Privacy Policy 

This privacy policy (the “Privacy Policy”) is issued to inform you of how Emma Sleep GmbH, its subsidiaries, and its affiliates (collectively “we” “us” “our” or “Emma”) processes your personal data collected through the use of the website. The protection of your personal data is important to us, and we want you to feel safe when using our website. It is our policy to respect and value the users’ privacy rights by ensuring compliance with the requirements of applicable privacy laws. 
1. Information concerning the collection of personal data 

a. The Privacy Policy applies to our collection, processing, and utilization of your personal data on our website. Personal data means all data relating to a living individual who can be identified. 

b. The website is operated by the Controller below:

Emma Sleep GmbH
Wilhelm-Leuschner-Straße 78 - 60329 Frankfurt am Main
Germany

You can reach us for data protection matters through the following contact details:
[email protected]

c. If we use contacted service providers for individual functions to present our services to you or to your data for advertising purposes, we will inform you in detail about the respective processes below. 
2. Collection of personal data when you visit and use our website

a. When visiting our website, i.e. without registering or agreeing to our further processing or utilization of the data, only the personal data, which your browser transmits to our server is automatically saved. In order to fulfill these technical requirements for you to view our website and provide for the necessary security, the following data is saved: 

· IP Address
· Date and time of your visit
· Time zone different to Greenwich Mean Time (GMT)
· Content of the query (specific site visited)
· Access status/HTTP status code
· Amount of transferred data
· Website from which the initial request emanates Browser
· Operating system, device, and its user interface
· Language and version of the browser software
· Name
· Email address

The personal data mentioned above gets processed for the following purposes and legitimate interests:

· To ensure a smooth connection of the website
· To guarantee a comfortable use of our website
· To evaluate system security and stability as well as for other administrative purposes 

This information is temporarily stored in so-called log files. When you visit this website, this information is automatically recorded without your intervention and stored until it is automatically deleted. If you don’t want the above personal data to be collected, you should not access our website as we will be unable to allow you access to our website without such data.

3. Your rights as a data subject and how we protect your personal data

a. You have the following rights vis-à-vis us with regard to your personal data in accordance with the European Union General Data Protection Regulation (“GDPR”):

· Right to information by the data subject (Article 15 GDPR):

You have the right to request information from us about the data we have stored about you at any time. This information includes, among other things, the categories of data that we process, the purposes for which they are processed, the source of the data, if they were not collected directly from you, and, if applicable, the recipients to whom we have passed your data on. You can receive a copy of your data from us free of charge. Should you require additional copies, we reserve the right to invoice you for these copies.

· Right to rectification (Article 16, GDPR):

You have the right to request that we correct incorrect data concerning you. We will take appropriate measures to keep the data stored and processed by us correct, complete and up-to-date on an ongoing basis, based on the most current information available.

· Right to deletion (Article 17, GDPR):

You have the right to request the deletion of your personal data stored by us, unless the processing is to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or Defense of legal claims required.

· Right to restriction of processing (Article 18, GDPR):

You have the right to request that the processing of your personal data be restricted if you dispute the accuracy of the data, if the processing is unlawful, but you refuse to delete it and we no longer need the data, but you need it to assert it, need to exercise or defend legal claims or if you have objected to processing in accordance with Art. 21 GDPR.

· Right to data portability (Article 20, GDPR):

You have the right to request that we transfer your data - as far as technically possible - to another person responsible. However, you can only exercise this right if the data processing is based on your consent or is necessary for the performance of a contract. Instead of receiving a copy of your data, you can also request that we transfer the data directly to another person in charge named by you.

· Right to object (Article 21, GDPR):

You have the right to object to the processing of your data at any time for reasons that arise from your particular situation, provided that the data processing is based on your consent, our legitimate interests or those of a third party. In this case we will stop processing your data. This does not apply if we can prove compelling legitimate reasons for the processing that outweigh your interests, or if we need your data to establish, exercise or defend legal claims.

