Privacy Policy for Ownamic

1. Introduction

Ownamic UG (limited liability) (hereinafter also referred to as "Ownamic," "we," "us," or "our") operates the OWNAMIC application in the form of a mobile app and, where applicable, supplementary web services (hereinafter collectively referred to as the "Services"). The application allows private individuals to digitally inventory, photograph, organize, and analyze tangible assets using AI-powered features.

This Privacy Policy describes how we process personal data in connection with your use of our Services. This Privacy Policy specifically takes into account the requirements of the General Data Protection Regulation (GDPR) as well as other applicable data protection laws in the countries where our Services are offered or used, including certain data protection laws in the United States.

This Privacy Policy applies to all persons using our Services worldwide. In particular, it explains:

• what personal data we process,
• for what purposes we process it,
• on what basis the processing takes place,
• which third parties are involved,
• how long data is stored,
• whether data is transferred to third countries, and
• what rights you have.

To the extent that our Services contain links to third-party websites or applications, only the privacy notices of those third parties shall apply to them. We have no control over the data processing carried out by such third parties.

2. Controller

The controller within the meaning of Art. 4 No. 7 GDPR is:

Ownamic UG (haftungsbeschränkt)
c/o POSTFLEX PFX-610-965
Emsdettener Straße 10
48268 Greven
Germany
E-Mail: info@ownamic.com
Website: www.ownamic.com

Commercial Register: [Placeholder] | Represented by: [Placeholder – managing director]

A data protection officer has not currently been appointed. Data protection inquiries may be sent to the email address stated above.

3. Processing Activities

Below, we provide information on the individual processing activities, grouped according to their respective purposes. Within each processing activity, we identify the categories of data processed, the relevant basis for the processing, any recipients or involved third parties, and the storage period.

3.1 Technical Operation and Provision of the Services

We process personal data in order to ensure the technical provision of the Services, the stability and security of the system, and the use of the application.

Categories of data processed

• IP address
• date and time of access
• accessed content and URLs
• HTTP status codes
• amount of data transferred
• device and system information, e.g. operating system, app version, device type

Basis of processing

The processing is carried out to ensure the secure, functional, and stable operation of the Services. Where the GDPR applies, the processing is based on Art. 6(1)(f) GDPR.

Recipients / integrated third parties

• Hostinger International Ltd. as provider of VPS hosting, server location: Frankfurt am Main, Germany
• Microsoft Ireland Operations Ltd. / Azure Storage for encrypted storage of files and content, storage location: Frankfurt am Main, Germany

Storage period

Server log data is generally deleted no later than 30 days after collection, unless longer retention is required in individual cases for technical reasons.

3.2 Registration and User Account

We process personal data in order to create a user account, enable login, and manage the account.

Categories of data processed

• email address
• password (stored exclusively as a hash value)
• registration timestamp
• login and account status data
• optional display name / username

Basis of processing

The processing is carried out to perform the user relationship and to provide functions requiring registration. Where the GDPR applies, the processing is based on Art. 6(1)(b) GDPR.

Recipients / integrated third parties

• Hostinger International Ltd. (application hosting)
• Microsoft Azure Storage (encrypted data storage in Frankfurt)

Storage period

The data is stored for the duration of the user account. After deletion of the account, the data is generally deleted within 30 days, unless statutory retention obligations prevent deletion.

3.3 Sign-in via Google (Google Login)

We optionally offer you the possibility to sign in or register using your Google account.

Categories of data processed

• Google account ID
• email address
• where applicable, display name
• where applicable, profile picture as provided by Google

Basis of processing

The processing is carried out to provide the login function requested by you. Where the GDPR applies, the processing is based on Art. 6(1)(b) GDPR.

Recipients / integrated third parties

• Google LLC / Google Identity Services

Google processes the data generated in connection with the authentication process under its own data protection responsibility. Google's privacy policy also applies: https://policies.google.com/privacy

Storage period

The basic data transmitted by Google is stored for the duration of account use and is generally deleted within 30 days after account deletion, unless statutory obligations prevent deletion.

