We take responsible handling of your personal data seriously. Protecting your privacy is of great importance to us. We treat the data we process in the course of our business activities with care. We strive to ensure the highest possible data security when dealing with the information technologies used and generally only collect data that is absolutely necessary.

We take appropriate technical and organizational security measures (e.g., encryption and/or pseudonymization of your personal data, instructions, confidentiality declarations, and controls) to protect your personal data against manipulation, loss, destruction, or access by unauthorized persons. These measures are based on international standards and are regularly reviewed and adapted as necessary.

Our employees are regularly trained in data protection and are bound by special confidentiality obligations. In addition, compliance with data protection is continuously monitored. This also applies to the data processors we commission.

In this privacy policy, we explain how we collect and process personal data, for what purpose this is done, who has access to your personal data, how long we process your data, what rights you have in this context, and how you can contact us.

This privacy policy contains the essential statements on data protection and thus serves to inform about data protection and the right to informational self-determination. The present data protection provisions are not part of the contract and can be changed by us at any time within the framework of legal provisions. The version published on our website applies in each case. The German version is authoritative and also forms the basis for all language versions of our data protection provisions.

Information on Data Protection

Personal data (hereinafter also referred to as "data") is understood to mean all information relating to a specific or identifiable natural person (e.g., name, date of birth, email address, identity data, authentication data, tax data, IP address). In addition, we process special categories of personal data (e.g., your health data). Information that is anonymized or aggregated and can no longer be used to identify a specific person is not considered data.

Data processing includes any handling of personal data, e.g., the procurement, storage, use, disclosure, modification, archiving, or deletion of data. The legal basis and purpose for processing your data is primarily the initiation and/or fulfillment of a contract.

In addition, we base the processing of data on the existence of a legal obligation and/or consent as well as on the overriding legitimate interest of prosperity solutions AG (i.e., in particular to pursue the described purposes and associated goals and to be able to implement corresponding measures).

The processing of your personal data is based on the principles of accuracy, lawfulness, transparency, data minimization, proportionality, accountability, and data security.

prosperity solutions AG, as the processor of your personal data, is subject to the legal provisions applicable in Liechtenstein. Liechtenstein is a member of the European Economic Area (EEA) and the EU General Data Protection Regulation (GDPR) applies in full, together with the applicable national laws, such as the Liechtenstein Data Protection Act (DSG-LI), the Swiss Data Protection Act (DSG-CH), or the German Federal Data Protection Act. The processing of your personal data is based on the General Data Protection Regulation (GDPR), the Liechtenstein Data Protection Act (DSG-LI), the Swiss Data Protection Act (DSG-CH), the German Federal Data Protection Act, and other applicable national laws.

The present data protection provisions do not contain an exhaustive description of our data processing activities. Individual cases are regulated in whole or in part by specific information (with or without reference to this data protection provision).

There are exceptions to the data protection information obligation: This does not apply if the information is not possible or would require disproportionate effort, if you are already informed about the data processing, if the processing is legally required, or if we are legally obliged to maintain confidentiality.

If you want to conclude a contract with us, you must provide us with all data that is necessary for the establishment and conduct of the business relationship and for the fulfillment of the associated contractual obligations. Without this data, we are not able to conclude a contract with you or fulfill it or provide services.

In certain cases, we collect your data from third parties or receive your data from third parties. We only collect personal data without your participation if direct collection would be unreasonable or disproportionate or would violate business secrets according to Art. 20 of the Liechtenstein Insurance Distribution Act.

Controller of Data Processing

The controller within the meaning of the GDPR is:

prosperity solutions AG Feldkircher Straße 31 9494 Schaan Principality of Liechtenstein

Email address: privacy@tpc.li

Prosperity solutions AG is a company of the prosperity group. Other companies of the prosperity group are

the prosperity company AG, Liechtenstein Life Assurance AG, prosperity cashtech AG each with headquarters in Schaan/Liechtenstein as well as
prosperity solutions GmbH with headquarters in Berlin/Germany and
prosperity solutions (Switzerland) AG with headquarters in Zurich/Switzerland.

Purpose of Data Processing

Personal data that you provide to us or that we lawfully receive from companies of the prosperity group, we process for the purposes listed below and/or agreed with these and the underlying goals.

