Privacy Policy

to the MASTHAVE® Website

as of 21 June 2024, last updated on 07 August 2024

The following Privacy Policy is divided into

1. general information,

2. data collecting/purpose of processing/legal basis/duration of storage

3. disclosure to third parties

4. Google Analytics,

5. Google Adwords

6. deletion of data

7. rights regarding the processing of personal data

8. right to object

9. changes to this privacy policy/responsible party

1. General information

GA²LEN e.V., c/o DGAKI, Robert-Koch-Platz 7, 10115 Berlin (hereinafter referred to as "GA²LEN e.V.") is pleased that you have visited our website www.masthave-app.com (hereinafter referred to as the "Website") and that you are interested in the MASTHAVE® self-assessment app (hereinafter referred to as the "MASTHAVE app"). We protect your privacy and personal information to the best of our ability.

The purpose of this website is to provide information about the MASTHAVE app and to allow interested users and physicians to contact us.

The name and contact details of the data controller are as follows:

GA²LEN e.V

c/o DGAKI

Robert-Koch-Platz 7

10115 Berlin

E-Mail: masthave@ga2len.berlin

The contact details of the Data Protection Officer are as follows:

E-Mail: privacy@ga2len.network

When you visit this website, personal data is transmitted. According to Article 4(1) of the General Data Protection Regulation (EU) 2016/679 (hereinafter "GDPR"), personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

According to Article 4(2) of the GDPR, data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

This Privacy Policy is supplemented by our Terms and Conditions, available at https://masthave-app.com/gtc, and our Cookie Policy, available at https://masthave-app.com/. The Legal Notice is available at https://masthave-app.com/imprint.

2. Data collected / purpose of processing / legal basis / duration of storage

Below you will find information on the categories of data collected, the purpose of the processing, the applicable legal basis and the duration of storage.

Categories of data

Authentication data

= IP address, date and time of the request, time zone difference to Greenwich Mean Time, content of the request (specific page), access status/HTTP status code, amount of data transferred, website from which the request originated, browser, operating system and its interface, language and browser software version.

Purpose of processing

Access to the website.

Ensure use of the product.

To analyse the functionality of the system.

Administrative purposes.

Legal foundation

Performance of a contract, Article 6(1)(b) GDPR.

Interest in error-free operation and functionality of the application in order to prevent misuse and improve the application, Article 6(1)(f) GDPR.

Duration of storage

1 month

Categories of data

Contactform = name, surname, e-mail-adress

Purpose of processing

Access to the product.

Ensure use of the product.

To analyse the functionality of the system.

Administrative purposes.

Legal foundation

Performance of a contract, Article 6(1)(b) GDPR.

Interest in error-free operation and functionality of the application in order to prevent misuse and improve the application, Article 6(1)(f) GDPR.

Duration of storage

1 month.

2.3 Data from children

The website is not intended for use by children under the age of 18.

The collection and/or storage of personal data from children is not intended in the operation of the Website. However, the use of services may occur under certain circumstances. If this is the case, children, i.e. all users under the age of 17, must obtain parental consent before visiting the Website and/or using the contact form. If parents discover that their child has submitted personal information to the contact form without their consent, they must ask us to delete that personal information. To do so, please send an email to masthave@ga2len.network. If the data controller becomes aware that personal data has been collected from a child under the age of 18, the necessary steps will be taken immediately to either obtain parental consent for the processing of the child's personal data or to delete such personal data.

3. Disclosure to third parties

We do not sell your personal information. We also do not share personal information with third parties without your consent, unless such sharing is permitted by law. The personal data you provide will be collected and stored only for internal use by the data controller and for its own purposes. The controller may arrange for the data to be transferred to one or more processors who will also use the personal data exclusively for the controller's internal purposes. Where processing is carried out on behalf of the controller, the controller will only work with processors who offer sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR and the protection of data subjects is guaranteed. The transfer of data to processors takes place on the basis of Art. 28 para. 1 GDPR. The sale of your data to third parties and/or the disclosure of data for marketing purposes is hereby excluded. We are also required by law to provide information to certain authorities upon request. These are law enforcement authorities, authorities that prosecute administrative offences punishable by a fine, and tax authorities. The disclosure of this data is based on our legitimate interest in the prevention of misuse, the prosecution of criminal offences and the establishment, assertion and enforcement of claims, provided that your rights and interests in the protection of your personal data are not overridden, Art. 6 para. 1 lit. f GDPR. The GDPR allows data processing within the EU. Processing outside the EU in a so-called third country is permitted if a comparable level of protection exists in the third country (adequacy decision according to Art. 45, 46, 47 GDPR). The service providers we use are either based in the EU or in a country where the EU has determined that there is an adequate level of data protection.

4. Google Analytics

In order to better tailor this website to the needs of our users, we analyze visits to our website. We use your previously anonymized IP address (and possibly similar numbers that are exchanged between computers during normal Internet use) to analyze data about the websites visited, your browser and your computer, among other things. The stored data is used for statistical purposes only; in particular, the IP address is not linked to a specific person. The data will not be passed on to third parties.

