Data Policy

Privacy Policy Mobile App

1. Introduction

Below, we provide information about the processing of personal data when using our mobile app VYTAL (hereinafter referred to as "App").
Personal data refers to all data that can be associated with a specific natural person, e.g., their name or IP address.

1.1. Contact Details

The responsible party in accordance with Article 4(7) of the EU General Data Protection Regulation (GDPR) is:
VYTAL Global GmbH,
c/o The Ship, Vitalisstraße 67, 50827 Cologne, Germany,
Email: hallo@vytal.org.

We are legally represented by Dr. Tim Breker, Dr. Fabian Barthel, and Dr. Josephine Kreische.
Our data protection officer is heyData GmbH, Gormannstr. 14, 10119 Berlin, www.heydata.eu, Email: info@heydata.de.

1.2. Scope of Data Processing, Purposes, and Legal Bases

Details regarding the scope, purposes, and legal bases for data processing are outlined below. In general, the following legal bases are applicable:

  • Art. 6(1)(1)(a) GDPR: Consent-based processing.
  • Art. 6(1)(1)(b) GDPR: Processing necessary for the performance of a contract, such as purchasing a product or using a service.
  • Art. 6(1)(1)(c) GDPR: Processing necessary to comply with legal obligations, e.g., tax requirements.
  • Art. 6(1)(1)(f) GDPR: Processing based on legitimate interests, such as cookies essential for the technical operation of the website.

1.3. Data Processing Outside the EEA

When transmitting data to third parties or service providers outside the European Economic Area (EEA), we ensure data security through measures such as EU Commission adequacy decisions (Article 45(3) GDPR) or standard contractual clauses (Article 46(2)(b) GDPR).

1.4. Retention Period

Unless explicitly stated otherwise, stored data will be deleted once it is no longer needed for its intended purpose and no legal retention obligations apply. For data required for other purposes, processing is restricted (e.g., data retained for legal reasons is blocked from other uses).

1.5. Rights of Data Subjects

Individuals have the following rights regarding their personal data:

  • Right to access
  • Right to rectification or deletion
  • Right to restriction of processing
  • Right to object to processing
  • Right to data portability
  • Right to withdraw consent at any time

Individuals may also lodge complaints with a data protection supervisory authority.

1.6. Obligation to Provide Data

Customers and interested parties are required to provide only the personal data necessary for the establishment, performance, or termination of a business relationship or as required by law. Without this data, we may be unable to provide services or execute contracts.

1.7. No Automated Individual Decision-Making

We do not use fully automated decision-making (Article 22 GDPR) for establishing or maintaining business relationships.

1.8. Contact

When contacting us (e.g., via email or phone), the provided data will be stored to respond to inquiries. The legal basis is our legitimate interest (Art. 6(1)(1)(f) GDPR). Data will be deleted once no longer necessary or processing will be restricted as required by law.

2. Data Processing in the App

2.1. Downloading the App

Our app is available for download from Apple's App Store and Google's Play Store (hereafter referred to as "Stores"). When users download the app, the required information is transmitted to the Stores, including the username, email address, account customer number, time of download, payment information, and the individual device identifier. We have no influence over this data collection and are not responsible for it. We only process the data necessary to download the mobile app onto the user's device.
Users can also download the mobile app directly to their device from our website. Additional user data processed during the download via the website is outlined in our website's privacy policy.

2.2. Hosting

We generally do not use fully automated decision-making under Article 22 GDPR in business or other relationships. Should this change in specific cases, users will be informed separately, as legally required.

1.8. Contact

When users contact us (e.g., via email or phone), the data they provide (e.g., name and email address) is stored to respond to their inquiries. The legal basis for processing is our legitimate interest (Article 6(1) sentence 1(f) GDPR) in responding to inquiries. Data related to inquiries is deleted once it is no longer necessary or restricted if legal retention obligations apply.

1.9. Customer Surveys

We occasionally conduct customer surveys to better understand customer needs. The data collected during these surveys is processed based on our legitimate interest (Article 6(1) sentence 1(f) GDPR) in improving our services. Data is deleted once survey results are evaluated.

2. Newsletter

We may occasionally inform customers who have previously used our services or purchased products about new offers via email or other electronic means unless they object. The legal basis is Article 6(1) sentence 1(f) GDPR, with our legitimate interest being direct marketing (Recital 47 GDPR). Customers can object to the use of their email address for marketing purposes at any time, free of charge, by using the unsubscribe link in our emails or contacting us at the above email address.

