Notes on data protection

 

The following information on data protection explains the type, scope and purpose of the collection and use of personal data when using this app, as well as your rights.

 

I. Controller responsible for data processing (hereinafter: "we")

 

Lukas Sontheim

Luitharz 5a

87509 Immenstadt

E-mail: info@luxxel.de

Phone: +491756805445

 

Further details can be found in our provider identification

IMPRINT

 

II. Personal data, purposes of their processing and legal bases

 

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the identity of that natural person.

 

Personal data is processed in our app if this is necessary for the following purposes:

 

at your request and with your consent (legal basis: Article 6(1)(1)(a) of the General Data Protection Regulation - hereinafter: GDPR),

for the functionality and use of the app (legal basis: Article 6(1)(1)(b) GDPR),

to protect our interest in improving the user experience, promoting our and other services and/or maintaining the security of use (legal basis: Article 6(1)(1)(f) GDPR),

for the use of the services offered in the app and for pre-contractual measures, in particular for your inquiries (legal basis: Article 6(1)(1)(a) and/or Article 6(1)(1)(b) GDPR),

for the conclusion and performance of a contract (legal basis: point (b) of the first subparagraph of Article 6(1) GDPR) and/or

to fulfill a legal obligation to which we are subject (such as tax or data protection requirements and retention obligations, legal basis: Article 6 (1) (1) (c) GDPR)

 

Further details on the processing of data can be found below under the corresponding headings:

 

1. Access data / server log files

 

When an app is downloaded, required information is transferred to the respective app store, in particular the user name, email address, customer number at the app store and the individual device ID. We have no influence on this data processing. The operator of the respective app store is responsible for this. We process the data required to download the app to your device.

 

When using an app, we process the following data to enable the usability of the functions provided and to ensure the security and stability of the app:

 

- IP address of the user
- Date and time of the request
- Content of the request
- Access status/HTTP status code
- Amount of data transferred in each case
- Operating system of the user

 

The temporary processing of this data by the system is necessary to enable delivery of the app content to your end device. In particular, the IP address must be processed for this purpose. This data is not merged with other data sources. The information is used exclusively to control our own traffic and to maintain the technical operation of the servers and the network as well as to prevent misuse. The legal basis for this is point (f) of the first subparagraph of Article 6(1) GDPR.

 

2. Cookies and other technologies

 

In particular, our app uses cookies or other technologies that are absolutely necessary, or ones such as functional cookies, so that we can provide you with the app and its functions (Section 25(2)(2) of the Telecommunications Telemedia Data Protection Act (TTDSG), Article 6(1)(1)(f) GDPR).

 

Insofar as you give your consent for optional services that are not required, the legal basis is Section 25 (1) TTDSG, Article 6 (1) (1) (a) GDPR (consent). You can obtain further information on this and on the cookies and services used at any time from the consent management tool we use and revoke your consent freely and without detriment at any time with effect for the future. Please note, however, that our app will not always function as intended without the cookies and services used.

 

3. Contact via e-mail or other means

 

If you send us inquiries via email or form entries or by other means, your details, including the data you provide there (such as: name, email address, message), will be processed for the purpose of processing the inquiry and, if necessary, in the event of follow-up questions. The legal basis for this is point (b) of the first subparagraph of Article 6(1) GDPR.

 

4. Integration of services and content from third parties

 

It may happen that third-party content and services are integrated or loaded within our app. This always assumes that the providers of this content are aware of the user's IP address.

 

We partially integrate the following services and content from third parties, for which you can also view additional service providers and information in our consent tool at any time and revoke your consent:

 

Consent manager

We use Google's consent management tool to manage any consents you may have given. Google is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and companies affiliated with Google. For users who have their habitual residence in the European Economic Area or Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, EU is the responsible controller for Google services. Google Ireland Limited is therefore the company affiliated with Google LLC whose services are integrated and must also comply with the GDPR.

 

The following categories of data may be processed to verify your consent: Timestamp, IP address, user agent, language, time zone.

 

The legal basis is our legitimate interest in the consent management option, Article 6(1)(1)(f) GDPR; furthermore, in the case of your consent, Article 6(1)(1)(a) GDPR. In addition, there is a legal obligation for consent management and verifiability, Article 6(1)(1)(c) GDPR, Article 5 GDPR; Section 25 TTDSG.

