Privacy Policy for the M.T.O. Tamarkoz® App
Using our mobile app
Last Updated: July 5, 2023
I. Information on the processing of personal data
(1) In addition to our online service, we also provide you with a mobile app (“M.T.O. Tamarkoz® App") that you can download onto your mobile device. In the following we inform you about the collection of personal data when using M.T.O. Tamarkoz App. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.
(2) Data controller is according to Article 7 (7) of the European Data Protection Regulation (“GDPR”)
M.T.O. Tamarkoz® Association
PO Box 73288,
Davis,
CA 95617, U.S.
info@tamarkozapp.com
For our imprint see https://tamarkozapp.com/web/imprint
The internal Contact for Data Protection can be reached under the above stated address or via privacy@tamarkozapp.com.
(3) When you contact us by e-mail or via a contact form, we will store your e-mail address and, if you have provided it, also your name and telephone number in order to answer your questions. The data collected in this context will be deleted after storing it is no longer necessary. Do statutory obligations apply, the data will not be deleted but the processing will be restricted. Please refer to our deletion information below for further information.
(4) For some processing activities it might be useful to assign external service providers for individual functions of our offer or use your data for advertising purposes. If we decide to do so, we will inform you below in detail about the respective processes. We will also specify the criteria for the retention period.
II. Processing of personal data when using our mobile app
(1) Download and deletion of your personal data
When the M.T.O. Tamarkoz App is downloaded, the required information is transmitted to the App Store, in particular username, e-mail address, time of download and the individual device code number. We have no influence on this data collection and are not responsible for it. We process the data only to the extent necessary for downloading M.T.O. Tamarkoz App to your mobile device. This processing takes place on the basis of your consent pursuant to Article 6 (1) sentence 1 lit. a GDPR.
To delete your account and data, you may use the delete button on the App under “Settings” and “Account Information” in the menu. The delete button will delete your account permanently and your request will be processed within 30 days. Your personal data as mentioned in this Privacy Policy, along with your subscription and favorites will be permanently deleted and no partial refund of your subscription will be provided. Once your account is deleted, it cannot be restored or undone. We will also delete the personal data with our third-party vendors to the extent we are provided permission by them to delete your data. Please contact our third-party vendors for any further information on deleting your personal data. Deinstallation of the App does not delete your personal data stored with the App. You must delete your account for your personal data to be deleted.
(2) Use of data for M.T.O. Tamarkoz App
In order to provide you meditation exercises that serve your individual preferences the best and being aware of your privacy needs, we do not track your health data and limiting the data processing to data categories that are relevant for your meditation experience. Therefore, we record only basic user interaction inside the M.T.O. Tamarkoz App, for example, what exercises are your favorites, what categories/exercises you are searching for within the M.T.O. Tamarkoz App and your reporting dates. Furthermore, when you are performing an exercise, we store data about the date and time, it’s duration, amount of repetitions, it’s associated category and the degree of severity. When you decide to report your mood (e.g. happy, sad), we record your report and the date and time of its submission. This processing is carried out on the legal basis of consent pursuant to Article 6 (1) sentence 1 lit. a GDPR. When you use Tamarkoz Live, we store the voice and video data, as well as the messaging and images data. This processing is carried out on the legal basis of consent pursuant to Article 6 (1) sentence 1 lit. a GDPR.
(3) Collection of log file data
When using M.T.O. Tamarkoz App, we collect the following log file data:
- IP address
- User Name
- Sign-up type (email, mobile)
- Device ID
- Date and time of request
- Content of request (concrete page, concrete API endpoint)
- Access status/HTTP status code
- Device Access Token
- Amount of data transferred in each case
- Terminal equipment from which the request comes
- User agent
- Login limit
- Operating system and its interface
- Country ID
- Language and version of the user agent.
From a technical point of view, this data is absolutely necessary for us in order to offer the various functions of M.T.O. Tamarkoz App and to guarantee the stability and security of M.T.O. Tamarkoz App, as well as to enable comfortable use of the functions. This processing purpose also represents the legitimate interest, which according to Article 6 (1) Sentence 1 lit. f GDPR is the legal basis for data processing.
IP addresses in log files are deleted upon deletion of the personal data.