Newsletter Subscription
Interested parties can subscribe to a free newsletter by providing their data during signup. This data is processed exclusively for sending the newsletter. Signup occurs via:

Our app is hosted by an external provider within the EU. This provider processes the personal data transmitted via the app, such as content, usage, meta/communication data, or contact data. It is in our legitimate interest to provide the app, making the legal basis for data processing Article 6(1) sentence 1(f) GDPR.

2.3. Informational Use of the App

When users use our app, we collect the data necessary to offer its functionalities and ensure stability and security. This serves our legitimate interest, with the legal basis being Article 6(1) sentence 1(f) GDPR.


The data processed includes:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Requested content (specific page)
  • Access status/HTTP status code
  • Transferred data volume
  • Operating system and its interface
  • Language and version of the device

2.4. Access to Functions or Data

The app requests access to certain device functions or data to execute app features. By granting access, users consent to the associated data processing, with the legal basis being Article 6(1) sentence 1(a) GDPR. Users can revoke consent at any time by disabling access in their device settings. Revocation does not affect the legality of processing conducted before revocation.
The processed functions or data include the camera and the user's location.

2.5. Data Processing for Providing Features

We also process the data entered by users into the app and location data to provide app functionalities. The legal basis for this processing is the user agreement regarding the app. If location access is revoked (see section 2.4), location data will no longer be processed.

2.6. User Account

Users can create a user account in the app. The data collected in this context is processed to fulfill the user agreement regarding the account, with the legal basis being Article 6(1) sentence 1(b) GDPR. The data will be deleted when users delete their account. Users can request account deletion via email.

2.7. Single-Sign-On

Users can log into our app using one or more Single-Sign-On (SSO) services, utilizing login credentials already created with a provider. Users must already be registered with the respective provider. When using SSO, we receive information from the provider indicating the user's login status, and the provider receives information about the user's use of SSO with our app.
Depending on the user's account settings with the provider, additional information may be shared with us. The legal basis for this processing is the user agreement between the user and the provider.


Providers include:

  • Apple Inc., Infinite Loop, Cupertino, CA 95014, USA (Privacy Policy)
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Privacy Policy)
  • Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook")
    For Facebook, users are informed about the data shared during the login process. This typically includes name, email address, and Facebook ID. Additional details about Facebook's data processing and privacy rights can be found at Facebook Privacy Policy.
    We share responsibility with Facebook for data processing under SSO and have entered into a joint responsibility agreement (Article 26 GDPR), specifying respective obligations. We provide this information, while Facebook handles other rights under Articles 15-20 GDPR.

2.8. Payment Service Providers

To process payments, we use payment processors who act as independent data controllers per Article 4(7) GDPR. By sharing the required order and payment data with these providers, we fulfill our customer agreement (Article 6(1) sentence 1(b) GDPR).


Payment service providers include:

  • Apple Inc., USA (for Apple Pay)
  • Google Ireland Limited, Ireland (for Google Pay)
  • PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg
  • Stripe Payments Europe, Ltd., Ireland

2.10. Third-Party Tools

2.10.1. Segment
We use Segment, provided by Segment.io, Inc., 100 California Street Suite 700, San Francisco, CA 94111, USA, for analytics. Segment processes metadata and communication data (e.g., device information, IP addresses) in the USA, affecting customers and users.
The legal basis for processing is Article 6(1) sentence 1(a) GDPR, based on user consent. Consent can be revoked anytime without affecting the lawfulness of prior processing.
Data transfer outside the EEA is secured through Standard Contractual Clauses under Article 46(2)(c) GDPR. Data is deleted when no longer needed. Further details are available in Segment's Privacy Policy.

2.10.2. Google Analytics
We use Google Analytics from Google Ireland Limited for analytics, processing metadata and communication data (e.g., device information, IP addresses) in the USA.
The legal basis for processing is Article 6(1) sentence 1(a) GDPR, based on user consent. Consent can be revoked anytime without affecting the lawfulness of prior processing.
Data transfer outside the EEA is secured through Standard Contractual Clauses under Article 46(2)(c) GDPR. Data is deleted when no longer needed. Further details are available in Google's Privacy Policy.

3. Changes to This Privacy Policy

We reserve the right to amend this privacy policy with future effect. The current version is always available here.

4. Questions and Comments

For any questions or comments regarding this privacy policy, feel free to contact us using the contact details provided above.

Privacy Policy for Website

1. Introduction

This document provides information on the processing of personal data when using:

  • Our website vytal.org
  • Our profiles on social media.

Personal data refers to any information relating to an identified or identifiable natural person, such as their name or IP address.