 

The data transfer to the USA is based on an adequacy decision and subsequently on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de

The company is certified in accordance with the "EU-US Data Privacy Framework"; for further information, see the separate section on third country transfers below.

 

Google Firebase

We use Google Firebase for statistical purposes and for development and test procedures, for example to test and optimize different versions of our app or its components. Firebase is Google's software development kit (SDK) and analysis tool for apps.

 

For these purposes, Google provides us with such services. This is the Google Firebase tool, which includes the products Firebase Crashlytics and Firebase Performance as well as Cloud. Google Firebase does not collect any data without your consent.

 

Firebase Crashlytics: With Firebase Crashlytics, crash reports are created and analyzed in the event of crashes in order to improve the stability of the app.

Firebase Performance: Firebase Performance is used to create and analyze reports on the network behavior of the app in order to improve the stability of the infrastructure. Only the network behavior between the app and its own endpoints accessible via the Internet is considered.

Firebase Cloud: Cloud Storage for Firebase is a powerful object storage service designed for Google scale. The Firebase SDKs for Cloud Storage provide security for file uploads and downloads for Firebase apps, regardless of network quality.

 

The following data is recorded depending on use:

 

Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), the transmission speed per IP mask, which resources are accessed by which IP masks, which process an IP mask carried out before encountering an error.

 

We would like to point out that Firebase is set so that the IP addresses are not stored completely, but 2 bytes are masked (pseudonymization of the IP address, so-called "IP masking"). Your IP address is recorded by Google in masked form, so that no assignment to the calling device is possible.

 

The processing of users' personal data enables us to analyze the user behavior of our app users. By analyzing the data obtained, we are able to compile information about the use of the individual components of our app. The services are used to further develop the infrastructure of the app in a user-oriented manner and, depending on your consent, for advertising by the partners you have allowed.

 

The legal basis for the processing of users' personal data is point (a) of the first subparagraph of Article 6(1) GDPR (consent).

 

Data is deleted as soon as it is no longer required for our recording purposes. The generated statistics and underlying data are not deleted. The cookies have a maximum storage period of 14 months.

 

The data transfer to the USA is based on an adequacy decision and subsequently on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de

The company is certified in accordance with the "EU-US Data Privacy Framework"; for further information, see the separate section on third country transfers below.

 

Google gstatic.com and API

To reduce bandwidth usage and increase network performance for the end user, we use gstatic and APIs from Google (see above). gstatic is a domain used by Google to offload static content to another domain name. It is used to process images and CSS. CSS (Cascading Style Sheets) is a style sheet language for electronic documents and, together with HTML and JavaScript, one of the core languages of the World Wide Web.

 

The legal basis is point (a) of the first subparagraph of Article 6(1) GDPR (consent).

 

The data transfer to the USA is based on an adequacy decision and subsequently on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de

The company is certified in accordance with the "EU-US Data Privacy Framework"; for further information, see the separate section on third country transfers below.

 

Google AdMob

Our app uses Google AdMob to display advertisements within the app (https://support.google.com/admob/topic/10078980?hl=de&ref_topic=9758170&sjid=9210129694506938696-EU). Google may use the advertising ID of your device, as well as cookies and/or similar technologies, to collect personal data for the purpose of generating and displaying personalized advertising. You can find more detailed information about which data is collected by Google and how it is processed here: https://www.google.com/policies/technologies/ads

Google's full privacy policy can be found here: https://www.google.com/policies/privacy/

 

The data transfer to the USA is based on an adequacy decision and subsequently on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/

You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de

The company is certified in accordance with the "EU-US Data Privacy Framework"; for further information, see the separate section on third country transfers below.

 

Social Media

We use social media platforms to safeguard our legitimate interest in presenting and advertising our services and products and ourselves there, Article 6(1)(1)(f) GDPR; the legal basis for the data processing of the respective social media platform providers can be found in the data protection information linked below:

 

Discord:

Discord Inc, 444 De Haro Street #200, San Francisco, CA 94107, USA; Discord Netherlands B.V., Schiphol Boulevard 195, 1118 BG Schiphol, Netherlands;

Data protection information: https://support.discord.com/hc/de/sections/115000344951-Datenschutz-und-Richtlinien

Terms of use: https://discord.com/terms

Instagram:

Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;

Data protection information: https://www.facebook.com/help/instagram/155833707900388 and https://privacycenter.instagram.com/policy;