Initiation and execution of contractual relationships
Internal administration (e.g., IT security, audit, controlling)
Communication with you, e.g., by post, email, or telephone
Legal Services and Compliance: We process your data to comply with regulatory and legal obligations and to ensure that laws, guidelines, requirements, and internal instructions are observed. In particular, we process your data to combat money laundering, terrorist financing, and bribery and corruption. We also process your data to fulfill legally required reporting obligations that serve to prevent, detect, or investigate crimes or other violations. This includes, among other things, the duty to provide information, the duty to inform, or the duty to report in connection with supervisory and tax obligations.
Customer surveys and marketing: We process your data for customer surveys and for marketing purposes to inform you about our products and services. Marketing purposes are understood to mean all activities of the prosperity group with which customers can be acquired or existing customer relationships can be expanded.
Statistics and science: We process your data for general and insurance-specific statistical surveys, for risk management purposes, and for market research purposes.
Artificial intelligence: We use AI systems to optimize our services, in particular to support communication and document processing (e.g., translation and linguistic improvement of texts), for the automated handling of customer inquiries in our chatbot or ticketing system, to fulfill statutory due diligence obligations, and to carry out legal and regulatory tasks (e.g., compliance checks, identification of regulatory risks, research and analysis of relevant information). Data processed in the context of AI interactions is not used to train AI models.

Legal Basis

To the extent that the GDPR applies, we rely on the following legal bases:

Art. 6 para. 1 lit. b GDPR (implementation of pre-contractual measures, contract fulfillment. If special categories of personal data are required for this, we obtain your consent in accordance with Article 9 para. 2 a) in conjunction with Article 7 GDPR)
Art. 6 para. 1 lit. c GDPR (legal obligation)
Art. 6 para. 1 lit. f GDPR (legitimate interest)
Art. 6 para. 1 lit. a GDPR (consent, e.g., for advertising or health data)
Art. 9 para. 2 lit. a GDPR (special categories of personal data)

Data Collection

Direct Data Collection

Personal data is primarily collected directly from you (e.g., in online and application forms).

Data from/with Third Parties or Public Authorities

In certain cases, we collect your data from third parties or receive your data from third parties or public authorities and process it within the legally permissible framework. For example, we process data that we have received from authorities or public bodies, financing companies, banks, insurers, distribution partners, employers, credit agencies, press or media.

Data from Publicly Accessible Sources

To the extent permitted, we also obtain certain data from publicly accessible sources (e.g., debt collection register, land register, commercial register, media, internet) or receive such data from other companies within the prosperity group, from authorities, cooperation partners, or other third parties.

Profiling

We want our communication to be useful and relevant to you. Therefore, we use profiling for marketing purposes to better understand our customers and to target content.

What does profiling mean in this context? Profiling is an automated processing of your data to analyze certain personal aspects and assign you to a customer group (segment). We use exclusively data that you have provided to us, such as your specified language or country of residence.

Purpose and effect of profiling: The only purpose of this profiling is the personalization of our marketing communication. If you have chosen German as your language, for example, you will receive our newsletter in German. This approach has no other effects on you and in particular does not affect the contracts, conditions, or services available to you.

Legal basis: If you have given us consent to receive marketing information (Art. 6 para. 1 lit. a GDPR), this also includes the profiling described here that is associated with it.

Automated decision-making in individual cases that has legal effect on you or significantly affects you in a similar way (according to Art. 22 GDPR) does not take place.

Disclosure of Data

General

We protect your data and do not sell it to third parties. Your data may be disclosed to data processors and third parties under certain circumstances (e.g., if required for contract conclusion or contract processing or for other purposes mentioned in this privacy policy). If legally required, these recipients are contractually obliged to comply with the currently applicable data protection legislation as well as confidentiality and, if applicable, secrecy.

Within prosperity solutions AG, those departments receive your data that need it to fulfill contractual and legal obligations. Data processors we use (Article 28 GDPR) can also receive data for these mentioned purposes. These are companies in the categories of IT services, software development, logistics, printing services, communication, payment service providers, financing, debt collection, consulting and consulting, sales and marketing, as well as information and address research. We may only pass on information about you if legal provisions permit or require this, you have consented, or we are authorized to provide information. Under these conditions, recipients of personal data can be, for example:

Companies of the prosperity group

We are part of the prosperity group and therefore handle certain business processes partially in central service units and data processing systems of the prosperity group. This data processing only takes place within the European Economic Area (EEA) or Switzerland. For these processing operations, there are data processing agreements at group level that meet the requirements of Art. 28 GDPR.

