PRIVACY POLICY

Our offer is subject to Swiss data protection law in accordance with the Swiss Data Protection Act (DSG) and any applicable foreign data protection law such as, in particular, the European General Data Protection Regulation (GDPR).

The following data protection provisions apply to the online offer at mummy.fitness

mummy.fitness is an internet platform for pregnant women and mothers. The internet platform features fitness programs for safe exercise, a knowledge database, as well as coaching offers.

1. RESPONSIBLE PERSON AND CONTACT

The responsible party in the sense of the DSGVO and other data protection regulations is:

mummy.fitness Schutzengraben 6 4051 Basel Switzerland

For information and suggestions on the subject of data protection, please contact us at (mummy.fitness.mail@gmail.com).

2. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES

2.1 Description and scope of data processing

Each time our website is called up, our system automatically collects data and information from the computer system of the calling computer.

The following data is collected in this process:

Information about the browser type and the version used. The operating system of the user
The user's Internet service provider
The IP address of the user

Date and time of access
Websites from which the user's system accesses our website
Websites that are accessed by the user's system via our website
This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2.2 Legal basis for data processing

Insofar as the DSGVO is applicable, Art. 6 para. 1 lit. f DSGVO (legitimate interest) forms the legal basis for the temporary storage of the data and the log files.

2.3 Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration

of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security (e.g. to detect attempted attacks) of our information technology systems. If a paid registration takes place, the IP address is stored in order to determine the country with the corresponding VAT rate. An evaluation of the data for marketing purposes does not take place in this context.

2.4 Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of storage of data in log files, this is the case after 365 days at the latest.

2.5 Possibility of objection and elimination

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

3. USE OF COOKIES AND PLUGINS

3.1 Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user calls up a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly (so-called technically necessary cookies). Some elements of our website require that the calling browser can be identified even after a page change. We also use cookies on our website that enable an analysis of the user's surfing behavior (so-called analysis cookies).

Visitor analysis with Visitor Analytics

Visitor Analytics is a simple website analytics service that measures traffic and general details of visitors to our website. By collecting these statistics, we can improve the experience of our website visitors (for example, which pages they visit and when, their approximate location, where a user lands first, or whether they come from a particular referral).

As a website owner using Visitor Analytics, we do not use cookies to collect data about our visitors' device type and screen size, approximate location, browser, operating system, page visits, bounce rate, conversions, and popular content on the website. All of this data is pseudonymized, and Visitor Analytics will never use the data collected to identify individual users or match it with additional information about an individual user.

Visitor Recordings.

Visitor Recordings are an additional feature to Visitor Analytics (described above) in the form of a simple website playback tool that records where our website visitors have browsed and what they have clicked on on our website. We can see this information in playlists and so-called heat maps. Gathering these statistics helps us to make our website more user-friendly and to reproduce and fix technical errors.

Basically, as a website owner using visitor records, we use a snippet of tracking code to collect data about our visitors' journey on our websites, i.e. which subpages they visit, what they clicked on, where they moved their mouse cursor and where they scrolled to. All of this data is pseudonymized, and Visitor Analytics will never use the data collected to identify individual users or match it with additional information about an individual user.

This website uses Google Analytics, a web analytics service provided by Google, Inc. (hereinafter: Google). Google Analytics uses cookies, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics is not merged with other data from Google.

Functions of the Instagram service are integrated on our website. These functions are offered by Instagram Inc, 1601 Willow Road, Menlo Park, CA 94025, USA. When you visit our website and have given your consent, a direct connection is established between your browser and the Instagram server via the plugin. Instagram thereby receives the information that you have visited our site with your IP address. If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram.

For more information, please see Instagram's privacy policy: https://help.instagram.com/519522125107875.

Functions of the TikTok service are integrated on our website. These functions are offered by TikTok, 5800 Bristol Parkway, Culver City, CA 90066, USA. When you visit our website and have given your consent, a direct connection is established between your browser and the TikTok server via the plugin. TikTok thereby receives the information that you have visited our site with your IP address. If you are logged into your TikTok account, you can link the content of our pages to your TikTok profile by clicking on the TikTok button. This allows Instagram to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by TikTok.