Terms of use: https://help.instagram.com/581066165581870?helpref=faq_content

Imprint: https://help.instagram.com/581066165581870/

Adequacy decision; standard data protection contractual clauses (guaranteeing the level of data protection for processing in third countries): https://privacycenter.instagram.com/policies/data_privacy_framework/

https://www.facebook.com/help/instagram/272603474673152

Further information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data and https://www.facebook.com/legal/terms/page_controller_addendum

X (formerly Twitter):

Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

Imprint: https://legal.twitter.com/de/imprint/

Data protection: https://twitter.com/de/privacy

Adequacy decision; standard data protection clauses (guaranteeing the level of data protection for processing in third countries): https://twitter.com/de/privacy#x-privacy-6

 

If you click on a social media icon on our site, you will leave our app and a connection to these third-party providers will be established. In this respect, we refer you to the data protection information provided there. Please note that data may be processed outside the European Union, see also our information under third country transfers. This may give rise to risks, e.g. because it could make it more difficult to enforce users' rights. If you wish to assert your rights as a data subject, the most effective way to do so is to contact the respective platform provider. However, if you wish to assert rights in relation to our profiles, you can of course also contact us.

 

In-app purchases

 

You can make in-app purchases in our app. For this purpose, we use the service of RevenueCat Inc, 1032 E Brandon Blvd #3003 Brandon, FL 33511, USA. Standard contractual clauses are used for third country transfers (revenuecat.com/dpa). Data protection: https://www.revenuecat.com/privacy/

 

In this regard, we refer you to the information on data protection and the GTC there. The selected payment service receives the information that you provide during the payment process. The payment service provider is responsible for data processing in the context of payment processing.

 

The legal basis is point (b) of the first subparagraph of Article 6(1) GDPR (pre-contractual measures, performance of a contract) and points (f) and (c) of the first subparagraph of Article 6(1) GDPR (legitimate interest and legal obligations to provide evidence). We fulfill a contract with you and have a legitimate interest in being able to offer you effective, widespread and secure payment options and modern in-app purchase functionality via the payment functionalities, Article 6 (1) (1) (f) GDPR.

 

We ourselves receive information so that we can record, confirm and execute your order via our platform, see above. Your data will be stored by us until payment processing has been completed, taking into account any statutory retention obligations. This also includes the period required for the processing of refunds, receivables management and fraud prevention.

 

5. App registration - user account - account - driver profile

 

Our app is a companion app for the Formula 1 video game called "Formula Game Companion". The app is primarily used to record statistics from competitions or races. In short, a race takes place within a league, someone enters the result into the app and the application uses it to create rankings and statistics. Using an invitation code, other people can also join the league and view the statistics.

 

To use the app, it is necessary to create a user account (registration). We process the personal data you provide in order to provide you with user access and to fulfill a contract with you. In particular, we process the following data:

- User name
- E-mail address
- Password

 

Your e-mail address and password are used for authentication. The user name can be transmitted to other app users if they have joined the same league. In addition, the user name may be displayed in abbreviated form if a user shares a vehicle setup publicly.

 

Authentication is realized via Google Firebase (see above). Our database is based on Google Firebase Firestore (see above).

 

Riders can be created within a league, where they have the option to voluntarily enter their date of birth, a biography and links to social media. Other members of a league can then view these.

 

In addition, your user name and email address are used to provide you with a personalized app experience and to communicate with you (see above).

 

You can delete your user account at any time within the app.

 

The legal basis is point (b) of the first subparagraph of Article 6(1) GDPR (pre-contractual measures, performance of a contract) and points (f) and (c) of the first subparagraph of Article 6(1) GDPR (legitimate interest and legal obligations to provide evidence). We fulfill a contract with you and have a legitimate interest in being able to offer you modern app functionality via the app functionalities, Article 6 paragraph 1 subparagraph 1 letter f GDPR.

 

 

III. Recipients of personal data and third country transfers

 

Personal data is disclosed to the following categories of recipients:

 

Our employees and our processors to the extent necessary, in particular the hosting provider of our web version of our app, which also hosts the graphics used in the app, namely Infomaniak Network AG, Rue Eugène Marziano 25, 1227 Les Acacias (GE) Switzerland, and, if applicable, its respective sub-processors, depending on the service you use, and, when using the website, possibly individual named service providers, see above II. The app backup is located in the Google Cloud from Google, see above.