· Right to withdraw consent (Article 7 (3), GDPR):

You have the right to withdraw your consent to us at any time. As a result, we are not allowed to continue the data processing based on this consent in the future.

b. You can send your inquiries regarding your rights as a data subject to us by completing the data subject rights (DSR) Request Form by clicking this
link.

c. We fully recognize the value of your personal data. Appropriately, we strive to maintain the confidentiality, integrity, and availability of your personal data. We also train our employees to properly handle your personal data and are obligated to maintain a duty of confidentiality. 

4. Recipients of personal data

a. Within the scope of our activities and services, it may become necessary for us to disclose the personal data stored about you to natural persons, legal entities or public authorities. We conclude contracts with our service providers, which ensure that they may only process your personal data in a way that we have explicitly instructed them to do so. Furthermore, we ensure that they take the necessary technical and organizational measures to process your data securely and store your personal data only as long as necessary. External service providers who may receive personal data generally fall into the following categories of recipients:

· Emma Sleep GmbH’s Subsidiaries and affiliates
· IT service provider to maintain our IT infrastructure
· Cloud provider
· Service provider for the optimization of the online offer

b. If personal data is processed in countries outside your country, we will ensure that your personal data is processed in accordance with your country’s data protection level. In the absence of an adequacy decision, we only transfer data to service providers from third countries that offer suitable guarantees. 

5. Storage and retention of your personal data

We may provide You with push notifications, in-app notifications, alerts and other electronic communications related to the App and/or Emma Sleep services, such as enhancements, offers, products, events, and other promotions.After downloading the App, You will be asked to accept or deny push notifications/alerts. If You deny, You will not receive any push notifications/alerts. If You accept, push notifications/alerts will be automatically sent to You. If You no longer wish to receive push notifications/alerts from the App, You may opt out by changing Your notification settings on Your mobile device.

a. Emma may collect, store, process, disseminate or use your personal data in a manner that causes it to be transferred or accessed from computer systems owned or operated by or on behalf of us (or a vendor of Emma). Your personal data are stored in Emma’s cloud which is hosted in servers located in the European Union except when local requirements of the country you are using the website from have data localization requirements or prohibit the transfer of personal data. 

b. Your personal data will be retained in accordance with local legal and regulatory requirements applicable to the country you are using the website from, and subject to Emma’s data retention obligations. If the retention period is not defined by local laws and regulations, we generally may keep your personal data up to 10 years.

c. We keep your personal data for the period of the customer relationship with you or for the legally required period after termination of such relationship or agreement in order to defend our legal claims, to protect and enforce our rights, or to comply with laws and regulations. In general, the legal retention period for legal retention period for documents important for taxation (such as accounting receipts) is ten (10) years while other documents that can be considered as commercial or business transaction documents is six (6) years. 

6. Communications and contact form

When you contact us such as through email or via the contact form, the information you provide will be processed for the purpose of processing your request and for the event that follow-up questions arise. If you are contacting us in relation to other matters, our legal basis for the processing of your personal data is our legitimate interest to address your concern and to enable you to contact us quickly and easily. The personal data collected by us in this context will be deleted when the request associated with the contact has been completely clarified and it is also not to be expected that the specific contact will become relevant again in the future, unless legal storage obligations stand against this.

7. Newsletters and electronic notifications

a. We send newsletters, emails and other electronic notifications containing promotional information. Our newsletters may contain information about our products, offers, promotions and our company. With the following notes we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your right of objection.Newsletter subscriptions are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored by the service provider are also logged. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data. To subscribe to the newsletter, it is sufficient to enter your e-mail address. The provision of further data is voluntary and is used to address you personally. After your confirmation we will save your e-mail address for the purpose of sending the newsletter. The newsletter dispatch and the measurement of performance are based on your consent if you subscribed. 

b. If you receive a newsletter, notification, and/or marketing without subscribing, we are doing so on the basis of our legitimate interest for marketing and to inform you about our products and services. 

c. To stop receiving the newsletter, you may withdraw your consent to or object to receiving the same at any time by clicking on the unsubscribe link provided in every newsletter email or by completing the DSR Request Form. 