External service providers

We use external service providers to fulfill our contractual and legal obligations.

Conclusion of electronic business transactions

We offer conclusions in electronic business transactions. In this area, we have cooperation with service providers that guarantee an electronic and legally binding signature (digital signature).

Other recipients

In addition, we may transmit your personal data to other recipients, such as authorities to fulfill legal reporting and control obligations (e.g., social security institutions, tax authorities, law enforcement agencies, supervisory authorities (e.g., BaFin, FMA, FINMA, EIOPA, customs, Financial Intelligence Unit). We also transmit your personal data to credit institutions for payment processing. Other data recipients can be those institutions for which you have given us your consent for data transmission or for which you have released us from confidentiality (e.g., health insurance companies, doctors, hospitals).

A service provider list of the recipients mentioned above, with whom not only temporary business relationships exist, can be requested directly from us in the current version. For any further information, please contact the controller at the address mentioned above.

Disclosure of Data to Data Processors

We work with data processors such as suppliers, IT and other service providers to fulfill contractual or legal obligations. These are contractually obliged to process the data only for the purposes predetermined by prosperity solutions AG.

Data Transfer to Third Countries

If we transfer personal data to service providers in countries outside the European Economic Area (EU and EEA), this is done exclusively on the condition that either the European Commission has certified an adequate level of data protection for the third country concerned or that other appropriate data protection guarantees exist - such as binding corporate data protection rules or EU standard contractual clauses. An exception to this only exists if the transfer is legally required or takes place on the basis of official or court orders.

We currently transfer personal data to service providers in third countries outside the EU, particularly to Switzerland and the USA. For Switzerland, the EU Commission decided on January 15, 2024, that a data protection level comparable to that of the EU is guaranteed. For transfers to the USA, the EU Commission recognized with its decision of July 10, 2023, that for personal data transferred from the EU/EEA area to EU-U.S. Data Privacy Framework-certified organizations in the USA, an equivalent level of data protection exists. If a service provider should not be certified according to the Data Privacy Framework, we ensure that other appropriate guarantees are agreed, e.g., according to EU standard contractual clauses (SCC).

To the extent legally required, we will inform you separately about such data transfers.

Duration of Storage

Your personal data will be deleted as soon as it is no longer required for the purposes mentioned above. In certain cases, however, longer retention may be necessary - for example, when potential legal claims could be asserted against us. In such cases, storage takes place for the duration of the relevant legal limitation periods, which can usually be three years, but in individual cases up to thirty years.

In addition, we are legally obliged to keep certain personal data for a longer period. Such obligations arise in particular from personal and company law, tax law, and the law on due diligence in financial transactions.

The corresponding evidence and retention periods are up to ten years.

Contract data: up to 10 years after contract conclusion
Health data: until the expiry of legal limitation periods (usually up to 10 years and in individual cases up to 30 years)
Consents: up to 3 years after revocation

Obligation to Provide Personal Data

In the context of our business relationship, you only need to provide the personal data that is necessary for the establishment and conduct, execution, and termination of a business relationship, that we need to exercise our legitimate interests, or that we are legally obliged to collect. Without this data, we will usually have to refuse the conclusion of the contract or the execution of the order or may not be able to continue an existing contract and may have to terminate it.

In particular, we are obliged under the money laundering regulations to identify you before establishing the business relationship, for example, on the basis of your identity document, and to collect your name, place of birth, date of birth, country of birth, nationality, and your residential address and to electronically record the identity document. For us to be able to comply with these legal obligations, you must provide us with the necessary information and documents under the Due Diligence Act and immediately report any changes that arise during the business relationship. If you do not provide us with the necessary information and documents, we may not establish or continue the business relationship you desire.

Acknowledgment

By concluding a contract with us, you acknowledge this privacy policy. You can find the current version of this document on our website under the "Data Protection" section.

Your Rights

As a data subject, you have the right to information about the data stored about you. In certain cases, you can also request correction, deletion, restriction of processing, objection, or transfer of your data. A correction may be considered if the data is incorrect. Data must be deleted if the legal basis for collection and/or storage no longer exists and there is no legal retention obligation.

