Privacy Policy for the M.T.O. Tamarkoz® App

Using our mobile app

 

I. Information on the processing of personal data

(1) In addition to our online service, we also provide you with a mobile app (“M.T.O. Tamarkoz® App") that you can download onto your mobile device. In the following we inform you about the collection of personal data when using M.T.O. Tamarkoz App. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.

(2) Data controller is according to Article 7 (7) of the European Data Protection Regulation (“GDPR”)


M.T.O. Tamarkoz® Association

PO Box 73288,

Davis,

CA 95617, U.S.

info@tamarkozapp.com

For our imprint see https://tamarkozapp.com/web/imprint

The internal Contact for Data Protection can be reached under the above stated address or via privacy@tamarkozapp.com.

 

(3) When you contact us by e-mail or via a contact form, we will store your e-mail address and, if you have provided it, also your name and telephone number in order to answer your questions. The data collected in this context will be deleted after storing it is no longer necessary. Do statutory obligations apply, the data will not be deleted but the processing will be restricted.

(4) For some processing activities it might be useful to assign external service providers for individual functions of our offer or use your data for advertising purposes. If we decide to do so, we will inform you below in detail about the respective processes. We will also specify the criteria for the retention period.

 

II. Processing of personal data when using our mobile app 

(1)   Download, deletion and temporarily pausing the processing of your personal data

When the M.T.O. Tamarkoz App is downloaded, the required information is transmitted to the App Store, in particular username, e-mail address, time of download and the individual device code number. We have no influence on this data collection and are not responsible for it. We process the data only to the extent necessary for downloading M.T.O. Tamarkoz App to your mobile device. This processing takes place on the basis of your consent pursuant to Article 6 (1) sentence 1 lit. a GDPR.

When you deinstall the M.T.O. Tamarkoz App, your data will be deleted 30 months from the date of deinstallation for the purpose for which they were collected, unless we are required by law to retain them. We assume that the data will be deleted after this period because we assume that it is no longer likely that you will use our services again. However, in order to give you the opportunity to restore your profile for a shorter period of time, e.g. because you deleted the app at an earlier point in time due to a lack of necessity, we store the data temporarily for you.

If, however, you wish to withdraw your consent and do not wish the use to be suspended temporarily, you can do so by sending an email to info@tamarkozapp.com or sending us a request by using the “contact us” option integrated in the M.T.O. Tamarkoz App which you can find in the menu under “settings”. M.T.O. Tamarkoz App is hosted on AWS Servers in USA and all data is stored in the Amazon RDS database, a service of Amazon.com, Inc. P.O. Box 81226, Seattle, WA 98108-1226, USA. Amazon.com, Inc. is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles.

(2)   Use of data for M.T.O. Tamarkoz App

In order to provide you meditation exercises that serve your individual preferences the best and being aware of your privacy needs, we do not track your health data and limiting the data processing to data categories that are relevant for your meditation experience. Therefore, we record only basic user interaction inside the M.T.O. Tamarkoz App, for example what exercises are your favorites, what categories/exercises you are searching for within the M.T.O. Tamarkoz App and your reporting dates. Furthermore, when you are performing an exercise, we store data about the date and time, it’s duration, amount of repetitions, it’s associated category and the degree of severity. When you decide to report your mood (e.g. happy, sad), we record your report and the date and time of its submission.  This processing is carried out on the legal basis of consent pursuant to Article 6 (1) sentence 1 lit. a GDPR.

You may withdraw your consent any time by sending an email to info@tamarkozapp.com or sending us a request by using the “contact us” option integrated in the M.T.O. Tamarkoz App which you can find in the menu under “settings”. After you have withdrawn your consent, your account will be deactivated. We will store your data for six months in case you will re-activate your account within this time period. If you do not re-activate your account within six months after withdrawing your consent, we will delete your data.

If you do not wish us to store your data for six months, please let us know when you withdraw your consent, then we will delete your data immediately.

