Seroton App Privacy Policy


Data Privacy Notice

(Last updated: 15 September 2025)

Seroton offers a mobile app for using the RelaxHub, which you can download to your mobile device. Below we inform you about the processing of personal data when using our mobile app. Personal data means all data that relates to you personally, such as your name, address, email address, or user behavior. With this notice, we inform you about our processing activities and comply with our legal obligations, in particular those arising from the EU General Data Protection Regulation (GDPR).


  1. Controller

The controller within the meaning of the GDPR for the processing of personal data in our app is:

Seroton GmbH

Richard-Stücklen-Straße 19

91710 Gunzenhausen

hello@seroton.com

For data protection inquiries or to exercise your data subject rights, please contact: dataprotection@seroton.com.


  2. Data Protection Officer

We have appointed the following Data Protection Officer:

Kertos GmbH

Brienner Straße 41

80333 Munich

Email: dsb@kertos.io


  3. Data Processing within the App

3.1 Provision and Use of the App

When downloading the app, the necessary information is transmitted to the app store, in particular your username, email address, customer number, time of download, payment information, and the individual device identification number. The app store also independently collects various data and provides analytical results. We have no influence on this data processing and are not responsible for it. We only process this data insofar as it is required for the download of the mobile app to your device.

Recipient: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (infrastructure and hosting, server-side logic and execution of app processes).

Data processed:

  • Usage data (e.g. IP address, date and time of the request)

  • Device data (e.g. device identifier, operating system)

  • Contact data (e.g. email address, phone number)

  • Network data (e.g. MAC address when using Wi-Fi)

  • Identification data (e.g. unique device number IMEI, unique subscriber number IMSI)

  • App store data (e.g. username, customer number, payment information)

  • Technical log data (e.g. request and response data, error messages)

Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR (ensuring security and operation of the app).

Retention period: For the duration of app usage and thereafter in accordance with statutory retention periods.

Third-country transfer: Transfer of data to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) as well as additional Standard Contractual Clauses (SCCs).

Further information: https://policies.google.com/privacy, https://cloud.google.com/terms/cloud-privacy-notice


3.2 System Permissions

Certain functions of our app require access to specific interfaces and data on your device. Depending on the operating system, your explicit consent may be required. Below we explain which functions of our app may request permissions (where relevant) and for what purposes. You can manage these permissions at any time in your device’s system settings.

  • Location services / location data: Required to connect the RelaxHub hardware device and provide the haptic experience. If you do not allow access, usage may not be possible or may be limited.

  • Notifications / push messages: Permission is required for push services. On some devices, this is enabled by default for all apps.

  • Bluetooth: Required to connect the RelaxHub hardware device and provide the haptic experience.

  • Camera: Required, for example, to take photos or scan QR codes. Access only occurs when you actively select this function in the app.

  • Microphone: Required to record and process audio data. Access is only requested and used when you actively use the recording function.

  • Mobile data (iOS) / access to all networks (Android): Enables the app to transmit data via your device’s internet connection. This is necessary, for example, when sending search queries to our servers.

  • Device storage: May be required to store or access files. Both on Android and iOS, the app can only access its own app-specific storage area; access to other files or general device storage is not possible.


3.3 Registration and User Authentication

Purpose: Creation of a user account to provide personalized app functions and content.

Recipient: Google Ireland Limited, Dublin, Ireland and Google LLC, Mountain View, CA, USA (main database for storing and managing user data and app content, provision and management of user authentication for our application).

Data processed:

  • Name

  • Email address

  • Password (encrypted storage)

  • Gender

  • Date of birth

  • Personal focus (e.g. performance, relaxation)

  • Personal goals (e.g. stress reduction)

  • Routine (e.g. frequency of use)

  • Experience level with relaxation exercises

  • Connected Seroton RelaxHubs

  • Device information (operating system, smartphone version)

  • Login information (e.g. email address, username)

  • Authentication data (e.g. password hash, security token)

  • Device information (e.g. device ID, IP address)

  • Usage statistics (e.g. login times, login frequency)

Legal basis: Art. 6(1)(b) GDPR (performance of contract); for health data: Art. 9(2)(a) GDPR (explicit consent).