For more information, please see Instagram's privacy policy:

https://www.tiktok.com/legal/privacy-policy-eea?lang=de

For the integration of videos on our website, we use YouTube, which is offered by Google LLC, D/B/A YouTube, 901 Cherry Ave. San Bruno, CA 94066. USA. When you visit one of our web pages in which a YouTube video is embedded, your IP address as well as the date and time of access to the video are transmitted to servers of YouTube. If you are logged in as a user of YouTube at the same time, YouTube may link the thereby collected data with your user account..

For more information on YouTube, please see YouTube's privacy policy:

https://policies.google.com/privacy https://www.youtube.com/static?template=terms

Google, Instagram, TikTok and Youtube are members of the so-called Privacy Shield and offer an adequate level of data protection according to DSGVO and DSG in case of transfer of personal data

to the USA. You can access the adequacy decision of the European Commission here, and the Privacy Shield guide of the Federal Data Protection and Information Commissioner here.

3.2 Legal basis for data processing

Insofar as the DSGVO is applicable, Art. 6 (1) lit. f DSGVO (legitimate interest) forms the legal basis for the processing of personal data using technically necessary cookies and for the processing of personal data in the context of the integration of Vimeo.

Art. 6 para. 1 lit. a DSGVO (consent) forms the legal basis for the use of cookies for analysis purposes and the plugins of Google, Facebook and Instagram if the DSGVO is applicable. You have the right to revoke your consent and adjust cookies at any time.

3.3 Purpose of data processing through the use of cookies.

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change. In these purposes also lies our legitimate interest in the processing of personal data according to Art. 6 para. 1 lit. f DSGVO.

The analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimize our offer. Furthermore, we use the analysis cookies and the corresponding plugins from Instagram and TikTok for advertising purposes in order to display advertisements to you via these social media.

3.4 Duration of storage, possibility of objection and removal

Cookies are stored on the user's computer and transmitted from it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website in full.

4. SOCIAL MEDIA

mummy.fitness is present in social networks in order to maintain communication with our customers and interested parties as well as to inform them about our offer.

The data of the users of these networks are processed primarily for information and advertising purposes. Cookies are created which allow us to create usage profiles based on the interests of the users. The usage profiles are then used, for example, to place advertisements within the social networks but also on third-party websites.

Social networks may process users' personal data outside the European Economic Area. In the event that a provider is certified under the EU-U.S. Privacy Shield, it has thereby undertaken to comply with the data protection standards of the European Union. The same applies to the Swiss-U.S. Privacy Shield with regard to Swiss standards.

For data processing, we rely on Art. 6 para. 1 p. 1 lit. f DSGVO, this due to our legitimate interest in effective user information and communication with users. The legal basis for the data processing

carried out by the social networks under their own responsibility can be found in the privacy policy of the relevant social network. You can also obtain further information (incl. objection options) under the links below.

Data protection requests are best made directly to the respective social network so that the request can be processed as efficiently as possible. The social network in question has access to the requested data and can take action accordingly.

Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). Privacy Policy: https://help.instagram.com/519522125107875
TikTok (5800 Bristol Parkway, Culver City, CA 90066, USA).
Privacy Policy: https://www.tiktok.com/legal/privacy-policy-eea?lang=de

Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Privacy policy: https://policies.google.com/privacy
Opt-Out: https://adssettings.google.com/authenticated
EU-U.S. Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.

5. REGISTRATION

5.1 Description and scope of data processing

On our website, we offer users the opportunity to register by providing personal data. The data is entered in an input mask and transmitted to us and stored. The data is not passed on to third parties. The following data is collected during the registration process:

First and last name
Address
E-mail address
Username
Password
Calculated date of birth (Only for users of the pregnancy program, so that the training can be adjusted to the week of pregnancy).

After registration, the user can voluntarily enter body measurement data (e.g. weight, abdominal circumference).

5.2 Legal basis for data processing

Insofar as the DSGVO is applicable, Art. 6 para. 1 lit. a and b DSGVO form the legal basis for the collection and processing of the data collected during registration. For existing customer advertising, Art.6 para. 1 lit. f DSGVO represents the corresponding legal basis.