(3)   Collection of log file data

When using M.T.O. Tamarkoz App, we collect the following log file data: 

- IP address

- User Name

- Sign-up type (email, mobile)

- Device ID

- Date and time of request

- Content of request (concrete page, concrete API endpoint)

- Access status/HTTP status code

- Device Access Token

- Amount of data transferred in each case

- Terminal equipment from which the request comes

- User agent

- Login limit

- Operating system and its interface

- Country ID

- Language and version of the user agent.

From a technical point of view, this data is absolutely necessary for us in order to offer the various functions of M.T.O. Tamarkoz App and to guarantee the stability and security of M.T.O. Tamarkoz App, as well as to enable comfortable use of the functions. This processing purpose also represents the legitimate interest, which according to Article 6 (1) Sentence 1 lit. f GDPR is the legal basis for data processing.

          IP addresses in log files are deleted after 14 days.

(4) Newsletter via ActiveCampaign

You have on our website the opportunity to subscribe to our complimentary newsletter. For sending the newsletter, we require the following data at the time of registration:

- E-mail address

- Name

- IP address

- Subscription type

Additionally, we process your IP address, date and time of your registration. Further data will not be processed during the registration process. Besides, we integrated so-called "web-beacons" in our e-mail newsletter. These are pixel-sized image files which record when and how often the newsletter is opened, how many times the e-mail is viewed, time of retrieval, e-mail client used by the recipient, your IP address and if you clicked on a certain elements included in the newsletter (e.g. buttons or links). The name of the image file is individualized for each newsletter recipient by attaching an unique ID. This enables us to register which ID belongs to which e-mail address and serves to determine which newsletter recipient has just opened or is reading the e-mail. As part of the registration process, we need to obtain your consent, so we are allowed to process your personal data regarding the dispatch of the Newsletter. Before giving your consent, a reference will appear to this privacy policy.

For dispatching our Newsletter we use a service offered by the ActiveCampaign, LLC, 1 N Dearborn St., 5th Floor Chicago, Illinois 60602 ("ActiveCampaign") which acts as processor on our behalf. Personal data you have provided by registering to the Newsletter. The data you have provided through the newsletter registration (e-mail address, if applicable name, IP address, date and time of your registration) will be transmitted to and stored on a server operated by ActiveCampaign and exclusively be used for dispatching the newsletter to you. Your data will not be transferred to third parties. The collected data will not be synchronized with other data we collected through other components implemented on our Website. ActiveCampaign is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles. For more information about how Zapier protects your privacy, see: https://www.activecampaign.com/legal/privacy-policy .

We process your personal data after gaining your consent for the Newsletter according to Art. 6 (1) phrase 1 lit. a GDPR. Your e-mail address is processed for sending you the newsletter. We check the e-mail address you have provided to ensure that you are in fact the actual owner or that the owner of the e-mail address has given his/her consent to receive the newsletter. We process your IP address, the date and time of your registration for our security in the event that a third party registers on our Website without your knowledge or misuses your personal data. The web-beacons enable us to recognize when an e-mail was opened and which link the recipient followed. We use this information to constantly improve our newsletter and to adapt it to your personal wishes and needs. 

Your personal data will be deleted when it is not necessary anymore to achieve the purpose for which it has been collected. When you have cancelled your subscription, your name, IP and e-mail address will be restricted, and no newsletter will be sent to you anymore. However, we store the data collected during the registration process after you have withdrawn your consent on the basis of Article 6 (1) phrase 1 lit. f GDPR, so we are able to proof in a legal dispute that you registered to our newsletter. This represents also our legitimate interest in storing the data. Your data will be deleted after three years from the end of the year in which you have withdrawn your consent. The data collected by using web-beacons will be deleted immediately after you have withdrawn your consent.

You can withdraw your given consent in accordance with Art. 7 GDPR at any time by unsubscribing from the Newsletter. You can cancel your subscription by clicking on the "Unsubscribe" link integrated in each newsletter. This does not affect the legality of the processing carried out on the basis of the given consent until you have declared your withdrawal. In the event of withdrawal, your personal data will no longer be processed and deleted immediately.  

