Privacy Policy

Last updated: March 16, 2026

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online services”).

The terms used are not gender-specific.

Controller

Teratis Solutions GmbH
Altendeichstieg 10
21109 Hamburg

Authorized representative: Joel Renk

E-mail address: support@fog-breaker-support.com

Overview of Processing Activities

Types of Data Processed

• Master data (inventory data).
• Payment data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication and process data.
• Image and/or video recordings.
• Audio recordings.
• Log data.
• Health data (step count).

Categories of Data Subjects

• Service recipients and clients.
• Communication partners.
• Users.
• Business and contract partners.
• Third parties.

Purposes of Processing

• Provision of contractual services and fulfilment of contractual obligations.
• Communication.
• Security measures.
• Direct marketing.
• Reach measurement.
• Tracking.
• Conversion measurement.
• Click tracking.
• Organisational and administrative procedures.
• Feedback.
• Marketing.
• Profiles with user-related information.
• Registration procedures.
• Provision of our online services and user experience.
• Information technology infrastructure.
• Public relations.
• Business processes and operational procedures.
• Provision of activity-based app features (step tracking).

Applicable Legal Bases

Applicable legal bases under the GDPR: The following is an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of personal data relating to them for one or more specific purposes.
• Contract performance and pre-contractual enquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains specific provisions regarding the right of access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making in individual cases including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Applicable legal bases under the Swiss Data Protection Act: If you are in Switzerland, your data is processed on the basis of the Federal Act on Data Protection (Swiss DPA). Unlike the GDPR, the Swiss DPA generally does not require a legal basis to be stated for the processing of personal data, and the processing of personal data is carried out in good faith, lawfully, and proportionately (Art. 6(1) and (2) Swiss DPA). We only collect personal data for a specific purpose that is recognisable to the data subject and only process it in a manner compatible with that purpose (Art. 6(3) Swiss DPA).

Security Measures

We implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to data, as well as access, input, transmission, ensuring availability and separation of data. We have also established procedures to ensure the exercise of data subject rights, deletion of data and responses to data compromise. Furthermore, we consider the protection of personal data during the development and selection of hardware, software and procedures in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorised access. TLS, as the further developed and more secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.

Transfer of Personal Data

In the course of processing personal data, it may be transmitted to or disclosed to other entities, companies, legally independent organisational units or individuals. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers

Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transferring data to other persons, entities or companies, this is done in compliance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised as a safe legal framework by an adequacy decision of the EU Commission on 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers in accordance with the EU Commission’s requirements, which establish contractual obligations for the protection of your data.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary protection level, while the Standard Contractual Clauses serve as an additional safeguard. Should changes occur in the context of the DPF, the Standard Contractual Clauses will act as a reliable fallback option.

For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

Disclosure of personal data abroad (Swiss DPA): In accordance with the Swiss DPA, we only disclose personal data abroad if adequate protection of the persons concerned is ensured (Art. 16 Swiss DPA). If the Federal Council has not established adequate protection, we take alternative protective measures.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with statutory provisions as soon as the underlying consents are revoked or no further legal grounds for the processing exist. This applies to cases where the original processing purpose no longer applies or the data is no longer required. Exceptions to this rule exist where statutory obligations or special interests require longer retention or archiving of data.

Retention and deletion periods under German law:

• 10 years – Books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the operating instructions and other organisational documents required for their understanding (§ 147(1) No. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) No. 1 in conjunction with (4) HGB).
• 8 years – Accounting records, such as invoices and cost receipts (§ 147(1) No. 4 and 4a in conjunction with (3)(1) AO and § 257(1) No. 4 in conjunction with (4) HGB).
• 6 years – Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents relevant for taxation purposes, as well as payroll accounting documents and cash register tapes (§ 147(1) No. 2, 3, 5 in conjunction with (3) AO, § 257(1) No. 2 and 3 in conjunction with (4) HGB).
• 3 years – Data required to account for potential warranty and damage claims or similar contractual claims and rights is stored for the duration of the standard statutory limitation period of three years (§§ 195, 199 BGB).

