The contact partner and so-called “controller” for the processing of your personal data in the meaning of the EU General Data Protection Regulation (GDPR) when visiting this app is

Lillydoo GmbH

Hanauer Landstraße 147-149

60314 Frankfurt am Main

Telephone: +31 800 2400100

Email: info@lillydoo.com

Kindly contact our Data Protection Officer (DPO) at any time if you have questions about data protection in connection with the use of our website. The DPO can be reached at the postal address above or by email to privacy@lillydoo.com (keyword: "attn. data protection officer"). We expressly point out that if you use this e-mail address, the contents will not be exclusively noted by our data protection officer. If you wish to exchange confidential information, please contact us directly via this e-mail address first.

In order to download and install our app from an app store (e.g. Google Play, Apple AppStore), you must first register a user account with the individual app store provider and must conclude the necessary usage agreement. We do not have any influence over its contents and, in particular, we are not a party to this usage agreement.

When you download and install the app, the necessary information will be transferred to the individual app store provider (e.g. Google, Apple), in particular your user name, email address and the customer number of your account, the time of your download and the individual device code (as well as payment information if in-app purchases apply). We also do not have any influence over this data collection and cannot be held responsible.

We collect data each time our app is used. Your device automatically transmits this data to enable your visit to our app. In particular, this data is the

• your device code, operating system and version;

• general device data, language and location settings, as well as the selected system language;

• IP address of the device, date and time of use;

• app version and any error reports

Data processing is necessary to enable your visit to the app, to detect and rectify any security risks and malfunctions and to guarantee permanent functionality and security of our systems. In addition to the purposes described above, the aforementioned data is also stored for temporary periods in internal log files in order to prepare statistical information about the use of our app and to enhance our app to reflect visitor habits (e.g. if the proportion of mobile devices used to access the app with a particular operating system rises) and to administrate our app in general.

In addition, the app sends us error reports in the event that it crashes (i.e. if the app ends unexpectedly due to a programming error or it no longer responds to your input) for the purposes of improving the app. The error reports only contain the aforementioned device information, as well as information on which point of the app’s software code caused the error.

The information stored in the log files does not permit us to make any direct deductions as to identifiable persons.

The legal grounds for this data processing are set out in Art. 6 paragraph 1 points b) and f) GDPR based on the use of our app and our aforementioned legitimate interest.

Some of the app functions require access to certain services and data on your device. In this case, you must explicitly allow this access, for instance if you wish to receive push notifications from us when you are not currently using the app. The legal grounds for this data processing are set out in Art. 6 paragraph 1 point b) GDPR based on the use of our app. You can adjust the app settings or the settings on your device at any time to change or reset any permissions.

You have the option to register on our app in order to use the full functionality of our app (for instance to like or dislike certain baby names in a gamification element or to connect two app accounts). A Lillydoo account will be created automatically for you when you register on our app. This enables you to purchase our Lillydoo products at any time (kindly take note that in this case our Terms and Conditions and our Privacy Statement will apply separately). You can recognise in the individual input fields which data you are required to provide or may provide voluntarily (e.g. first name and surname, gender, email address, password). Registration is not possible without the compulsory information. The legal grounds for this data processing are set out in Art. 6 paragraph 1 point b) GDPR based on your registration and your use of the app functions.

For orders in our online shop, we offer you the common online payment methods credit card, PayPal, SEPA direct debit or invoice. Depending on the selected payment method in the order process, we will pass on your specified data (e.g. bank details or credit card data) to the bank/credit institution commissioned with the payment or to the commissioned payment service provider for payment processing. Without this transmission of the payment data to the payment service provider or the bank/credit institution, the payment and contract processing is not possible. The legal basis for this data processing is Art. 6 Para. 1 S. 1 lit. b GDPR. In this course, we work together with the following payment service providers:
- Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg. You can find more information about Un-zer in Unzer's privacy policy: https://www.unzer.com/de/datenschutz/
- PayOne GmbH, Loyner Straße 9, 60528 Frankfurt a.M. For further information on PayOne, please see PayOne's privacy policy: https://www.payone.com/DE-en/data-protection-regulations
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. You can find more information about PayPal in PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de
If you choose the payment option purchase on account or SEPA, our payment service providers will use Unzer (Unzer GmbH, Avangerowstraße 18, 69115 Heidelberg) to check your creditworthiness. You can find more information about Unzer in the Unzer privacy policy.

With the personalizable feed on the homescreen of our app, we offer you various content on the topic of pregnancy and everyday life with baby and toddler. In order to personalize the content, i.e., to display only the content that is currently relevant to you, you can voluntarily provide additional information, such as the status of your pregnancy/the pregnancy of your partner or about your family. This data will be stored securely with us. The legal basis for the data processing is your explicit consent according to Art. 6 para. 1 lit. a GDPR.