(5) Sending e-mails to customers via Google G Suite

We use G Suite, a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (“G Suite”), which acts as processor on our behalf. We use this service to send Newsletter as described above, from our domain name to you. For this, Google receives your first and surname, subscription type of the newsletter and email address.

We process your personal data after gaining your consent for the Newsletter according to Art. 6 (1) phrase 1 lit. a GDPR. The purpose of transmitting your data to G Suite is to send you the correct newsletter type to your e-mail address. Google is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles. For more information about how Zapier protects your privacy, see: https://policies.google.com/ .

Your personal data will be deleted when it is not necessary anymore to achieve the purpose for which it has been collected. This will be the reason when you have cancelled your subscription, in which case your name and e-mail address will be deleted immediately. 

You can withdraw your given consent in accordance with Art. 7 GDPR at any time by unsubscribing from the Newsletter. You can cancel your subscription by clicking on the "Unsubscribe" link integrated in each newsletter. This does not affect the legality of the processing carried out on the basis of the given consent until you have declared your withdrawal. In the event of withdrawal, your personal data will no longer be processed and deleted immediately.  

(6) Automated workflow for dispatching the Newsletter by using Zapier

We use Zapier, a service of Zapier, Inc., 548 Market, San Francisco, California 94104 (“Zapier”), which acts as processor on our behalf. We use this service for automating processes between ActiveCampaign and G Suite regarding the dispatch of our Newsletter. For this, Zapier receives your first and surname, subscription type of the newsletter and e-mail address.

We process your personal data after gaining your consent for the Newsletter according to Art. 6 (1) phrase 1 lit. a GDPR. The purpose of using Zapier as transmission channel to transfer your data from ActiveCampaign to G Suite is to ensure an effective and time saving procedure that is less prone to errors due to automatization. Zapier is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles. For more information about how Zapier protects your privacy, see: https://zapier.com/privacy .

Your personal data will be deleted when it is not necessary anymore to achieve the purpose for which it has been collected. This will be the reason when you have cancelled your subscription, in which case your name and e-mail address will be deleted immediately. 

You can withdraw your given consent in accordance with Art. 7 GDPR at any time by unsubscribing from the Newsletter. You can cancel your subscription by clicking on the "Unsubscribe" link integrated in each newsletter. This does not affect the legality of the processing carried out on the basis of the given consent until you have declared your withdrawal. In the event of withdrawal, your personal data will no longer be processed and deleted immediately.  

(7) Amazon Cloud Front

We use the Amazon CloudFront service, operated by Amazon Web Services, Inc. Box 81226, Seattle, WA 98108-1226 (“Amazon”), to provide static and dynamic content more quickly to you. In addition to the date and time of your visit, the URL of the Web page you are visiting, and your IP address are transferred to Amazon servers in the USA. Amazon is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles. Our purpose for using the service lies in streaming/downloading exercises on the Tamarkoz App with less interruption as possible. This constitutes also our legitimate interest within the meaning of Art. 6 (1) lit. f GDPR.

How long your IP address is stored by Amazon is neither known to us nor can we influence this process. For further information on the use of your personal data and setting options to protect your privacy, please refer to the Amazon privacy policy at https://aws.amazon.com/de/privacy/?nc1=f_pr . You have the possibility to object to the processing of your personal data in accordance to Article 21 GDPR at any time. We are still allowed to process the personal data if we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

(8) Vimeo

Our website uses video components from Vimeo, LLC, headquartered at 555 West 18th Street, New York, New York 10011, USA, hereinafter referred to as "Vimeo". When you visit one of our subpages that embedded a Vimeo video, you connect to a server in the USA used by Vimeo to display the video. During this process, personal information is transmitted to the Vimeo server, such as your IP address, the URL of the subpage, and the time and date the subpage was accessed. If you are logged in to your Vimeo account at the time the Vimeo video is played, your usage behavior will relate to your personal Vimeo profile. Vimeo is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles. For more information about how Vimeo protects your privacy, see: https://vimeo.com/privacy.