Retention and deletion periods under Swiss law:

• 10 years – Books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting vouchers and invoices, as well as all required operating instructions and other organisational documents (Art. 958f Swiss Code of Obligations (OR)).
• 10 / 5 years – Data necessary for potential damage claims or similar contractual claims is stored for the duration of the statutory limitation period of ten years, unless a shorter period of five years applies in certain cases (Art. 127, 128, 130 OR).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject under the GDPR, you have various rights arising in particular from Arts. 15 to 21 GDPR:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
• Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about such data, as well as further information and a copy of the data in accordance with statutory requirements.
• Right to rectification: You have the right in accordance with statutory requirements to request the completion of data concerning you or the correction of inaccurate data concerning you.
• Right to erasure and restriction of processing: You have the right in accordance with statutory requirements to request that data concerning you be erased immediately, or alternatively to request restriction of the processing of such data.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with statutory requirements.
• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Rights of data subjects under the Swiss DPA: As a data subject under the Swiss DPA, you have the following rights:

• Right to information: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary for you to exercise your rights under this Act and to ensure transparent data processing.
• Right to data release or transfer: You have the right to request the release of your personal data that you have provided to us in a commonly used electronic format.
• Right to rectification: You have the right to request the correction of inaccurate personal data concerning you.
• Right to object, erasure and destruction: You have the right to object to the processing of your data, and to request that personal data concerning you be erased or destroyed.

Payment Processing

We use additional service providers for payment transactions in the context of contractual and other legal relationships, on the basis of statutory obligations or otherwise on the basis of our legitimate interests. The payment transactions are carried out exclusively via encrypted connections in accordance with the state of the art, so that the entered data is protected against unauthorised access during transmission.

• Types of data processed: Master data; payment data; contract data; usage data; meta, communication and process data; contact data.
• Data subjects: Service recipients and clients; business and contract partners.
• Purposes of processing: Provision of contractual services; business processes; conversion measurement; marketing; provision of our online services.
• Legal bases: Contract performance (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Services used:

• RevenueCat: Management of subscriptions and in-app purchases, revenue data analysis, user activity tracking, integration with app stores to automate payment processing, management of promotions and discounts, provision of real-time analytics and reports on subscriber data. Service provider: Revenuecat, Inc., 1032 E Brandon Blvd #3003 Brandon, FL 33511, USA. Website: https://www.revenuecat.com/. Privacy policy: https://www.revenuecat.com/privacy/.

Provision of Online Services and Web Hosting

We process user data in order to provide our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

• Types of data processed: Usage data; meta, communication and process data; log data; content data.
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online services; IT infrastructure; security measures.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Services used:

• Collection of access data and log files: Access to our online services is logged in the form of server log files. Server log files may include the address and name of the accessed web pages and files, the date and time of access, the volume of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Log file information is stored for a maximum of 30 days and then deleted or anonymised. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• Google Cloud Services: Cloud infrastructure services and cloud-based application software. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Website: https://cloud.google.com/. Privacy policy: https://policies.google.com/privacy. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.

Processing of Data in the Context of the Application (App)

We process user data of our application to the extent necessary to provide users with the application and its functionalities, to monitor its security and to continue developing it. We may also contact users in compliance with legal requirements where communication is required for the administration or use of the application.

• Types of data processed: Master data; usage data; meta, communication and process data; image and/or video recordings; audio recordings; content data; health data (step count).
• Data subjects: Users; business and contract partners; third parties; service recipients and clients; communication partners.
• Purposes of processing: Provision of contractual services; security measures; provision of our online services; organisational and administrative procedures; IT infrastructure; business processes; communication; reach measurement; tracking; profiling.
• Legal bases: Contract performance (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR).

