Privacy policy for the Endel app

General Information

We, Endel Sound GmbH, Sophienstraße 21, 10178 Berlin (hereinafter referred to as “Endel”), collect and process your personal data in connection with the Endel App (hereinafter referred to as “App”). We are the “controller” within the meaning of the EU General Data Protection Regulation (GDPR) and comply with applicable US data protection laws, including the California Consumer Privacy Act (CCPA).

Definitions

Personal Data: Any information that relates to an identified or identifiable individual, such as name, identification number, location data, or online identifier.

Processing: Any operation performed on personal data, including collection, recording, organization, storage, alteration, retrieval, use, disclosure, and erasure.

The protection and confidentiality of your data is very important to us. We therefore process your data only to the extent that:

  • this is necessary to provide the services you requested from the App,

  • you have consented to the Processing, or

  • we are otherwise legally authorized to do so.

If you have any questions, suggestions or comments, please feel free to contact Endel Sound GmbH, Sophienstraße 21, 10178 Berlin: E-Mail: ask@endel.io.

You can contact our data protection officer: security@endel.io

What data do we collect from you and for what purpose?

a. Information collected during download

When you download the App, certain required information is submitted to the App Store, including your Apple ID, time of download, payment information (e.g. credit card, bank account) and your individual device ID number. The processing of this data occurs exclusively through the respective App Store or the respective payment system (e.g. Stripe) and is beyond our control. We do not store or process this data.

b. Information that is automatically collected when using the app

As part of your use of the App, we automatically collect certain data required for the use of the App. This includes, for example, your device model, system version, and IP address of your mobile device.

This data is automatically Processed by us (1) to provide you with the App and related features; (2) to improve the features and functionality of the App; and (3) to prevent and correct misuse and malfunctions. This Processing is justified by the fact that (1) the processing is necessary for the fulfilment of the contract between you and us in accordance with Art. 6 para. 1 lit. b) GDPR for the use of the App, or (2) we have a legitimate interest within the meaning of Art. 6 para. 1 lit. f) GDPR in guaranteeing the functionality and error-free operation of the App and being able to offer an interest-oriented service.

c. Creation of a user account (registration) and login

To use the App, we may ask you to create a user account. For this purpose, it is necessary to enter your e-mail address (“mandatory information”). The mandatory information enables and guarantees access to and administration of your user account. Mandatory information within the scope of registration is marked with an asterisk and is required for the conclusion of the user contract. If you do not provide this mandatory information, you will not be able to create a user account. The creation of the user account takes place after entering the mandatory data.

In addition, you can voluntarily enter your date of birth during the registration process.

We use the mandatory information to authenticate you when you log in and to follow up on requests to reset your password. The data entered by you during registration or login will be processed and used by us to (1) verify your authorization to manage your user account; (2) enforce the App’s terms and conditions and all related rights and obligations; and (3) contact you to send you technical or legal notices, updates, security messages, or other messages regarding the management of your user account.

This Processing is justified by the fact that (1) the processing is necessary for the fulfilment of the contract between you and us in accordance with Art. 6 para. 1 lit. b) GDPR for the use of the App, or (2) we have a legitimate interest within the meaning of Art. 6 para. 1 lit. f) GDPR in ensuring the functionality and error-free operation of the App.

Registration and log-in with Facebook Connect

Facebook Connect makes it easy for you to register for and log into an account. Instead of entering the required information, you can log in with your Facebook login information. You will be redirected to the Facebook page to enter your information.

Registration in this form links your user account to your Facebook profile. We receive Personal Data about you from Facebook, namely your e-mail address and your name. We use these Personal Data only in order to identify you at registration and login. This Processing is justified by Art. 6 para. 1 S. 1 lit. b GDPR.