The legal basis for the use of Vimeo components is Art. 6 (1) phrase 1 lit. f GDPR. Your personal data will be processed in order to make the respective video uploaded to Vimeo accessible to you. This is also our legitimate interest in processing your personal data.  We do not know how long your personal data collected by Vimeo is stored, nor can we influence this. However, if you do not want Vimeo to associate the data collected through our website directly with your Vimeo account, you can log out of your account before you watch the video. You can also completely prevent the use of the Vimeo plugin by using add-ons for your browser, e.g. the script blocker "NoScript" (http://noscript.net/).”

(9)   Installation ID and push notifications

Furthermore, when M.T.O. Tamarkoz App is started for the first time, we assign a unique installation ID for each installation. It does not contain any personal data. If you delete M.T.O. Tamarkoz App and then reinstall it, a new installation ID will be assigned. When M.T.O. Tamarkoz App starts on the mobile device, a connection to a server can be established in order to send push notifications from the admin panel to the respective device that the ID got assigned to.

We use Google Firebase, a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, to provide you with such push notifications after you consented according to Article 6 (1) Sentence 1 lit. a GDPR to receive them. 

(10)   Application of Stripe as payment service provider

We are using the payment service provider Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA (“Stripe”), for online payment matters. When you execute payments, Stripe will collect according to its own Privacy Policy your payment method information (such as credit or debit card number, or bank account information), purchase amount, date of purchase, your name, email, billing or shipping address and in some cases your transaction history to authenticate you.

Stripe may also share your personal information with service providers, subcontractors or other affiliates to the extent necessary to fulfill the contractual obligations of your order or to process the personal information on behalf of Stripe. You will find an overview of these third parties under the following link: https://stripe.com/sub-processors/legal

The legal basis for the data processing is Article 6 (1) Sentence 1 lit. b GDPR.

The processing of your personal data is necessary for the processing of your order with the payment method selected by you, in particular for the confirmation of your identity as well as for the administration of your payment. Stripe will use your data as long as it is providing its services to you, for more detailed information, see the Privacy Policy of Stripe under https://stripe.com/privacy.

We retain Personal Data after we cease providing Services to you, even if you close your Stripe account, to the extent necessary to comply with our legal and regulatory obligations, and for the purpose of fraud monitoring, detection and prevention.

Stripe is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles. In addition, Stripe has implemented intra-group data transfer agreements.

(11)  Payment for In-App-Purchases

If you make an In-App purchase on an Apple device, the transaction and payment will be made solely between you and the Apple App Store based on the terms and conditions and privacy policy applicable to that device, which can be found at https://www.apple.com/legal/internet-services/itunes/us/terms.html and https://www.apple.com/legal/privacy/en-ww/

If you make an in-app purchase on an Android device from the Google Play Store, the transaction and payment will be made solely between you and the Google Play Store, subject to the terms and conditions and privacy policy of the Google Play Store, which can be found at https://play.google.com/about/play-terms/index.html and https://policies.google.com/privacy

(12)  Log-in through Facebook and Google

While logging in with your Facebook or Google account, we process your name, e-mail-address, profile picture and phone number on the basis of your consent Article 6 (1) Sentence 1 lit. a GDPR. We are using the profile picture you are using for the respective network also as profile picture to individualize your account in the M.T.O. Tamarkoz App. The other data is constantly processed because it is necessary for the use of M.T.O. Tamarkoz App that you are logged in. In case you want to withdraw your consent being logged in with your Facebook or Google account, you need to sign up with your e-mail-address or phone number, because otherwise we are not able to give you access to our app. We use Google Firebase, a service of Google Inc., for giving you the opportunity to log in with your Google account.