Your rights in detail:

Information (Art. 15 GDPR): You have the right to request information about whether and which personal data we process about you.
Correction (Art. 16 GDPR): If your data is incorrect or incomplete, you can request its correction or completion at any time.
Deletion (Art. 17 GDPR): Under certain conditions (e.g., when the purpose ceases to apply or you revoke your consent), you have the right to request the deletion of your personal data ("right to be forgotten").
Restriction of processing (Art. 18 GDPR): You can request that the processing of your data be restricted, e.g., if you dispute the accuracy of the data or an objection procedure is running.
Data portability (Art. 20 GDPR): You have the right to receive your provided personal data in a structured, common, and machine-readable format and to transfer it to another controller.
Objection to processing (Art. 21 GDPR): You can object to the processing of your personal data if it is based on legitimate interests or is used for direct advertising. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.
Revocation of your consent (Art. 7 para. 3 GDPR): If you have given us consent for data processing, you can revoke this at any time with effect for the future, without this affecting the lawfulness of the previous processing.

Please note that a revocation of consent can have effects on your contractual relationship. If certain data processing is necessary for the execution or maintenance of the contract, a revocation can lead to us not being able to provide our contractual services or only being able to provide them to a limited extent. In such cases, we reserve the right not to continue the contract if no other legal basis for data processing exists.

Data Protection Officer

You can reach our data protection officer at the following address with the addition "Data Protection Officer":

prosperity solutions AG Feldkircher Straße 31 9494 Schaan Principality of Liechtenstein Email: privacy@tpc.li

Swiss Data Protection Officer

In Switzerland, you can reach our representative appointed in accordance with Art. 14 of the CH DSG at the following address with the addition "Data Protection Officer":

prosperity solutions (Switzerland) AG Gutenbergstrasse 10 8002 Zurich Switzerland Email: privacy@tpc.li

Data Protection Supervisory Authority

If you believe that prosperity solutions AG does not comply with applicable data protection regulations towards you, we recommend that you first contact the responsible data protection officer mentioned above.

However, you can also file a complaint directly with the responsible data protection supervisory authority:

Principality of Liechtenstein

Data Protection Office (DSS) Städtle 38 Postfach 684 FL-9490 Vaduz https://www.datenschutzstelle.li

Switzerland

Federal Data Protection and Information Commissioner Feldeggweg 1 CH-3003 Bern https://www.edoeb.admin.ch/en

Update of this Privacy Policy

This privacy policy may be adapted at a later time due to changes, e.g., in legal provisions. You can obtain a current version of the information sheet as well as the service providers with whom not only temporary business relationships exist on our websites under the "Data Protection" section.

Use of the prosperity solutions AG Application

Below you will find supplementary information on the collection and processing of personal data that is collected via the application/website of prosperity solutions AG and related services (hereinafter also referred to as "Website" or "Prosperity App").

For the Prosperity App, the controller of data processing is:

prosperity solutions AG Feldkircher Straße 31 9494 Schaan Principality of Liechtenstein Email address: privacy@tpc.li

Processing of Your Personal Data in Connection with the Use of the Prosperity App

Information Collected When Downloading the Prosperity App

When you download the Prosperity App, information is sent to the app store you use. This information may include your Apple or Android ID, the time of download of the Prosperity App, payment information, and your individual device ID. This data is only processed by the app store you use and is outside our control.

Information Automatically Collected When Using the Prosperity App

When you use the Prosperity App, we automatically collect certain data that is necessary in this context. This includes, for example, your device model, system version, and the IP address of your mobile device or computer. We process this data automatically to

provide the Prosperity App for you,
improve the functions and performance of the Prosperity App, and
prevent and/or fix any misuse and/or malfunctions.

To the extent that the GDPR applies, this processing is justified by the fact that it is necessary according to Art. 6 para. 1 lit. b GDPR for the fulfillment of the contract between you and us.

Processing of Your Personal Data When Using Our Services in the Prosperity App

We offer services in the Prosperity App (e.g., creation of a user account, possibility to contact us, conclusion and management of contracts) and ask you to provide personal data when using them. The required information is always marked as mandatory fields. Without this information, we are not able to provide the desired service or answer your inquiries. This includes data from you that you have directly provided, such as surname, first name, gender, phone number, email address, login details and password, and investment interest.