Facebook also receives data about you from us. We would like to point out that, as the provider of the App, we do not have any knowledge of the content of the data transmitted or its use by Facebook. Further information on this can be found in Facebook's privacy policy. If you do not want data to be collected via Facebook Connect, please do not use the Facebook Connect function.

d. Data syncing: Connecting certain Personal Data to your account

If you create an account, you will have access to our data syncing feature. This means that we will connect your health data, subscription length and originating platform (iOS, Android etc.) to your account. This will enable you to enjoy your personalized ENDEL sound environment (as set out below) from several devices using different originating platforms.

This Processing is justified by the fact that (1) the processing is necessary for the fulfilment of the contract between you and us in accordance with Art. 6 para. 1 lit. b) GDPR for the use of the App, or (2) we have a legitimate interest within the meaning of Art. 6 para. 1 lit. f) GDPR in ensuring the functionality and error-free operation of the App.

e. Generic mode

If you use the app without providing any further data or giving permission, we will not Process any Personal Data to create a personalized sound environment for you. You will then receive a generic sound environment.

f. Personalized sound environment

If you want to personalize your sound environment, you can share various information and manage these shares. These include, for example, your heart rate and your location.

The following authorizations can be assigned to the app:

  • Internet access: This is required to store your entries on our servers.

  • Location data: By Processing your location data, the app can personalize your sound environment by incorporating weather and time data.

This data is Processed to provide the service, in particular to provide the functionality of the app and the services specified in the terms and conditions. This data processing is justified by the fact that the processing is necessary for the fulfilment of the contract between you and us pursuant to Art. 6 para. 1 lit. b) GDPR for the use of the App.

You can also grant the following authorizations:

  • Heart rate: By processing your heart rate, the app allows you to create personalized sound environments.

  • Motion data: By processing your movement data, especially your cadence, step count and speed, the app can create personalized sound environments for you.

If you grant these authorizations, we Process your Personal Data to provide you with personalized sound environments based on your consent pursuant to Art. 6 para. 1 lit. a) GDPR.

You are not obliged to provide your Personal Data. Furthermore, the use of our app and the associated services is voluntary. However, if you do not wish to provide us with the necessary data, we will not be able to provide you with the functions and services mentioned above.

Please note that when using third-party hardware, such as an Apple Watch, the third-party’s privacy policy applies.

g. Reports and highlights

We will inform you periodically, usually once a week, about your weekly highlights when using the app and show you statistical analyses. For this purpose we process data about your activity in the app. This is justified by the fact that the processing is necessary for the fulfilment of the contract between you and us pursuant to Art. 6 para. 1 lit. b) GDPR for the use of the App.

h. Payments

For payment processing, only the data relevant to payment is transmitted to Apple Pay, Google Play, Stripe and PayPal. This is justified by the fact that the processing is necessary for the fulfilment of the contract between you and us pursuant to Art. 6 para. 1 lit. b) GDPR for the use of the App. 

i. Advertising and newsletter

With your consent, you can allow us to send you advertising and our newsletter, which will inform you about our new products and services and other relevant information. The legal basis for this Processing is Art. 6 para. 1 sentence 1 lit. a GDPR. We store your e-mail address as long as you agree to receive this information.

You can unsubscribe from receiving this information from us at any time by clicking on the link contained in each newsletter.

Where we store your data; who has access to your data.

We store your data on your device and on the servers of our IT service provider Amazon Web Services SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg. Processing shall only take place on our behalf and on the basis of a data processing agreement.

If you use Facebook Connect to register for and log into an account, your Personal Data will be transmitted to Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, in the United States.

Data transfers to the US (e.g., through Facebook Connect or other third-party tools) are secured by the EU-US Data Privacy Framework (DPF), which ensures that personal data receives adequate protection in line with EU standards during such transfers.