(4) Newsletter via ActiveCampaign
You have on our website the opportunity to subscribe to our complimentary newsletter. For sending the newsletter, we require the following data at the time of registration:
- E-mail address
- Name
- IP address
- Subscription type
Additionally, we process your IP address, date and time of your registration. Further data will not be processed during the registration process. Besides, we integrated so-called "web-beacons" in our e-mail newsletter. These are pixel-sized image files which record when and how often the newsletter is opened, how many times the e-mail is viewed, time of retrieval, e-mail client used by the recipient, your IP address and if you clicked on certain elements included in the newsletter (e.g. buttons or links). The name of the image file is individualized for each newsletter recipient by attaching a unique ID. This enables us to register which ID belongs to which e-mail address and serves to determine which newsletter recipient has just opened or is reading the e-mail. As part of the registration process, we need to obtain your consent, so we are allowed to process your personal data regarding the dispatch of the Newsletter. Before giving your consent, a reference will appear to this privacy policy.
For dispatching our Newsletter we use a service offered by the ActiveCampaign, LLC, 1 N Dearborn St., 5th Floor Chicago, Illinois 60602 ("ActiveCampaign") which acts as a processor on our behalf. Personal data you have provided by registering to the Newsletter. The data you have provided through the newsletter registration (e-mail address, if applicable name, IP address, date and time of your registration) will be transmitted to and stored on a server operated by ActiveCampaign and exclusively be used for dispatching the newsletter to you. Your data will not be transferred to third parties. The collected data will not be synchronized with other data we collected through other components implemented on our Website. ActiveCampaign is certified under the Standard Contractual Clauses. For more information about how ActiveCampaign protects your privacy, see: https://www.activecampaign.com/legal/privacy-policy.
We process your personal data after gaining your consent for the Newsletter according to Art. 6 (1) phrase 1 lit. a GDPR. Your e-mail address is processed for sending you the newsletter. We check the e-mail address you have provided to ensure that you are in fact the actual owner or that the owner of the e-mail address has given his/her consent to receive the newsletter. We process your IP address, the date and time of your registration for our security in the event that a third party registers on our Website without your knowledge or misuses your personal data. The web-beacons enable us to recognize when an e-mail was opened and which link the recipient followed. We use this information to constantly improve our newsletter and to adapt it to your personal wishes and needs.
Your personal data will be deleted when it is not necessary anymore to achieve the purpose for which it has been collected. When you have canceled your subscription, your name, IP and e-mail address will be restricted, and no newsletter will be sent to you anymore. However, we store the data collected during the registration process after you have withdrawn your consent on the basis of Article 6 (1) phrase 1 lit. f GDPR, so we are able to prove in a legal dispute that you registered to our newsletter. This represents also our legitimate interest in storing the data. Your data will be deleted after three years from the end of the year in which you have withdrawn your consent. The data collected by using web-beacons will be deleted immediately after you have withdrawn your consent.
You can withdraw your given consent in accordance with Art. 7 GDPR at any time by unsubscribing from the Newsletter. You can cancel your subscription by clicking on the "Unsubscribe" link integrated with each newsletter. This does not affect the legality of the processing carried out on the basis of the given consent until you have declared your withdrawal. In the event of withdrawal, your personal data will no longer be processed and deleted immediately.
(5) Sending e-mails to customers via Google G Suite
We use G Suite, a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (“G Suite”), which acts as a processor on our behalf. We use this service to send Newsletter as described above, from our domain name to you. For this, Google receives your first and surname, subscription type of the newsletter and email address.
We process your personal data after gaining your consent for the Newsletter according to Art. 6 (1) phrase 1 lit. a GDPR. The purpose of transmitting your data to G Suite is to send you the correct newsletter type to your e-mail address. Google is certified under the Standard Contractual Clauses. For more information about how Zapier protects your privacy, see: https://policies.google.com/.
Your personal data will be deleted when it is not necessary anymore to achieve the purpose for which it has been collected. This will be the reason when you have canceled your subscription, in which case your name and e-mail address will be deleted immediately.
You can withdraw your given consent in accordance with Art. 7 GDPR at any time by unsubscribing from the Newsletter. You can cancel your subscription by clicking on the "Unsubscribe" link integrated with each newsletter. This does not affect the legality of the processing carried out on the basis of the given consent until you have declared your withdrawal. In the event of withdrawal, your personal data will no longer be processed and deleted immediately.