We store the data you enter for the period during which you use your user account and beyond according to legal retention obligations.

You can manage and change all information in the protected customer area at any time.

The legal basis for data processing is, to the extent that the GDPR applies, Art. 6 para. 1 lit. b GDPR, as it serves to ensure the efficient provision and management of the user account within the framework of the contract between you and us. Unless exceptions apply within the services mentioned below, your personal data will be stored until you either delete the data or delete your user account as a whole. Your personal data will be deleted within 90 days after deletion of your account. Legal retention obligations or the need to keep your personal data for legal action due to misconduct in connection with the use of the service or payment problems may result in us having to keep your personal data longer.

Please note that data entered on behalf of Liechtenstein Life Assurance AG via the Prosperity App (e.g., documents in connection with an address adjustment) is forwarded to Liechtenstein Life Assurance AG. In this case, prosperity solutions AG acts as a data processor for Liechtenstein Life Assurance AG, and the deletion periods of Liechtenstein Life Assurance AG apply to these processing operations.

Communication

We store and process the personal data that you provide to us when you contact us via the chat function or by email. We use this data only to answer your inquiry or to contact you and for the associated technical administration.

The legal basis for the lawfulness of this data processing is, to the extent that the GDPR applies, Art. 6 para. 1 lit. b GDPR, because it serves the fulfillment of the contract between you and us or corresponding pre-contractual measures, and Art. 6 para. 1 lit. f GDPR, because the processing of these inquiries serves both your and our legitimate interest in communication and lively exchange with you as well as in the further development of our offers. We also understand your use of the respective interaction channel as your consent (to the extent that the GDPR applies: Art. 6 para. 1 lit. a GDPR) to data processing for the respective (specified) purpose.

After your inquiry has been processed, we store your personal data for a period of three years, beginning with the end of the calendar year in which the inquiry was resolved. We will then delete your data and/or only continue to store it if the law, articles of association, or contract prescribe retention periods or if we need to continue storing the data to assert, exercise, or defend legal claims.

Electronic Communication and Associated Data Security

You have various options to contact prosperity solutions AG via the Prosperity App.

The personal data you transmit is protected by encryption mechanisms corresponding to the current security standard. Despite extensive technical and organizational security measures, data may be lost or intercepted and/or manipulated by unauthorized persons.

We are concerned about your data security and take appropriate technical and organizational security measures to prevent this within our systems.

Your computer is outside the security area controlled by prosperity solutions AG. It is your responsibility as a user to inform yourself about the required security measures and to take appropriate measures. prosperity solutions AG is in no way liable for damages that may arise from data loss or manipulation. The internet is a globally open network. When you transmit personal data over the internet, you always do so at your own risk. With unencrypted electronic communication, data can be intercepted and manipulated by third parties or lost.

Email and Chat

If you want to send an email or chat message with confidential content to prosperity solutions AG, it should be encrypted to prevent unauthorized knowledge or falsification during transmission.

For unencrypted emails sent to prosperity solutions AG, data security cannot be guaranteed, which is why prosperity solutions AG excludes any warranty and liability. As an alternative to encrypted email communication, we therefore recommend that you contact us directly via the Prosperity App.

The use of our chatbot in the Prosperity App is voluntary. When using the chatbot, entering personal or confidential data is not required. We therefore ask you to refrain from mentioning such data. You are free to contact us via alternative channels, in particular by telephone or email.

Data Sharing Through Document Exchange

With the Prosperity App, you can easily share key details of your policy with another person. Depending on the access right selected (Basic or full view), different information is shared. With the Basic view, the invited person can see the start and end date of the policy, the contract number, the name of the policyholder, as well as the data and steps required to assert a potential claim for benefits. With the full view, the invited person receives full read access to the policy data, such as key contract data, configured contract options, involved and beneficiary persons, payments made, the asset investment, and its allocation.

This data use is based on Art. 6 para. 1 lit. b GDPR (performance of a contract), as you instruct us to exchange your documents. At your request, we make the requested data visible to the selected person. You can revoke this sharing yourself at any time if you no longer want it.

Cookies and Similar Technologies

Information about cookies and similar technologies can be found below.