Services and notes:

• Storage of a pseudonymous identifier: To provide and ensure the functionality of the application, we use a pseudonymous identifier. This identifier is a mathematical value (i.e. no clear-text data such as names are used) that is assigned to a device and/or the installation of the application on it. It is generated when the application is installed, remains stored between application starts and updates, and is deleted when users remove the application from their device.
• Device permissions for access to functions and data: The use of our application or its functionalities may require user permissions to access certain functions or data stored on or accessible via the device. Permissions must be granted by users and can be revoked at any time in the device settings. Revoking permissions may affect the functionality of the application.
• Access to camera and stored recordings: In the context of using our application, image and/or video recordings (including audio recordings) of users (and other persons captured in the recordings) are processed via access to camera functions or stored recordings. Such access requires revocable user permission and serves solely to provide the respective functionality of the application.
• Use of microphone functions: In the context of using our application, microphone functions and audio recordings captured with their help are processed. Use of the microphone functions requires revocable user permission and serves solely to provide the respective functionality of the application.
• Access to health and activity data (step count): Our application accesses the user’s step count data. This data is collected via the device’s built-in pedometer sensor and, where available, via the platform’s health APIs (Google Health Connect on Android, Apple HealthKit on iOS). Access requires revocable user permission. Step count data is a core feature of the application and is transmitted to and stored on our servers, linked to the user’s account, in order to provide activity-based app features. Step count data is not shared with third parties. It is deleted when the user deletes their account or upon request; Legal basis: Contract performance (Art. 6(1)(b) GDPR), as step tracking is a core feature of the service; consent (Art. 6(1)(a) GDPR) for access to the device’s health APIs where required by the operating system.
• No location history or movement profiles: Location data is only used on a point-in-time basis and is not processed to create a location history or movement profile of the devices used or their users.
• Supabase: Cloud-based platform providing developers with tools for building and scaling applications, including authentication, real-time database, APIs, storage and analytics. Service provider: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992. Website: https://supabase.com/. Privacy policy: https://supabase.com/privacy. Third-country transfer basis: EU/EEA – Standard Contractual Clauses; Switzerland – Standard Contractual Clauses.
• Sentry: Monitoring system stability and identifying code errors – device details or error timestamps are collected pseudonymously and subsequently deleted. Service provider: Functional Software Inc., Sentry, 132 Hawthorne Street, San Francisco, California 94107, USA. Security measures: IP masking (pseudonymisation of IP address). Website: https://sentry.io. Privacy policy: https://sentry.io/privacy/. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.
• Firebase Cloud Messaging: Sending push notifications to mobile devices and web applications, managing message queues for efficient delivery, supporting user group segmentation for targeted communication, providing analytics to evaluate notification effectiveness. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Website: https://firebase.google.com. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.
• PostHog Cloud EU: Web analytics and reach measurement – collection of information about user interactions with the online service regarding its features, content and duration of use. Service provider: PostHog Inc., 261 Market St., #4008, San Francisco, CA 94114, USA. Legal basis: consent (Art. 6(1)(a) GDPR). Website: https://posthog.com/. Privacy policy: https://posthog.com/privacy. Note: operated on EU servers. Third-country transfer basis: EU/EEA – Standard Contractual Clauses; Switzerland – Standard Contractual Clauses.

Obtaining Applications via App Stores

Our application is obtained via special online platforms operated by other service providers (so-called “app stores”). In this context, the privacy policies of the respective app stores apply in addition to our privacy notices, in particular with regard to the procedures used on the platforms for reach measurement and interest-based marketing, as well as any charges.

• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Services used:

• Apple App Store: App and software sales platform. Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA. Privacy policy: https://www.apple.com/legal/privacy/en-ww/.
• Google Play: App and software sales platform. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy.

Registration, Login and User Accounts

Users may create a user account. In the course of registration, the required mandatory information is communicated to users and processed for the purpose of providing the user account on the basis of contractual obligation. The data processed includes, in particular, login information (username, password and an e-mail address).