Analytics tools

Endel partially commissions third party providers to provide services for the analysis and evaluation of data. Processing is only carried out on our behalf and on the basis of a data processing agreement. All data transfers to the US are secured under the EU-US Data Privacy Framework. In detail we use the following tools:

a. Tableau

We use Tableau, a business intelligence and data visualization platform by Tableau Software, LLC, 1621 N 34th St, Seattle, WA 98103, USA. Tableau allows us to analyze and visualize app usage data to improve the user experience. Tableau’s privacy policy can be found here: https://tableau.com/privacy. Any data transfers to the USA are secured by the EU-US Data Privacy Framework.

b. Google Firebase

We use the Google Firebase service from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to send push notifications. These use encrypted, anonymous device IDs, such as Apple device tokens, to deliver Push Services. Data transfers to the USA are secured by the EU-US Data Privacy Framework. Google Firebase's privacy policy is available here: https://firebase.google.com/support/privacy

c. Crashlytics

We work with Crashlytics, a Google LLC service, to collect information about system crashes and bugs. Crashlytics collects information about device usage, app version, and hardware data. Data transfers to the USA are secured by the EU-US Data Privacy Framework. For more information, please review Crashlytics' privacy policy here: https://firebase.google.com/support/privacy

d. Plug-ins

We are currently using the social media plug-ins from Facebook and Spotify. We offer you the possibility to communicate directly with the provider of the plug-in via the button. When using the plug-ins, your data may be transmitted to the respective plug-in provider.

e. Mailchimp 

Our newsletter is sent using Mailchimp, provided by Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. Mailchimp tracks newsletter opens, clicks, and other metrics for statistical analysis. Data transfers to the USA are secured by the EU-US Data Privacy Framework. You can find Mailchimp’s privacy policy here: https://mailchimp.com/legal/privacy/. If you do not want your usage of the newsletter to be analyzed by Mailchimp, you can withdraw your consent and unsubscribe from the newsletter at any time.

f. Push-notifications 

For push notifications, we use the technology of the provider OneSignal, located at 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA. We use “OneSignal” to send you push notifications and to keep you informed about news through the notifications. The provider processes personal data from you which allow conclusions to be drawn about your user behaviour, such as your reactions to the push notifications. The legal basis for the processing is Art. 6 para. 1 lit. a) GDPR. Data transfers to the USA are secured by the EU-US Data Privacy Framework. You can withdraw your consent at any time. OneSignal’s privacy policy can be found here: https://onesignal.com/privacy_policy.

How long your data will be stored and how you can delete it

We store your data only for as long as you use the app and the data is necessary to fulfill the purpose for which it was originally collected. If applicable, we will store your data for as long as is legally required, e.g. for tax reasons. California residents can request specific data retention information under the CCPA by contacting us.

You can delete your data by visiting the data management section in your settings. This will irrevocably delete all your data from our databases.

Your data rights

Depending on the circumstances of the specific case, you have the following rights:

  • The right of access (Art. 15 GDPR)

  • The right to rectification (Art. 16 GDPR)

  • The right to erasure (Art. 17 GDPR)

  • The right to restriction of processing (Art. 18 GDPR)

  • The right to data portability (Art. 20 GDPR)

  • The right to take legal action or to file a complaint with the competent supervisory authorities (Art. 77 GDPR)

In addition, you have the right to object at any time to the Processing of your Personal Data for purposes of direct marketing or to pursue our legitimate interest.

You may (i) exercise the above rights or (ii) ask questions or (iii) complain about our processing of your Personal Data by contacting us as indicated above.

Under the CCPA, California residents have the right to:

  • Request information about the categories of personal data we have collected or disclosed.

  • Request access to specific pieces of personal data collected about them.

  • Request the deletion of personal data, subject to certain legal exceptions.

  • Opt out of the sale of their personal data (though we do not sell personal data as defined under the CCPA).

We do not sell your personal data as defined by the CCPA. To exercise any of your CCPA rights, please contact us at ask@endel.io.

Changes to our privacy policy

We reserve the right to amend this privacy policy in accordance with the provisions of data protection law. You will find the current version on our website at https://endel.zendesk.com/hc/articles/360003562619.

If you have any questions, suggestions or comments on the subject of data protection, please feel free to contact us. Contact information: Endel Sound GmbH, Sophienstraße 21, 10178 Berlin, E-Mail: ask@endel.io

Version: 1.5; Date: 15 October 2024