Type	Name	Purpose	Storage Period	Necessity
Cookie	session-token	Serves authentication and security to maintain your session after login.	1 year	Technically necessary
Cookie	NEXT_LOCALE	Stores the language you have chosen for future visits.	1 year	Technically necessary
LocalStorage	supportFormValues	Temporarily stores your entries in contact or support forms to prevent data loss when reloading the page.	Until form submission	Technically necessary
LocalStorage	apollo-cache-persist	Stores application data locally to reduce loading times on repeated visits (caching).	Until end of session	Technically necessary
SessionStorage	`__anon_id` `__user_id` `__user_traits` `__prev_lang`	Serve to recognize your device during a session	Until end of session	Technically necessary

Processing of Personal Data Through the Use of Service Providers

We use a number of cloud providers and tools to provide our services. These service providers process personal data on our behalf and according to our instructions. We have concluded corresponding data processing agreements (DPA) with all service providers in accordance with Art. 28 GDPR to ensure the protection of your personal data.

Amazon Web Services EMEA SARL (AWS)

We use services from Amazon Web Services EMEA SARL (AWS) as an infrastructure provider for hosting, storage, and processing of personal data of our Prosperity App application. AWS provides us with the technical infrastructure (servers, databases, storage services, etc.) on which our applications and data are operated.

In connection with the use of AWS, we can collect the following data categories:

Identification data: e.g., name, email address, phone number, user ID, device ID.
Demographic data: e.g., age, gender, location
Log data

We store personal data in the AWS infrastructure.

We process your personal data using AWS for the following purposes:

Provision of our online offers,
Hosting of our application
Storage of data
Execution of backend processes.

The legal basis for our processing is Art. 6 para. 1 lit. b GDPR (contract fulfillment) or Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient and secure operation of our services).

Data transfer to third countries: A data transfer to the USA is not excluded by the use of AWS. If a transfer takes place, it is based on the standard contractual clauses of the EU Commission (SCCs), which AWS has committed to as a binding guarantee for an adequate level of data protection. The standard contractual clauses do not apply to a data transfer if AWS has introduced binding internal data protection rules for processors (Binding Corporate Rules for Processors) or an alternative recognized compliance standard for lawful data transfers. AWS is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Google Cloud Platform (GCP)

We use services from Google Cloud Platform (GCP), offered by Google Cloud EMEA Limited as an infrastructure provider for the prosperity App. GCP offers similar infrastructure services to AWS.

Similar to AWS, the processed personal data can be log data, identification data, or demographic data.

We process your personal data using GCP for the following purposes:

Provision of backend services
Provision of AI services
Storage and processing of application data.

To the extent that the GDPR applies, the legal basis for our processing is Art. 6 para. 1 lit. b GDPR (contract fulfillment) or Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient and scalable operation of our services).

Data transfer to third countries: A data transfer to the USA can take place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). GCP is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Prosperity Copilot: The Prosperity App has an integrated chat function for communication. This chat function includes an Artificial Intelligence (AI) called 'Prosperity Copilot', which also runs on GCP. The Prosperity Copilot categorizes your inquiries and forwards them accordingly to the responsible department.

Vercel

Prosperity App uses Vercel, Inc. for the delivery of our frontend applications and static content. Vercel provides a global Content Delivery Network (CDN) and Edge Functions to deliver content quickly and performantly to end users worldwide.

Vercel processes IP addresses, browser information, access times, visited pages (technical access data), as well as the static content and possibly personal data that is forwarded via our serverless functions. Vercel stores our content and forwards requests to our backend systems.

We process your personal data using Vercel for the following purposes:

Fast and efficient delivery of our web content
Performance optimization and load distribution.

To the extent that the GDPR applies, the legal basis for processing is Art. 6 para. 1 lit. f GDPR (legitimate interest in providing a secure application).

Data transfer to third countries: Due to the global CDN, a data transfer to third countries outside the EU/EEA, including the USA, can take place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). Vercel is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Microsoft Azure

We use services from Microsoft Ireland Operations Limited as an infrastructure provider for our application.

Similar to AWS and GCP, the personal data processed here can be log data, application data, authentication data, or other personal data stored by us in Azure.

The purpose of processing is the provision and operation of specific applications or functions including data storage as well as AI applications.