Retention period: For the duration of account use; personal data will be deleted upon account deletion.

Third-country transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and Standard Contractual Clauses (SCCs).

Further information: https://firebase.google.com/support/privacy


3.4 Server-Side Analytics

Purpose: Analysis and improvement of our app through the collection of usage data for demand-oriented design and optimization.

Recipient: Mixpanel, Inc., 405 Howard Street, Floor 2, San Francisco, CA 94105, USA (pseudonymized data only).

Data processed:

  • Usage data collected server-side (e.g. clicks on menu items, interactions with navigation elements)

  • Other server-side collected information (e.g. accessed pages)

Legal basis: Legitimate interests pursuant to Art. 6(1)(f) GDPR (demand-oriented design and continuous optimization of our app, improving usability and user experience, identifying weaknesses and improvement potential, increasing efficiency and effectiveness of app functions).

Retention period: Data is stored for the duration of analytical purposes.

Third-country transfer: Transfer of data to the USA based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).

Further information: https://mixpanel.com/legal/privacy-policy/


3.5 Personalized Program Recommendations

Purpose: Provision of personalized program recommendations to improve the user experience.

Data processed:

  • Current mood (e.g. relaxed, stressed)

  • Time availability (e.g. preferred times of use)

  • Previous interactions (e.g. programs used, frequency)

  • User preferences (e.g. preferred types of exercises)

  • Progress data (e.g. frequency of app usage)

Legal basis: Art. 6(1)(b) GDPR (performance of contract); for health data: Art. 9(2)(a) GDPR (explicit consent).

Retention period: For the duration of the use of the personalized recommendation function; specific data for recommendations will be deleted upon withdrawal of consent.

Further information: The use of personalized program recommendations is voluntary. You can withdraw your consent at any time in the app settings.


3.6 Feedback and Problem Reporting

Purpose: Improving the user experience and the product, troubleshooting.

Data processed:

  • Engagement scales

  • Favorites

  • Questionnaires on usage behavior and satisfaction

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

Retention period: For the duration of the usage of the feedback function; personal data will be deleted upon account deletion.

Further information: The use of the feedback function is voluntary. You can withdraw your consent at any time in the app settings.


3.7 Tracking and Analytics

To improve our services and to analyze and optimize app usage, we use various tracking and analytics technologies. Primarily, mobile advertising IDs such as the “Identifier for Advertisers” (IDFA) for Apple devices and “Google Advertising ID” (GAID/AAID) for Android devices are used. These IDs serve to identify devices for analysis and advertising purposes. In addition, we integrate SDKs from third-party providers (e.g. for statistics, advertising, or error reporting), which collect device-specific information (e.g. advertising ID, usage behavior, IP address, and, where applicable, location data). Unless these technologies are strictly necessary, their use is based solely on your prior consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw your consent at any time in the privacy settings of the app or in your device settings.


3.7.1 Google BigQuery

Purpose: Data analysis for optimizing our services and business processes.

Recipient: Google Ireland Limited, Dublin, Ireland and Google LLC, Mountain View, CA, USA.

Data processed:

  • Usage statistics (e.g. page views, duration of visits)

  • Transaction data (e.g. purchase history, product preferences)

  • Aggregated user information (e.g. demographic data, location data)

  • Performance metrics (e.g. loading times, error rates)

Legal basis: Legitimate interests pursuant to Art. 6(1)(f) GDPR (improvement and optimization of our services, increasing usability).

Retention period: Data is stored for a maximum of 24 months and then deleted or anonymized.

Third-country transfer: Transfer of data to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) as well as Standard Contractual Clauses (SCCs).