(6) Automated workflow for dispatching the Newsletter by using Zapier
We use Zapier, a service of Zapier, Inc., 548 Market, San Francisco, California 94104 (“Zapier”), which acts as a processor on our behalf. We use this service for automating processes between ActiveCampaign and G Suite regarding the dispatch of our Newsletter. For this, Zapier receives your first and surname, subscription type of the newsletter and e-mail address.
We process your personal data after gaining your consent for the Newsletter according to Art. 6 (1) phrase 1 lit. a GDPR. The purpose of using Zapier as a transmission channel to transfer your data from ActiveCampaign to G Suite is to ensure an effective and time-saving procedure that is less prone to errors due to automatization. Zapier is certified under the Standard Contractual Clauses. For more information about how Zapier protects your privacy, see: https://zapier.com/privacy.
Your personal data will be deleted when it is not necessary anymore to achieve the purpose for which it has been collected. This will be the reason when you have canceled your subscription, in which case your name and e-mail address will be deleted immediately.
You can withdraw your given consent in accordance with Art. 7 GDPR at any time by unsubscribing from the Newsletter. You can cancel your subscription by clicking on the "Unsubscribe" link integrated with each newsletter. This does not affect the legality of the processing carried out on the basis of the given consent until you have declared your withdrawal. In the event of withdrawal, your personal data will no longer be processed and deleted immediately.
(7) Amazon Cloud Front
We use the Amazon CloudFront service, operated by Amazon Web Services, Inc. Box 81226, Seattle, WA 98108-1226 (“Amazon”), to provide static and dynamic content more quickly to you. In addition to the date and time of your visit, the URL of the Web page you are visiting, and your IP address are transferred to Amazon servers in the USA. Amazon is certified under the Standard Contractual Clauses. Our purpose for using the service lies in streaming/downloading exercises on the Tamarkoz App with less interruption as possible. This constitutes also our legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.
How long your IP address is stored by Amazon is neither known to us nor can we influence this process. For further information on the use of your personal data and setting options to protect your privacy, please refer to the Amazon privacy policy at https://aws.amazon.com/de/privacy/?nc1=f_pr. You have the possibility to object to the processing of your personal data in accordance to Article 21 GDPR at any time. We are still allowed to process the personal data if we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
(8) Vimeo
Our website uses video components from Vimeo, LLC, headquartered at 555 West 18th Street, New York, New York 10011, USA, hereinafter referred to as "Vimeo". When you visit one of our subpages that embedded a Vimeo video, you connect to a server in the USA used by Vimeo to display the video. During this process, personal information is transmitted to the Vimeo server, such as your IP address, the URL of the subpage, and the time and date the subpage was accessed. If you are logged in to your Vimeo account at the time the Vimeo video is played, your usage behavior will relate to your personal Vimeo profile. Vimeo is certified under the Standard Contractual Clauses. For more information about how Vimeo protects your privacy, see: https://vimeo.com/privacy.
The legal basis for the use of Vimeo components is Art. 6 (1) phrase 1 lit. f GDPR. Your personal data will be processed in order to make the respective video uploaded to Vimeo accessible to you. This is also our legitimate interest in processing your personal data. We do not know how long your personal data collected by Vimeo is stored, nor can we influence this. However, if you do not want Vimeo to associate the data collected through our website directly with your Vimeo account, you can log out of your account before you watch the video. You can also completely prevent the use of the Vimeo plugin by using add-ons for your browser, e.g. the script blocker "NoScript" (http://noscript.net/).”
(9) Installation ID and push notifications
Furthermore, when M.T.O. Tamarkoz App is started for the first time, we assign a unique installation ID for each installation. It does not contain any personal data. If you delete M.T.O. Tamarkoz App and then reinstall it, a new installation ID will be assigned. When M.T.O. Tamarkoz App starts on the mobile device, a connection to a server can be established in order to send push notifications from the admin panel to the the respective device that the ID got assigned to.
We use Google Firebase, a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, to provide you with such push notifications after you consented according to Article 6 (1) Sentence 1 lit. a GDPR to receive them.
(10) Application of Stripe as a payment service provider
We are using the payment service provider Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA (“Stripe”), for online payment matters. When you execute payments, Stripe will collect according to its own Privacy Policy your payment method information (such as credit or debit card number, or bank account information), purchase amount, date of purchase, your name, email, billing or shipping address and in some cases your transaction history to authenticate you.
