Privacy Notice

1. Controller and data protection officer

The responsible data controller for the processing of personal data on this website and the functionalities made available through it (hereinafter collectively referred to as the "website"), as well as via our apps, such as www.Cona.app but not exhaustively, (hereinafter collectively referred to as the "apps") is BusinessOS GmbH

2. Processing of personal data

Below you will find an overview of the processing in connection with the use of our website and our apps and the services offered through them. In order to provide and continuously improve our services, we sometimes also use services from third-party providers through which personal data may be processed. We have selected these third-party providers carefully and in accordance with the provisions of the General Data Protection Regulation ("GDPR") in particular. Unless otherwise stated in this privacy notice, only employees of us or the third-party providers who are entrusted with the execution of the corresponding functionality will have access to your personal data. Your personal data will generally be stored for the duration specified by us in regard to the fulfillment of the respective task and in accordance with commercial and tax law requirements and then deleted. Unless otherwise stated in this privacy notice, your personal data will not be transferred to a third country outside the EU/EEA. Any other transfer will only take place if we are legally or officially obliged to do so or if the transfer is necessary in the context of your use of the website, and in line with the applicable statutory requirements. We process personal data of our users only within the framework of the statutory provisions, in particular the GDPR.

2.1 Website visit

When you simply use the website, so if you do not register or otherwise provide data or information to us, we only collect the data that your browser transmits to our server (so-called "server log files"). When you visit our website, we collect the following data, which is technically necessary for us to display the website to you: Our visited website Date and time of the access Amount of data sent in bytes Source/reference from which you reached the website Browser used Operating system used IP address used This processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. b) of the General Data Protection Regulation ("GDPR") on the basis of your use of our website and our interest in improving the stability and functionality of our website in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. We process your data in order to provide you with a functional website, store the data for the duration we have specified for this purpose and then delete your data.

2.2 Using our apps

When you create an account for using our apps, we process your data provided during registration and thereafter for the purpose of managing the relationship with you. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR. We store your data for the duration of the account and for a period of up to three years thereafter, in case as this is necessary in individual cases according to the statutory retention periods. When you log in to or use our apps we process the following data about you: Username Name Email address Password Telephone number (if provided by you) Profile picture (provided by you) Preferred language Usage data Further data that you provide to us voluntarily within the app In addition we collect and process server log file data, which is technically necessary for us to display the app to you: Our visited site Date and time of the access Amount of data sent in bytes Source/reference from which you reached the site Browser used Operating system used IP address used The processing of the above listed data is carried on the basis of Art. 6 para. 1 sentence 1 lit. b) GDPR on the basis of your contractual use of our apps and our interest in improving the stability and functionality of our apps in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. We process your data in order to provide you with functional apps and to enable you to use our app services, store the data for the duration necessary for these purposes and then delete your data.

2.3 Contact us (e.g. by email)

If you contact us by email, we will process your email address. If you also provide us with your name and other personal data, we will also process these. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. b) GDPR. This is because we process your data in order to respond to your request.

2.4 Newsletter

With your consent, you can subscribe to our newsletter, with which we can send you interesting information about our services or products. You can withdraw your consent to receive the newsletter at any time. You can declare your withdrawal by clicking on the link at the end of the newsletter or by sending an email to dpo@getcona.com. To register for our newsletter, we process your name, if you provide it, and your email address. We use the so-called double opt-in procedure: After you have registered, we will send an email to the email address you have provided. In this email, we ask you to confirm that you wish to receive the newsletter. If you confirm your registration for our newsletter, we will save your email address, IP address and the time of registration and confirmation. The purpose of this processing is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data. The legal basis for the processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) and Art. 49 para. Sentence 1 lit. a) GDPR. After successful registration, you will receive a discount code - if offered by us; we process information about the redemption of the discount for verification purposes in accordance with Art. 6 para. 1 sentence 1 lit. b) GDPR. To send you our newsletter, we use the services of external service providers, some of which are located outside the EU, including the service provider Klaviyo, Inc, 125 Summer Street, Floor 6, Boston, MA, 02110, USA . The transfer of data to the USA is based on the Data Privacy Framework, according to which Klaviyo, Inc. is certified and alternatively on the EU standard contractual clauses. Details of the regulations can be found here https://www.dataprivacyframework.gov/s/program-overview and here https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=de.

