use of email and telephone).

7.2 Newsletter

If you subscribe to the newsletter on our website, your email address, the IP address used for registration, as well as for confirmation of the data protection condition and the respective access times are stored on our web server (see section 7.5 Web hosting) in order to be able to deliver said newsletter to you. The data will be stored by us as long as they are necessary for the fulfillment of the service, so generally until you unsubscribe from the newsletter, or the newsletter is discontinued. You can object to the collection of this data at any time and delete your data by unsubscribing from the newsletter. The processing of your data is based on the legal bases

• Art 6 para. 1 DSGVO a: You give us consent to process your data for the processing of the business case.
• Art 6 Abs.1 DSGVO b: The processing is necessary for the performance of a contract.
• Art 6 Abs. 1 DSGVO f: With our desire to write as interesting, target-oriented newsletters as possible, there is a legitimate interest on our part to process their data in the context of the processing of the business case, if this is technically necessary (such as to send the emails).

7.3 Links

If you use the external links that are included in our websites, this privacy policy does not extend to these links. We make every effort to ensure that the providers of the linked sites also comply with data protection standards, but we have no direct influence on the content of and compliance with their data protection statements. Therefore, please inform yourself in the privacy policy of the respective third party provider.

7.4 Cookies

Our website only uses cookies, which are technically necessary. A cookie is a file that is stored on your device and transmitted to our services with each request in order to track usage over multiple sessions. Cookies are used by us, for example, to save the language set, to save the opt-in choice when objecting to data recording, or to save the login status. We, on the other hand, do not use cookies to track our visitors or to store personal data, such as the name of the user.

7.5 Server / Web Hosting

Both our apps and our websites access backend servers in the background. For the provision of our service, optimization of the infrastructure and optimization of system security, accesses are recorded and temporarily logged in log files. The data is used exclusively to provide the service, optimize the infrastructure and system security. IP addresses are only evaluated in the event of attacks on the infrastructure. Logged data is kept for up to one month. The logged data includes:

• the requested URL
• the amount of data transferred
• the IP address of the requesting device
• the time of access
• the browser / operating system used Our IT infrastructure relies on servers and web hosting provided by Netcup GmbH from Nuremberg, Germany. You can find out more about the data processed by using Netcup in Netcup's privacy policy at https://www.netcup.de/kontakt/datenschutzerklaerung.php. There is an order data processing contract between Edutapps GmbH and Netcup, which obliges Netcup to handle the data responsibly. The processing of your data is based on the following legal grounds
• Art 6 para. 1 DSGVO f: (Legitimate Interest). For the provision of our services and for the optimization of our infrastructure and system security, the cooperation with a hosting service and the logging and processing of the aforementioned data is absolutely necessary.

7.6 Firebase

7.6.1 Login

Login on our websites and in our apps can be either EMail+Password or via a social login from the following third party providers:

• Google
• Apple
• Facebook Authentication via social login takes place via OAuth2. When using the social login, only the basic data released by the user is recorded (the displayed username) in addition to the corresponding profile ID. The profile ID is transferred to the login service provided by Firebase and used to identify you as authorized to access your profile on Firebase, or to create a new profile for you. Your Profile ID will not be shared with any other third parties. This procedure is necessary to enable a repeated login to the Apps and thus to provide, for example, access to the data you entered in the App in the past (such as formulas). The processing of your data is based on the legal grounds
• Art 6 (1) DSGVO a: You give consent to the processing of your data to identify you as authorized to access your account on file with us.
• Art 6 para 1 DSGVO b: The processing is necessary for the performance of a contract. Without login, essential parts of our apps do not work. Without identifying you, it is not possible for us, for example, to store the data you entered in the apps and continue to grant access.

7.6.1.1 Login with Facebook

If you register with the Login with Facebook function in Maphi, data is transferred to Facebook for the purpose of authentication. You will be redirected to Facebook. Facebook creates cookies that are used for authentication and track your activity. If you do not want this, choose one of the other login methods. You can learn more about what data is processed by Facebook in the privacy policy of Facebook https://de-de.facebook.com/policy.php. Please also note your privacy settings on Facebook at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. Please note that Facebook may transfer your data to the USA, where the European Court of Justice has ruled that there is no adequate level of protection. Therefore, please refer to our information in section 5 "Transfer to third countries".

The processing of your data is based on the following legal grounds

• Art 6 para.1 DSGVO b: The processing is necessary for the performance of a contract. Without transferring your data to Facebook, we cannot authenticate it via your Facebook account.

7.6.1.2 Login with Google

If you register with the Login with Google function in Maphi, data from you will be transferred to Google. If you do not want this, choose one of the other login methods. You can find out more about what data is processed by Google in Google's privacy policy https://policies.google.com/privacy. Please note that Google may transfer your data to the USA, where the European Court of Justice has ruled that there is no adequate level of protection. Therefore, please refer to our information in section 5 "Transfer to third countries".