With our Phot Steps feature, we offer you the opportunity to photographically record your own pregnancy progress and/or the development of your baby and share it with your loved ones. To do this, you can create various photo albums on different topics and share them individually with people you have selected via a link or QR code. Unless you grant third parties access to your albums by one of the aforementioned methods, only you can view your albums and pictures.

For the use of this function, we record the photos uploaded by you. In the event that there are other persons on the photos in addition to yourself, you are responsible for ensuring that you have the necessary consent from all persons with parental authority and/or all other persons depicted for publication.

Please also note our terms of use. Alternatively, you can also use emojis to cover people up or make them unrecognisable. You have the option of editing the images you upload, downloading them to your smartphone and publishing them on other social media. Please note that you are responsible for obtaining the express consent of all persons depicted.

The legal basis for data processing is your explicit consent and the implementation of the user agreement according to Art. 6 para. 1 lit. a, b GDPR.

You have various options for contacting us. These include the contact form, the live chat, the registration for events or the callback function. In this context, we process data exclusively for the purpose of communicating with you.
The legal basis is Art. 6 para. 1 lit. b DSGVO, insofar as your information is required to answer your enquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f DSGVO due to our legitimate interest that you can contact us and that we can answer your enquiry. We only make promotional telephone calls if you have given your consent. If you are not an existing customer, we will only send you promotional e-mails on the basis of your consent. In these cases, the legal basis is Art. 6 Para. 1 lit. a DSGVO.
The data we collect when you contact us will be automatically deleted once your request has been fully processed, unless we still need your request to fulfil contractual or legal obligations.

For contact purposes, we also use the Dixa service of the provider Dixa ApS Vimmelskaftet 41A, 1 Sal., 1161 Copenhagen, Denmark (hereinafter "Dixa").

This is a customer relationship management ("CRM") solution that we use to deliver optimized services to current customers, e.g. through live chat and community software, and to optimize sales processes. The shared CRM platform enables us to ensure optimized management of customer relationships and to promote an ideal customer experience.

As a European company, Dixa is subject to the requirements of the GDPR. Dixa provides us with its software for processing our costumer data and only processes it in a technical sense. Only in special cases (e.g. technical support) do we grant Dixa's employees temporary access to costumer data. In addition, we have concluded a Data Processing Agreement with Dixa for commissioned processing in accordance with Art. 28 DSGVO, in which Dixa undertakes to process the data thus received only in accordance with our instructions and to comply with the EU level of data protection.

Various categories of data are processed: Contact data (e.g. name, address, phone number, email), content data (e.g. photographs), the data you enter. We have made sure that user data is secure at Dixa. Communications are encrypted using the HTTPS protocol and SSL certificates and data is stored in Europe.

Kindly refer to the Dixa Privacy Policy for more information about data processing by Dixa.

You have the option of subscribing to our newsletter, in which we will regularly inform you about innovations to our products and promotions.

To order our newsletter, we use the so-called double opt-in procedure, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you are the owner of the specified e-mail address. If you confirm your e-mail address, we will store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The storage is solely for the purpose of sending you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this purpose. The legal basis for the processing is your consent in accordance with Art. 6 Para. 1 lit. a GDPR.

For certain newsletters (e.g. the #momlife newsletter) we store further data from you (e.g. for the #momlife newsletter your calculated date of birth and your week of pregnancy), which are recognisable in the respective input fields of the registration and which we need for sending these newsletters. The legal basis for this data processing is also Art. 6 Para. 1 lit. a GDPR.

In order for us to be able to provide you with our print magazine, the #momlife pregnancy guide, we also need your address in addition to the information from the #momlife newsletter. The legal basis for this data processing is Art. 6 Para. 1 lit. b GDPR.

In addition, we send you promotional mailings in which we ask you for your feedback on your order, for example. If you have requested our print magazine, the #momlife pregnancy guide, we will use your address to send you postal promotional mailings about our products, for example. The legal basis for this data processing is Art. 6 para. 1 lit. f GDPR.
For the dispatch of our newsletters and promotional mailings, we work together with service providers to whom we transmit, among other things, your email address and your newsletter registration in order to be able to send you the newsletters and promotional mailings. The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. b, f GDPR.

We use standard market technologies in our newsletters to measure interactions with the newsletters (e.g. opening of the email, links clicked). We use this data in pseudonymous form for general statistical evaluations and to optimise and further develop our content and customer communication. On the one hand, this is done with the help of small graphics that are embedded in the newsletters (so-called pixels) and establish a connection to the server of the images when the email is opened. On the other hand, we use links which, when clicked, first register this and then forward to the desired target page. In addition, we measure whether our newsletter could be delivered at all.