3.4 AI-Supported Image Analysis and Asset Identification

The application allows the analysis of uploaded images in order to automatically recognize, categorize, describe, and support value-related assessments of items.

Categories of data processed

• uploaded images
• metadata contained in images, where applicable
• analysis results derived from the images
• additional user input relating to the respective item

Basis of processing

The processing is carried out to provide the contractually owed core functionality. Where the GDPR applies, the processing is based on Art. 6(1)(b) GDPR. If, in exceptional cases, special categories of personal data are visible in images and their processing becomes relevant, consent may additionally be required.

Recipients / integrated third parties

• Google LLC – Gemini Developer API (Paid Service) to perform the AI-supported analysis
• Microsoft Azure Storage for encrypted storage of image files and analysis results in Frankfurt

Note regarding the AI provider

According to the information available, inputs, files, and responses processed under the paid Gemini service are not used to train Google's models. However, Google may temporarily log inputs and outputs for security and abuse prevention purposes.

Storage period

Images and analysis results are generally stored for the duration of account use and deleted within 30 days after account deletion, unless statutory retention obligations prevent deletion.

3.5 AI-Supported Assistant

The app provides an AI-powered assistant that allows users to ask questions in natural language about the items in their inventory and retrieve information.

Categories of data processed

• user text inputs
• conversation content
• contextual data from the user account, insofar as required to process the request
• generated responses

Basis of processing

The processing is carried out to provide the requested function. Where the GDPR applies, the processing is based on Art. 6(1)(b) GDPR.

Recipients / integrated third parties

• Google LLC – Gemini Developer API (Paid Service)
• Microsoft Azure Storage for storing relevant content in Frankfurt

Note

Please do not enter sensitive personal data into the AI assistant unless this is necessary for the use of the application.

Storage period

Conversation data is generally stored for the duration of use, but for no longer than 12 months, unless earlier deletion takes place or statutory obligations prevent deletion.

3.6 Payment Processing

We process data for the purpose of handling paid services and subscriptions.

Categories of data processed

• billing data
• transaction data
• payment status
• where applicable, partial information regarding the payment method used

Basis of processing

The processing is carried out to perform the contractual relationship and to comply with statutory retention obligations. Where the GDPR applies, the processing is based on Art. 6(1)(b) and (c) GDPR.

Recipients / integrated third parties

• Stripe Payments Europe, Ltd. as payment service provider

We do not store complete credit card data on our own servers. Payment processing is carried out by Stripe in accordance with its own privacy policy: https://stripe.com/privacy

Storage period

Billing and transaction data is retained for 10 years in accordance with statutory retention obligations.

3.7 Handling Support Requests

We process personal data in order to handle user inquiries, provide technical support, and clarify issues relating to our Services.

Categories of data processed

• email address
• name or user identifier, where provided
• content of the request
• communication and case-related data
• where applicable, technical information you provide to us for error analysis

Basis of processing

The processing is carried out to handle your request and provide support services. Where the GDPR applies, the processing is based on Art. 6(1)(b) GDPR and, where necessary, on Art. 6(1)(f) GDPR.

Recipients / integrated third parties

Where an external email or support service provider is used, such provider will act as a processor.

Storage period

Support requests and related communication data are generally stored for up to 3 years after completion of the matter, unless longer retention is required for legal defense purposes or due to statutory obligations.

3.8 Transactional Communication

We process personal data in order to send you transactional communications relating to your account and your use of the Services, in particular registration confirmations and password reset emails.

Categories of data processed

• email address
• sending and delivery information
• time and content of the message

Basis of processing

The processing is carried out to perform the user relationship and provide essential communication functions. Where the GDPR applies, the processing is based on Art. 6(1)(b) GDPR.

Recipients / integrated third parties

Where an external email service provider is used, such provider will act as a processor.

