Regarding the Quitt App

1 Introduction

With "Quitt", we provide you with a mobile app that you can download to your mobile

device via the "Apple App Store" or for Android via the "Google PlayStore". The

following information is intended to provide you as the "data subject" with an

overview of the processing of your personal data by us and your rights under data

protection laws. Your personal data is always processed in accordance with the

General Data Protection Regulation (GDPR) and all applicable country-specific data

protection regulations. We have implemented numerous technical and organisational

measures to ensure the highest possible level of protection when processing your

personal data.

2 Scope of application

This data protection information relates exclusively to our Quitt app.

3 Responsible Person

Controller within the meaning of the GDPR:

Tomorrow GmbH

Neuer Pferdemarkt 23

20359 Hamburg

Germany

E-mail: support@tomorrow.one

Website: www.tomorrow.one

4 Data Protection Officer

If you have any questions or suggestions regarding data protection issues, you can

contact – at any time – our

Data protection team

Tomorrow GmbH

Neuer Pferdemarkt 23

20359 Hamburg

Germany

dataprotection@tomorrow.one

or our data protection officer:

colenio GmbH & Co. KG

Herrn Michael Vogelbacher

Bahnhofstr. 5

53572 Unkel

Telefon: +49 (0)1719760 212

E-Mail: Michael.Vogelbacher@colenio.com

5 Transmission and disclosure of personal data

As part of our activities, we transfer personal data to external parties (e.g. individuals,

companies or legally independent organisational units). Details on this can be found

below in this privacy policy with the respective service providers.

6 Data processing in third countries

We process personal data in third countries. This refers to countries outside the

European Union (EU) and the European Economic Area (EEA). We only process

data in third countries where there is an adequate level of data protection within the

meaning of Art. 44-49 GDPR. You can find details on this in this privacy policy for the

respective third-party providers.

7 Download the Quitt app

You can download our app from the Apple App Store and the Google Playstore. This

involves a data transfer to Google or Apple.

Provider

Apple App Store: Apple Inc, One Apple Park Way, Cupertino, CA 95014, USA

Google Playstore: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4,

Ireland

Purpose Processing

• Provision of our app

• Offering our contractual services

Legal basis

• Contract fulfilment and implementation of pre-contractual measures (Art. 6

para. 1 sentence 1 lit. b GDPR)

• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). The legitimate

interest consists in providing our app and offering our contractual services.

Data protection information from Apple and Google

You can find more information in Apple's privacy policy: Apple privacy policy and

Google privacy policy

8. Registration/creation of a user profile

Provider

Tomorrow GmbH, Neuer Pferdemarkt 23, 20359 Hamburg, Germany

Purpose Processing

Provision of our services

Processed data

• User name

• Password

• Profile photo (optional)

Legal basis

• Contract fulfilment and implementation of pre-contractual measures (Art. 6

para. 1 sentence 1 lit. b. GDPR)

9 Survey Monkey

Provider

SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road,

Dublin, Ireland

Processed data

• Content data (your answers in the survey)

• Meta and communication data (e.g. IP address)

• E-mail address

Legal basis

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Data protection information

Further information on data processing can be found in SurveyMonkey's privacy

policy.

10. Cloud service provider

10.1. General information

We use cloud services that are accessible via the Internet and run on the servers of

the respective providers both for hosting various services and as a backup for your

registration data.

10.2. Amazon Web Services (AWS)

Provider

Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg

Processed data

• All registration data (see 8. Registration/ Creating a user profile/ Inventory

data)

Purpose of the processing

• Storage of a back-up of the registration data to prevent data loss, ensure

availability and recoverability of the data

Legal basis

• Art. 6 para. 1 sentence 1 lit. f. GDPR. The legitimate interests consist in the

availability and recoverability of the data as well as backing up the data to

prevent data loss.

Data protection outside the EU/EEA

When you use our app, personal data is processed on the servers of AWS in

Frankfurt. However, personal data may also be transferred to the parent company of

AWS in the USA. The European Commission has issued an adequacy decision

pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis

of this decision, data transfers to organisations based in the USA that are certified

accordingly are permitted. Amazon is certified under the EU-U.S. Data Privacy

Framework.

Data protection information from Amazon

Further information can be found in Amazon's privacy policy.

Further information on data processing Amazon.

10.3. CDN

General information

Our app uses a CDN. This is a network of high-performance servers that cache

content at various locations around the world. A CDN helps us to provide content in

the shortest possible time and to relieve the web host by distributing the data traffic.

Provider

Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109-5210, USA

Processed data

• Usage data (e.g. websites visited, time of access)

• Meta and communication data (e.g. IP address)

• Content data (e.g. entered text content, photographs, videos)

Purpose of data processing

• Provision of content within the shortest possible time

• Relief of the web host by distributing the data traffic

Legal basis

• Legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR). The legitimate

interest arises from our need for a technically flawless and fast presentation of

our app and the relief of our IT infrastructure.