Stripe may also share your personal information with service providers, subcontractors or other affiliates to the extent necessary to fulfill the contractual obligations of your order or to process the personal information on behalf of Stripe. You will find an overview of these third parties under the following link: https://stripe.com/sub-processors/legal
The legal basis for the data processing is Article 6 (1) Sentence 1 lit. b GDPR.
The processing of your personal data is necessary for the processing of your order with the payment method selected by you, in particular for the confirmation of your identity as well as for the administration of your payment. Stripe will use your data as long as it is providing its services to you, for more detailed information, see the Privacy Policy of Stripe under https://stripe.com/privacy.
We may retain Personal Data after we cease providing Services to you, even if you close your Stripe account, to the extent necessary to comply with our legal and regulatory obligations, and for the purpose of fraud monitoring, detection and prevention.
(11) Payment for In-App-Purchases
If you make an In-App purchase on an Apple device, the transaction and payment will be made solely between you and the Apple App Store based on the terms and conditions and privacy policy applicable to that device, which can be found at https://www.apple.com/legal/internet-services/itunes/us/terms.html and https://www.apple.com/legal/privacy/en-ww/.
If you make an in-app purchase on an Android device from the Google Play Store, the transaction and payment will be made solely between you and the Google Play Store, subject to the terms and conditions and privacy policy of the Google Play Store, which can be found at https://play.google.com/about/play-terms/index.html and https://policies.google.com/privacy.
(12) Log-in through Facebook and Google
While logging in with your Facebook or Google account, we process your name, e-mail-address, profile picture and phone number on the basis of your consent Article 6 (1) Sentence 1 lit. a GDPR. We are using the profile picture you are using for the respective network also as profile picture to individualize your account in the M.T.O. Tamarkoz App. The other data is constantly processed because it is necessary for the use of M.T.O. Tamarkoz App that you are logged in. In case you want to withdraw your consent being logged in with your Facebook or Google account, you need to sign up with your e-mail-address or phone number, because otherwise we are not able to give you access to our app. We use Google Firebase, a service of Google Inc., for giving you the opportunity to log in with your Google account.
(13) Google Analytics
We use Google Analytics and Google Firebase, both services of Google Inc., to analyse the general use of the M.T.O. Tamarkoz App., in particular, app installs/uninstalls, category activities, exercise activities, FAQ activities, start of a session, number of shares. Your IP address does not get tracked during these activities. Google compiles and submits a report about the general usage of the M.T.O. Tamarkoz App and we use this information to continuously improve our service and increase the user-friendliness of the M.T.O. Tamarkoz App. The reports we receive do not contain personal data. We process the information according to Art. 6 (1) Sentence 1 lit. f GDPR.
Google is certified under the Standard Contractual Clauses.
(14) Google reCAPTCHA: SPAM Protection
We may use third-party Service Providers to provide better improvement of our Service. This type of service analyzes the traffic of the website, potentially containing Users' Personal Data, with the purpose of filtering it from parts of traffic, messages and content that are recognized as SPAM.
Google reCAPTCHA (Google LLC) is a SPAM protection service provided by Google LLC. The reCAPTCHA service may collect information from you and from your device for security purposes. The use of reCAPTCHA is subject to the Google privacy policy (https://policies.google.com/privacy) and terms of use (https://policies.google.com/terms).
(15) SendGrid
We use SendGrid, a service of SendGrid, Inc., 1801 California Street, Suite 500, Denver, Colorado 80202, as service provider to send you information via email regarding administrative issues, code verification, welcome notification and account updates. Additionally, we send you further information about our products and services we are offering in the M.T.O. Tamarkoz App or related products and services offered by M.T.O. Tamarkoz Association to keep you informed about various possibilities to improve your wellbeing. in order to help you to get used to the functions of the M.T.O. Tamarkoz App without any problems. For this, we process your account data, in particular, your name and email address according to Art. 6 (1) Sentence 1 lit. f GDPR. You have the right to object to this data processing by sending an email to info@tamarkozapp.com or sending us a request by using the “contact us” option integrated in the M.T.O. Tamarkoz App which you can find in the menu under “settings”, SendGrid is certified under the Standard Contractual Clauses.