Storage period

Data relating to data transmission and logs is generally deleted after 6 months, unless a longer retention period is required.

3.9 Surveys

Where we conduct surveys to improve our Services, we process personal data for the purpose of conducting, evaluating, and following up on such surveys.

Categories of data processed

• contact data, insofar as used for the survey invitation
• survey content and responses
• voluntarily provided additional information

Basis of processing

Participation in surveys is generally voluntary. Where the GDPR applies, the processing is regularly based on Art. 6(1)(a) GDPR or, where user surveys are conducted to further develop our Services, on Art. 6(1)(f) GDPR.

Recipients / integrated third parties

Where we use external tools or service providers for surveys, they will be engaged as processors.

Storage period

Personal survey data is stored only for as long as necessary for carrying out and evaluating the survey. It is then deleted or anonymized.

3.10 Analytics and Evaluation of User Behavior

We process usage data in order to analyze and further develop the functionality, usability, and performance of our Services.

Categories of data processed

• usage and interaction data
• information on functions accessed
• session and event data
• technical device and connection data
• aggregated or anonymized evaluation data

Basis of processing

Where the evaluation is based exclusively on anonymized data, no personal data is processed. To the extent that personal or pseudonymized usage data is processed in individual cases, such processing is carried out depending on the specific setup for the optimization of our Services. Where the GDPR applies, such processing is then based on Art. 6(1)(f) GDPR or, where legally required, on consent pursuant to Art. 6(1)(a) GDPR.

Recipients / integrated third parties

At present, the evaluation is carried out via an internal analytics dashboard. No third-party analytics tools are currently used.

Storage period

Personal or pseudonymized usage data is stored only for as long as necessary for analytics and optimization purposes. Anonymized evaluations may be stored permanently.

3.11 Marketing, in particular Google Ads Conversion Tracking

We process personal data in order to measure the reach and effectiveness of our marketing activities and to promote our Services in a targeted manner.

Categories of data processed

• usage and event data
• technical device and browser data
• IP address or shortened IP address, where technically applicable
• information on whether users accessed our Services via advertisements or performed specific actions there

Basis of processing

Marketing-related tracking and conversion measurement are carried out only where any legally required consent has been obtained. Where the GDPR applies, the processing is based on Art. 6(1)(a) GDPR and on the applicable provisions protecting terminal equipment, in particular Section 25 TDDDG.

Recipients / integrated third parties

• Google Ireland Limited / Google LLC in connection with Google Ads Conversion Tracking

Storage period

The storage period depends on the specific technical implementation and the settings of the service used. Consent-based marketing data is stored only to the extent necessary and for the respective intended purposes.

3.12 Protection Against Automated Access / CAPTCHA

We use protective mechanisms to safeguard our Services against automated access, misuse, and spam, in particular in connection with registration and login.

Categories of data processed

• IP address
• technical connection data
• interaction data to distinguish human from automated use

Basis of processing

The processing is carried out for the security and integrity of the Services. Where the GDPR applies, the processing is based on Art. 6(1)(f) GDPR.

Recipients / integrated third parties

• PrivateCaptcha (https://privatecaptcha.com) – Intmaker OU, registration code 16430441, registered at Parnu mnt 139b, Tallinn, Harjumaa, Estonia, 11317

Storage period

Processing takes place on a session basis; data is generally stored only for as long as technically necessary.

4. Cookies

Our Services use cookies and similar technologies, in particular for technical provision, security, and where activated for analytics or marketing purposes.

4.1 Technically Necessary Cookies

We use technically necessary cookies and comparable storage technologies in order to:

• manage user logins and sessions,
• provide security functions,
• ensure the stability and integrity of the Services.

Basis of processing

Where the GDPR applies, the subsequent processing of personal data is based on Art. 6(1)(f) GDPR. Where access to information on your terminal device is involved, such access is based on the applicable provisions protecting terminal equipment, in particular Section 25(2) TDDDG.