This website uses Google Universal Analytics, a web analytics service provided by Google Inc ("Google"). The legal basis for the processing of personal data by Google Analytics is Art. 6 par. 1 sentence 1 lit. f) GDPR. The operator of the Google Analytics component is

Google Ireland Limited

incorporated and operating under the laws of Ireland

(Registration number: 368047 / VAT number: IE6388047V)

Gordon House, Barrow Street

Dublin 4

Dublin, Ireland

Google Universal Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website (including your IP address) is usually transmitted to a Google server and stored there. IP anonymisation has been activated on this website so that the IP address of Google users within member states of the European Union or in other contracting states of the Agreement on the European Economic Area is shortened beforehand. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Universal Analytics will not be merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link http://tools.google.com/dlpage/gaoptout?hl=de. You can find more information on terms of use and data protection at

http://www.google.com/analytics/terms/de.html or at http://www.google.de/privacy.html.

We would like to point out that this website uses Google Universal Analytics with the code extension "anonymizeIp" to ensure an anonymous collection of IP addresses (so-called IP masking) and to exclude a direct personal reference.

5. Google Ads

This website uses Google Ads, a program of Google Inc ("Google"). The legal basis for the processing of personal data using Google Ads is Art. 6 para. 1 sentence 1 lit. f) GDPR. The operator of the Google Ads component is

Google Ireland Limited

incorporated and operating under the laws of Ireland

(Registration number: 368047 / VAT number: IE6388047V)

Gordon House, Barrow Street

Dublin 4

Dublin, Ireland

Google Adwords is an online advertising program that uses conversion tracking. When you visit our website through a Google ad, Google Adwords places a cookie on your computer. Each Google Adwords customer receives a different cookie. The legal basis for the processing of personal data using Google Adwords is Art. 6 par. 1 sentence 1 lit. f) GDPR.

Our company only receives information about the total number of users who responded to the ad. No information is shared that could be used to identify you personally. The information is not used for tracking purposes.

6. Deletion of data

The following provisions apply in addition to the information provided in Section 2 of this Privacy Policy. The legislator has imposed various retention periods and obligations. At the end of these periods, the relevant data is routinely deleted. If data is not affected by this, it will be deleted or made anonymous when the purposes stated in this Privacy Policy no longer apply. Except as otherwise provided in this Privacy Policy, we will store personal information collected by us for as long as necessary to fulfill the purposes for which it was collected. Further processing or use of your personal data will only take place if permitted by law or if you have consented to such processing or use. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with any other relevant information. We store information for the purpose of detecting and tracking misuse, in particular your IP address, for a maximum of one month. The legal basis for this is Art. 6 para. 1 lit. f GDPR, the text of Art. 6 GDPR can be found here:

http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1474615617790

Our legitimate interest in retaining data for one month is to ensure the proper functioning of the app and the transactions processed through it, and to be able to defend against cyber attacks and the like. We may use anonymous usage information to customise the design of the App.

7. Rights relating to the processing of personal data

Right of access

You have the right to request information from us at any time regarding the personal data concerning you that we process, in accordance with Art. 15 GDPR. You can send a request by post or e-mail to the addresses above. The text of Art. 15 GDPR at the following link

http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1474615617790

Right to rectify inaccurate data

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you, Art. 16 GDPR. For this purpose, please use the contact addresses mentioned above. The text of Art. 16 GDPR is available here:

http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1474615617790

Right to erasure

You have the right to the immediate erasure ("right to be forgotten") of personal data concerning you, if the legal grounds under Art. 17 GDPR apply. The text of Art. 17 GDPR here:

http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1474615617790

Legal grounds exist, for example, if the personal data are no longer necessary for the purposes for which they were originally processed, or if you have withdrawn your consent and there is no other legal basis for the processing; the data subject objects to the processing. If you wish to exercise the above-mentioned right, please contact us at the above-mentioned address.

Right to restrict processing

You have the right to restrict processing if the conditions are met and in accordance with Art. 18 GDPR. You can find the text of Art. 18 GDPR here:

http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1474615617790

According to it, the restriction of processing may be necessary, in particular, if the processing is unlawful and the data subject refuses the erasure of the personal data and instead requests the restriction of the use of the personal data, or the data subject has objected to the processing pursuant to Art. 21 (1) GDPR, pending verification of whether our legitimate grounds override yours. If you wish to exercise the above rights, please contact us at the above address.

Right to data portability

You have the right to data portability pursuant to Art. 20 GDPR. You can find the text of Art. 20 GDPR here:

http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1474615617790

You have the right to receive the data concerning you that you have provided to us in a commonly used, structured and machine-readable format and to have that data transferred to another controller, such as another service provider. This is on condition that the processing is based on consent or contract and is carried out using automated procedures. If you wish to exercise any of the above rights, please contact us at the above address.

8. Right to object

Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, based, inter alia, on Art. 6 para. 1 lit. f) GDPR, in accordance with Art. 21 GDPR. We will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. If you wish to exercise any of the above rights, please contact us at the above address.

The text of Art. 21 GDPR here:

http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1474615617790

Right to complain to a supervisory authority

If you are of the opinion that the processing of your personal data by us is unauthorised, you have the right to lodge a complaint with the competent national data protection authority. You can find the contact details of your national data protection authority at

https://www.datenschutz-wiki.de/Aufsichtsbehörden_und_Landesdatenschutzbeauftragte

If you wish to contact the authority, please contact us first - this will enable us to resolve your concerns quickly and easily.

9. Changes to this privacy policy / person responsible

The current version of this privacy policy is always available at www.masthave-app.com and relates exclusively to the MASTHAVE website. The data protection information is subject to constant adaptation.

You can find the legal notice at www.masthave-app.com.

Controller within the meaning of the GDPR:

GA²LEN e.V

c/o DGAKI

Robert-Koch-Platz 7

10115 Berlin

E-Mail: masthave@ga2len.berlin

Status: June 2024