2.5 Orders and payments

In case we do offer services or goods to be purchased via our apps or services the following applies: If you place orders or make payments, then in addition to the data specified in the server log files and the goods or services ordered, we also process your name, your address, your email address, your telephone number if applicable, the purchase price together with payment details and the time stamp of the purchase. In addition to our employees who are entrusted with the execution of the order, external service providers who are involved in order processing will also have access to your personal data, insofar as this is necessary for the provision of the respective service. If your payment data is collected by us and not directly by the payment service provider, it will be forwarded to the payment service provider that you have selected to process the payment. We pass on the data that you provide to us and that is necessary for execution of the payment. Depending on the payment service provider selected, this may include Name, address, account number, bank code, credit card number if applicable, invoice amount, currency and transaction number, email address, IP address, mobile phone number. You can see which data is transmitted based on the categories requested during the payment process. Data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b) GDPR. The data is transmitted solely for the purpose of processing the payment; the data will be deleted after delivery, unless our service providers are themselves obliged to retain the data for legal reasons. Please inform yourself about the data processing by the selected payment service provider on the corresponding websites of the provider with whom you have concluded your contract. In order to be able to offer you the payment services of the respective payment service providers, we transmit personal data, such as contact data and order data, to the respective payment service provider, which processes your personal data for the purpose of executing the payment transaction. Information on data processing in this respect can be found at the respective payment service provider Stripe: https://stripe.com/de/privacy If, when using the order or payment services, personal data is transferred to locations outside the EU or European Economic Area in countries for which the European Commission has not issued an adequacy decision (https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de), the data transfer is secured by the so-called EU standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to establish an adequate level of security, consent will be obtained from you in advance as part of the consent management system in accordance with Art. 49 para. 1 sentence 1 lit. a) GDPR. You can obtain a copy of the EU standard contractual clauses by contacting us.

3. Integration of third-party providers

We also integrate the following external services to optimize our services and offers:

3.1 Google

Unless otherwise stated in this privacy notice, the operator of all Google services mentioned here is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. If, when using the services, personal data is transferred to locations outside the EU or European Economic Area in countries for which the European Commission has not issued an adequacy decision (https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_de), the data transfer is secured by the so-called EU standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to establish an adequate level of security, consent will be obtained from you in advance as part of the consent management system in accordance with Art. 49 para. 1 sentence 1 lit. a) GDPR. The transfer of data to the USA is also partly based on the Data Privacy Framework, according to which Google is certified. Details of the regulations can be found here https://www.dataprivacyframework.gov/s/program-overview

3.1.1 Google Analytics

The "Google Analytics" service is used on this website. Google Analytics is a web analysis service and enables us to draw conclusions about user behavior on our website by setting cookies and the information thus obtained. The information generated by the cookies is also sent to a Google server in the US and stored there. The following data is collected and processed with the help of Google Analytics: IP address (anonymized) Usage data Click path App updates Browser information Device information JavaScript support Visited pages Referrer URL Downloads Flash version Location information Click Ids Google Client Id Purchase activity Widget interactions Date and time of the visit The legal basis for processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. If you do not want Google Analytics to collect and process the aforementioned data, you can refuse your consent or withdraw it at any time with effect for the future. The personal data is stored for as long as it is required to fulfill the purpose of processing. The data will be deleted as soon as it is no longer required to achieve the purpose. In addition to Google Ireland Limited, the data may be transmitted to the following recipients as part of the processing: • Google LLC. • Alphabet Inc. To read the privacy notice and cookie policy of Google Ireland Limited, please visit https://policies.google.com/privacy?hl=en and https://policies.google.com/technologies/cookies?hl=en. As part of the processing by Google Analytics, data may be transferred to the third countries US, Singapore, Taiwan and Chile.