The legal basis for this is your consent according to Art. 6 para. 1 lit. a GDPR. Access to the information in the end device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. We want to share content that is as relevant as possible for our customers via our newsletter and better understand what you are actually interested in. If you do not wish to have your usage behaviour analysed, you can unsubscribe from the newsletter. You can prevent the measurement of the opening of an email by deactivating graphics or the output of HTML content in your email program by default.

For marketing purposes (e.g. for sending our newsletters and information emails) and for analysis purposes when you visit our website, we use the customer relationship management module "Salesforce Marketing Cloud" by Salesforce.com Inc., The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105, USA ("Salesforce"). Salesforce is used to tailor our offerings and services to your interests and to improve our advertising and communications to you. Salesforce uses cookies or other unique identifiers (e.g. cookie IDs) to learn more about your usage patterns on our websites. However, you can deactivate this at any time in the cookie settings. Your contact details (e.g. name, address, email address, IP address) are transferred to the Salesforce Marketing Cloud for the purposes mentioned above. The Salesforce Marketing Cloud data is stored and processed on Salesforce servers in the USA. Salesforce undertakes with binding internal data protection rules in accordance with Art. 46 (2) b) and Art. 47 GDPR (so-called Binding Corporate Rules) to maintain an appropriate level of data protection even when processing data outside the European Union. Salesforce has also implemented standard contractual clauses (SCCs) in an order processing agreement.

For more information about the Salesforce Marketing Cloud and Service and the data processed, please visit
https://www.salesforce.com/nl/company/privacy/.

We use the services of Typeform S.L., Carrer Bac de Roda, 163, 08018 Barcelona ("Typeform") to create user surveys, in particular as part of our Diaper Innovation Programme. Typeform is a tool for creating and conducting user surveys that helps us improve our offering and service based on your feedback.
With the help of Typeform, we integrate user surveys (e.g. satisfaction surveys, surveys within the framework of the Diaper Innovation Programme) into our app, the implementation of which is voluntary. When conducting surveys, Typeform processes and stores personal data (e.g. customer number) and survey results. We have concluded a so-called "Data Processing Agreement" with Typeform, in which we oblige Typeform to protect the data of our customers, not to pass them on to third parties and, in the event of a transfer of personal data via sub-processors or affiliated companies to the USA, to comply with the regulations of the standard contractual clauses pursuant to Art. 46 GDPR.
The legal basis for data processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in the technically error-free and optimised provision of our services as well as the customers' consent according to Art. 6 para. 1 lit. a GDPR, insofar as you decide to voluntarily participate in the Diaper Innovation Programme. You can find more information on data processing by Typeform in Typeform's privacy policy.

For some of the functions of our app, it is necessary that we use so-called cookies, tokens, configuration files or comparable technologies. These are small text files or data packets that are stored on your end device. They make your use of the app more convenient and enable you, for example, to access the app in a more user-friendly way or save whether you want to receive notifications. However, they do not execute programmes or load viruses. We want to enable you to use our app more conveniently and individually. The legal basis for this data processing is Art. 6 para. 1 lit. b) and f) GDPR based on your use of the app and our aforementioned legitimate interest. You can manage the use of cookies, tokens or configuration files yourself at any time via your device settings. However, it may be that your comfort in using our app is limited if you reject cookies, tokens or configuration files.

We use the Google Firebase web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") for the Apps. Google Firebase allows us to statistically analyse our App based on your general user behaviour and to feed information or notifications into our App in real time. This service is an integral part of our app in order to continuously improve our app and to be able to design it according to your needs. The legal basis for this data processing is Art. 6 para. 1 lit. b) and f) GDPR based on your use of the app and our aforementioned legitimate interest.

For this purpose, Google Firebase stores, among other things, the number and duration of sessions, operating systems, device models, region and a number of other data in anonymised form. A detailed overview of the data collected by Google Firebase can be found at https://support.google.com/firebase/answer/6318039.
Subcontractors that Google may use can be found at https://firebase.google.com/terms/subprocessors.

Some of the data may also be processed on servers in the USA. In the event that personal data is transferred to the USA or other third countries, this is done on the basis of Art. 49 Para. 1 lit. b GDPR in order to enable the fulfilment of a contract with you or the implementation of pre-contractual measures.
More information on this can be found at:
- in the terms of use of Google Firebase: https://firebase.google.com/terms/crashlytics
- in the data protection information of Google Firebase: https://firebase.google.com/support/privacy/

In order to optimise our marketing activities, we use the service provider Adjust (adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin). The data collected via Adjust informs us, for example, about the download of the LILLYDOO app, the online advertising channel through which the download was generated, the time the app was opened, the duration of app use and about app functions used.