Data protection outside the EU/EEA

The European Commission has issued an adequacy decision pursuant to Art. 45 (3)

GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data

transfers to organisations based in the USA that are certified accordingly are

permitted. Amazon is certified under the EU-U.S. Data Privacy Framework.

Data protection information from Amazon

You can find more information in Amazon's privacy policy.

Further information on data processing Amazon.

10.4. Snowflake

General information

We use Snowflake as a cloud-based data platform to carry out pseudonymised

descriptive analyses and evaluations at an aggregated level and to merge data

sources. No analyses are carried out at individual customer level.

Provider

Snowflake Computing Netherlands B.V., FOZ Building, Gustav Mahlerlaan 300-314

1082 ME Amsterdam, Netherlands

Processed data

• Pseudonymised registration data (see IX. Registration/ Creating a user profile/

Inventory data)

• Pseudonymised usage data (e.g. app screens visited, time of transactions) −

Meta and communication data (e.g. timing of push notifications)

Purpose of data processing

• Determination of company key figures

• Evaluation of measures and optimisation of business processes

Legal basis

• Legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR). The legitimate

interest arises from our interest in optimising our business processes,

evaluating measures taken and determining key company figures.

Data protection information from Snowflake

Further information can be found in Snowflake's privacy policy.

11. Your rights as a data subject

11.1. Information (Art. 15 GDPR)

You have the right to receive free information from us at any time about the personal

data stored about you and a copy of this data in accordance with the statutory

provisions.

11.2. Rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate personal data concerning

you. You also have the right to request the completion of incomplete personal data,

taking into account the purposes of the processing.

11.3. Erasure (Art. 17 GDPR)

You have the right to demand that we delete personal data concerning you

immediately if one of the reasons provided for by law applies and insofar as the

processing or storage is not necessary.

11.4. Restriction of processing (Art. 18 GDPR)

You have the right to demand that we restrict processing if one of the legal

requirements is met.

11.5. Data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have

provided to us, in a structured, commonly used and machine-readable format. You

also have the right to transmit this data to another controller without hindrance from

us to whom the personal data has been provided, provided that the processing is

based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR

or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and the processing is carried

out by automated means, unless the processing is necessary for the performance of

a task carried out in the public interest or in the exercise of official authority vested in

us. In addition, when exercising your right to data portability pursuant to Art. 20 para.

1 GDPR, you have the right to obtain that the personal data be transferred directly

from one controller to another controller, insofar as this is technically feasible and

provided that this does not adversely affect the rights and freedoms of other persons.

11.6. Objection (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any

time to processing of personal data concerning you which is based on Article 6(1)(e)

(data processing in the public interest) or (f) (data processing on the basis of a

balancing of interests) of the GDPR. This also applies to profiling based on these

provisions within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer

process your personal data unless we can demonstrate compelling legitimate

grounds for the processing which override your interests, rights and freedoms, or the

processing serves the establishment, exercise or defence of legal claims. In

individual cases, we process personal data for direct marketing purposes. You can

object to the processing of your personal data for the purpose of such advertising at

any time. This also applies to profiling insofar as it is associated with such direct

advertising. If you object to the processing for direct marketing purposes, we will no

longer process the personal data for these purposes. You also have the right to

object, on grounds relating to your particular situation, to the processing of personal

data concerning you which is carried out by us for scientific or historical research

purposes or for statistical purposes in accordance with Article 89(1) GDPR, unless

such processing is necessary for the performance of a task carried out in the public

interest. In the context of the use of information society services, and notwithstanding

Directive 2002/58/EC, you are free to exercise your right to object by automated

means using technical specifications.

11.7. Revocation of consent under data protection law

You have the right to withdraw your consent to the processing of personal data at any

time with effect for the future.

11.8. Complaint to a supervisory authority

You have the right to complain to a supervisory authority responsible for data

protection about our processing of personal data.

12. Storage duration of personal data

We process and store your personal data only for as long as required for the purpose

of storage or as stipulated by law. If the storage purpose no longer applies or if a

prescribed storage period expires, the personal data will be routinely blocked or

deleted in accordance with the statutory provisions. The criterion for the duration of

the storage of personal data is the respective statutory retention period. After this

period has expired, the corresponding data is routinely deleted if it is no longer

required for the fulfilment or initiation of a contract.

13. Up-to-dateness and changes to the data

protection notice

We reserve the right to amend or supplement this data protection notice as required.

We will publish the changes here. You should therefore visit this page regularly to

keep yourself informed about the current status of the data protection information.