Data Privacy Statement YANA

We are happy that you have chosen to use our mobile app “YANA – You Are Not Alone” (hereafter also referred to as “YANA”, “YANA app”, or “app”). The YANA app is available for the operating systems Android and iOS and can be downloaded and installed on your mobile device from the respective app store.

1. General information about data processing

The protection of your privacy is important to us. We want you to know when we process your data, and which data we use. In this Data Privacy Statement you will learn which personal data we process during the use of the YANA app, and to what kind of purpose, and also what rights you have regarding these data.

Categorically, we only store data as long as we need them. There is no legal obligation to provide us with personal data. Automated decision-making, as per Article 22 of the EU-GDPR, will not happen.

2. Definitions

We are required by law that personal data are processed lawfully, in good faith, and in a manner that can be comprehended by the persons who are affected (“lawfulness, fair processing, transparency”). To this end, we hereby inform you about the individual legal definitions of the European General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act, which are also used in these data privacy regulations.

2.1 Personal data

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter the "data subject"). A natural person is considered to be identifiable if he or she can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier, or one or more special features which express the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

2.2 Processing

"Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.3 Restriction of processing

"Restriction of processing" means the marking of stored personal data with the aim of limiting its processing in the future.

2.4 Profiling

”Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

2.5 Pseudonymization

“Pseudonymization“ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person

2.6 Filing system

“Filing system“ means any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

2.7 Controller

“Controller“ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.

2.8 Processor

“Processor“ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

2.9 Recipient

“Recipient“ means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive potentially personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

2.10 Third party

A “third party“ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

2.11 Consent

The “consent“ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3. Responsibility

Data protection responsibility lies with
YANA GmbH
Kranichsteiner Str. 252
64289 Darmstadt
Germany
privacy@yana.world

4. Data we collect

In this paragraph we inform you about the kind of data we collect, the purposes of collection, and the legal foundations.

4.1 Data collection by the app stores

When the mobile app is downloaded, the required information is transferred to the respective app store, in particular user name, e-mail-address and customer number of your account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it. We only process these data as far as it is necessary for the download of the mobile app to your mobile device.

4.2 Log files

During the use of the mobile app, we collect the following data in so-called log files, which are a technical requirement for offering to you the functions of our mobile app and for guaranteeing its stability and safety.

The data are not amalgamated with other data sources. The server log files will be stored for a maximum period of 14 days and then be deleted automatically. Legal basis for the processing of the log files is Article 6 (1) (1) (f) GDPR. We have a legitimate interest to guarantee the functioning, stability and security of our app by means of log file storage.

4.3 Cookies

Similar to the use of cookies on websites, our app stores data records on your mobile device that can later be retrieved again by the app. For the sake of better comprehensibility we will hitherto only use the term cookies when we inform you about the related data processing.

4.3.1 Required cookies

As every app, we make use of cookies to be able to provide certain functions to you. They make mobile apps more user-friendly and effective. These are called transient cookies. They are automatically deleted when you close our app. In particular, there are session cookies, which store a so-called session ID that enables different requests to be allocated to your app. This way, your mobile device will be recognized when you use our app again. The session cookies are deleted when you log out.

Transient cookies do not contain any personal data, but may contain your IP address. We therefore point out that according to Art. 6 (1) (1) (f) GDPR we are entitled to collect personal data in cookies in order to ensure the correct display and stability of this website.

4.3.2 Cookies for range measurement

Our app uses Google Analytics for Firebase, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA, 94043 (“Google”). Google Analytics for Firebase also makes use of cookies.

The information about your use of our app which is generated by the cookie is transferred to a Google server in the USA and stored there. However, your IP address is shortened by Google and therefore anonymized within the member states of the European Union or other states covered by the Agreement on the European Economic Region. Only in exceptional cases the full IP address will be transferred to a Google server in the USA and shortened there.

Google has agreed to follow the regulations of the Privacy Shield Agreement during the transfer. The data transfer to the USA, under observation of the regulations of the Agreement, therefore constitutes an adequate level of protection according to Article 45 GDPR, as confirmed by the resolution of the European Commission from July 12th, 2016. Your IP address will not be amalgamated with other data from Google. You can find further information on the EU/US Privacy Shield at https://www.privacyshield.gov/EU-US-Framework.

We use Google Analytics for analyzing the interest in our app on the basis of Article 6 (1) (1) (f) GDPR, because we have a legitimate interest in improving the range and efficiency of our online offers.

4.4 Location data

In our app we collect location and geo-localisation data with your consent via your mobile device.

We use location data in order to display in a personal feed within the app the community posts that are relevant to you. Also, this information helps us to display additional personalized offers to you, for example advertisements.