3.1.2 Google Ads

We use "Google Ads" (formerly Google AdWords) on our website, a service provided by Google Ireland Ltd. Google Ads enables us to draw attention to our attractive offers using advertising on external websites. This enables us to determine how successful individual advertising measures are. These advertising materials are delivered by Google via so-called "ad servers". For this purpose, we use so-called ad server cookies, which can be used to measure certain parameters for measuring success, such as the display of ads or clicks by users. If you access our website via a Google ad, Google Ads will save a cookie on your PC. These cookies usually expire after 30 days. They are not intended to be used to identify you personally. The following information is usually saved as analysis values for this cookie: Unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), opt-out information (marking that the user no longer wishes to be contacted). These cookies enable Google to recognize your web browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer can recognize that the user has clicked on the ad and been redirected to this page. Each Ads customer is assigned a different cookie. Cookies cannot therefore be tracked across Ads customers' websites. We ourselves do not collect and process any personal data in the advertising measures mentioned. We only receive statistical evaluations from Google. Based on these evaluations, we can see which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising material, in particular we cannot identify the users based on this information. Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. To the best of our knowledge, Google receives the information that you have accessed the corresponding part of our website or clicked on an ad from us. If you have a user account with Google and are registered, Google can assign the visit to your user account. Even if you are not registered with Google or have not logged in, there is a possibility that Google will find out and save your IP address. We use Google Ads for marketing and optimization purposes, in particular to display ads that are relevant and interesting to you, to improve campaign performance reports and to achieve a fair calculation of advertising costs. The legal basis is your consent in accordance with Art. 6 para. 1 sentence 1 lit a) GDPR. As part of the processing by Google, data may be transmitted to the third countries USA, Singapore, Taiwan and Chile. You can also prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. You can also prevent cookies from being stored by setting your web browser to block cookies from the domain “www.googleadservices.com” (https://www.google.de/settings/ads). Please note that this setting will be deleted if you delete your cookies. You can also deactivate interest-based ads using the link http://optout.aboutads.info. Please note that this setting will also be deleted if you delete your cookies. You can find further information on data usage by Google, setting and objection options, and data protection on the following Google websites: Privacy policy: https://policies.google.com/privacy?hl=de&gl=de Google website statistics: https://services.google.com/sitestats/de.html

3.1.3 Google Maps

On the website the “Google Maps” service is integrated via API in order to be able to display geographical information. The use of Google Maps enables Google to collect, process and use data about your use of the service. By using Google Maps, information about the use of this website, including your IP address and the (start) address entered as part of the route planner function, can be transmitted to Google in the USA. The map content is transmitted by Google directly to your browser, which then integrates it into the website. Further information about how Google processes your data can be found in the Google privacy policy. The following data is collected and processed using Google Maps: IP address Location information Usage data Date and time of visit URLs

3.1.4 Google Tag Manager

We use Google Tag Manager ("GTM"), a service provided by Google Ireland Ltd. GTM uses tags such as code snippets or pixels on your website using a so-called container, which places a kind of placeholder in the source code and stores the tools to be used, without us having to intervene in the website's source code. Using GTM, tools can be used on your website without having to integrate them into the source code. Instead, you only need to integrate the GTM code, and then you can use GTM as a central location to start or deactivate the desired tools. GTM works on the website by triggering a defined user behavior, which then displays a tag (i.e., a pixel tag, web beacon, or HTML code) for the tool. GTM collects the relevant data for the integrated tool and forwards it to the tool. In this context, not only are the data categories described for the respective tools transmitted to the respective tool providers; Google Ireland Ltd. also receives information about your usage behavior on our website. Since many of the tool providers are located in countries outside the EU, we would like to refer you to the description of the respective tools if you would like information about the transfer mechanisms concluded by us. The essential content of the data protection agreements in this context can be viewed at https://policies.google.com/privacy/frameworks?hl=de. We use the GTM to implement not only statistical tools but also marketing tools. Accordingly, the GTM is a statistical and marketing tool, and the use of the GTM is carried out via the cookie consent tool based on your consent in accordance with Art. 6 (1) (a) GDPR, which you can revoke at any time with future effect by sending an email to dpo@getcona.com. As part of the processing by Google, data may be transferred to the third countries USA, Singapore, Taiwan and Chile.

3.1.5 Whats-App

If you decide to communicate with us via WhatsApp, we will process your personal data, such as your telephone number, your picture, your status information and your name, if you provide it to us. In addition, we process the personal data that you transmit to us via WhatsApp. In this regard, we recommend that you only provide us with the information that is absolutely necessary to answer your request and refrain from providing additional information. Whether you use WhatsApp and contact us in this way is up to you and you can receive the same information by telephone, electronically and/or by post WhatsApp is a telecommunications service of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, and a company of Meta Platforms, Inc. We process your personal data in order to answer your request sent via WhatsApp. The legal basis for this data processing is your use of our WhatsApp channel in accordance with Art. 6 para. 1 sentence 1 lit. b) GDPR. Data processing by WhatsApp is governed by the privacy notice of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, and is available at https://www.whatsapp.com/legal/?lg=de&lc=DE&eea=1#privacy-policy. The employees who manage our WhatsApp channels will have access to your personal data. It cannot be ruled out that WhatsApp employees may also have access to your personal data. Likewise, it cannot be ruled out that your data will be stored on WhatsApp servers in the United States of America. The transfer of data to the USA is based on the EU standard contractual clauses and the Data Privacy Framework, according to which WhatsApp LLC is certified. Details of the regulations can be found here https://www.dataprivacyframework.gov/s/program-overview.