Adjust uses IP and Mac addresses of the users for the analysis, which are, however, hashed after collection and are used by Adjust exclusively in pseudonymised form. The data is stored on the servers of adjust GmbH in Germany. We have concluded an order processing agreement with adjust GmbH. The processing of your personal data collected when using Adjust is carried out on the legal basis pursuant to Art. 6 (1) lit. b and f) GDPR based on your use of the app and our legitimate interest.

Further information can be found in the privacy policy of Adjust: https://www.adjust.com/terms/privacy-policy/.

The data we collect will only be passed on if
- you have given your express consent in accordance with Art. 6 Para. 1 Sentence 1 lit. a GDPR,
- the disclosure is necessary for the assertion, exercise or defence of legal claims in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not having your data disclosed,
- we are legally obliged to disclose your data according to Art. 6 para. 1 p. 1 lit. c GDPR or
- this is legally permissible and necessary according to Art. 6 para. 1 p. 1 lit. b GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request.
Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include in particular data centres that store our app and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting companies. If we pass on data to our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.
In addition, disclosure may take place in connection with official enquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement.

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.
If a transfer to a third country is provided for and there is no adequacy decision or suitable guarantees, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the consent banner, you will also be informed of this.

In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. After that, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations.

For evidence purposes, we must retain contractual data for three years from the end of the year in which the business relationship with you ends. Any claims become statute-barred at this point at the earliest according to the statutory limitation period.

Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so because of legal documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents are two to ten years.

Your rights, in particular revocation and objection
You are entitled to the data subject rights formulated in Art. 15 - 21, Art. 77 GDPR at any time:
- Right to withdraw your consent;
- Right to object to the processing of your personal data (Art. 21 GDPR);
- Right to information about your personal data processed by us (Art. 15 GDPR);
- Right to rectification of your personal data stored by us which is incorrect (Art. 16 GDPR);
- Right to have your personal data deleted (Art. 17 GDPR);
- Right to restrict the processing of your personal data (Art. 18 GDPR);
- Right to data portability of your personal data (Art. 20 GDPR);
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

To exercise your rights described here, you can contact us at any time using the contact details above. This also applies if you would like to receive copies of guarantees to prove an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request.
Your enquiries regarding the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for a longer period if there are grounds for asserting, exercising or defending legal claims. The legal basis is Art. 6 (1) sentence 1 lit. f GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5 (2) GDPR.

You have the right to revoke your consent at any time. This means that we will no longer process the data based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If you object to the processing of your data for direct marketing purposes, you have a general right of objection, which we will also implement without giving reasons.
If you wish to exercise your right of revocation or objection, it is sufficient to send an informal message to the contact details above.

Finally, you have the right to complain to a data protection supervisory authority. For example, you can exercise this right at a supervisory authority in the member state of your place of residence, your place of work or the place of the alleged infringement. In Frankfurt am Main, where we are based, the competent supervisory authority is the Hessian Commissioner for Data Protection and Freedom of Information, Gustav-Stresemann-Ring 1, 65189 Wiesbaden.

We maintain state-of-the-art technical measures to guarantee data security, in particular the protection of your personal data against risks associated with data transfer or unauthorised access by third parties. These technical measures are adapted to remain state-of-the-art. For the protection of the personal data input by you on the app we use the Secure Sockets Layer (SSL) standard, which encrypts the information you enter.

We amend this Privacy Policy from time to time, for instance if we revise our app or if the statutory requirements change. Where we make changes or introduce updates, we will inform you (if technically possible) the next time that you open the app. Kindly read the Privacy Policy from time to time if you use our app; data processing takes place according to the latest version of the Privacy Policy published in the app (kindly take note that our Terms and Conditions and our Privacy Statement apply separately to our website and the use of our online shop).

19.1.. ANDROID (GOOGLE) OPERATING SYSTEM:

• Settings – Google – Ads and then ‘Reset Advertising ID’ and/or ‘Disable Personalised Ads’

• Information about location settings

• Information about location settings: https://support.google.com/nexus/answer/6179507?hl=en and https://support.google.com/pixelphone/answer/3467281 and general information https://support.google.com/accounts/answer/3118621?hl=en

19.2. IOS (APPLE) OPERATING SYSTEM:

• Settings – Privacy – Ads and then ‘Reset Advertising Identifier’ and/or ‘Limit Ad Tracking’

• Information about data protection and location data is also available at: https://support.apple.com/en-gb/HT203033