5.3 Purpose of data processing

Registration of the user is necessary for the fulfillment of a contract with the user or for the implementation of pre-contractual measures. This means, among other things, that we need this data to deliver and invoice the online programs to the user. In the case of the pregnancy program, the user records the calculated date of birth so that the training session corresponds to the current week of pregnancy.

We also use contact data for existing customer advertising. This means that we inform our users about news, competitions and surveys even after the end of the program. These e-mails contain an unsubscribe link.

5.4 Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is the case for data collected during the registration process for the fulfillment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the implementation of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner in order to comply with contractual or legal obligations. For existing customer advertising, as described in 5.3, contact data is retained even after the end of the contract.

6. USE OF OUR OFFER

6.1 Data collection and data processing

In the context of the use of our online offer, personal data is also processed to the extent necessary (e.g. when ranking, participating in competitions or writing comments and ratings). Users can also voluntarily provide additional data during use, which is used for an overview. For example, the number of kilograms lost by the mummy.fitness community is displayed without naming the user. It is not possible to draw conclusions about individuals. The legal basis for this is Art. 6 para. 1 lit. a and b DSGVO.

6.2 Data transfer to third parties

In the context of order data processing, data may be processed by service providers. We have mentioned some of these service providers (so-called third parties) in this privacy policy. However, we may also work with other service providers, including data centers, software providers, IT service providers as well as consulting companies. These service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions and have appropriate technical and organizational measures in place.

If these service providers process your data outside the European Union or Switzerland, this may result in your data being transferred to a country with a lower data protection standard. In such cases, we ensure that the service providers in question guarantee an equivalent level of data protection by contract or otherwise (for example, by certifying the service provider in accordance with the EU-US or Swiss - US Privacy Shield).

Data processing on the occasion of an order
Data processing in the context of an order serves the purpose of processing the order. Art. 6 (1) lit. b DSGVO forms the legal basis for this. The data involved can be seen from the input mask that you fill out when placing the order.

For the fulfillment of the contract it may be necessary that the data is forwarded to our payment service provider or to the commissioned credit institution. For all payment methods (except prepayment) mummy.fitness works together with the payment service provider Stripe.

These payment methods can be used:

Credit card / Stripe
If you pay by credit card, then the payment processing is carried out via Stripe Payments Europe Ltd. to which we pass on your information provided during the ordering process in accordance with Art. 6 (1) lit. b DSGVO. The transfer of your data takes place exclusively for the purpose of payment processing with Stripe Payments Europe Ltd. and only insofar as it is necessary for this purpose. You can find more information about the data protection of "Stripe" here: https://stripe.com/de/privacy#translation.
Apple Pay
If you opt for the "Apple Pay" payment method of Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, the payment processing is carried out via the "Apple Pay" function of your terminal device operated with iOS, watchOS or macOS by charging a payment card deposited with "Apple Pay". Apple Pay uses security functions integrated into the hardware and software of your device to protect your transactions. For the release of a payment, the entry of a code previously defined by you as well as the verification by means of the "Face ID" or "Touch ID" function of your terminal device is therefore required.
For the purpose of payment processing, the information you provide during the ordering process, together with information about your order, is passed on to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before the data is transmitted to the payment service provider of the payment card stored in Apple Pay to carry out the payment. The encryption ensures that only the website through which the purchase was made can access the payment data. After the payment has been made, Apple sends your device account number and a transaction- specific, dynamic security code to the source website to confirm the success of the payment.
If personal data is processed during the described transmissions, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6 (1) lit. b DSGVO.
Apple retains anonymized transaction data, including the approximate amount of the purchase, the approximate date and time, and whether the transaction was completed successfully. The anonymization completely eliminates any reference to individuals. Apple uses the anonymized data to improve Apple Pay and other Apple products and services.
When you use Apple Pay on iPhone or Apple Watch to complete a purchase made through Safari on Mac, the Mac and the authorization device communicate over an encrypted channel on Apple's servers. Apple does not process or store any of this information in a format that can identify you personally. You can disable the ability to use Apple Pay on your Mac in your iPhone settings. Go to "Wallet & Apple Pay," and uncheck "Allow payments on Mac."
For more information about Apple Pay privacy, please visit the following web address: support.apple.com/en/HT203027