 

Furthermore, the personal data concerning you will not be passed on to third parties without your express consent, unless we are legally obliged to do so or the passing on of data is absolutely necessary for the execution of a contractual relationship.

 

We process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) if it is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. The same applies to the processing by third parties on our behalf, the disclosure of personal data to third parties and their transfer to third parties. Furthermore, service providers who process personal data on our behalf in a third country are only used if an "adequacy decision" of the European Commission (Article 45 GDPR) exists for this third country, "appropriate safeguards" (Article 46 GDPR), "standard data protection clauses" (Article 46(2)(c) GDPR) have been agreed and/or "internal data protection rules" (Article 47 GDPR) are in place at the recipient. General information on the adequacy decisions can be found at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en , in relation to US tools: www.dataprivacyframework.gov, on appropriate safeguards as internal rules at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en , on standard data protection clauses at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_de. For further information, please contact us.

 

IV. Duration of storage

We delete personal data once the purpose has been achieved and the legal basis no longer applies, or if there is no obligation to retain the data.

 

Stored server log files and IP addresses are automatically deleted after 7 days at the latest.

 

Session cookies are automatically deleted at the end of the session. Other cookies are stored on your end device and you have control over the use and deletion of cookies.

 

We process personal data from your inquiries by email or other means until your inquiry has been fully processed and dealt with. After that, the data will be deleted if there is no legal obligation to retain it, for example data protection and documentation obligations under Article 5 (2) GDPR. Please note that due to a legal transaction with you, certain data may be subject to retention obligations under commercial and tax law of at least six (Section 257 HGB) or ten (Section 147 AO) years, which may also apply to the content of contact requests and emails. For example, personal data collected by us is generally stored after the end of a contractual relationship until the end of the statutory three-year limitation period (Section 195 BGB) (safeguarding legitimate interests: Defense and enforcement of claims, Article 6 paragraph 1 subparagraph 1 letter f GDPR).

 

In all other respects - including with regard to all tools used and the previous employee - it is checked on an annual basis whether data can be deleted. This is the case if the purpose of processing and the requirements of the legal basis for processing no longer apply and there is no longer a legal obligation to retain the data, there is no legitimate interest in defending and enforcing claims, Article 6(1)(1)(f) GDPR, and you have not consented to any further storage in accordance with Article 6(1)(1)(a) GDPR.

 

V. Provision of personal data and rights of data subjects

You are not legally obliged to provide personal data. However, the provision of personal data may be necessary for the conclusion of a contract or for functions of the app. If you do not provide it, it may not be possible to offer a contract or a function of the app.

 

There is no automated decision-making in the app; profiling does not take place in our app.

 

The rights of data subjects arise in particular from Articles 15 to 23 and Article 77 GDPR and from Sections 32 to 37 of the new Federal Data Protection Act.

 

You have the right vis-à-vis us with regard to the personal data concerning you, if the legal requirements are met, to

 

- Information, Article 15 GDPR,
- Rectification, Article 16 GDPR,
- Erasure, Article 17 GDPR,
- Restriction of processing, Article 18 GDPR,
- Portability, Article 20 GDPR.

 

If you have given your consent to the processing of personal data, you have the right of

 

Revocation, Article 7 GDPR,

 

with effect for the future. The legality of the processing carried out on the basis of the consent until the revocation remains unaffected.

 

You also have the right to object to the processing of your personal data.

 

Objection, Article 21 GDPR

 

see further information under VI.

 

Please address all inquiries, requests and notifications to us, see above under I.

 

If you believe that the processing of your personal data violates data protection law, you always have the right to object.

 

Right to complain

 

with the competent supervisory authority, see Article 77 GDPR. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

 

The contact details of the data protection officers in the federal states, the supervisory authorities for the non-public sector, broadcasting, the churches, in Europe and in other countries as well as the Virtual Data Protection Office can be found there: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

 

VI. Information on the right to object pursuant to Article 21 GDPR

 

1. You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of the first subparagraph of Article 6(1) GDPR (data processing on the basis of a balancing of interests).

 

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

 

2. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

 

The objection can be made informally and should be addressed to us, see above under I.

 

Version: 1.0

Status: 07.05.2024

Prepared by ITMR Attorneys at Law

https://www.itmr-legal.de/