3.1.6 Social Media

We maintain online social media presences to increase our reach. If you click on a link embedded in our websites or apps, you will be redirected to the relevant page: Instagram: https://www.instagram.com , Facebook: https://www.facebook.com. Pinterest: https://www.pinterest.com. TikTok https://www.tiktok.com. LinkedIn: https://www.linkedin.com

4. Cookies

Depending on your browser settings and whether you have given us your consent, cookies may be set when you visit the website in order to extend the functionality of the website and make it more convenient for you to use. Cookies are small text files that are stored on your computer. Cookies are stored and read on the basis of § 25 TDDDG. Most of the cookies we use are deleted from your hard disk at the end of the browser session ("session cookies"). In addition, we use so-called permanent cookies ("persistent cookies"), which remain on your end device in order to recognize you the next time you visit the website. If cookies are set, they collect and process certain user data such as browser and location data as well as IP address values to an individual extent as described above in the server log files. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. If personal data is also processed by individual cookies used by us, the processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR and § 25 TDDDG on the basis of our legitimate interest (in the case of so-called "necessary cookies") or in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR on the basis of your consent for all other cookies (marketing and analytics cookies). An overview of the cookies used and the duration of the respective cookie storage can be found in the cookie settings in our cookie consent tool . Please note that you can also set your browser so that you are informed about the setting of cookies and can decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. Each browser differs in the way it manages cookie settings. Cookie settings are described in the help menu of each browser, which explains how you can change your cookie settings. Please note that if you do not accept cookies, the functionality of our website may be restricted.

5. Cookie Consent Tool

We use a so-called cookie consent tool to obtain consent for cookies and cookie-based applications that require consent. Each cookie must be evaluated individually to a certain extent, as each cookie stores different data. The expiry time of a cookie also varies from a few minutes to a few years. Therefore, please refer directly to the cookie settings in our cookie consent tool, which is displayed at the bottom of the website, for an overview of the cookies used and the duration of the respective cookie storage. So that the cookie consent tool can clearly assign page views to individual users and individually record, log and store the consent settings made by the user for the duration of a session, certain user information, as described in the server log files, is collected by the cookie consent tool when our website is accessed, transmitted to the cookie consent tool server and stored there. The data processing carried out by the cookie consent tool is carried out in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR on the basis of our legitimate interest in a legally compliant, user-specific and user-friendly consent management for cookies and also in a legally compliant design thereof, insofar as Art. 6 para. 1 sentence 1 lit. c) GDPR also applies as the legal basis. We process your data for this purpose for the duration of your session and delete your data afterwards, unless you have given your consent to the setting of cookies; in such a case, we process your data for the duration specified for each cookie.

6. Your rights

You can contact us either in writing or by email at dpo@getcona.com to exercise the following rights: Information about your data in order to check and verify it, in accordance with Art. 15 GDPR; Receiving a copy of your personal data, Art. 15 (3) GDPR; rectification, erasure or restriction of processing, including the right to have incomplete or inaccurate data completed by means of supplementary communication, in accordance with Art. 16, 17 and 18 GDPR Objection to the processing of personal data processed by us on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR, pursuant to Art. 21 GDPR; there is a right to object to the processing if this is done for reasons arising from your particular situation; if the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right of objection without the requirement to specify a particular situation; Receiving the data you have provided in a structured, commonly used and machine-readable format and transmitting this data to another controller, provided that you have given your consent to the processing or the processing is based on a contract; You also have the right to lodge a complaint with a supervisory authority in connection with the processing of your personal data. You can contact the authority responsible for your place of residence or the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin. If you have given your consent to processing, you can revoke this at any time with effect for the future by notifying us, e.g. via dpo@getcona.com. We will store your consent for three years after the end of the year in which you withdraw your consent.

7. Automated decision-making and profiling

With the exception of the services described above, your personal data will not be used for automated decision-making or profiling. Profiling is only carried out with your consent as described above in the context of the individual services.

8. Changes to this privacy notice

We reserve the right to amend this privacy notice in the event of changes to the legal situation or our services or for other reasons. The current version is always available on our website.