Storage period

Depending on the function, until the end of the session or for a limited period insofar as technically necessary.

4.2 Your Settings Options

You can manage, restrict, or delete cookies and comparable technologies through your browser or device settings. Please note that this may impair the functionality of the Services.

We currently do not honor general browser Do Not Track (DNT) signals. Where required by applicable law, technical Global Privacy Control (GPC) signals may be taken into account.

4.3 Consent Management / Management of Consent Settings

When we use cookies, analytics tools, or marketing technologies that require consent, we use a consent management process. This allows us to record, store, and keep track of your choices regarding specific categories of technologies. We process this information to document your consent decisions, respect your preferences during subsequent visits or uses, enable only the technologies you have approved, and comply with our legal accountability and documentation obligations.

Categories of data processed

• information on whether and to which categories you have consented or objected
• time of consent or refusal
• technical proof data for documenting the consent decision
• where applicable, pseudonymous identifiers as well as device or browser information
• where applicable, IP address in shortened or technically processed form

Basis of processing

The processing is carried out for the administration and documentation of your consent decisions. Where the GDPR applies, it is based on Art. 6(1)(c) GDPR and, additionally, on Art. 6(1)(f) GDPR. Where access to information on your terminal device is involved, the applicable provisions protecting terminal equipment also apply, in particular Section 25 TDDDG.

Recipients / integrated third parties

The management of consent settings is currently carried out via the technical functionality integrated into our Services. No external consent management service provider is currently used.

Storage period

Consent decisions and related proof data are stored only for as long as necessary to respect your settings and ensure data protection documentation.

5. International Data Transfers

Ownamic generally hosts and stores data in Frankfurt am Main, Germany, in particular via Hostinger VPS and Azure Storage.

However, for certain AI and login functions we use services from Google LLC, where personal data may also be processed outside the EU or EEA, in particular in the United States or other countries with globally distributed server locations.

This applies in particular to:

• Google Gemini Developer API for image analysis and the AI assistant
• Google Identity Services for Google Login
• where applicable, Google Ads Conversion Tracking, insofar as this function is activated

Where personal data is transferred to third countries, we rely on appropriate safeguards, in particular:

• the EU-U.S. Data Privacy Framework, UK-U.S. Data Bridge, Swiss-U.S. Data Privacy Framework where applicable, and
• Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

6. Data Subject Rights

Depending on your place of residence and the applicable data protection law, you may in particular have the following rights:

• access to the personal data we process about you
• rectification of inaccurate or incomplete data
• erasure of your personal data
• restriction of processing
• data portability
• objection to certain data processing activities
• withdrawal of consents with effect for the future
• complaint to a competent supervisory authority

Where the GDPR applies, these rights arise in particular from Art. 15 to 21 GDPR and Art. 77 GDPR.

If you are located in the European Union, you may in particular contact the supervisory authority responsible for Ownamic.

To the extent that rights under the laws of other countries apply to you, in particular under the CCPA/CPRA or comparable U.S. state privacy laws, you may also exercise such rights against us, including rights of access, correction, deletion, and where provided by law, objection to certain data uses.

Ownamic does not sell personal data.

To exercise your rights, simply contact us at: info@ownamic.com

7. Minors

Our Services are not intended for persons under the age of 18. We do not knowingly collect personal data from children under 18. If you believe that a child under 18 has provided us with personal data, please contact us at info@ownamic.com. We will review the matter and, where appropriate, delete the relevant data.

8. Account Deletion

If you wish to request deletion of your user account, you may do so:

• within the application via the account settings, insofar as such functionality is provided, or
• by email to info@ownamic.com

Upon receipt of your request, we will review the request and delete your account and the personal data associated with it, unless statutory retention obligations prevent deletion.

9. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy from time to time, in particular where changes are made to our Services, the technical systems used, the legal framework, or the processing of data.

The current version will be made available in the app and/or on the related online offerings. In the event of material changes, we will inform you separately in accordance with legal requirements.