(13)   Google Analytics

We use Google Analytics and Google Firebase, both services of Google Inc., to analyse the general use of the M.T.O. Tamarkoz App., in particular app installs/uninstalls, category activities, exercise activities, FAQ activities, start of a session, number of shares. Your IP address does not get tracked during these activities. Google compiles and submits a report about the general usage of the M.T.O. Tamarkoz App and we use this information to continuously improve our service and increase the user friendliness of the M.T.O. Tamarkoz App. The reports we receive do not contain personal data. We process the information according to Art. 6 (1) Sentence 1 lit. f GDPR.

Google is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles.

(14) SendGrid

We use SendGrid, a service of SendGrid, Inc., 1801 California Street, Suite 500, Denver, Colorado 80202, as service provide to send you information via email regarding administrative issues, code verification, welcome notification and account updates. Additionally, we send you further information about our products and services we are offering in the M.T.O. Tamarkoz App or related products and services offered by M.T.O. Tamarkoz Association to keep you informed about various possibilities to improve your wellbeing. in order to help you to get used to the functions of the M.T.O. Tamarkoz App without any problems. For this, we process your account data, in particular your name and email address according to Art. 6 (1) Sentence 1 lit. f GDPR. You have the right to object to this data processing by sending an email to info@tamarkozapp.com or sending us a request by using the “contact us” option integrated in the M.T.O. Tamarkoz App which you can find in the menu under “settings”, SendGrid is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles.

(15) Twilio

We use Twilio, a service of Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA, 94105, USA, for sending you an SMS when you signup with your phone number. The processing of your phone number by Twilio is based on your consent according to Article 6 (1) Sentence 1 lit. a GDPR. You may withdraw your consent any time by sending an email to info@tamarkozapp.com or sending us a request by using the “contact us” option integrated in the M.T.O. Tamarkoz App which you can find in the menu under “settings”,

SendGrid is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles.

 

III. Your Rights

You have the following rights vis-à-vis us with regard to the personal data concerning you:

–   Right to be informed,

–   Right to rectification and erasure,

–   Right to restriction,

–   Right to objection,

–   Right to data portability.

–   Right to withdrawal according to Article 7 (3) GDPR

 

(2) You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data is contrary to the GDPR. Our competent supervisory authority is

M.T.O. Jugendhilfe & Kulturförderung e.V.

Harffstr. 29

40596 Duesseldorf


(3) Residents of the State of California have the right to request a full and complete copy of their information once per year. Such copy will be made available by digital mail or physical mail. We will request proof of your identity to prevent fraud, abuse, or other malicious activities. Residents of the State of California may request the complete destruction of all information relating to them, their activities, and their purchases. In such instance, your ability to use our application, website, or other services, will be restricted, as such destruction will prohibit any services we may provide to you. We warrant and certify that we are not a data brokerage and that we will not sell or exchange your information. When a California resident contacts us, we will acknowledge their request within 10 days and may request proof of their identity before moving forward. Upon receipt of such proof, we will respond to the request within 60 days. In the event deletion of information is required we will provide a written statement asserting such deletion has occurred to the best of our ability.

 

IV. Miscellaneous

(1) This Privacy Policy may be modified from time to time, due to ongoing changes in regulatory laws, our third-party associations, or for other reasons. We will make you aware of such change by posting a notice on our application, website, or other means reasonably available.

(2) We will seek to comply with any and all newly developed laws and regulations affecting your privacy. If you believe that this policy does not address your rights within your jurisdiction, please contact us and we will promptly look into the matter.

(3) While we will make reasonable and good faith efforts to delete information upon request, your information may be subject to the policies and terms & conditions or the entities referenced above.

(4) We are not liable for the privacy policy of any third party website and you are cautioned and advised when leaving our site to a third-party’s the terms of their privacy policy will be different from ours.

(5) The laws governing this policy, as outlined above, shall be the laws of the European Union, unless prohibited, in which case, the laws of the United States and the State of California shall control this policy.

(6) You may contact us at: info@tamarkozapp.com or by post PO Box 73288, Davis, CA 95617, U.S.