1.1. Contact Information

The controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) is:


VYTAL Global GmbH
Maarweg 251b, 50825 Cologne, Germany
Email: hallo@vytal.org
Legal representatives:

Dr. Tim Breker,
Dr. Fabian Barthel, and
Dr. Josephine Kreische


Our data protection officer is:
Martin Bastius
heyData GmbH
Gormannstr. 14, 10119 Berlin, Germany
Website: www.heydata.eu
Email: info@heydata.de

1.2. Scope of Data Processing, Purposes, and Legal Basis

The scope, purposes, and legal basis for data processing are detailed below. The following legal bases apply to data processing:

  • Article 6(1) sentence 1(a) GDPR: For processing based on user consent.
  • Article 6(1) sentence 1(b) GDPR: For processing necessary for contract fulfillment, such as when a user purchases a product or requests services. This also includes pre-contractual measures.
  • Article 6(1) sentence 1(c) GDPR: For processing to comply with legal obligations (e.g., tax requirements).
  • Article 6(1) sentence 1(f) GDPR: For processing based on legitimate interests, such as cookies necessary for the technical operation of the website.

1.3. Data Processing Outside the EEA

When transferring data to service providers or third parties outside the European Economic Area (EEA):

  • If an adequacy decision (e.g., for Canada or Israel) exists under Article 45(3) GDPR, the security of the data transfer is guaranteed.
  • If no adequacy decision exists (e.g., for the USA), the legal basis is typically Standard Contractual Clauses (SCCs) under Article 46(2)(b) GDPR, which form part of the contract with the third party. Many providers offer additional contractual guarantees, such as encryption measures or notification obligations in case of government access requests.
  • Data transfers to the United Kingdom currently rely on the transitional provisions in the Trade and Cooperation Agreement between the EU and the UK.

1.4. Retention Period

Unless explicitly stated otherwise, stored data is deleted when it is no longer necessary for its intended purpose and no legal retention obligations prevent its deletion. If data cannot be deleted due to other legally permissible purposes, its processing is restricted (e.g., locked and not used for other purposes), particularly for commercial or tax-related obligations.

1.5. Data Subject Rights

Data subjects have the following rights regarding their personal data:

  • Right to access
  • Right to rectification or deletion
  • Right to restriction of processing
  • Right to object to processing
  • Right to data portability
  • Right to withdraw consent at any time

Additionally, data subjects have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data.

1.6. Obligation to Provide Data

Customers, prospects, or third parties must only provide personal data necessary for establishing, executing, and terminating a business relationship or as required by law. Without this data, contracts or services cannot be fulfilled or maintained. Required fields are marked as such.

1.7. No Automated Individual Decision-Making

  • Selecting a checkbox on our website
  • Checking a box on a paper form
  • Any other clear action indicating consent

The legal basis for processing is Article 6(1) sentence 1(a) GDPR (consent), which can be revoked at any time using the unsubscribe link in the newsletter or by contacting us. Revocation does not affect the legality of processing before revocation.

Tracking in Newsletters
Based on user consent (Article 6(1) sentence 1(a) GDPR), we track the open and click rates of our newsletters to understand content relevance for recipients.

Newsletter Tools Used:

  • SendGrid by Twilio, Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA (Privacy Policy)
  • HubSpot by HubSpot, Inc., 25 1st Street, Cambridge, MA 0214, USA (Privacy Policy)
  • Customer.io by Peaberry Software, Inc., 921 SW Washington Street Suite 820, Portland, OR 97205, USA (Privacy Policy)

These providers process content, usage, meta/communication data, and contact data in the USA.

3. Data Processing on Our Website

3.1. Informational Use of the Website

When visiting our website purely for informational purposes (i.e., without submitting information), we collect personal data transmitted by the browser to our server to ensure the stability and security of our website. This serves our legitimate interest, making the legal basis Article 6(1) sentence 1(f) GDPR.
The data collected includes:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred
  • Website from which the request originated
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

This data is also stored in log files and deleted when no longer necessary, at the latest after 14 days.

3.2. Web Hosting and Website Provision

Our website is hosted by Webflow, Inc., 208 Utah, Suite 210, San Francisco, CA 94103, USA (Privacy Policy). The provider processes personal data transmitted via the website, such as content, usage, metadata, communication, or contact data, in the USA.
Our legitimate interest is to provide the website, with the legal basis for data processing being Article 6(1) sentence 1(f) GDPR.
Data transfers to countries outside the EEA are secured by Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR, ensuring data security in compliance with GDPR.