The processing of your data is based on the following legal grounds

• Art 6 para.1 DSGVO b: The processing is necessary for the performance of a contract. Without transferring your data to Google, we cannot authenticate you with your Google account.

7.6.1.3 Login with EMail + Password

The Login with EMail + Password function is provided by Firebase and thus ultimately also by Google. When you create an account or log in, an account managed on Firebase is created with a unique account ID. You can learn more about what data is processed by Google in the privacy policy of Google https://policies.google.com/privacy. Please note that Google may transfer your data to third countries, where the European Court of Justice has ruled that there is no adequate level of protection. Therefore, please refer to our information in section 5 "Transfer to third countries".

The processing of your data is based on the following legal grounds

• Art 6 para.1 DSGVO b: The processing is necessary for the performance of a contract. Without transferring your data to Google, we cannot authenticate them with their Google account.

7.6.2 Real-Time Database

Data entered by you in the Apps is linked to your generated Firebase profile and stored on the infrastructure provided by Google's Firebase via the Real-Time Database. This enables us to provide you with the data concerning you in the app after login. Such as the formulas and solutions you have entered in the past. Please note that Google may transfer your data to the USA. Therefore, please note our information from section 5 "Transfer to third countries".

The processing of your data is based on the following legal grounds

• Art 6 para.1 DSGVO b: The processing is necessary for the performance of a contract. Without access to the usage data concerning you, essential parts of our apps will not function. For example, it is not possible for us to store the data you entered in the apps and continue to grant access.

7.7 Analytics

In order to improve our offers and tailor them to the needs of our customers, it is essential to understand the way users behave within our offers. To this end, we use third-party analytics tools in our apps to capture user behavior. These tools collect data, which is stored, processed and visually prepared for us by the respective provider. We use this data to learn, for example, which features are used particularly heavily by our users and which may be too hidden, how many of our users return regularly, or how we can carry out marketing measures in a more targeted and cost-effective manner. User profiles may also be created for the purpose of evaluating the data. The processing of your data is based on the legal grounds

• Art 6 para. 1 DSGVO a: You give us consent to process your data for the processing of the business case.
• Art 6 Abs.1 DSGVO f: The necessity of these analyses for the improvement and safeguarding of our offers creates a Legitimate Interest on our part.

The processing of the analysis tools requires their consent. You can revoke your consent in the apps in the settings at any time.

6.7.1 Google Analytics

We use the market standard Google Analytics, or Google Analytics for Firebase, to collect and analyze usage data. Google Ireland Limited is responsible for this service in Europe. The tool collects access statistics and usage data within the apps. This includes, for example, the access duration, which user element is clicked on in the app or which language is set, but also device information and their pseudonymized IP addresses. In principle, however, no data such as name, age, gender or contact data is collected for analysis purposes. More specific functions for recording personal data (demographics, user IDs, replicating client IDs across devices, remarketing features, ... ) are disabled by us. Please note that Google may transfer your data to the USA, where the European Court of Justice has ruled that there is no adequate level of protection. Therefore, please note our information in section 5 "Transfer to third countries". Google refers to the standard contractual clauses Arg 46 (2) and (3) DSGVO provided by the EU Commission as the basis for the data transfer to the USA, which obliges Google to comply with European security standards when processing and storing your data.

Google's infrastructure for processing and storing your data is distributed worldwide https://www.google.com/about/datacenters/inside/locations, also to ensure high data availability. Your data is deleted by default after 14 months when Analytics is used. For more information on how and what data is collected and processed through the use of Google Analytics and Firebase, please see the Google Ads Privacy Policy https://business.safety.google/adsprocessorterms/ and the Firebase Data Policy https://policies.google.com/privacy?hl=en-US. Edutapps has entered into a direct customer agreement with Google and has accepted the data processing addendum therein. You can find more information about this at https://support.google.com/analytics/answer/3379636.

7.8 Advertising

Parts of our offer are financed by advertising.

7.8.1 Google Admob

We provide Google with advertising space within our app via the Google service Admob. In order to avoid displaying non-relevant and annoying advertising, we also rely on direct advertising in this process. In order to find out which advertisements are relevant for the respective user, Admob collects and processes personal data and thus also conducts profiling, if necessary. We are only permitted to do this with your consent. The processing of your data is based on the following legal grounds

• Art 6 (1) DSGVO a: The use of personal data for direct marketing purposes is dependent on your explicit consent. You can revoke this at any time in the settings of our apps.
• Art 6 (1) DSGVO f: There is a legitimate interest on our part to optimize the content of our app to enable an optimal user experience. This also includes avoiding the display of non-relevant advertising.

7.8.2 Right to object to direct advertising.

You have the right to object to the use of your personal data for direct advertising. You will find a corresponding option for this in the settings of our apps.

8 Conclusion

We are always working to improve our products and to be able to offer new products. In this context, we reserve the right to adapt this privacy policy to the changing requirements, as well as the legal requirements.

State

November 2021