(16) Twilio
We use Twilio, a service of Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA, 94105, USA, for sending you an SMS when you signup with your phone number. The processing of your phone number by Twilio is based on your consent according to Article 6 (1) Sentence 1 lit. a GDPR. You may withdraw your consent any time by sending an email to info@tamarkozapp.com or sending us a request by using the “contact us” option integrated in the M.T.O. Tamarkoz App which you can find in the menu under “settings”,
Twilio is certified under the Standard Contractual Clauses.
(17) Agora
Agora Lab, Inc. (together with its parent companies, subsidiaries and affiliates, hereinafter “Agora”) is a global voice and live interactive streaming platform headquartered in 2804 Mission College Blvd, Suite 201, Santa Clara, California, 95054, USA. Agora acts as a third party processor on our behalf through its software development kit (SDK) to allow for the broadcasting of real-time audio and/or video content, real-time recording, and real-time messaging.
When you visit Tamarkoz Live, we will request your consent to access your microphone and your camera according to Art. 6 (1) phrase lit. a GDPR. At the time of this visit, Agora may collect your personal information such as your IP address, use configuration data, real-time engagement metadata, feature usage, performance data, service logs, messages and usage data. However, Agora will never access, share, or disclose your content but may only temporarily retain such data. We may collect and retain your content such as voice data, video data, messaging and images data, and/or other data depending on what services are used by us. Agora may disclose or share your information with its partners, vendors and service providers, affiliates and subsidiaries, legally binding and legal-related disclosures, or other third parties. Agora uses built-in encryption algorithms and encrypted transmission protocols so it cannot read the encrypted content or relate it to you. While using Agora your personal data gets transferred to servers in the USA. To ensure an adequate level of data protection we concluded Standard Contractual Clauses with Agora.
Agora deletes your personal information when it is not necessary to process it anymore to achieve the processing purpose unless Agora is required to store the information for a longer period. Cloud recordings are deleted within 7 days by Agora and service/operation-related metadata is deleted within 30 days by Agora unless a longer storage period is permitted by law. You may withdraw your consent in accordance with Art. 7 GDPR at any time by contacting us through privacy@Tamarkozapp.com.
For further information on the use of your personal data and setting options to protect your privacy, please refer to Agora’s privacy policies at https://www.agora.io/en/privacy-policy/ and https://www.agora.io/en/agora-processor-privacy-statement/. Agora adheres to the guidelines set by the GDPR for data protection and privacy.
III. Your Rights
(1) You have the following rights vis-à-vis us with regard to the personal data concerning you:
– Right to be informed,
– Right to rectification and erasure,
– Right to restriction,
– Right to objection,
– Right to data portability.
– Right to withdrawal according to Article 7 (3) GDPR
(2) You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data is contrary to the GDPR. Our competent supervisory authority is
M.T.O. Jugendhilfe & Kulturförderung e.V.
Harffstr. 29
40596 Duesseldorf
(3) Residents of the State of California have the right to request a full and complete copy of their information once per year. Such copy will be made available by digital mail or physical mail. We will request proof of your identity to prevent fraud, abuse, or other malicious activities. Residents of the State of California may request the complete destruction of all information relating to them, their activities, and their purchases. In such instance, your ability to use our application, website, or other services, will be restricted, as such destruction will prohibit any services we may provide to you. We warrant and certify that we are not a data brokerage and that we will not sell or exchange your information. When a California resident contacts us, we will acknowledge their request within 10 days and may request proof of their identity before moving forward. Upon receipt of such proof, we will respond to the request within 60 days. The delete button on the App will allow for your personal data to be deleted as described above.
IV. Miscellaneous
(1) This Privacy Policy may be modified from time to time, due to ongoing changes in regulatory laws, our third-party associations, or for other reasons. We will make you aware of such change by posting a notice on our application, website, or other means reasonably available.
(2) We will seek to comply with any and all newly developed laws and regulations affecting your privacy. If you believe that this policy does not address your rights within your jurisdiction, please contact us and we will promptly look into the matter.
(3) While we will make reasonable and good faith efforts to delete information upon request, your information may be subject to the policies and terms & conditions or the entities referenced above.
(4) We are not liable for the privacy policy of any third party website and you are cautioned and advised when leaving our site to a third-party’s the terms of their privacy policy will be different from ours.
(5) The laws governing this policy, as outlined above, shall be the laws of the European Union, unless prohibited, in which case, the laws of the United States and the State of California shall control this policy.
(6) You may contact us at: info@tamarkozapp.com or by post PO Box 73288, Davis, CA 95617, U.S.