To the extent that the GDPR applies, the legal basis for processing is Art. 6 para. 1 lit. b GDPR (contract fulfillment) or Art. 6 para. 1 lit. f GDPR (legitimate interest in stable and efficient operation).

Data transfer to third countries: A data transfer to the USA can take place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). Microsoft is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Qovery

We use services from Qovery SAS as a platform for automated deployment and management of our products (e.g., Prosperity App, PS Suite, Partner Life). Qovery supports us in reliably rolling out applications, provisioning infrastructure resources, orchestrating deployments, consistently managing environments, and ensuring stable operations.

The data processed includes in particular technical system and performance data, such as configuration and deployment settings, log data, metadata on infrastructure resources, version and build information, IP addresses (possibly pseudonymized), user agent data, technical identifiers such as service or container IDs, and error messages without personal content. We strive to minimize the transfer of directly identifiable personal data to Qovery.

The purpose of processing is the provision, automation, and monitoring of our deployments, ensuring stable operation of our applications, error diagnosis and resolution, optimization of our infrastructure, and ensuring an efficient and secure development and execution environment.

The legal basis for this processing is Art. 6 para. 1 lit. f GDPR (legitimate interest in secure, stable, efficient, and scalable provision of our services).

Data transfer to third countries: A transfer to the USA may take place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). Qovery is also certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

PostHog

Prosperity App uses PostHog, Inc. to analyze user behavior to improve our products. We use PostHog in a privacy-friendly configuration: The analysis is based exclusively on data that is transmitted from our own servers to PostHog (so-called backend tracking). No code from PostHog is executed on your device and no cookies are set by PostHog.

In connection with the use of PostHog, we can process the following data categories:

Browser and device data, referrer URL, timestamp, click paths, visited pages, interactions with the application (e.g., button clicks, form interactions), possibly pseudonymous user IDs.

We have configured PostHog so that IP addresses are anonymized before they are stored and no directly identifiable data is processed without your explicit consent.

Purpose of processing: Analysis of user behavior to optimize and improve our application.

To the extent that the GDPR applies, the legal basis for this processing is our legitimate interest in analyzing and optimizing our offer according to Art. 6 para. 1 lit. f GDPR. Since no direct access to your device takes place, your interests and fundamental freedoms do not override our interest in this pseudonymized analysis.

Data transfer to third countries: A data transfer to the USA takes place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). PostHog is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Braze

We use services from Braze, Inc. as a technical service provider for our customer communication by email. Braze is used by us exclusively for sending emails; no independent data collection by Braze takes place on our website or in our app.

We process using Braze your email address as well as content of the respective communication for the following purposes:

Sending necessary transactional emails: This includes notifications that are necessary for the fulfillment of our contract with you (e.g., confirmations, security-relevant information). To the extent that the GDPR applies, the legal basis for this is Art. 6 para. 1 lit. b GDPR.
Sending marketing information: If you have given us your express consent for this, we use Braze to send information about our products and offers. To the extent that the GDPR applies, the legal basis for this is your consent according to Art. 6 para. 1 lit. a GDPR.

To the extent that the GDPR applies, the legal basis for processing your data is our legitimate interest according to Art. 6 para. 1 lit. f GDPR (e.g., to improve our services and for personalized advertising, provided your interests do not override) as well as your explicit consent according to Art. 6 para. 1 lit. a GDPR (e.g., for receiving newsletters or push notifications).

Data transfer to third countries: A data transfer to the USA takes place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). Braze is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Functional Software, Inc. (Sentry)

We use Functional Software, Inc. d/b/a Sentry ("Sentry") for error monitoring of our software and applications (including the Prosperity App). Sentry helps us to detect and fix technical problems and errors in real time to ensure the stability and user-friendliness of our services.

In the event of errors or performance problems, technical data such as error messages, stack traces (error logs), device information (operating system, browser version), app version, date and time of the error can be transmitted to Sentry.

The purpose of this processing is error detection and correction, improvement of application stability, optimization of performance.

To the extent that the GDPR applies, the legal basis for processing your data is Art. 6 para. 1 lit. f GDPR (legitimate interest in ensuring the technical functionality and security of our services as well as improving the user experience).

Data transfer to third countries: A data transfer to the USA takes place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). Functional Software, Inc. (Sentry.io) is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Twilio (Sendgrid)

Prosperity App uses services from Twilio Ireland Limited, in particular the SendGrid service, for sending emails. This includes both transactional emails (e.g., confirmations, password resets, notifications about your account) and marketing emails (if you have agreed to this).