We base the processing of these data on your explicit consent according to Article 6 (1) (1) (a) GDPR. When your app wants to access your location data for the first time, the operating system of your mobile device will ask whether you agree to allow the app access to your location. By confirming this request with “Yes”, you agree to our processing of these data. You may revoke this consent at any time by deactivating the access to location data in the app settings of your mobile device.

5. Data provided by you

Below we will inform you about how we handle the data you provide to us via the YANA app.

5.1 User account

In order to be able to use our app, you have to create a user account with the registration function. For this purpose, we offer you several options.

5.1.1 Registration with an e-mail address

Firstly, you have the option to register with your e-mail address. Naturally, this requires us to learn your e-mail address. It is required for the registration process and enables us to distinguish the different users. We only send app notifications and information concerning your user account to your e-mail address. It will not used for any other purposes.

Both the user name and the password can be freely selected. There is no obligation to use one's real name or a portrait photo. Names and profile pictures merely serve to distinguish the different users.

Should you close your user account, we will delete your data, unless we are obligated to store them due to reasons prescribed by commercial or tax legislation.

5.1.2 Log-in with a Facebook account

Secondly, you have the option to register with your already existing Facebook account, using your Facebook log-in data. This happens via a respective interface (API) of the social network Facebook, which is run by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (“Facebook”). In this case, a direct connection to Facebook's servers will be set up.

Via the interface, we will receive the general and publicly accessible information from your profile, depending on your personal data protection settings at Facebook. This information includes user ID, name, profile picture, age and gender. We will only store your e-mail address – all other data will be discarded.

We point out that a transfer of your friend's user IDs and your friends list might also occur, if they were labeled as “public” in your Facebook privacy settings. However, these data transmitted by Facebook will be discarded and not stored.

Conversely, based on your agreement with Facebook, information (e. g. about your internet surfing patterns) may be transferred by us to your Facebook profile.

Facebook has agreed to follow the regulations of the Privacy Shield Agreement during the transfer. The data transfer to the USA, under observation of the regulations of the Agreement, therefore constitutes an adequate level of protection according to Article 45 GDPR, as confirmed by the resolution of the European Commission from July 12th, 2016. You can find further information on the EU/US Privacy Shield at https://www.privacyshield.gov/EU-US-Framework.

We base the processing of the above-mentioned data on Article 6 (1) (1) (f) GDPR. We have a legitimate interest in offering various options for registration to our users, in order to keep the handling of our app as user-friendly and convenient as possible. Furthermore, also according to Article 6 (1) (1) (a), data processing is based on the permission given by you to Facebook.

5.1.3 Log-in with a Google account

Thirdly, you have the option to register with your already existing Google account via the service “Google Sign-In” provided by Google Inc., Amphitheatre Parkway 1600, 94043 Mountain View, CA, USA (“Google”). In this case, a direct connection with Google's servers will be made.

The log-in via Google Sign-In links your Google profile with our app. Thus, we will receive the following information: your e-mail address, name, date of birth, gender, as well as the country in which you are located. Depending on the Google privacy settings you have selected, we may also receive information on your internet surfing patterns, your telephone number and the profile pictures you have filed with Google.

However, we will only store your e-mail address and discard all other transferred data.

Conversely, Google Sign-In will also transfer certain data from us to Google. This might include data being transferred to the USA. Google will receive your IP address, and, depending your settings in your Google account, also information on your internet surfing patterns.

Google has agreed to follow the regulations of the Privacy Shield Agreement during the transfer. The data transfer to the USA, under observation of the regulations of the Agreement, therefore constitutes an adequate level of protection according to Article 45 GDPR, as confirmed by the resolution of the European Commission from July 12th, 2016. You can find further information on the EU/US Privacy Shield at https://www.privacyshield.gov/EU-US-Framework.

We base the processing of the above-mentioned data on Article 6 (1) (1) (f) GDPR. We have a legitimate interest in offering various options for registration to our users, in order to keep the handling of our app as user-friendly and convenient as possible. Furthermore, also according to Article 6 (1) (1) (a), data processing is based on the permission given by you to Google.

5.2 User comments and contributions

In the app, you may write contributions and comments (“posts”). These are publicly visible for all users of our app. It is up to you whether you choose to publish data containing personal information in our app.

When posts are published, we will store the IP address and the time of access for a maximum of seven days, based on our legitimate interest according to Article 6 (1) (1) (f) GDPR. This procedure is due to security reasons, in case a post violates the rights of third parties or contains illegal content (insults, defamation, sedition etc.). This is necessary because in this case we might face legal action ourselves for the comment or contribution. These data will not be passed on to third persons, unless such a transfer is prescribed by law or serves our legal defence.