8. Social media plug-ins

We have integrated plug-ins on our web services. These plug-ins are indicated by the respective button belonging to the service. With the help of the plug-ins, users can share or post links to the corresponding websites in social networks such as Facebook or Twitter or recommend the contents there.
Through your active interaction with these plugins, (e.g., by clicking the respective button or leaving a comment) this information is transmitted directly to the respective service and stored there.When you visit one of our web services that contain an activated plugin, your browser establishes a connection with the servers of the respective service, which in turn transmits the content of the plugin to your browser, which then integrates it into the displayed page. Thus, the information about the visit of our web services is forwarded to the respective service. We do not collect personal data ourselves by means of the social plugins or about their use and have no influence on which data an activated plugin collects and how these are used by the provider. It must be assumed that at least the IP address and device-related information is collected and used. It is also possible that the service provider will attempt to store cookies on the computer used. If you are logged in to the respective service at the same time as visiting our web services via your personal user account (e.g. via another browser session), the service provider can assign the visit to our web services to your account. 

9. Updates to this Privacy Policy

We keep this Privacy Policy under regular review and may update this Privacy Policy from time to time to reflect the changes in our services. We encourage you to read and/or review this Privacy Policy periodically for the latest updates on our privacy practices. 

10. Cookies and Tools

a. In addition to the abovementioned data categories, we use cookies to make the experience of visiting our website as user-friendly as possible and to allow you to make use of certain functions. Cookies are little text files that are saved on your browser’s delegated hard drive, through which certain information flows back to the person who sets the cookie (in this case us). Cookies are used to improve the user experience and effectiveness of our website. 

b. This website uses the following types of cookies:

· Transient Cookies – Transient cookies are automatically deleted when you close your browser. These are mostly session cookies, which save a so-called “session-ID”, which allows for the assigning of different queries within your browser during a particular session. This can be used to identify your device when one repeatedly visits a website during a session. These cookies are deleted once you log out or the browser window is closed.

· Persistent Cookies – Persistent cookies enable the website to remember your information and settings on your next visit. This gives you faster and more convenient access to the website, as you do not have to change your language settings again, for example. How long the cookie remains on your device depends on the duration or expiration date of the respective cookie and your browser settings. These cookies are automatically deleted after a set period of time which can differ from cookie to cookie. Persistent cookies can be deleted via the security settings in your browser at any time.

Depending on the kind of cookie, we use cookies either on the basis of our legitimate interests (technically necessary cookies, Article 6(1)(f) GDPR or on the basis of your consent (optional cookies, Article 6(1)(a) GDPR, according to your selection of the cookie banner displayed when you access the website. You can also configure your browser settings according to your preferences and, for example, refuse to accept third-party cookies or all cookies. This may result in a functional limitation of our offers and our website.

c. Cookies and/or tools used in the website may include the following: 

Mailchimp
Description of Service:
This is a Customer Relationship Management tool.

Processing Company:
The Rocket Science Group, LLC
675 Ponce de Leon Ave NE
Suit 5000
Atlanta, GA 30308

Data Protection Officer of Processing Company:
Below you can find the email address of the data protection officer of the processing company.
[email protected]

Data Purposes:
This list represents the purposes of the data collection and processing.
· Marketing

Data Collected:
This list represents all (personal) data that is collected by or through the use of this service.
· Name
· Email address
·Open rates on email
· Email clicks

Legal Basis:
In the following the required legal basis for the processing of data is listed.
·Article 6(1)(a), GDPR

Location of Processing:
This is the primary location where the collected data is being processed. If the data is also processed in other countries, you are informed separately.
United States of America

Retention Period:
The retention period is the time span the collected data is saved for the processing purposes. The data needs to be deleted as soon as it is no longer needed for the stated processing purposes.

Data Recipients:
In the following the recipients of the data collected are listed.
· Akamai
· Amazon
· CodeScience
· E-Hawk
· El Camino
· Finc3
· FiveTran
· Google
· Looker
· Percona
· R.R. Donnelley
· SC Wedis Company SRL
· Slack
· TaskUs
· TaxJar
· Two Bulls
· Tyrannosaurus Tech
· Vextras LLC
· Zendesk 

Click here to read the privacy policy of the data processor:
https://www.intuit.com/privacy/statement/