In the context of using our registration and login functions and the use of the user account, we store the IP address and the time of each user action. Storage is based on our legitimate interests and those of the user in protection against misuse and other unauthorised use. User data may be deleted upon termination of account unless legal obligations require otherwise.

• Registration with pseudonyms: Users may use pseudonyms as usernames instead of real names.
• User profiles are not public: User profiles are not publicly visible or accessible.
• Deletion of data upon termination: When users cancel their user account, their data relating to the user account is deleted, subject to statutory permission, obligation or user consent.

Single Sign-On Authentication

“Single sign-on” or “single sign-on authentication” refers to procedures that allow users to log in to our online services using a user account with a single sign-on provider (e.g. a social network). The authentication takes place directly with the respective single sign-on provider. In the course of such authentication, we receive a user ID confirming that the user is logged in under that user ID with the respective provider and a non-reusable ID (a so-called “user handle”). Whether additional data is transmitted to us depends solely on the single sign-on procedure used, the data releases selected during authentication, and the settings in the user’s privacy or other account settings with the single sign-on provider.

Services used:

• Apple Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations. Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA. Privacy policy: https://www.apple.com/legal/privacy/en-ww/.
• Google Single Sign-On: Authentication services for user logins, provision of single sign-on functions, management of identity information and application integrations. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF).

Contact and Enquiry Management

When you contact us (e.g. by post, contact form, e-mail, telephone or via social media) and in the context of existing user and business relationships, the information provided by the enquiring party is processed to the extent necessary to respond to contact enquiries and any requested measures.

Services used:

• Contact form: When contact is made via our contact form, by e-mail or other communication channels, we process the personal data transmitted to us to respond to and process the respective request. This typically includes details such as name, contact information and any other information provided to us that is necessary for appropriate processing. We use this data exclusively for the stated purpose of making contact and communication.
• Discord: Chat, audio and video transmissions, instant messaging and community management. Service provider: Discord, Inc., 444 De Haro St, Suite 200, San Francisco, California 94107, USA. Privacy policy: https://discord.com/privacy. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF).

Communication via Messenger

We use messenger services for communication. In the case of end-to-end encryption of content (i.e. the content of your message and attachments), we point out that the communication content is encrypted end-to-end, meaning that the content of messages cannot be viewed even by the messenger providers themselves. However, messenger providers may still be able to determine when and with whom communication partners communicate with us, as well as technical information about the device used and, depending on device settings, also location information (so-called metadata).

You can revoke any consent given at any time and object to communication with us via messenger at any time.

Push Notifications

With the consent of users, we may send so-called “push notifications” – messages displayed on users’ screens, end devices or in browsers, even when our online service is not actively being used. To subscribe to push notifications, users must confirm the request from their browser or end device. This consent process is documented and stored. A pseudonymous identifier of the browser (so-called “push token”) or the device ID of an end device is stored for this purpose.

Users can change their receipt of push notifications at any time using the notification settings of their respective browser or end device.

• Push notifications with advertising content: Push notifications sent by us may contain advertising information. Commercial push notifications are processed on the basis of user consent. Legal basis: consent (Art. 6(1)(a) GDPR).

Newsletter and Electronic Notifications

We send newsletters, e-mails and other electronic notifications (hereinafter “newsletter”) only with the consent of the recipients or on the basis of a statutory authorisation. Newsletter content typically includes information about our services, promotions and offers.

Unsubscribing: You can cancel receipt of our newsletter at any time, i.e. withdraw your consent or object to further receipt. A link to unsubscribe from the newsletter can be found at the end of each newsletter, or you may use the contact options provided above.