5.3 Other inquiries

When you contact us via e-mail, telephone or telefax, your inquiry, including all personal data arising thereof will be stored by us for the purpose of processing your request. We will not pass on these data without your consent. The processing of these data is based on Article 6 (1) (1) (b) GDPR, if your inquiry is related to the fulfilment of a contract concluded with us or required for the implementation of pre-contractual measures. Furthermore, the processing is based on Article 6 (1) (1) (f) GDPR, because we have a legitimate interest in the effective handling of requests sent to us. In addition, according to Article 6 (1) (1) (c) GDPR we are also entitled to the processing of the above-mentioned data, because we are legally bound to enable fast electronic contact and immediate communication.

Of course, your data will only be used strictly according to purpose and only for processing and responding to your request. After final processing, your data will immediately be anonymized or deleted, unless we are bound by a legally prescribed storage period.

6. Transfer of personal data to data processors

In principle, we will never pass on your personal data to third parties without your explicit consent. However, just as every modern business we cooperate with data processors in order to be able to offer you the best possible uninterrupted service.

When we cooperate with external service providers, regular order processing is performed, based on Article 28 GDPR. For this purpose, we enter into respective agreements with our partners, in order to safeguard the protection of your data. For processing your data, we only use carefully selected processors. They are bound by our instructions, and regularly controlled by us. We only commission external service provider who have guaranteed that all data processing procedures are performed in unison with data protection regulations.

Receivers of personal data may be:

7. Your rights

In this section we inform you about your rights with regards to your personal data.

7.1 Revocation of consent

If your personal data is processed on the basis of consent which you have given us, you have the right to revoke your consent at any time. The revocation of consent does not affect the legality of the processing performed on the basis of the consent until the time of revocation.

You can contact us at any time to exercise your right to revoke consent.

7.2 Right to confirmation

You have the right to request confirmation from the controller that we are processing personal data concerning you. You can request this confirmation at any time using the contact details above.

7.3 Right to information

In the event that personal data is processed, you can request information about this personal data and the following information at any time:

If personal data is transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards under Article 46 of the GDPR in connection with the transfer. We provide a copy of the personal data that is the subject of the processing. For any additional copies you request of a person, we may charge a reasonable fee based on our administrative costs. If your request is submitted electronically, the information must be provided in a standard electronic format, unless otherwise stated. The right to receive a copy under paragraph 3 shall not affect the rights and freedoms of others.

You can contact us at any time to exercise your right to revoke consent.

7.4 Right to rectification

You have the right to demand the immediate correction of incorrect personal data concerning you. Taking into account the purposes of processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

7.5 Right to erasure (“right to be forgotten“)

You have the right to demand that the controller erase personal data concerning you without undue delay, and we are obligated to erase personal data without undue delay where one of the following grounds applies:

If the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data. The right to erasure (“right to be forgotten“) does not apply to the extent that the processing is necessary:

7.6 Right to restriction of processing

You have the right to request that we restrict the processing of your personal data if any of the following conditions apply:

In the event that processing has been restricted under the aforementioned conditions, this personal data shall – with the exception of storage – only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

In order to exercise the right to restrict processing, the data subject may contact us at any time using the contact details provided above.

7.7 Right to data portability

You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data have been provided, to the extent that:

In exercising your right to data portability pursuant to paragraph 1, you have the right to have the personal data transmitted directly from one controller to another, to the extent that this is technically feasible. The exercise of the right to data portability does not affect your right to erasure (“right to be forgotten”). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.8 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data which concerns you which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. If objection is made, the controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

In the event that personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

Regarding the use of information society services, and notwithstanding Directive 2002/58/EC, you can exercise your right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1), you, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The right of objection can be exercised at any time by contacting the respective controller.

7.9 Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for you or similarly significantly affects you. This does not apply if the decision:

This right can be exercised by the data subject at any time by contacting the respective controller.

7.10 Right to lodge a complaint with a supervisory authority

You also have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you as data subject consider that the processing of personal data relating to you infringes this Regulation.

7.11 Right to effective judicial remedy

Without prejudice to any other available administrative or judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR, you have the right to an effective judicial remedy if you consider that your rights under this Regulation have been infringed as a result of the processing of your personal data in breach of this Regulation.

8. Children and young people

In principle, our offer is directed towards adults. Children and young people under the age of 16 are not allowed to transmit personal data to us without the consent of their parents or legal guardians.

9. Amendments

Due to the fast-paced development of both the internet and data protection legislation, we explicitly reserve the right to make amendments to these data privacy regulations.