Further information: https://cloud.google.com/terms/cloud-privacy-notice

  4. Contact

When you contact us via the in-app form or by email, we process the personal data you provide (e.g. name, email address, content of the message) exclusively to process and respond to your inquiry. The legal basis is generally our legitimate interest in communicating with you (Art. 6(1)(f) GDPR) or – where the request is aimed at initiating or performing a contract – Art. 6(1)(b) GDPR. Your data will only be stored as long as necessary to process your request. Data will not be disclosed to third parties unless we are legally obliged to do so or it is essential to process your request.

  5. Registration for the Seroton Innovator Program

Purpose: Conducting user tests, surveys, and feature tests as part of our Innovators Program.

Data processed:

  • Contact information (e.g. name, email address)

  • User data (e.g. usage behavior, preferences)

  • Feedback data (e.g. responses to surveys, test reports)

  • Technical data (e.g. device information, app version)

Legal basis: Consent pursuant to Art. 6(1)(a) GDPR.

Retention period: Data is stored for the duration of participation in the Innovators Program and deleted upon exit or upon the user’s request.

Further information: Participation in the Innovators Program is voluntary. You may withdraw your consent at any time with future effect by unsubscribing from the program or contacting us.

  6. International Data Transfers

We generally process your data within the EU and the EEA. However, some service providers are located in so-called “third countries.” The GDPR sets high requirements for this. All recipients must meet these requirements. Before transferring data to a third-country provider, we review the level of data protection and only select providers with demonstrably adequate protection. Each provider – including those outside the EEA – has entered into a data processing agreement with us.

For providers outside the EEA, additional requirements apply: Pursuant to Art. 44 et seq. GDPR, data may be transferred if at least one of the following conditions is met:

  • The European Commission has determined an adequate level of protection.

  • Standard Contractual Clauses (SCCs) have been agreed with the recipient.

  • Other appropriate safeguards pursuant to Art. 46 GDPR.

  • In exceptional cases, one of the derogations of Art. 49 GDPR applies.

  7. Recipients of Data

Personal data collected by us will only be transferred if:

  • you have given your explicit consent pursuant to Art. 6(1)(a) GDPR,

  • the transfer is required under Art. 6(1)(f) GDPR to protect legitimate interests or to establish, exercise, or defend legal claims and there is no reason to assume that your interests prevail,

  • we are legally obliged (Art. 6(1)(c) GDPR), or

  • the transfer is legally permissible and necessary for the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).

Possible recipients include:

  • Processors: Group companies or external service providers, e.g. in the area of technical infrastructure, processing, maintenance, or payment processing. These may only use data according to our instructions.

  • Public authorities: Authorities and offices, e.g. tax authorities, public prosecutors, courts, if we are obliged to do so or legitimate interests require it.

  8. Data Security and Protective Measures

We ensure that your personal data remains secure and confidential. To protect against manipulation, loss, or misuse, we implement technical and organizational measures that are regularly reviewed and adapted to the state of the art.

Please note that other persons or institutions on the internet may not comply with data protection requirements. In particular, unencrypted data (e.g. emails) can be viewed by third parties. We have no influence over this. Therefore, please protect your data against misuse through encryption or comparable measures.

  9. Data Retention

Personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if provided for by European or national regulations. Data will also be blocked or deleted when a statutory retention period expires, unless it is still required for contract fulfillment.

  10. Data Subject Rights

You have the following rights regarding your personal data:

  • Right of access: You can find out whether we process your personal data. If so, you have the right to know what data, why we use it, who receives it, and how long we retain it.

  • Right to rectification: You may demand the immediate correction of inaccurate or completion of incomplete data.

  • Right to erasure: You may demand deletion, e.g. if data is no longer required, you withdraw consent, or the processing was unlawful.

  • Right to restriction of processing: You may demand blocking in certain cases.

  • Right to data portability: You may receive your data in a machine-readable format.

  • Right to withdraw and object: You may withdraw your consent at any time with future effect. The lawfulness of past processing remains unaffected. You may object to the use of your data for advertising purposes at any time; this also applies to related profiling.

  • Right to lodge a complaint: You may lodge a complaint with a supervisory authority if you believe your rights have been violated.


© 2025 Seroton. All rights reserved. Prioritize regular breaks and invest in your health for optimal well-being.