Measurement of open and click rates: Newsletters contain a so-called “web beacon” – a pixel-sized file that is retrieved from our server (or that of a dispatch service provider) when the newsletter is opened. Technical information such as browser details, your system and IP address, as well as the time of retrieval, are collected. This information is used for the technical improvement of our newsletter based on technical data or target groups and their reading behaviour. Legal basis: consent (Art. 6(1)(a) GDPR).

Services used:

• Resend: Sending, receiving and managing e-mails; tools for analysing and optimising e-mail campaigns. Service provider: Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Website: https://resend.com/. Privacy policy: https://resend.com/legal/privacy-policy.

Presences on Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We point out that user data may be processed outside the European Union in this context, which may give rise to risks for users, for example making it harder to enforce user rights. User data within social networks is typically processed for market research and advertising purposes.

Services used:

• Instagram: Social network enabling the sharing of photos and videos, commenting and liking posts, sending messages, and subscribing to profiles and pages. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Privacy policy: https://privacycenter.instagram.com/policy/. Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF).
• X (formerly Twitter): Social network. Service provider: X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland. Privacy policy: https://x.com/en/privacy.

Changes and Updates

We ask you to regularly inform yourself about the content of our privacy policy. We update the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require an action on your part (e.g. consent) or other individual notification.

Where we provide addresses and contact information of companies and organisations in this privacy policy, please note that addresses may change over time and ask you to verify the information before contacting us.

Definitions

This section provides an overview of the terms used in this privacy policy. To the extent that terms are legally defined, their statutory definitions apply.

• Master data (inventory data): Master data encompasses essential information needed for the identification and management of contractual partners, user accounts, profiles and similar assignments. This data may include personal and demographic details such as names, contact information (addresses, telephone numbers, e-mail addresses), dates of birth and specific identifiers (user IDs).
• Content data: Content data encompasses information generated in the course of creating, editing and publishing content of all kinds. This category may include texts, images, videos, audio files and other multimedia content published on various platforms and media, together with associated metadata.
• Click tracking: Click tracking allows the movements of users across an entire online service to be tracked. Since the results of these tests are more accurate when the interaction of users can be tracked over a certain period of time, cookies are usually stored on users’ computers for these test purposes.
• Contact data: Contact data is essential information that enables communication with individuals or organisations. It includes telephone numbers, postal addresses and e-mail addresses, as well as communication means such as social media handles and instant messaging identifiers.
• Conversion measurement: Conversion measurement (also referred to as “visit action evaluation”) is a procedure used to assess the effectiveness of marketing measures. A cookie is usually stored on users’ devices on websites where the marketing measures take place and then retrieved again on the target website.
• Meta, communication and process data: Meta, communication and process data are categories containing information about the way in which data is processed, transmitted and managed. Metadata describes the context, origin and structure of other data. Communication data captures the exchange of information between users via various channels. Process data describes the processes and workflows within systems or organisations, including transaction logs and activity records.
• Usage data: Usage data refers to information that captures how users interact with digital products, services or platforms, including features used, time spent on pages, navigation paths, frequency of use, IP addresses, device information and location data.
• Personal data: “Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Profiles with user-related information: The processing of “profiles with user-related information” or “profiles” encompasses any type of automated processing of personal data that consists of using these personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include information about demographics, behaviour and interests).
• Log data: Log data is information about events or activities logged in a system or network, typically including timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system.
• Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate visitor flows of an online service and may encompass the behaviour or interests of visitors in relation to certain information, such as website content.
• Tracking: “Tracking” refers to the ability to track the behaviour of users across multiple online services. Behavioural and interest information is typically stored in cookies or on the servers of tracking technology providers (so-called profiling).
• Controller: The “controller” is the natural or legal person, authority, institution or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: “Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or erasure.
• Contract data: Contract data is specific information relating to the formalisation of an agreement between two or more parties, documenting the conditions under which services or products are provided, exchanged or sold.
• Payment data: Payment data encompasses all information required to process payment transactions between buyers and sellers, including credit card numbers, bank account details, payment amounts, transaction data, verification numbers and billing information.