Google Pay
If you opt for the "Google Pay" payment method of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), the payment processing is carried out via the "Google Pay" application of your mobile end device by charging a payment card deposited with Google Pay or a payment system verified there (e.g. PayPal). For the release of a payment via Google Pay, the prior unlocking of your mobile end device by the respective verification measure set up (such as facial recognition, password, fingerprint or pattern) may be required.
For the purpose of payment processing, the information you provide during the ordering process, together with information about your order, will be passed on to Google. Google then transmits your payment information stored in Google Pay in the form of a uniquely assigned transaction number to the source website, with which a completed payment is verified. This transaction number does not contain any information about the real payment data of your payment means deposited in Google Pay, but is created and transmitted as a one-time valid numeric token. For all transactions via Google Pay, Google only acts as an intermediary to process the payment transaction. The

transaction is carried out exclusively in the relationship between the user and the source website by debiting the means of payment deposited with Google Pay.
Insofar as personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6 (1) lit. b DSGVO.

Google reserves the right to collect, store and evaluate certain transaction-specific information for each transaction made via Google Pay. This includes the date, time and amount of the transaction, merchant location and description, a description of the purchased goods or services provided by the merchant, photos that you have attached to the transaction, the name and email address of the seller and buyer or the sender and recipient, the payment method used, your description for the reason for the transaction and, if applicable, the offer associated with the transaction.

According to Google, this processing is carried out exclusively in accordance with Art. 6 para.1 lit. f DSGVO on the basis of the legitimate interest in proper billing, verification of transaction data and optimization and functional maintenance of the Google Pay service.
Google also reserves the right to merge the processed transaction data with further information collected and stored by Google when using other Google services.

The terms of use of Google Pay can be found here: payments.google.com/payments/apis- secure/u/0/get_legal_document.
Further information on data protection with Google Pay can be found at the following Internet address: https://payments.google.com/payments/apis- secure/u/0/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

Bank transfer/advance payment
mummy.fitness provides account number and bank routing number to allow users to make a payment from their bank account.

7. CONTACT FORM AND E-MAIL CONTACT

7.1 Description and scope of data processing

It is possible to contact us via the e-mail address provided. In this case, the user's personal data transmitted with the e-mail will be stored.

The data is used exclusively for processing the conversation. 7.2 Legal basis for data processing

The legal basis for the processing of the data is Art. 6 (1) lit. a DSGVO if the user has given his consent.

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) lit. f DSGVO. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DSGVO.

7.3 Purpose of data processing

In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.

7.4 Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.

7.5 Possibility of objection and removal

The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

All personal data stored in the course of contacting us will be deleted in this case.

8. RIGHTS OF THE SUBJECT

If personal data of yours is processed, you are - if the GDPR is applicable - a data subject within the meaning of the GDPR and you are entitled to the following rights against the controller:

8.1 Right to information

You may request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing exists, you have the right to information with regard to data concerning you that is processed by us.

8.2 Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are inaccurate or incomplete. The controller shall make the rectification without undue delay.

If we have disclosed your data to third parties, we will inform them of the correction, insofar as this is required by law.

8.3 Right to restriction of processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;

the controller no longer needs the personal data for the purposes of processing, but you need them for the establishment, exercise or defense of legal claims; or
if you have objected to the processing pursuant to Article 21 (1) DSGVO and it is not yet clear whether the legitimate grounds of the controller outweigh your grounds.

If the processing of personal data concerning you has been restricted, this data may only be processed in a restricted manner (namely in particular for the assertion of legal claims or with your consent).

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

8.4 Right to deletion

You can demand that we delete the personal data concerning you without delay, we are obliged to delete this data without delay. Please note that the right to erasure is subject to restrictions. For example, we may not delete data that we are still required to retain due to legal retention periods.

If we have passed on your data to third parties, we will inform them of the deletion, insofar as this is required by law.

8.5 Right to data portability

You have the right, if and to the extent that the GDPR applies, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller without hindrance by the controller to whom the personal data was provided.

8.6 Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) DSGVO.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

8.9 Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

8.10 Right to complain to a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, place of work or place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.

The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).