3.3. Contact Form

When users contact us via the contact form on our website, we store the submitted data and message content.
The legal basis for this data processing is our legitimate interest in responding to inquiries (Article 6(1) sentence 1(f) GDPR).
This data is deleted once it is no longer necessary, or processing is restricted if legal retention obligations apply.

3.4. Job Listings

We publish job openings on our website, affiliated pages, or third-party platforms.
Data provided as part of the application process is processed to conduct recruitment. If this data is necessary for the decision to establish an employment relationship, the legal basis is Article 88(1) GDPR in conjunction with Section 26(1) BDSG. Required fields are marked accordingly. Applications without this data cannot be processed.
Additional voluntary data provided by applicants is processed based on consent (Article 6(1) sentence 1(a) GDPR). Applicants are advised to avoid including sensitive data (e.g., political opinions or religious beliefs) in their resumes or cover letters, as such data is unnecessary. If included, processing is based on the applicant's consent (Article 9(2)(a) GDPR).
Applicant data may also be processed for future recruitment if explicit consent is provided (Article 6(1) sentence 1(a) GDPR).
Applicant data is shared with HR personnel, recruiters, and other relevant staff.

  • If employment results from the application, data is retained until the end of the employment relationship.
  • If rejected, data is deleted six months after the decision, unless consent for future use is granted (then retained for one year).

3.5. Payment Service Providers

For payment processing, we use payment processors who act as independent data controllers per Article 4(7) GDPR. By providing order and payment data to these processors, we fulfill the contract with our customers (Article 6(1) sentence 1(b) GDPR).
Payment processors include:

  • Apple Inc., USA (Apple Pay)
  • Google Ireland Limited, Ireland (Google Pay)
  • PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg
  • Stripe Payments Europe, Ltd., Ireland

3.6. Third-Party Tools

3.6.1. YouTube Video

We embed YouTube videos provided by Google Ireland Limited, Dublin, Ireland. Data processed includes metadata, communication data (e.g., device information, IP addresses), and usage data (e.g., pages visited, content interest, access times) in the USA.
The legal basis is Article 6(1) sentence 1(a) GDPR (consent). Consent can be withdrawn at any time. Data transfers outside the EEA are secured by consent. Further information is available in YouTube's Privacy Policy.

3.6.2. Facebook Custom Audiences
We use Facebook Custom Audiences for advertising. Data processed includes usage data and metadata in the USA.
The legal basis is Article 6(1) sentence 1(a) GDPR (consent). Data transfers are secured by SCCs. Further details are in Facebook's Privacy Policy.

3.6.3. Google Analytics
We use Google Analytics by Google Ireland Limited to analyze website usage. Data processed includes usage and metadata in the USA.
The legal basis is Article 6(1) sentence 1(a) GDPR (consent). Data transfers are secured by SCCs. Further information is available in Google's Privacy Policy.

3.6.4. HubSpot
We use HubSpot for customer relationship management. Data processed includes usage and metadata in the USA.
The legal basis is Article 6(1) sentence 1(a) GDPR (consent). Data transfers are secured by SCCs. Further information is available in HubSpot's Privacy Policy.

3.6.5. Google Maps
We use Google Maps for embedded maps. Data processed includes usage and metadata in the USA.
The legal basis is Article 6(1) sentence 1(a) GDPR (consent). Further information is available in Google's Privacy Policy.

3.6.6. Google Tag Manager
We use Google Tag Manager for analytics and advertising. Data processed includes usage data in the USA.
The legal basis is Article 6(1) sentence 1(a) GDPR (consent). Data transfers are secured by SCCs. Further information is available in Google's Privacy Policy.

3.6.7. Facebook Pixel
We use Facebook Pixel for analytics. Data processed includes usage data in the USA.
The legal basis is Article 6(1) sentence 1(a) GDPR (consent). Data transfers are secured by SCCs. Further details are in Facebook's Privacy Policy.

4. Data Processing on Social Media Platforms

We maintain profiles on social media networks to present our company and services. Social media operators often process user data for advertising and profiling purposes. Information may also be stored in cookies or combined with other data.
Users can object to this data processing via the privacy policies of these platforms, which may involve data processing outside the EU.

4.1. Facebook

4.2. Instagram

4.3. YouTube

  • Profile hosted by Google Ireland Limited.
  • Privacy Policy.

4.4. Twitter

4.5. LinkedIn

5. Changes to This Privacy Policy

We reserve the right to amend this privacy policy with future effect. The latest version is always available here.

6. Questions and Comments

For questions or comments about this privacy policy, please contact us using the details provided above.