This processes your email address, name (if provided), content of the emails, time of sending, delivery status of the emails, and possibly technical metadata of the email communication.

Purpose of processing is technical email sending, communication with users and customers, marketing communication.

To the extent that the GDPR applies, the legal basis for processing is Art. 6 para. 1 lit. b GDPR (for transactional emails that are necessary for contract fulfillment), Art. 6 para. 1 lit. a GDPR (for marketing emails based on your consent) or Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient and reliable communication with our users).

Data transfer to third countries: A data transfer to Twilio Inc. in the USA is not excluded. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). Twilio Inc. is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks

iDenfy

We use services from iDenfy, UAB for conducting online identification processes. This serves to verify your identity in the context of our restoration of access to the prosperity App as well as for customer onboarding.

This processes your names, date of birth, address, nationality, gender, copies of identity documents (e.g., ID card, passport), photos or video recordings of your face (possibly with biometric features), information about your device and your IP address, as well as data from the identification process itself (e.g., time of identification) by iDenfy.

The purpose of processing is legally secure and reliable identity determination and verification to fulfill legal obligations (e.g., money laundering law) or for contract fulfillment.

To the extent that the GDPR applies, the legal basis for this processing is Art. 6 para. 1 lit. c GDPR (fulfillment of legal obligations).

iDenfy is a company based in Lithuania. A data transfer to third countries generally does not take place.

IDnow

We use services from IDnow GmbH for conducting online identification processes. This serves to verify your identity in the context of our restoration of access to the prosperity App as well as for customer onboarding.

This processes your names, date of birth, address, nationality, gender, copies of identity documents (e.g., ID card, passport), photos or video recordings of your face (possibly with biometric features), information about your device and your IP address, as well as data from the identification process itself (e.g., time of identification) by IDnow.

The purpose of processing is legally secure and reliable identity determination and verification to fulfill legal obligations (e.g., money laundering law) or for contract fulfillment.

The legal basis is, to the extent that the GDPR applies, Art. 6 para. 1 lit. c GDPR (fulfillment of legal obligations).

IDnow is a German company. A data transfer to third countries generally does not take place.

New Relic

We use services from New Relic, Inc. as a monitoring provider for infrastructure. New Relic helps us to analyze the performance of our systems, detect and fix errors, and improve the general user-friendliness of our services.

Data processed here includes technical performance data such as CPU utilization, memory usage, network traffic, application response times, database queries, error messages (without personal content), log data, IP addresses (possibly pseudonymized), session IDs, user agent information. We try to minimize the transmission of directly identifiable personal data to New Relic.

The purpose of processing is monitoring the technical performance and availability of our systems, error diagnosis and correction, capacity planning, optimization of application performance.

To the extent that the GDPR applies, the legal basis for this processing is Art. 6 para. 1 lit. f GDPR (legitimate interest in ensuring the technical stability, security, and efficiency of our services).

Data transfer to third countries: A data transfer to the USA takes place. The transfer is based on the standard contractual clauses of the EU Commission (SCCs). New Relic is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks.

Data Processing for Advertising Purposes

We process your personal data for the purpose of sending you information, offers, and advertising by e-mail about our products and services as well as the products and services of our affiliated companies.

The legal basis for this processing is your consent in accordance with Art. 6 (1) (a) GDPR. Your consent is voluntary.

We process the following categories of personal data that you provide to us as part of your consent: first name, last name, e-mail address.

Within our company, only those departments that need access to your data to fulfill the stated advertising purposes (e.g. marketing department) will receive it.

We may also use processors (e.g. for e-mail dispatch or CRM systems), who will process your data exclusively according to our instructions and in strict compliance with legal requirements.

Your personal data will be stored for as long as your consent is valid or until you object to this processing. After withdrawal of your consent, your data will be deleted or blocked without delay for advertising purposes, unless other legal bases (e.g. commercial or tax law retention obligations) or legitimate interests justify further storage. In this case, your data will only be further processed for those other purposes and deleted after they have been fulfilled.

Your consent to data processing for advertising purposes is completely voluntary and can be withdrawn at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Data Privacy Statement – prosperity solutions AG